diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 13:40:42 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 14:06:57 +0000 |
commit | daf9b293c5e40e9edb1b89794e235f3dcbfe9917 (patch) | |
tree | 522f7bf0e5db70c20c9a57c614f7e0527f4f660c | |
parent | 9f6402e6a959d314a3a9d08b9bd824e5f3357f02 (diff) | |
download | aports-daf9b293c5e40e9edb1b89794e235f3dcbfe9917.tar.bz2 aports-daf9b293c5e40e9edb1b89794e235f3dcbfe9917.tar.xz |
17 files changed, 1466 insertions, 12 deletions
diff --git a/main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch b/main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch new file mode 100644 index 0000000000..b6b21ce2ac --- /dev/null +++ b/main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch @@ -0,0 +1,42 @@ +From f32ad442c24f2407d3a14773201e9f8ec43a7bc6 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Mon, 29 Apr 2013 18:39:34 -0700 +Subject: [PATCH 1/3] Expand comment on the memory vs. reply ordering in + XIGetSelectedEvents() + +Unpacking from the wire involves un-interleaving the structs & masks, +which wasn't obvious to me the first time I read it, so make notes +before I forget again. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit bb82c72a1d69eaf60b7586570faf797df967f661) +(cherry picked from commit 362c9058dcbeedacaae0190c279e076a5db1d564) +--- + src/XISelEv.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/XISelEv.c b/src/XISelEv.c +index 3192b6b..bd5a29a 100644 +--- a/src/XISelEv.c ++++ b/src/XISelEv.c +@@ -132,8 +132,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + + _XRead(dpy, (char*)mask_in, reply.length * 4); + +- /* Memory layout of the XIEventMask for a 3 mask reply: +- * [struct a][struct b][struct c][masks a][masks b][masks c] ++ /* ++ * This function takes interleaved xXIEventMask structs & masks off ++ * the wire, such as this 3 mask reply: ++ * [struct a][masks a][struct b][masks b][struct c][masks c] ++ * And generates a memory buffer to be returned to callers in which ++ * they are not interleaved, so that callers can treat the returned ++ * pointer as a simple array of XIEventMask structs, such as: ++ * [struct a][struct b][struct c][masks a][masks b][masks c] + */ + len = reply.num_masks * sizeof(XIEventMask); + +-- +1.7.7.1 + diff --git a/main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch b/main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch new file mode 100644 index 0000000000..a41d773428 --- /dev/null +++ b/main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch @@ -0,0 +1,86 @@ +From 5594d848a60301243dff803bc0f5281405d28e5a Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Fri, 17 May 2013 09:07:44 +1000 +Subject: [PATCH 2/3] Copy the sequence number into the target event too + (#64687) + +X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687> + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net> +(cherry picked from commit 5d43d4914dcabb6de69859567061e99300e56ef4) + +Conflicts: + src/XExtInt.c +(cherry picked from commit 768c64aaf9d89b1b94f873c68b6b5b38a3af79fa) + +Conflicts: + + src/XExtInt.c +--- + src/XExtInt.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/src/XExtInt.c b/src/XExtInt.c +index 63afb8f..c7e6128 100644 +--- a/src/XExtInt.c ++++ b/src/XExtInt.c +@@ -891,6 +891,7 @@ static void xge_copy_to_cookie(xGenericEvent* ev, + cookie->type = ev->type; + cookie->evtype = ev->evtype; + cookie->extension = ev->extension; ++ cookie->serial = ev->sequenceNumber; + } + + static Bool +@@ -1355,6 +1356,7 @@ wireToDeviceEvent(xXIDeviceEvent *in, XGenericEventCookie* cookie) + out = next_block(&ptr_lib, sizeof(XIDeviceEvent)); + out->display = cookie->display; + out->type = in->type; ++ out->serial = in->sequenceNumber; + out->extension = in->extension; + out->evtype = in->evtype; + out->send_event = ((in->type & 0x80) != 0); +@@ -1569,6 +1571,7 @@ wireToDeviceChangedEvent(xXIDeviceChangedEvent *in, XGenericEventCookie *cookie) + cookie->data = out = malloc(sizeof(XIDeviceChangedEvent) + len); + + out->type = in->type; ++ out->serial = in->sequenceNumber; + out->display = cookie->display; + out->extension = in->extension; + out->evtype = in->evtype; +@@ -1601,6 +1604,7 @@ wireToHierarchyChangedEvent(xXIHierarchyEvent *in, XGenericEventCookie *cookie) + out->info = (XIHierarchyInfo*)&out[1]; + out->display = cookie->display; + out->type = in->type; ++ out->serial = in->sequenceNumber; + out->extension = in->extension; + out->evtype = in->evtype; + out->send_event = ((in->type & 0x80) != 0); +@@ -1642,6 +1646,7 @@ wireToRawEvent(xXIRawEvent *in, XGenericEventCookie *cookie) + + out = next_block(&ptr, sizeof(XIRawEvent)); + out->type = in->type; ++ out->serial = in->sequenceNumber; + out->display = cookie->display; + out->extension = in->extension; + out->evtype = in->evtype; +@@ -1687,6 +1692,7 @@ wireToEnterLeave(xXIEnterEvent *in, XGenericEventCookie *cookie) + out->buttons.mask = (unsigned char*)&out[1]; + + out->type = in->type; ++ out->serial = in->sequenceNumber; + out->display = cookie->display; + out->extension = in->extension; + out->evtype = in->evtype; +@@ -1729,6 +1735,7 @@ wireToPropertyEvent(xXIPropertyEvent *in, XGenericEventCookie *cookie) + cookie->data = out; + + out->type = in->type; ++ out->serial = in->sequenceNumber; + out->extension = in->extension; + out->evtype = in->evtype; + out->send_event = ((in->type & 0x80) != 0); +-- +1.7.7.1 + diff --git a/main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch new file mode 100644 index 0000000000..4d3ae7627b --- /dev/null +++ b/main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch @@ -0,0 +1,298 @@ +From eb0cf9b0ba0ad213954a15c757932b8005bff99e Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 1 May 2013 23:58:39 -0700 +Subject: [PATCH 3/3] Use _XEatDataWords to avoid overflow of rep.length bit + shifting + +rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 59b8e1388a687f871831ac5a9e0ac11de75e2516) +(cherry picked from commit 4579fadd11883c62db486ecc64c40342c2ab5506) +--- + configure.ac | 6 ++++++ + src/XGMotion.c | 2 +- + src/XGetDCtl.c | 2 +- + src/XGetDProp.c | 5 ++--- + src/XGetFCtl.c | 2 +- + src/XGetKMap.c | 2 +- + src/XGetMMap.c | 2 +- + src/XGetProp.c | 4 +--- + src/XGtSelect.c | 2 +- + src/XIProperties.c | 7 +++---- + src/XIint.h | 19 +++++++++++++++++++ + src/XListDProp.c | 2 +- + src/XListDev.c | 2 +- + src/XOpenDev.c | 2 +- + src/XQueryDv.c | 2 +- + 15 files changed, 41 insertions(+), 20 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9d5d5eb..3ffdef3 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -28,6 +28,12 @@ XORG_CHECK_MALLOC_ZERO + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(XI, [xproto >= 7.0.13] [x11 >= 1.2.99.1] [xextproto >= 7.0.3] [xext >= 1.0.99.1] [inputproto >= 1.9.99.902]) + ++# Check for _XEatDataWords function that may be patched into older Xlib releases ++SAVE_LIBS="$LIBS" ++LIBS="$XI_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + # Check for xmlto and asciidoc for man page conversion + # (only needed by people building tarballs) + if test "$have_xmlto" = yes && test "$have_asciidoc" = yes; then +diff --git a/src/XGMotion.c b/src/XGMotion.c +index aee6671..f3b6751 100644 +--- a/src/XGMotion.c ++++ b/src/XGMotion.c +@@ -109,7 +109,7 @@ XGetDeviceMotionEvents( + Xfree(bufp); + Xfree(savp); + *nEvents = 0; +- _XEatData(dpy, (unsigned long)size); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return (NULL); +diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c +index 729b0a0..a1e49ee 100644 +--- a/src/XGetDCtl.c ++++ b/src/XGetDCtl.c +@@ -91,7 +91,7 @@ XGetDeviceControl( + nbytes = (long)rep.length << 2; + d = (xDeviceState *) Xmalloc((unsigned)nbytes); + if (!d) { +- _XEatData(dpy, (unsigned long)nbytes); ++ _XEatDataWords(dpy, rep.length); + goto out; + } + sav = d; +diff --git a/src/XGetDProp.c b/src/XGetDProp.c +index 5d44f91..f9e8f0c 100644 +--- a/src/XGetDProp.c ++++ b/src/XGetDProp.c +@@ -112,14 +112,13 @@ XGetDeviceProperty(Display* dpy, XDevice* dev, + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- nbytes = rep.length << 2; +- _XEatData(dpy, (unsigned long) nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadImplementation); + } + if (! *prop) { +- _XEatData(dpy, (unsigned long) nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadAlloc); +diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c +index 3d64404..5a05397 100644 +--- a/src/XGetFCtl.c ++++ b/src/XGetFCtl.c +@@ -91,7 +91,7 @@ XGetFeedbackControl( + nbytes = (long)rep.length << 2; + f = (xFeedbackState *) Xmalloc((unsigned)nbytes); + if (!f) { +- _XEatData(dpy, (unsigned long)nbytes); ++ _XEatDataWords(dpy, rep.length); + goto out; + } + sav = f; +diff --git a/src/XGetKMap.c b/src/XGetKMap.c +index 4596ff0..0f1d077 100644 +--- a/src/XGetKMap.c ++++ b/src/XGetKMap.c +@@ -95,7 +95,7 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev, + if (mapping) + _XRead(dpy, (char *)mapping, nbytes); + else +- _XEatData(dpy, (unsigned long)nbytes); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay(dpy); +diff --git a/src/XGetMMap.c b/src/XGetMMap.c +index a4bf094..a9b5950 100644 +--- a/src/XGetMMap.c ++++ b/src/XGetMMap.c +@@ -89,7 +89,7 @@ XGetDeviceModifierMapping( + if (res->modifiermap) + _XReadPad(dpy, (char *)res->modifiermap, nbytes); + else +- _XEatData(dpy, (unsigned long)nbytes); ++ _XEatDataWords(dpy, rep.length); + res->max_keypermod = rep.numKeyPerModifier; + } + +diff --git a/src/XGetProp.c b/src/XGetProp.c +index 7ccf9fe..ca6f657 100644 +--- a/src/XGetProp.c ++++ b/src/XGetProp.c +@@ -65,7 +65,6 @@ XGetDeviceDontPropagateList( + int *count) + { + XEventClass *list = NULL; +- int rlen; + xGetDeviceDontPropagateListReq *req; + xGetDeviceDontPropagateListReply rep; + XExtDisplayInfo *info = XInput_find_display(dpy); +@@ -87,7 +86,6 @@ XGetDeviceDontPropagateList( + *count = rep.count; + + if (*count) { +- rlen = rep.length << 2; + list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); + if (list) { + int i; +@@ -102,7 +100,7 @@ XGetDeviceDontPropagateList( + list[i] = (XEventClass) ec; + } + } else +- _XEatData(dpy, (unsigned long)rlen); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay(dpy); +diff --git a/src/XGtSelect.c b/src/XGtSelect.c +index dea8c4c..495e40b 100644 +--- a/src/XGtSelect.c ++++ b/src/XGtSelect.c +@@ -101,7 +101,7 @@ XGetSelectedExtensionEvents( + (XEventClass *) Xmalloc(*this_client_count * + sizeof(XEventClass)); + if (!*this_client_list) { +- _XEatData(dpy, (unsigned long)tlen + alen); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return (Success); +diff --git a/src/XIProperties.c b/src/XIProperties.c +index 83a7a68..5e58fb6 100644 +--- a/src/XIProperties.c ++++ b/src/XIProperties.c +@@ -64,7 +64,7 @@ XIListProperties(Display* dpy, int deviceid, int *num_props_return) + props = (Atom*)Xmalloc(rep.num_properties * sizeof(Atom)); + if (!props) + { +- _XEatData(dpy, rep.num_properties << 2); ++ _XEatDataWords(dpy, rep.length); + goto cleanup; + } + +@@ -203,8 +203,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- nbytes = rep.length << 2; +- _XEatData(dpy, nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadImplementation); +@@ -222,7 +221,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, + *data = Xmalloc(rbytes); + + if (!(*data)) { +- _XEatData(dpy, nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadAlloc); +diff --git a/src/XIint.h b/src/XIint.h +index b27f04a..5de4913 100644 +--- a/src/XIint.h ++++ b/src/XIint.h +@@ -5,7 +5,12 @@ + + #ifndef _XIINT_H_ + #define _XIINT_H_ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ + #include <X11/extensions/XI.h> ++#include <config.h> + + extern XExtDisplayInfo *XInput_find_display(Display *); + +@@ -65,4 +70,18 @@ next_block(void **ptr, int size) { + return ret; + } + ++#ifndef HAVE__XEATDATAWORDS ++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ ++#include <limits.h> ++ ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif ++ + #endif +diff --git a/src/XListDProp.c b/src/XListDProp.c +index 66b9eca..a87164d 100644 +--- a/src/XListDProp.c ++++ b/src/XListDProp.c +@@ -65,7 +65,7 @@ XListDeviceProperties(Display* dpy, XDevice* dev, int *nprops_return) + props = (Atom*)Xmalloc(rep.nAtoms * sizeof(Atom)); + if (!props) + { +- _XEatData(dpy, rep.nAtoms << 2); ++ _XEatDataWords(dpy, rep.length); + goto cleanup; + } + +diff --git a/src/XListDev.c b/src/XListDev.c +index c544ae0..ad8f548 100644 +--- a/src/XListDev.c ++++ b/src/XListDev.c +@@ -187,7 +187,7 @@ XListInputDevices( + list = (xDeviceInfo *) Xmalloc(rlen); + slist = list; + if (!slist) { +- _XEatData(dpy, (unsigned long)rlen); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return (XDeviceInfo *) NULL; +diff --git a/src/XOpenDev.c b/src/XOpenDev.c +index b50d5b0..e09ccbd 100644 +--- a/src/XOpenDev.c ++++ b/src/XOpenDev.c +@@ -98,7 +98,7 @@ XOpenDevice( + if (rlen - dlen > 0) + _XEatData(dpy, (unsigned long)rlen - dlen); + } else +- _XEatData(dpy, (unsigned long)rlen); ++ _XEatDataWords(dpy, rep.length); + + UnlockDisplay(dpy); + SyncHandle(); +diff --git a/src/XQueryDv.c b/src/XQueryDv.c +index 637d5cf..9ef0190 100644 +--- a/src/XQueryDv.c ++++ b/src/XQueryDv.c +@@ -88,7 +88,7 @@ XQueryDeviceState( + if (rlen > 0) { + data = Xmalloc(rlen); + if (!data) { +- _XEatData(dpy, (unsigned long)rlen); ++ _XEatDataWords(dpy, rep.length); + goto out; + } + _XRead(dpy, data, rlen); +-- +1.7.7.1 + diff --git a/main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch b/main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch new file mode 100644 index 0000000000..c42dbd13f9 --- /dev/null +++ b/main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch @@ -0,0 +1,68 @@ +From 4384e622471dbdab88dd5dae28f9eecbfe79ddd8 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:26:52 -0800 +Subject: [PATCH 04/16] Stack buffer overflow in XGetDeviceButtonMapping() + [CVE-2013-1998 1/3] + +We copy the entire reply sent by the server into the fixed size +mapping[] array on the stack, even if the server says it's a larger +size than the mapping array can hold. HULK SMASH STACK! + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit f3e08e4fbe40016484ba795feecf1a742170ffc1) +(cherry picked from commit d7537ad6fba36af4536c576220c135a63507789c) +--- + src/XGetBMap.c | 21 +++++++++++++-------- + 1 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/src/XGetBMap.c b/src/XGetBMap.c +index 610795b..a37c714 100644 +--- a/src/XGetBMap.c ++++ b/src/XGetBMap.c +@@ -56,6 +56,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + #ifdef MIN /* some systems define this in <sys/param.h> */ + #undef MIN +@@ -71,7 +72,6 @@ XGetDeviceButtonMapping( + { + int status = 0; + unsigned char mapping[256]; /* known fixed size */ +- long nbytes; + XExtDisplayInfo *info = XInput_find_display(dpy); + + register xGetDeviceButtonMappingReq *req; +@@ -88,13 +88,18 @@ XGetDeviceButtonMapping( + + status = _XReply(dpy, (xReply *) & rep, 0, xFalse); + if (status == 1) { +- nbytes = (long)rep.length << 2; +- _XRead(dpy, (char *)mapping, nbytes); +- +- /* don't return more data than the user asked for. */ +- if (rep.nElts) +- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap)); +- status = rep.nElts; ++ if (rep.length <= (sizeof(mapping) >> 2)) { ++ unsigned long nbytes = rep.length << 2; ++ _XRead(dpy, (char *)mapping, nbytes); ++ ++ /* don't return more data than the user asked for. */ ++ if (rep.nElts) ++ memcpy(map, mapping, MIN((int)rep.nElts, nmap)); ++ status = rep.nElts; ++ } else { ++ _XEatDataWords(dpy, rep.length); ++ status = 0; ++ } + } else + status = 0; + UnlockDisplay(dpy); +-- +1.7.7.1 + diff --git a/main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch b/main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch new file mode 100644 index 0000000000..76a7024a2d --- /dev/null +++ b/main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch @@ -0,0 +1,34 @@ +From 894a5825df6b9389f677ecdf5950c712f2a2c890 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 23:37:23 -0800 +Subject: [PATCH 05/16] memory corruption in _XIPassiveGrabDevice() + [CVE-2013-1998 2/3] + +If the server returned more modifiers than the caller asked for, +we'd just keep copying past the end of the array provided by the +caller, writing over who-knows-what happened to be there. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 91434737f592e8f5cc1762383882a582b55fc03a) +(cherry picked from commit f0c0f2ff06c8f9ec36f3f344dda4bec71ca5698b) +--- + src/XIPassiveGrab.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c +index 34f1bf3..c64f6ae 100644 +--- a/src/XIPassiveGrab.c ++++ b/src/XIPassiveGrab.c +@@ -85,7 +85,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail, + return -1; + _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo)); + +- for (i = 0; i < reply.num_modifiers; i++) ++ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++) + { + modifiers_inout[i].status = failed_mods[i].status; + modifiers_inout[i].modifiers = failed_mods[i].modifiers; +-- +1.7.7.1 + diff --git a/main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch b/main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch new file mode 100644 index 0000000000..7b8680a6d4 --- /dev/null +++ b/main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch @@ -0,0 +1,70 @@ +From ba6b8bc3413b4818d5c507421193eaa63e8a1ebe Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 26 Apr 2013 22:48:36 -0700 +Subject: [PATCH 06/16] unvalidated lengths in XQueryDeviceState() + [CVE-2013-1998 3/3] + +If the lengths given for each class state in the reply add up to more +than the rep.length, we could read past the end of the buffer allocated +to hold the data read from the server. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 5398ac0797f7516f2c9b8f2869a6c6d071437352) +(cherry picked from commit 2736e93eb52109e5bab5bd14395142cc750f2614) +--- + src/XQueryDv.c | 17 ++++++++++++----- + 1 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/XQueryDv.c b/src/XQueryDv.c +index 9ef0190..e9cdc55 100644 +--- a/src/XQueryDv.c ++++ b/src/XQueryDv.c +@@ -56,6 +56,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XDeviceState * + XQueryDeviceState( +@@ -63,8 +64,8 @@ XQueryDeviceState( + XDevice *dev) + { + int i, j; +- int rlen; +- int size = 0; ++ unsigned long rlen; ++ size_t size = 0; + xQueryDeviceStateReq *req; + xQueryDeviceStateReply rep; + XDeviceState *state = NULL; +@@ -84,9 +85,11 @@ XQueryDeviceState( + if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) + goto out; + +- rlen = rep.length << 2; +- if (rlen > 0) { +- data = Xmalloc(rlen); ++ if (rep.length > 0) { ++ if (rep.length < (INT_MAX >> 2)) { ++ rlen = (unsigned long) rep.length << 2; ++ data = Xmalloc(rlen); ++ } + if (!data) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -94,6 +97,10 @@ XQueryDeviceState( + _XRead(dpy, data, rlen); + + for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) { ++ if (any->length > rlen) ++ goto out; ++ rlen -= any->length; ++ + switch (any->class) { + case KeyClass: + size += sizeof(XKeyState); +-- +1.7.7.1 + diff --git a/main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch b/main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch new file mode 100644 index 0000000000..5b7fa2532d --- /dev/null +++ b/main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch @@ -0,0 +1,120 @@ +From 36d6ecb9bcbe8554ab01fe4a24a19462072fdd64 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:55:23 -0800 +Subject: [PATCH 07/16] integer overflow in XGetDeviceControl() [CVE-2013-1984 + 1/8] + +If the number of valuators reported by the server is large enough that +it overflows when multiplied by the size of the appropriate struct, then +memory corruption can occur when more bytes are copied from the X server +reply than the size of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, so +we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec) +(cherry picked from commit e7ebe26edd40996a9b36b0c7a068728781eb41bb) +--- + src/XGetDCtl.c | 31 ++++++++++++++++++++++++------- + 1 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c +index a1e49ee..66a7100 100644 +--- a/src/XGetDCtl.c ++++ b/src/XGetDCtl.c +@@ -57,6 +57,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XDeviceControl * + XGetDeviceControl( +@@ -64,8 +65,6 @@ XGetDeviceControl( + XDevice *dev, + int control) + { +- int size = 0; +- int nbytes, i; + XDeviceControl *Device = NULL; + XDeviceControl *Sav = NULL; + xDeviceState *d = NULL; +@@ -88,8 +87,12 @@ XGetDeviceControl( + goto out; + + if (rep.length > 0) { +- nbytes = (long)rep.length << 2; +- d = (xDeviceState *) Xmalloc((unsigned)nbytes); ++ unsigned long nbytes; ++ size_t size = 0; ++ if (rep.length < (INT_MAX >> 2)) { ++ nbytes = (unsigned long) rep.length << 2; ++ d = Xmalloc(nbytes); ++ } + if (!d) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -107,33 +110,46 @@ XGetDeviceControl( + case DEVICE_RESOLUTION: + { + xDeviceResolutionState *r; ++ size_t val_size; + + r = (xDeviceResolutionState *) d; +- size += sizeof(XDeviceResolutionState) + +- (3 * sizeof(int) * r->num_valuators); ++ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) ++ goto out; ++ val_size = 3 * sizeof(int) * r->num_valuators; ++ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) ++ goto out; ++ size += sizeof(XDeviceResolutionState) + val_size; + break; + } + case DEVICE_ABS_CALIB: + { ++ if (sizeof(xDeviceAbsCalibState) > nbytes) ++ goto out; + size += sizeof(XDeviceAbsCalibState); + break; + } + case DEVICE_ABS_AREA: + { ++ if (sizeof(xDeviceAbsAreaState) > nbytes) ++ goto out; + size += sizeof(XDeviceAbsAreaState); + break; + } + case DEVICE_CORE: + { ++ if (sizeof(xDeviceCoreState) > nbytes) ++ goto out; + size += sizeof(XDeviceCoreState); + break; + } + default: ++ if (d->length > nbytes) ++ goto out; + size += d->length; + break; + } + +- Device = (XDeviceControl *) Xmalloc((unsigned)size); ++ Device = Xmalloc(size); + if (!Device) + goto out; + +@@ -146,6 +162,7 @@ XGetDeviceControl( + int *iptr, *iptr2; + xDeviceResolutionState *r; + XDeviceResolutionState *R; ++ unsigned int i; + + r = (xDeviceResolutionState *) d; + R = (XDeviceResolutionState *) Device; +-- +1.7.7.1 + diff --git a/main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch b/main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch new file mode 100644 index 0000000000..b6cb05711a --- /dev/null +++ b/main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch @@ -0,0 +1,101 @@ +From 72afdb4d4c2bcc9064defd95680308f123c67afc Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:55:23 -0800 +Subject: [PATCH 08/16] integer overflow in XGetFeedbackControl() + [CVE-2013-1984 2/8] + +If the number of feedbacks reported by the server is large enough that +it overflows when multiplied by the size of the appropriate struct, or +if the total size of all the feedback structures overflows when added +together, then memory corruption can occur when more bytes are copied from +the X server reply than the size of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, so + we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 322ee3576789380222d4403366e4fd12fb24cb6a) +(cherry picked from commit bb14753444842d74de61293ba61863b6c8e12e22) +--- + src/XGetFCtl.c | 24 +++++++++++++++++++----- + 1 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c +index 5a05397..e896c79 100644 +--- a/src/XGetFCtl.c ++++ b/src/XGetFCtl.c +@@ -57,6 +57,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XFeedbackState * + XGetFeedbackControl( +@@ -64,8 +65,6 @@ XGetFeedbackControl( + XDevice *dev, + int *num_feedbacks) + { +- int size = 0; +- int nbytes, i; + XFeedbackState *Feedback = NULL; + XFeedbackState *Sav = NULL; + xFeedbackState *f = NULL; +@@ -87,9 +86,16 @@ XGetFeedbackControl( + goto out; + + if (rep.length > 0) { ++ unsigned long nbytes; ++ size_t size = 0; ++ int i; ++ + *num_feedbacks = rep.num_feedbacks; +- nbytes = (long)rep.length << 2; +- f = (xFeedbackState *) Xmalloc((unsigned)nbytes); ++ ++ if (rep.length < (INT_MAX >> 2)) { ++ nbytes = rep.length << 2; ++ f = Xmalloc(nbytes); ++ } + if (!f) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -98,6 +104,10 @@ XGetFeedbackControl( + _XRead(dpy, (char *)f, nbytes); + + for (i = 0; i < *num_feedbacks; i++) { ++ if (f->length > nbytes) ++ goto out; ++ nbytes -= f->length; ++ + switch (f->class) { + case KbdFeedbackClass: + size += sizeof(XKbdFeedbackState); +@@ -112,6 +122,8 @@ XGetFeedbackControl( + { + xStringFeedbackState *strf = (xStringFeedbackState *) f; + ++ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym))) ++ goto out; + size += sizeof(XStringFeedbackState) + + (strf->num_syms_supported * sizeof(KeySym)); + } +@@ -126,10 +138,12 @@ XGetFeedbackControl( + size += f->length; + break; + } ++ if (size > INT_MAX) ++ goto out; + f = (xFeedbackState *) ((char *)f + f->length); + } + +- Feedback = (XFeedbackState *) Xmalloc((unsigned)size); ++ Feedback = Xmalloc(size); + if (!Feedback) + goto out; + +-- +1.7.7.1 + diff --git a/main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch b/main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch new file mode 100644 index 0000000000..768b48be6f --- /dev/null +++ b/main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch @@ -0,0 +1,52 @@ +From b098d40cbd8b5e093e032063eefbf8d62daa7ce9 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:55:23 -0800 +Subject: [PATCH 09/16] integer overflow in XGetDeviceDontPropagateList() + [CVE-2013-1984 3/8] + +If the number of event classes reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +V2: EatData if count is 0 but length is > 0 to avoid XIOErrors + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff) +(cherry picked from commit 843e1e83de77df8e7e2fc0e992955871498e8432) +--- + src/XGetProp.c | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/XGetProp.c b/src/XGetProp.c +index ca6f657..1ddc4a3 100644 +--- a/src/XGetProp.c ++++ b/src/XGetProp.c +@@ -57,6 +57,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XEventClass * + XGetDeviceDontPropagateList( +@@ -85,10 +86,11 @@ XGetDeviceDontPropagateList( + } + *count = rep.count; + +- if (*count) { +- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); ++ if (rep.length != 0) { ++ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass)))) ++ list = Xmalloc(rep.length * sizeof(XEventClass)); + if (list) { +- int i; ++ unsigned int i; + CARD32 ec; + + /* read and assign each XEventClass separately because +-- +1.7.7.1 + diff --git a/main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch b/main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch new file mode 100644 index 0000000000..a54f186bbe --- /dev/null +++ b/main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch @@ -0,0 +1,70 @@ +From f51b6a628679cad8e116fa4380ea7fb492b91901 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:55:23 -0800 +Subject: [PATCH 10/16] integer overflow in XGetDeviceMotionEvents() + [CVE-2013-1984 4/8] + +If the number of events or axes reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit bb922ed4253b35590f0369f32a917ff89ade0830) +(cherry picked from commit b273909309cfdde0369ee728b17c15984eb84e49) +--- + src/XGMotion.c | 22 +++++++++++++++++----- + 1 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/XGMotion.c b/src/XGMotion.c +index f3b6751..def83a1 100644 +--- a/src/XGMotion.c ++++ b/src/XGMotion.c +@@ -56,6 +56,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XDeviceTimeCoord * + XGetDeviceMotionEvents( +@@ -71,7 +72,7 @@ XGetDeviceMotionEvents( + xGetDeviceMotionEventsReply rep; + XDeviceTimeCoord *tc; + int *data, *bufp, *readp, *savp; +- long size, size2; ++ unsigned long size; + int i, j; + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -101,10 +102,21 @@ XGetDeviceMotionEvents( + SyncHandle(); + return (NULL); + } +- size = rep.length << 2; +- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); +- savp = readp = (int *)Xmalloc(size); +- bufp = (int *)Xmalloc(size2); ++ if (rep.length < (INT_MAX >> 2)) { ++ size = rep.length << 2; ++ savp = readp = Xmalloc(size); ++ } else { ++ size = 0; ++ savp = readp = NULL; ++ } ++ /* rep.axes is a CARD8, so assume max number of axes for bounds check */ ++ if (rep.nEvents < ++ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { ++ size_t bsize = rep.nEvents * ++ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); ++ bufp = Xmalloc(bsize); ++ } else ++ bufp = NULL; + if (!bufp || !savp) { + Xfree(bufp); + Xfree(savp); +-- +1.7.7.1 + diff --git a/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch b/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch new file mode 100644 index 0000000000..739b5ce401 --- /dev/null +++ b/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch @@ -0,0 +1,59 @@ +From dcb6742eea1e709aa1cc6d5cbbcfb5b060bb067c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:55:23 -0800 +Subject: [PATCH 11/16] integer overflow in XIGetProperty() [CVE-2013-1984 + 5/8] + +If the number of items reported by the server is large enough that +it overflows when multiplied by the size of the appropriate item type, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 242f92b490a695fbab244af5bad11b71f897c732) +(cherry picked from commit 6d992e2b31f58e716e63f9a1e5d910a66f51a11b) +--- + src/XIProperties.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/XIProperties.c b/src/XIProperties.c +index 5e58fb6..32436d1 100644 +--- a/src/XIProperties.c ++++ b/src/XIProperties.c +@@ -38,6 +38,7 @@ + #include <X11/extensions/XInput2.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + Atom* + XIListProperties(Display* dpy, int deviceid, int *num_props_return) +@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, + { + xXIGetPropertyReq *req; + xXIGetPropertyReply rep; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; + + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, + * recopy the string to make it null terminated. + */ + +- nbytes = rep.num_items * rep.format/8; +- rbytes = nbytes + 1; +- *data = Xmalloc(rbytes); ++ if (rep.num_items < (INT_MAX / (rep.format/8))) { ++ nbytes = rep.num_items * rep.format/8; ++ rbytes = nbytes + 1; ++ *data = Xmalloc(rbytes); ++ } + + if (!(*data)) { + _XEatDataWords(dpy, rep.length); +-- +1.7.7.1 + diff --git a/main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch b/main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch new file mode 100644 index 0000000000..f67862a23f --- /dev/null +++ b/main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch @@ -0,0 +1,92 @@ +From 98861f0e2b4d7045430e7839a3aca12c6beaed56 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 22:55:23 -0800 +Subject: [PATCH 12/16] integer overflow in XIGetSelectedEvents() + [CVE-2013-1984 6/8] + +If the number of events or masks reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +or the sizes overflow as they are totaled up, then memory corruption can +occur when more bytes are copied from the X server reply than the size +of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, + so that we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845) +(cherry picked from commit cabe9d3f00a28aa05dcb14c114196a30278b5e22) +--- + src/XISelEv.c | 25 +++++++++++++++++++------ + 1 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/src/XISelEv.c b/src/XISelEv.c +index bd5a29a..008ec60 100644 +--- a/src/XISelEv.c ++++ b/src/XISelEv.c +@@ -39,6 +39,7 @@ in this Software without prior written authorization from the author. + #include <X11/extensions/ge.h> + #include <X11/extensions/geproto.h> + #include "XIint.h" ++#include <limits.h> + + int + XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks) +@@ -98,13 +99,14 @@ out: + XIEventMask* + XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + { +- int i, len = 0; ++ unsigned int i, len = 0; + unsigned char *mask; + XIEventMask *mask_out = NULL; + xXIEventMask *mask_in = NULL, *mi; + xXIGetSelectedEventsReq *req; + xXIGetSelectedEventsReply reply; + XExtDisplayInfo *info = XInput_find_display(dpy); ++ size_t rbytes; + + *num_masks_return = -1; + LockDisplay(dpy); +@@ -126,11 +128,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + goto out; + } + +- mask_in = Xmalloc(reply.length * 4); +- if (!mask_in) ++ if (reply.length < (INT_MAX >> 2)) { ++ rbytes = (unsigned long) reply.length << 2; ++ mask_in = Xmalloc(rbytes); ++ } ++ if (!mask_in) { ++ _XEatDataWords(dpy, reply.length); + goto out; ++ } + +- _XRead(dpy, (char*)mask_in, reply.length * 4); ++ _XRead(dpy, (char*)mask_in, rbytes); + + /* + * This function takes interleaved xXIEventMask structs & masks off +@@ -145,8 +152,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + + for (i = 0, mi = mask_in; i < reply.num_masks; i++) + { +- len += mi->mask_len * 4; +- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4); ++ unsigned int mask_bytes = mi->mask_len * 4; ++ len += mask_bytes; ++ if (len > INT_MAX) ++ goto out; ++ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes) ++ goto out; ++ rbytes -= (sizeof(xXIEventMask) + mask_bytes); ++ mi = (xXIEventMask*)((char*)mi + mask_bytes); + mi++; + } + +-- +1.7.7.1 + diff --git a/main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch b/main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch new file mode 100644 index 0000000000..560f3d8d57 --- /dev/null +++ b/main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch @@ -0,0 +1,135 @@ +From 873f86cb8b8fb5a1efabd8b39a50242ef093136f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 13:30:55 -0700 +Subject: [PATCH 13/16] Avoid integer overflow in XGetDeviceProperties() + [CVE-2013-1984 7/8] + +If the number of items as reported by the Xserver is too large, it +could overflow the calculation for the size of the buffer to copy the +reply into, causing memory corruption. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c) +(cherry picked from commit 7be9dcc311e29ed326e53117904648cb51ee21df) +--- + src/XGetDProp.c | 61 +++++++++++++++++++++++++++++++++--------------------- + 1 files changed, 37 insertions(+), 24 deletions(-) + +diff --git a/src/XGetDProp.c b/src/XGetDProp.c +index f9e8f0c..3691122 100644 +--- a/src/XGetDProp.c ++++ b/src/XGetDProp.c +@@ -38,6 +38,7 @@ in this Software without prior written authorization from the author. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + int + XGetDeviceProperty(Display* dpy, XDevice* dev, +@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice* dev, + { + xGetDevicePropertyReq *req; + xGetDevicePropertyReply rep; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; ++ int ret = Success; + + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice* dev, + * data, but this last byte is null terminated and convenient for + * returning string properties, so the client doesn't then have to + * recopy the string to make it null terminated. ++ * ++ * Maximum item limits are set to both prevent integer overflow when ++ * calculating the amount of memory to malloc, and to limit how much ++ * memory will be used if a server provides an insanely high count. + */ + switch (rep.format) { + case 8: +- nbytes = rep.nItems; +- rbytes = rep.nItems + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XReadPad (dpy, (char *) *prop, nbytes); ++ if (rep.nItems < INT_MAX) { ++ nbytes = rep.nItems; ++ rbytes = rep.nItems + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XReadPad (dpy, (char *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + case 16: +- nbytes = rep.nItems << 1; +- rbytes = rep.nItems * sizeof (short) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XRead16Pad (dpy, (short *) *prop, nbytes); ++ if (rep.nItems < (INT_MAX / sizeof (short))) { ++ nbytes = rep.nItems << 1; ++ rbytes = rep.nItems * sizeof (short) + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XRead16Pad (dpy, (short *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + case 32: +- nbytes = rep.nItems << 2; +- rbytes = rep.nItems * sizeof (long) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XRead32 (dpy, (long *) *prop, nbytes); ++ if (rep.nItems < (INT_MAX / sizeof (long))) { ++ nbytes = rep.nItems << 2; ++ rbytes = rep.nItems * sizeof (long) + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XRead32 (dpy, (long *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + default: +@@ -112,16 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice* dev, + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- _XEatDataWords(dpy, rep.length); +- UnlockDisplay(dpy); +- SyncHandle(); +- return(BadImplementation); ++ ret = BadImplementation; + } + if (! *prop) { + _XEatDataWords(dpy, rep.length); +- UnlockDisplay(dpy); +- SyncHandle(); +- return(BadAlloc); ++ if (ret == Success) ++ ret = BadAlloc; ++ goto out; + } + (*prop)[rbytes - 1] = '\0'; + } +@@ -130,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice* dev, + *actual_format = rep.format; + *nitems = rep.nItems; + *bytes_after = rep.bytesAfter; ++ out: + UnlockDisplay (dpy); + SyncHandle (); + +- return Success; ++ return ret; + } + +-- +1.7.7.1 + diff --git a/main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch b/main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch new file mode 100644 index 0000000000..a5cd33fe15 --- /dev/null +++ b/main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch @@ -0,0 +1,56 @@ +From cce662bb80060b6e45d32186d9bbdccf8ea1172d Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 00:22:14 -0800 +Subject: [PATCH 14/16] Avoid integer overflow in XListInputDevices() + [CVE-2013-1984 8/8] + +If the length of the reply as reported by the Xserver is too long, it +could overflow the calculation for the size of the buffer to copy the +reply into, causing memory corruption. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit ef82512288d8ca36ac0beeb289f158195b0a8cae) +(cherry picked from commit f888a17af24945e2b583625c7d85ebed1518fc05) +--- + src/XListDev.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/XListDev.c b/src/XListDev.c +index ad8f548..d8abddb 100644 +--- a/src/XListDev.c ++++ b/src/XListDev.c +@@ -57,6 +57,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + static int + SizeClassInfo(xAnyClassPtr *any, int num_classes) +@@ -164,7 +165,7 @@ XListInputDevices( + XAnyClassPtr Any; + char *nptr, *Nptr; + int i; +- long rlen; ++ unsigned long rlen; + XExtDisplayInfo *info = XInput_find_display(dpy); + + LockDisplay(dpy); +@@ -183,9 +184,10 @@ XListInputDevices( + + if ((*ndevices = rep.ndevices)) { /* at least 1 input device */ + size = *ndevices * sizeof(XDeviceInfo); +- rlen = rep.length << 2; /* multiply length by 4 */ +- list = (xDeviceInfo *) Xmalloc(rlen); +- slist = list; ++ if (rep.length < (INT_MAX >> 2)) { ++ rlen = rep.length << 2; /* multiply length by 4 */ ++ slist = list = Xmalloc(rlen); ++ } + if (!slist) { + _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); +-- +1.7.7.1 + diff --git a/main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch b/main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch new file mode 100644 index 0000000000..6e8187a90a --- /dev/null +++ b/main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch @@ -0,0 +1,94 @@ +From 28a91c1944be8c8e8185eac5d75095ebd39339a6 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 00:16:22 -0800 +Subject: [PATCH 15/16] sign extension issue in XListInputDevices() + [CVE-2013-1995] + +nptr is (signed) char, which can be negative, and will sign extend +when added to the int size, which means size can be subtracted from, +leading to allocating too small a buffer to hold the data being copied +from the X server's reply. + +v2: check that string size fits inside the data read from the server, + so that we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 81b4df8ac6aa1520c41c3526961014a6f115cc46) +(cherry picked from commit 62c1e47de0448242a0dd1f5226be93f92a06824f) + +Conflicts: + + src/XListDev.c +--- + src/XListDev.c | 16 ++++++++++------ + 1 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/XListDev.c b/src/XListDev.c +index d8abddb..7f4538c 100644 +--- a/src/XListDev.c ++++ b/src/XListDev.c +@@ -59,7 +59,7 @@ SOFTWARE. + #include "XIint.h" + #include <limits.h> + +-static int ++static size_t + SizeClassInfo(xAnyClassPtr *any, int num_classes) + { + int size = 0; +@@ -155,7 +155,7 @@ XListInputDevices( + register Display *dpy, + int *ndevices) + { +- int size; ++ size_t size; + xListInputDevicesReq *req; + xListInputDevicesReply rep; + xDeviceInfo *list, *slist = NULL; +@@ -163,7 +163,7 @@ XListInputDevices( + XDeviceInfo *clist = NULL; + xAnyClassPtr any, sav_any; + XAnyClassPtr Any; +- char *nptr, *Nptr; ++ unsigned char *nptr, *Nptr; + int i; + unsigned long rlen; + XExtDisplayInfo *info = XInput_find_display(dpy); +@@ -202,9 +202,12 @@ XListInputDevices( + size += SizeClassInfo(&any, (int)list->num_classes); + } + +- for (i = 0, nptr = (char *)any; i < *ndevices; i++) { ++ Nptr = ((unsigned char *)list) + rlen + 1; ++ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) { + size += *nptr + 1; + nptr += (*nptr + 1); ++ if (nptr > Nptr) ++ goto out; + } + + clist = (XDeviceInfoPtr) Xmalloc(size); +@@ -230,8 +233,8 @@ XListInputDevices( + } + + clist = sclist; +- nptr = (char *)any; +- Nptr = (char *)Any; ++ nptr = (unsigned char *)any; ++ Nptr = (unsigned char *)Any; + for (i = 0; i < *ndevices; i++, clist++) { + clist->name = (char *)Nptr; + memcpy(Nptr, nptr + 1, *nptr); +@@ -241,6 +244,7 @@ XListInputDevices( + } + } + ++ out: + XFree((char *)slist); + UnlockDisplay(dpy); + SyncHandle(); +-- +1.7.7.1 + diff --git a/main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch b/main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch new file mode 100644 index 0000000000..35aa49a3c8 --- /dev/null +++ b/main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch @@ -0,0 +1,35 @@ +From d548f53eb7a79a244f458d7d4c306defe82ab1b7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 21 May 2013 12:23:05 +1000 +Subject: [PATCH 16/16] Don't overwrite the cookies serial number + +serial != sequenceNumber, see _XSetLastRequestRead() + +cookie->serial is already set at this point, setting it again directly from +the sequenceNumber of the event causes a bunch of weird issues such as +scrollbars and text drag-n-drop breaking. + +https://bugzilla.redhat.com/show_bug.cgi?id=965347 + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +(cherry picked from commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9) +(cherry picked from commit 49307ef3e8b4a24b501729f0a9551d10cc53b9c5) +--- + src/XExtInt.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +diff --git a/src/XExtInt.c b/src/XExtInt.c +index c7e6128..5fc7afc 100644 +--- a/src/XExtInt.c ++++ b/src/XExtInt.c +@@ -891,7 +891,6 @@ static void xge_copy_to_cookie(xGenericEvent* ev, + cookie->type = ev->type; + cookie->evtype = ev->evtype; + cookie->extension = ev->extension; +- cookie->serial = ev->sequenceNumber; + } + + static Bool +-- +1.7.7.1 + diff --git a/main/libxi/APKBUILD b/main/libxi/APKBUILD index c2c4ff10ff..a9d7032681 100644 --- a/main/libxi/APKBUILD +++ b/main/libxi/APKBUILD @@ -1,36 +1,78 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxi pkgver=1.4.5 -pkgrel=0 +pkgrel=1 pkgdesc="X11 Input extension library" url="http://xorg.freedesktop.org" arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= +depends_dev="inputproto libx11-dev libxext-dev" makedepends=" - inputproto - libx11-dev - libxext-dev - pkgconfig + $depends_dev xextproto xproto + autoconf automake libtool util-macros + " +source="http://xorg.freedesktop.org/releases/individual/lib/libXi-$pkgver.tar.bz2 + 0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch + 0002-Copy-the-sequence-number-into-the-target-event-too-6.patch + 0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch + 0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch + 0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch + 0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch + 0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch + 0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch + 0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch + 0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch + 0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch + 0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch + 0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch + 0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch + 0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch + 0016-Don-t-overwrite-the-cookies-serial-number.patch " -source="http://xorg.freedesktop.org/releases/individual/lib/libXi-$pkgver.tar.bz2" -depends_dev="inputproto libx11-dev libxext-dev" + +_builddir="$srcdir"/libXi-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done + libtoolize --force && aclocal && autoconf && autoheader \ + && automake --add-missing +} -build () -{ - cd "$srcdir"/libXi-$pkgver +build() { + cd "$_builddir" ./configure --prefix=/usr --sysconfdir=/etc || return 1 make || return 1 } package() { - cd "$srcdir"/libXi-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -md5sums="82dcdc76388116800a2c3ad969f510a4 libXi-1.4.5.tar.bz2" +md5sums="82dcdc76388116800a2c3ad969f510a4 libXi-1.4.5.tar.bz2 +c0c052c5a0b6ff9b50f413cdc4bc8f5c 0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch +3a9c4bf6da4faee8aea8a3c17f1250a7 0002-Copy-the-sequence-number-into-the-target-event-too-6.patch +2030ba2ffa05fc0003b8624d05768b22 0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch +cb0fbf3cdfef06a12db6ee8deaf1bdfe 0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch +b29c53b3c77685c7a9e92ff164069a4c 0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch +81780c4a48c3f16a3d08056e4b0f96a2 0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch +67cbebc59c86f8895a6d3f5ca2449e60 0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch +901ddbf2c247fa31108f8b79c2228199 0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch +380f49370c6acab49a15d5be5ff629ad 0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch +11d6ff63524ffdbdbc64faa3cf6e7919 0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch +1a8a8af65af071ed2d03d89fe65d3f85 0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch +3d72dcd08c560d21efc8fa7a78b0d8e6 0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch +057cf9b49f542ce5f5e006f3d4155bc4 0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch +bace284f9d20dee5fe6caf287fbfc024 0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch +40a7631fc06edd14c8ba9405c16ce1c6 0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch +3e3bff61d4f9aabb5346dc4e47819921 0016-Don-t-overwrite-the-cookies-serial-number.patch" |