kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/x11-servers/xorg-server/files/patch-CVE-2017-12179
Koop Mast 05d144d761 Fix security issues: CVE-2017-12176 through CVE-2017-12187 in xorg-server. 
Bump all the slaves due to not being sure where the shared code is used.

MFH:		2017Q4
Security:	7274e0cc-575f-41bc-8619-14a41b3c2ad0
2017-10-13 19:14:53 +00:00

52 lines
2 KiB
Text
Raw Blame History

From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:04:41 -0500
Subject: Xi: integer overflow and unvalidated length in
(S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
--- Xi/xibarriers.c.orig 2016-07-15 18:17:45.000000000 +0200
+++ Xi/xibarriers.c 2017-10-13 18:26:09.226006000 +0200
@@ -830,10 +830,15 @@
REQUEST(xXIBarrierReleasePointerReq);
int i;
- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
-
swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+
swapl(&stuff->num_barriers);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
swaps(&info->deviceid);
swapl(&info->barrier);
@@ -854,6 +859,10 @@
REQUEST(xXIBarrierReleasePointerReq);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
Reference in a new issue View git blame Copy permalink