fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-06-07 00:38:20 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
xserver/xkb
History
Peter Hutterer 867b59b33b xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes 
CheckKeyTypes computes nMaps = firstType + nTypes from client-controlled
request fields when XkbSetMapResizeTypes is set. This value is used to
index mapWidths[], a stack-allocated CARD8 array of XkbMaxLegalKeyCode + 1
(256) elements. No upper bound is enforced on nMaps.

An attacker can first send SetMap(firstType=0, nTypes=255, ResizeTypes) to
set the server's num_types to 255, then send SetMap(firstType=255,
nTypes=10, ResizeTypes). The firstType > num_types check passes because
255 > 255 is false (the check uses > rather than >=). nMaps is then
computed as 265, and the loop writes mapWidths[255..264], overflowing 9
bytes past the stack buffer into adjacent stack variables (symsPerKey[]).

Fix by rejecting requests where firstType + nTypes would exceed the
mapWidths buffer size (XkbMaxLegalKeyCode + 1).

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30161

Assisted-by: Claude:claude-opus-4-6
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2228>
2026-06-01 08:31:59 +10:00
..
ddxBeep.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxCtrls.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxKillSrv.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxLEDs.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxLoad.c xkb: handle -Wanalyzer-null-dereference in XkbDDXLoadKeymapByNames() 2026-04-11 18:12:24 +00:00
ddxPrivate.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ddxVT.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
maprules.c xkb: preserve buffer on realloc failure 2026-05-25 12:48:50 +03:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
README.compiled Strip trailing whitespace from source files 2026-01-25 10:40:02 -08:00
xkb-procs.h xkb: rename xkb.h to xkb-procs.h 2022-07-08 14:27:04 +00:00
xkb.c xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes 2026-06-01 08:31:59 +10:00
xkbAccessX.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
xkbActions.c xkb: Handle allocation failures in _XkbNextFreeFilter() 2026-04-28 02:37:44 +00:00
XKBAlloc.c xkb: ensure XkbAllocNames sets num_rg to 0 on allocation failure 2026-01-25 10:40:01 -08:00
xkbDflts.h Use ARRAY_SIZE all over the tree 2017-10-30 13:45:20 -04:00
xkbEvents.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
xkbfmisc.c xkb: drop ununsed XkbNameMatchesPattern() 2026-01-19 12:32:25 -08:00
XKBGAlloc.c xkb: add missing NULL check for strdup in XkbAddGeomProperty update path 2026-04-28 02:37:43 +00:00
xkbgeom.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xkbInit.c xkb: fail if we can't strdup our default rules 2026-04-28 02:37:43 +00:00
xkbLEDs.c Fix typos 2026-03-03 06:50:01 -03:00
XKBMAlloc.c xkb: Check that needed is > 0 in XkbResizeKeyActions 2026-01-25 10:40:01 -08:00
XKBMisc.c xkb: Fix buffer overflow in XkbChangeTypesOfKey() 2026-01-25 10:40:01 -08:00
xkbout.c xkb: drop defining XKBSRV_NEED_FILE_FUNCS 2026-01-19 12:32:18 -08:00
xkbPrKeyEv.c xwayland: Don't run key behaviors and actions 2026-01-25 10:39:58 -08:00
xkbSwap.c xkb: drop swapping request length fields 2026-01-25 10:39:58 -08:00
xkbtext.c xkb: Fix potential uninitialized variable 2026-04-29 13:08:12 +00:00
xkbUtils.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
XKM_file_format.txt Fix typos 2026-03-03 06:50:01 -03:00
xkmread.c xkb: Fix out-of-bounds array access in xkmread.c ReadXkmGeometry 2026-05-10 23:18:25 +00:00

README.compiled 

The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients.  The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time.  The default keymap for any server is usually stored in:
     X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.

Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.