xserver/dix
Michal Srb 21f559038c dix: Disallow GenericEvent in SendEvent request.
The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
no less. Both ProcSendEvent and SProcSendEvent verify that the received data
exactly match the request size. However nothing stops the client from passing
in an event with xEvent::type = GenericEvent and any value of
xGenericEvent::length.

In the case of ProcSendEvent, the event will be eventually passed to
WriteEventsToClient which will see that it is a Generic event and copy the
arbitrary length from the receive buffer (and possibly past it) and send it to
the other client. This allows clients to copy uninitialized heap memory out of X
server or to crash it.

In the case of SProcSendEvent, it will attempt to swap the incoming event by
calling a swapping function from the EventSwapVector array. The swapped event
is written to the target buffer, which in this case is a local xEvent variable. The
xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
expect that the target buffer has a size matching the size of the source
GenericEvent. This allows clients to cause stack buffer overflows.

Signed-off-by: Michal Srb <msrb@suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 215f894965)
2017-09-25 15:34:10 -04:00
.gitignore dix and os: gitignore dix.O and os.O 2011-09-23 17:14:47 -07:00
atom.c atom: make FreeAtom static 2015-07-08 16:41:29 -04:00
buildatoms XFree86 4.3.0.1 2003-11-14 16:49:22 +00:00
BuiltInAtoms R6.6 is the Xorg base-line 2003-11-14 15:54:54 +00:00
colormap.c configurable maximum number of clients 2015-08-24 00:00:18 -07:00
cursor.c dix: Work around non-premultiplied ARGB cursor data 2016-07-15 09:53:07 -04:00
devices.c dix: Make InitCoreDevices() failures more verbose. 2016-09-21 21:11:40 +10:00
dispatch.c dix: Remove clients from input and output ready queues after closing 2017-09-25 15:34:10 -04:00
dispatch.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
dixfonts.c Remove fd_set from Block/Wakeup handler API 2016-07-18 15:27:51 -04:00
dixutils.c Remove fd_set from Block/Wakeup handler API 2016-07-18 15:27:51 -04:00
enterleave.c dix: Don't update current time in the middle of input event processing 2016-06-01 10:31:52 -07:00
enterleave.h dix: Unexport various implementation details 2015-07-08 16:40:57 -04:00
eventconvert.c dix: send the current axis value in DeviceChangedEvents (#62321) 2013-05-07 09:40:42 +10:00
events.c dix: Disallow GenericEvent in SendEvent request. 2017-09-25 15:34:10 -04:00
extension.c Convert dix/* to new *allocarray functions 2015-04-21 16:57:08 -07:00
ffs.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
gc.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
getevents.c xwayland: Don't send KeyRelease events on wl_keyboard::leave 2017-01-11 14:58:44 -05:00
globals.c dix: Remove bogus input_mutex and input_mutex_count definitions from globals.c 2016-05-30 00:17:15 -07:00
glyphcurs.c Let calloc handle multiplication 2015-04-21 16:57:07 -07:00
grabs.c Convert dix/* to new *allocarray functions 2015-04-21 16:57:08 -07:00
initatoms.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
inpututils.c dix: Add valuator_mask_set_absolute_unaccelerated 2016-10-05 13:46:29 -04:00
main.c XQuartz: Adopt input_lock() and input_unlock() 2016-09-22 14:55:02 -07:00
Makefile.am os,dix: Depend custom libs on libs, not objects 2017-01-11 15:01:36 -05:00
pixmap.c Revert "prime: Sync shared pixmap from root window instead of screen pixmap" 2017-03-10 10:56:15 -05:00
privates.c dix: Add dixPrivatesCreated helper function 2016-09-13 10:26:40 +02:00
property.c dix: Avoid writing uninitialized bytes in deliverPropertyNotifyEvent 2016-08-15 08:54:45 -07:00
protocol.txt protocol.txt: Add MIT-SHM 1.2 requests 2015-09-25 09:46:11 -04:00
ptrveloc.c Remove SIGIO support for input [v5] 2016-05-26 16:07:54 -07:00
region.c Convert dix/* to new *allocarray functions 2015-04-21 16:57:08 -07:00
registry.c Build required portions of registry.c automatically [v2] 2014-09-18 15:29:29 -07:00
resource.c dix: Bump MAXHASHSIZE for the resource db [v2] 2016-10-28 09:28:32 -07:00
selection.c dix: Push UpdateCurrentTimeIf down out of the main loop 2016-05-04 10:58:01 -04:00
stubmain.c Allow DDX to provide a main() 2013-07-23 23:56:58 +01:00
swaprep.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
swapreq.c dix: Disallow GenericEvent in SendEvent request. 2017-09-25 15:34:10 -04:00
tables.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
touch.c dix: Reallocate touchpoint buffer at input event time [v2] 2016-05-26 16:07:54 -07:00
window.c dix: Add hybrid full-size/empty-clip mode to SetRootClip 2016-02-22 13:26:31 -05:00
Xserver-dtrace.h.in dix: add dtrace probes to input API 2012-03-22 11:33:42 +10:00
Xserver.d Get rid of const warnings in XSERVER_INPUT_EVENT dtrace probe calls 2015-02-10 18:14:44 -08:00