Module Name: xsrc Committed By: mrg Date: Fri Jul 7 04:46:50 UTC 2017
Modified Files: xsrc/external/mit/xorg-server/dist/Xi: sendexev.c xsrc/external/mit/xorg-server/dist/dix: events.c swapreq.c Log Message: CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced XXX: pullup-[678] (6/7 also need xfree port.) To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c cvs rdiff -u -r1.1.1.9 -r1.2 xsrc/external/mit/xorg-server/dist/dix/events.c cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/external/mit/xorg-server/dist/dix/swapreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.4
--- xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.3 Thu Aug 11 00:04:26 2016
+++ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c Fri Jul 7 04:46:50 2017
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr clien
 {
 CARD32 *p;
 int i;
- xEvent eventT;
+ xEvent eventT = { .u.u.type = 0 };
 xEvent *eventP;
 EventSwapPtr proc;
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien
 eventP = (xEvent *) &stuff[1];
 for (i = 0; i < stuff->num_events; i++, eventP++) {
+ if (eventP->u.u.type == GenericEvent) {
+ client->errorValue = eventP->u.u.type;
+ return BadValue;
+ }
+
 proc = EventSwapVector[eventP->u.u.type & 0177];
- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
+ /* no swapping proc; invalid event type? */
+ if (proc == NotImplemented) {
+ client->errorValue = eventP->u.u.type;
 return BadValue;
+ }
 (*proc) (eventP, &eventT);
 *eventP = eventT;
 }
@@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien
 int ProcXSendExtensionEvent(ClientPtr client)
 {
- int ret;
+ int ret, i;
 DeviceIntPtr dev;
 xEvent *first;
 XEventClass *list;
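Review bot: In the first sendexev.c hunk, `xEvent eventT = { .u.u.type = 0 };` names a single union member, and C only guarantees that the named member is initialised; whether the remaining bytes of the union are cleared is left to the compiler. The loop in the following hunk copies the whole object back with `*eventP = eventT;`, so any byte a swap routine leaves unwritten would come from the stack. Assuming xEvent's `u` is a union wider than `u.u` (its definition is not part of this diff), `memset(&eventT, 0, sizeof(eventT));` ahead of the loop states the intent without depending on compiler behaviour. The body of SProcXSendExtensionEvent continues outside the hunk.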
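Review bot: The new GenericEvent test in the swap loop compares the full type byte, while the lookup directly below it picks the handler with `eventP->u.u.type & 0177`, so a type value with the top bit set does not match the test yet maps to the same EventSwapVector slot. Comparing the masked value, `if ((eventP->u.u.type & 0177) == GenericEvent) {`, keeps the rejection and the table index in agreement. The same pattern appears in the SProcSendEvent hunk in dix/swapreq.c. Whether such a value is rejected elsewhere before the swap runs cannot be seen from these hunks.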
@@ -144,10 +152,12 @@ ProcXSendExtensionEvent(ClientPtr client
 /* The client's event type must be one defined by an extension. */
 first = ((xEvent *) &stuff[1]);
- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
- (first->u.u.type < lastEvent))) {
- client->errorValue = first->u.u.type;
- return BadValue;
+ for (i = 0; i < stuff->num_events; i++) {
+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+ (first[i].u.u.type < lastEvent))) {
+ client->errorValue = first[i].u.u.type;
+ return BadValue;
+ }
 }
 list = (XEventClass *) (first + stuff->num_events);
Index: xsrc/external/mit/xorg-server/dist/dix/events.c
diff -u xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.9 xsrc/external/mit/xorg-server/dist/dix/events.c:1.2
--- xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.9 Wed Aug 10 07:44:32 2016
+++ xsrc/external/mit/xorg-server/dist/dix/events.c Fri Jul 7 04:46:50 2017
@@ -5355,6 +5355,12 @@ ProcSendEvent(ClientPtr client)
 client->errorValue = stuff->event.u.u.type;
 return BadValue;
 }
+ /* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+ if (stuff->event.u.u.type == GenericEvent) {
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
 if (stuff->event.u.u.type == ClientMessage && stuff->event.u.u.detail != 8 && stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
Index: xsrc/external/mit/xorg-server/dist/dix/swapreq.c
diff -u xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.2
--- xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.3 Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/dix/swapreq.c Fri Jul 7 04:46:50 2017
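Review bot: In the ProcXSendExtensionEvent hunk, moving the range check into `for (i = 0; i < stuff->num_events; i++)` means a request with `num_events == 0` now passes without any event type being examined, where the old code always looked at `first->u.u.type`. The hunk does not show whether a zero count is rejected earlier in the function, which starts and ends outside it. If it is not, an explicit `if (stuff->num_events == 0)` early return ahead of the loop would make the empty case deliberate rather than a side effect of the loop bound. The loop also relies on the request length having been checked against `num_events` before `first[i]` is read, which is likewise not visible here.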
@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
 swapl(&stuff->destination);
 swapl(&stuff->eventMask);
+ /* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+ if (stuff->event.u.u.type == GenericEvent) {
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
+
 /* Swap event */
 proc = EventSwapVector[stuff->event.u.u.type & 0177];
 if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */