mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2026-05-14 23:48:05 +02:00
b85b00dd7b
The function CheckKeyTypes() will loop over the client's request but won't perform any additional bound checking to ensure that the data read remains within the request bounds. As a result, a specifically crafted request may cause CheckKeyTypes() to read past the request data, as reported by valgrind: == Invalid read of size 2 == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) == by 0x4A20DF: Dispatch (dispatch.c:551) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == Address is 30 bytes after a block of size 28,672 in arena "client" == == Invalid read of size 2 == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) == by 0x4A20DF: Dispatch (dispatch.c:551) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == Address is 2 bytes after a block of size 28,672 alloc'd == at 0x4848897: realloc (vg_replace_malloc.c:1804) == by 0x5E357A: ReadRequestFromClient (io.c:336) == by 0x4A1FAB: Dispatch (dispatch.c:519) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == == Invalid write of size 2 == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) == by 0x4A20DF: Dispatch (dispatch.c:551) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == Address is 2 bytes after a block of size 28,672 alloc'd == at 0x4848897: realloc (vg_replace_malloc.c:1804) == by 0x5E357A: ReadRequestFromClient (io.c:336) == by 0x4A1FAB: Dispatch (dispatch.c:519) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == To avoid that issue, add additional bounds checking within the loops by calling _XkbCheckRequestBounds() and report an error if we are to read past the client's request. CVE-2026-34003, ZDI-CAN-28736 This vulnerability was discovered by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Acked-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176> |
||
|---|---|---|
| .. | ||
| ddxBeep.c | ||
| ddxCtrls.c | ||
| ddxKillSrv.c | ||
| ddxLEDs.c | ||
| ddxLoad.c | ||
| ddxPrivate.c | ||
| ddxVT.c | ||
| maprules.c | ||
| meson.build | ||
| README.compiled | ||
| xkb-procs.h | ||
| xkb.c | ||
| xkbAccessX.c | ||
| xkbActions.c | ||
| XKBAlloc.c | ||
| xkbDflts.h | ||
| xkbEvents.c | ||
| xkbfmisc.c | ||
| XKBGAlloc.c | ||
| xkbgeom.h | ||
| xkbInit.c | ||
| xkbLEDs.c | ||
| XKBMAlloc.c | ||
| XKBMisc.c | ||
| xkbout.c | ||
| xkbPrKeyEv.c | ||
| xkbSwap.c | ||
| xkbtext.c | ||
| xkbUtils.c | ||
| XKM_file_format.txt | ||
| xkmread.c | ||
The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients. The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time. The default keymap for any server is usually stored in:
X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.
Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.