diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:44:11 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:44:11 +0000 |
commit | a632a13327ab882c590bbae004b3be338edc14cf (patch) | |
tree | d0a81c4701d5f4c93baed98904ae3422ddf0df53 | |
parent | dfac4cbecc1c27d53504a0d9a80019146c9c9bfb (diff) | |
download | aports-a632a13327ab882c590bbae004b3be338edc14cf.tar.bz2 aports-a632a13327ab882c590bbae004b3be338edc14cf.tar.xz |
main/libxxf86vm: fix CVE-2013-2001
ref #1931
9 files changed, 603 insertions, 8 deletions
diff --git a/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch b/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch new file mode 100644 index 0000000000..cd5b67a977 --- /dev/null +++ b/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch @@ -0,0 +1,60 @@ +From ef95f1c3737d9efc7d97fb1784f80ef3540a846b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 15:13:06 -0700 +Subject: [PATCH 1/8] When Xcalloc() returns NULL, you don't need to Xfree() it + +I have no words to explain how this ever happened. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + src/XF86VMode.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index 4f19cf3..c0e50e6 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -256,7 +256,6 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, + if (modeline->privsize > 0) { + if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) { + _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); +- Xfree(modeline->private); + return False; + } + _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); +@@ -321,7 +320,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); + else + _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); +- Xfree(modelines); + return False; + } + mdinfptr = (XF86VidModeModeInfo *) ( +@@ -353,7 +351,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + if (!(modelines[i]->private = + Xcalloc(oldxmdline.privsize, sizeof(INT32)))) { + _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32)); +- Xfree(modelines[i]->private); + } else { + _XRead(dpy, (char*)modelines[i]->private, + oldxmdline.privsize * sizeof(INT32)); +@@ -384,7 +381,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + if (!(modelines[i]->private = + Xcalloc(xmdline.privsize, sizeof(INT32)))) { + _XEatData(dpy, (xmdline.privsize) * sizeof(INT32)); +- Xfree(modelines[i]->private); + } else { + _XRead(dpy, (char*)modelines[i]->private, + xmdline.privsize * sizeof(INT32)); +@@ -1039,7 +1035,6 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, + + if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) { + _XEatData(dpy, (rep.clocks) * 4); +- Xfree(dotclocks); + return False; + } + +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch b/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch new file mode 100644 index 0000000000..099ca99716 --- /dev/null +++ b/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch @@ -0,0 +1,134 @@ +From a89b1ad3377bfef9bab52f15f98b00f6540d531a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 17:40:24 -0700 +Subject: [PATCH 2/8] Improve error handling in XF86VidModeGetMonitor() + +Ensure that when we return an error we unlock the display first, and +NULL out any pointers we freed in error cleanup. + +Instead of adding these fixes to every error check, instead combine +the error handling cleanup into a single copy. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + src/XF86VMode.c | 82 +++++++++++++++++++++++++++------------------------------ + 1 file changed, 39 insertions(+), 43 deletions(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index c0e50e6..165f8ba 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -856,6 +856,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) + xXF86VidModeGetMonitorReq *req; + CARD32 syncrange; + int i; ++ Bool result = True; + + XF86VidModeCheckExtension (dpy, info, False); + +@@ -875,63 +876,58 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) + monitor->bandwidth = (float)rep.bandwidth / 1e6; + #endif + if (rep.vendorLength) { +- if (!(monitor->vendor = (char *)Xcalloc(rep.vendorLength + 1, 1))) { +- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + +- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); +- return False; +- } ++ monitor->vendor = Xcalloc(rep.vendorLength + 1, 1); ++ if (monitor->vendor == NULL) ++ result = False; + } else { + monitor->vendor = NULL; + } +- if (rep.modelLength) { +- if (!(monitor->model = Xcalloc(rep.modelLength + 1, 1))) { +- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + +- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); +- if (monitor->vendor) +- Xfree(monitor->vendor); +- return False; +- } ++ if (result && rep.modelLength) { ++ monitor->model = Xcalloc(rep.modelLength + 1, 1); ++ if (monitor->model == NULL) ++ result = False; + } else { + monitor->model = NULL; + } +- if (!(monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange)))) { +- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + +- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); +- +- if (monitor->vendor) +- Xfree(monitor->vendor); +- if (monitor->model) +- Xfree(monitor->model); +- return False; ++ if (result) { ++ monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange)); ++ monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange)); ++ if ((monitor->hsync == NULL) || (monitor->vsync == NULL)) ++ result = False; ++ } else { ++ monitor->hsync = monitor->vsync = NULL; + } +- if (!(monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange)))) { ++ if (result == False) { + _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + + ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); +- if (monitor->vendor) +- Xfree(monitor->vendor); +- if (monitor->model) +- Xfree(monitor->model); ++ Xfree(monitor->vendor); ++ monitor->vendor = NULL; ++ Xfree(monitor->model); ++ monitor->model = NULL; + Xfree(monitor->hsync); +- return False; +- } +- for (i = 0; i < rep.nhsync; i++) { +- _XRead(dpy, (char *)&syncrange, 4); +- monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; +- monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0; ++ monitor->hsync = NULL; ++ Xfree(monitor->vsync); ++ monitor->vsync = NULL; + } +- for (i = 0; i < rep.nvsync; i++) { +- _XRead(dpy, (char *)&syncrange, 4); +- monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; +- monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0; ++ else { ++ for (i = 0; i < rep.nhsync; i++) { ++ _XRead(dpy, (char *)&syncrange, 4); ++ monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; ++ monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0; ++ } ++ for (i = 0; i < rep.nvsync; i++) { ++ _XRead(dpy, (char *)&syncrange, 4); ++ monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; ++ monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0; ++ } ++ if (rep.vendorLength) ++ _XReadPad(dpy, monitor->vendor, rep.vendorLength); ++ if (rep.modelLength) ++ _XReadPad(dpy, monitor->model, rep.modelLength); + } +- if (rep.vendorLength) +- _XReadPad(dpy, monitor->vendor, rep.vendorLength); +- if (rep.modelLength) +- _XReadPad(dpy, monitor->model, rep.modelLength); +- + UnlockDisplay(dpy); + SyncHandle(); +- return True; ++ return result; + } + + Bool +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch new file mode 100644 index 0000000000..3b6bc15b8a --- /dev/null +++ b/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch @@ -0,0 +1,51 @@ +From 8ed00bd0a7c44c7fece687e2566d920ea74ef809 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 17:52:12 -0700 +Subject: [PATCH 3/8] Unlock display before returning alloc error in + XF86VidModeGetModeLine() + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + src/XF86VMode.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index 165f8ba..28c79c1 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -203,6 +203,7 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, + xXF86OldVidModeGetModeLineReply oldrep; + xXF86VidModeGetModeLineReq *req; + int majorVersion, minorVersion; ++ Bool result = True; + + XF86VidModeCheckExtension (dpy, info, False); + XF86VidModeQueryVersion(dpy, &majorVersion, &minorVersion); +@@ -254,17 +255,18 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, + } + + if (modeline->privsize > 0) { +- if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) { ++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); ++ if (modeline->private == NULL) { + _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); +- return False; +- } +- _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); ++ result = False; ++ } else ++ _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); + } else { + modeline->private = NULL; + } + UnlockDisplay(dpy); + SyncHandle(); +- return True; ++ return result; + } + + Bool +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch new file mode 100644 index 0000000000..3be28ee5b8 --- /dev/null +++ b/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch @@ -0,0 +1,28 @@ +From 6c82906f25abcb0f8ec92bcdaf1872bd8b63ca5d Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 17:54:45 -0700 +Subject: [PATCH 4/8] Unlock display before returning alloc error in + XF86VidModeGetAllModeLines() + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + src/XF86VMode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index 28c79c1..76276b6 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -322,6 +322,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); + else + _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); ++ UnlockDisplay(dpy); ++ SyncHandle(); + return False; + } + mdinfptr = (XF86VidModeModeInfo *) ( +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch new file mode 100644 index 0000000000..b59be7bc1a --- /dev/null +++ b/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch @@ -0,0 +1,56 @@ +From d0355b28dd53fba6fb29c350e090ed4a73d4c480 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 17:58:28 -0700 +Subject: [PATCH 5/8] Unlock display before returning alloc error in + XF86VidModeGetDotClocks() + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + src/XF86VMode.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index 76276b6..1b907f4 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -1014,6 +1014,7 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, + xXF86VidModeGetDotClocksReq *req; + int i, *dotclocks; + CARD32 dotclk; ++ Bool result = True; + + XF86VidModeCheckExtension (dpy, info, False); + +@@ -1033,19 +1034,21 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, + *maxclocksPtr = rep.maxclocks; + *flagsPtr = rep.flags; + +- if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) { ++ dotclocks = Xcalloc(rep.clocks, sizeof(int)); ++ if (dotclocks == NULL) { + _XEatData(dpy, (rep.clocks) * 4); +- return False; ++ result = False; + } +- +- for (i = 0; i < rep.clocks; i++) { +- _XRead(dpy, (char*)&dotclk, 4); +- dotclocks[i] = dotclk; ++ else { ++ for (i = 0; i < rep.clocks; i++) { ++ _XRead(dpy, (char*)&dotclk, 4); ++ dotclocks[i] = dotclk; ++ } + } + *clocksPtr = dotclocks; + UnlockDisplay(dpy); + SyncHandle(); +- return True; ++ return result; + } + + Bool +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch b/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch new file mode 100644 index 0000000000..b10d3b7135 --- /dev/null +++ b/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch @@ -0,0 +1,125 @@ +From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 14:24:12 -0700 +Subject: [PATCH 6/8] Use _XEatDataWords to avoid overflow of length + calculations + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + configure.ac | 6 ++++++ + src/XF86VMode.c | 35 +++++++++++++++++++++++++---------- + 2 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d8a23b0..b637788 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1]) + ++# Check for _XEatDataWords function that may be patched into older Xlib release ++SAVE_LIBS="$LIBS" ++LIBS="$XXF86VM_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index 1b907f4..bd54937 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY. + + /* THIS IS NOT AN X CONSORTIUM STANDARD */ + ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ + #include <X11/Xlibint.h> + #include <X11/extensions/xf86vmproto.h> + #include <X11/extensions/xf86vmode.h> + #include <X11/extensions/Xext.h> + #include <X11/extensions/extutil.h> ++#include <limits.h> ++ ++#ifndef HAVE__XEATDATAWORDS ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif + + #ifdef DEBUG + #include <stdio.h> +@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, + if (modeline->privsize > 0) { + modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); + if (modeline->private == NULL) { +- _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); ++ _XEatDataWords(dpy, rep.length - ++ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)); + result = False; + } else + _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); +@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount, + sizeof(XF86VidModeModeInfo *) + +sizeof(XF86VidModeModeInfo)))) { +- if (majorVersion < 2) +- _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); +- else +- _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); ++ _XEatDataWords(dpy, rep.length - ++ ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2)); + UnlockDisplay(dpy); + SyncHandle(); + return False; +@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + if (oldxmdline.privsize > 0) { + if (!(modelines[i]->private = + Xcalloc(oldxmdline.privsize, sizeof(INT32)))) { +- _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32)); ++ _XEatDataWords(dpy, oldxmdline.privsize); + } else { + _XRead(dpy, (char*)modelines[i]->private, + oldxmdline.privsize * sizeof(INT32)); +@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, + if (xmdline.privsize > 0) { + if (!(modelines[i]->private = + Xcalloc(xmdline.privsize, sizeof(INT32)))) { +- _XEatData(dpy, (xmdline.privsize) * sizeof(INT32)); ++ _XEatDataWords(dpy, xmdline.privsize); + } else { + _XRead(dpy, (char*)modelines[i]->private, + xmdline.privsize * sizeof(INT32)); +@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) + monitor->hsync = monitor->vsync = NULL; + } + if (result == False) { +- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + +- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); ++ _XEatDataWords(dpy, rep.length); + Xfree(monitor->vendor); + monitor->vendor = NULL; + Xfree(monitor->model); +@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, + + dotclocks = Xcalloc(rep.clocks, sizeof(int)); + if (dotclocks == NULL) { +- _XEatData(dpy, (rep.clocks) * 4); ++ _XEatDataWords(dpy, rep.length - ++ ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2)); + result = False; + } + else { +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch new file mode 100644 index 0000000000..71dca30fda --- /dev/null +++ b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch @@ -0,0 +1,62 @@ +From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 14:33:32 -0700 +Subject: [PATCH 7/8] memory corruption in XF86VidModeGetGammaRamp() + [CVE-2013-2001] + +We trusted the server not to return more data than the client said it had +allocated room for, and would overflow the provided buffers if it did. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86VMode.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index bd54937..a32564e 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp ( + XExtDisplayInfo *info = find_display (dpy); + xXF86VidModeGetGammaRampReq *req; + xXF86VidModeGetGammaRampReply rep; ++ Bool result = True; + + XF86VidModeCheckExtension (dpy, info, False); + +@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp ( + req->screen = screen; + req->size = size; + if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) { +- UnlockDisplay (dpy); +- SyncHandle (); +- return False; ++ result = False; + } +- if(rep.size) { +- _XRead(dpy, (char*)red, rep.size << 1); +- _XRead(dpy, (char*)green, rep.size << 1); +- _XRead(dpy, (char*)blue, rep.size << 1); ++ else if (rep.size) { ++ if (rep.size <= size) { ++ _XRead(dpy, (char*)red, rep.size << 1); ++ _XRead(dpy, (char*)green, rep.size << 1); ++ _XRead(dpy, (char*)blue, rep.size << 1); ++ } ++ else { ++ _XEatDataWords(dpy, rep.length); ++ result = False; ++ } + } + + UnlockDisplay(dpy); + SyncHandle(); +- return True; ++ return result; + } + + Bool XF86VidModeGetGammaRampSize( +-- +1.8.2.3 + diff --git a/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch new file mode 100644 index 0000000000..f879c5b116 --- /dev/null +++ b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch @@ -0,0 +1,34 @@ +From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 14:43:48 -0700 +Subject: [PATCH 8/8] avoid integer overflow in XF86VidModeGetModeLine() + +rep.privsize is a CARD32 and needs to be bounds checked before multiplying +by sizeof(INT32) to come up with the total size to allocate & read to avoid +integer overflow, though it would not result in buffer overflow as the same +calculation was used for both allocation & reading from the network. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86VMode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index a32564e..fb94816 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, + } + + if (modeline->privsize > 0) { +- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); ++ if (modeline->privsize < (INT_MAX / sizeof(INT32))) ++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); ++ else ++ modeline->private = NULL; + if (modeline->private == NULL) { + _XEatDataWords(dpy, rep.length - + ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)); +-- +1.8.2.3 + diff --git a/main/libxxf86vm/APKBUILD b/main/libxxf86vm/APKBUILD index edcfc275f7..fec2991790 100644 --- a/main/libxxf86vm/APKBUILD +++ b/main/libxxf86vm/APKBUILD @@ -1,29 +1,74 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxxf86vm pkgver=1.1.2 -pkgrel=0 +pkgrel=1 pkgdesc="X11 XFree86 video mode extension library" url="http://xorg.freedesktop.org/" arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= -makedepends="pkgconfig xproto libx11-dev xf86vidmodeproto xextproto - libxext-dev" -source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86vm-$pkgver.tar.bz2" - depends_dev="xf86vidmodeproto libx11-dev libxext-dev" +makedepends="$depends_dev libtool autoconf automake util-macros" +source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86vm-$pkgver.tar.bz2 + 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch + 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch + 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch + 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch + 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch + 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch + 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch + 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch + " + +_builddir="$srcdir"/libXxf86vm-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done + libtoolize --force && aclocal && autoheader && autoconf \ + && automake --add-missing +} build() { - cd "$srcdir"/libXxf86vm-$pkgver + cd "$_builddir" ./configure --prefix=/usr || return 1 make || return 1 } package() { - cd "$srcdir"/libXxf86vm-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -md5sums="ffd93bcedd8b2b5aeabf184e7b91f326 libXxf86vm-1.1.2.tar.bz2" +md5sums="ffd93bcedd8b2b5aeabf184e7b91f326 libXxf86vm-1.1.2.tar.bz2 +0147e68657e82274c85d9a76360f2f7e 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch +93ea0ba28daa2b9a0446b21e317c454e 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch +becbb6759243d4f5e7d87d611501b2e8 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch +7cc84f83f064d575c8628f45afec2691 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch +d16fbe7f3656d1c65aa74f4a45a8bbcd 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch +722b2379320147190135f00eb12782c5 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch +569c6902f1b15289b02d2f7a644a34cc 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch +a86c5904529d2ccfd92c12aef547136e 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch" +sha256sums="a564172fb866b1b587bbccb7d041088931029845245e0d15c32ca7f1bb48fc84 libXxf86vm-1.1.2.tar.bz2 +b457de56462689eff9b2d5b61e07e767bcfe85b2e1c6317cf97fe0a420d95409 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch +a5f97c643cb7a09c9fdb10c99445d968de038f49ad7ab145094a816991f09ec9 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch +442d8fffc438a6e22114d77775df86bd8166e57f404f510d4e85824a8e8446bb 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch +30b41220a8399c7961be7f5b0be83a18fb357100ca94b03e898f4a7b7cc0d00d 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch +3e82f5d621c2d7e4fa7010cb28c5c2e35fd668fd9acc6db5a1a00c9c63067d19 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch +e0e3298f6be09483b376a3da0ba5944befc9d46b1cb2b6e1c043c2eb832bcc91 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch +531c281d602c67b1c702cecb35f948a97ee67fcbd429e723239ff240c69a8594 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch +62e4c96728c0adea4b5c2c9ce4c1089ffe6b57a5466a2789832681bc56d8cd47 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch" +sha512sums="594243f2d0275a3036754e5cfd3f440f2faae78f6c836e6787129d54a559af0ceba6fefe18d98d6908aa75ea322875a188a3b3ffee7e3deec1168c7656e7a96a libXxf86vm-1.1.2.tar.bz2 +4b40e349407a105d07a54b72077b9a7d6371db743b377cbe246d7d21f7894b549fd2ebf77b0acac6520e513829491c07b3b76891d2fe450baf294caa7be72db3 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch +09a8cd3b934b4c46c2143c50cde25e70b0800afcafa265c00f2118f4ce0f74eaffb8cede5027b1d065469da874f27adf2efb18500bb7b4fca70a911096f7db48 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch +38260b81f4e052587a2f38a1d15202511070b7c9985ea374d732abd982953c98d1fbc96b56bd3b57afdae3728f5607e6cb83ee2b43a871c36f4d9366df058ca2 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch +f2a891c4aec0c2d640f92cf63a05f6655531089735c59d9b184b5ef460a850f6cf4f8dfce582cced12dd9d7b14f6e91e590bf9feef37ba714561b696b0e67485 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch +f54396628ff1ab4c31396960b3ee79311a00bd6147d1f76128f9c3f9dbe81bbfeaa7e37e4c1c7686cadfa2901e95e75e06e8f1c297a90f2287a0c4e22382beab 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch +a4a260efeb52f00ddf2adb476f241a88b6809bda75e3b5477ca15caba24e2b9f0fa9fc6cf070fb2f3ba64f7b5d1b9372727533e80d61c1ae3da035952aa87741 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch +e54a46c0c0d54b08daa62578a814ed1dafaa66d5b2e13e2f50dc0dfb11dc061dc505e7001c39ce579f9f4d2ce29dd6b53c40109800c1692d7102f1c5b0583b24 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch +43e2e04e1da133e986ec717e294a7f4fad803d7ff8cafa9a120649cfec30dc986516f0bd7389781cf0dfcda84c59dce63831c47f58f6d25ee6b488cced742d59 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch" |