You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
82 lines
3.0 KiB
82 lines
3.0 KiB
From be6bcbfa3f388ca0705db8baf10fa5c2d29b7d36 Mon Sep 17 00:00:00 2001 |
|
From: Peter Hutterer <peter.hutterer@who-t.net> |
|
Date: Tue, 29 Nov 2022 13:55:32 +1000 |
|
Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255 |
|
|
|
The XKB protocol effectively prevents us from ever using keycodes above |
|
255. For buttons it's theoretically possible but realistically too niche |
|
to worry about. For all other passive grabs, the detail must be zero |
|
anyway. |
|
|
|
This fixes an OOB write: |
|
|
|
ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a |
|
temporary grab struct which contains tempGrab->detail.exact = stuff->detail. |
|
For matching existing grabs, DeleteDetailFromMask is called with the |
|
stuff->detail value. This function creates a new mask with the one bit |
|
representing stuff->detail cleared. |
|
|
|
However, the array size for the new mask is 8 * sizeof(CARD32) bits, |
|
thus any detail above 255 results in an OOB array write. |
|
|
|
CVE-2022-46341, ZDI-CAN 19381 |
|
|
|
This vulnerability was discovered by: |
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
|
--- |
|
Xi/xipassivegrab.c | 22 ++++++++++++++-------- |
|
1 file changed, 14 insertions(+), 8 deletions(-) |
|
|
|
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c |
|
index 2769fb7c94..c9ac2f8553 100644 |
|
--- a/Xi/xipassivegrab.c |
|
+++ b/Xi/xipassivegrab.c |
|
@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) |
|
return BadValue; |
|
} |
|
|
|
+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never |
|
+ * implement this. Just return an error for all keycodes that |
|
+ * cannot work anyway, same for buttons > 255. */ |
|
+ if (stuff->detail > 255) |
|
+ return XIAlreadyGrabbed; |
|
+ |
|
if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], |
|
stuff->mask_len * 4) != Success) |
|
return BadValue; |
|
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) |
|
¶m, XI2, &mask); |
|
break; |
|
case XIGrabtypeKeycode: |
|
- /* XI2 allows 32-bit keycodes but thanks to XKB we can never |
|
- * implement this. Just return an error for all keycodes that |
|
- * cannot work anyway */ |
|
- if (stuff->detail > 255) |
|
- status = XIAlreadyGrabbed; |
|
- else |
|
- status = GrabKey(client, dev, mod_dev, stuff->detail, |
|
- ¶m, XI2, &mask); |
|
+ status = GrabKey(client, dev, mod_dev, stuff->detail, |
|
+ ¶m, XI2, &mask); |
|
break; |
|
case XIGrabtypeEnter: |
|
case XIGrabtypeFocusIn: |
|
@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) |
|
return BadValue; |
|
} |
|
|
|
+ /* We don't allow passive grabs for details > 255 anyway */ |
|
+ if (stuff->detail > 255) { |
|
+ client->errorValue = stuff->detail; |
|
+ return BadValue; |
|
+ } |
|
+ |
|
rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); |
|
if (rc != Success) |
|
return rc; |
|
-- |
|
2.38.1 |
|
|
|
|