From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Mon, 27 Nov 2023 16:27:49 +1000 Subject: [PATCH] randr: avoid integer truncation in length check of ProcRRChange*Property Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. See also xserver@8f454b79 where this same bug was fixed for the core protocol and XI. This fixes an OOB read and the resulting information disclosure. Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->nUnits value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check. The server then proceeded with reading at least stuff->num_items bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->nUnits bytes, i.e. 4GB. CVE-2023-6478, ZDI-CAN-22561 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] CVE: CVE-2023-6478 Signed-off-by: Vijay Anusuri --- randr/rrproperty.c | 2 +- randr/rrproviderproperty.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/randr/rrproperty.c b/randr/rrproperty.c index 25469f57b2..c4fef8a1f6 100644 --- a/randr/rrproperty.c +++ b/randr/rrproperty.c @@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) char format, mode; unsigned long len; int sizeInBytes; - int totalSize; + uint64_t totalSize; int err; REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c index b79c17f9bf..90c5a9a933 100644 --- a/randr/rrproviderproperty.c +++ b/randr/rrproviderproperty.c @@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) char format, mode; unsigned long len; int sizeInBytes; - int totalSize; + uint64_t totalSize; int err; REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); -- GitLab