xserver/xkb
Peter Hutterer 54c3d9fad0 xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes
CheckKeyTypes computes nMaps = firstType + nTypes from client-controlled
request fields when XkbSetMapResizeTypes is set. This value is used to
index mapWidths[], a stack-allocated CARD8 array of XkbMaxLegalKeyCode + 1
(256) elements. No upper bound is enforced on nMaps.

An attacker can first send SetMap(firstType=0, nTypes=255, ResizeTypes) to
set the server's num_types to 255, then send SetMap(firstType=255,
nTypes=10, ResizeTypes). The firstType > num_types check passes because
255 > 255 is false (the check uses > rather than >=). nMaps is then
computed as 265, and the loop writes mapWidths[255..264], overflowing 9
bytes past the stack buffer into adjacent stack variables (symsPerKey[]).

Fix by rejecting requests where firstType + nTypes would exceed the
mapWidths buffer size (XkbMaxLegalKeyCode + 1).

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30161

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 867b59b33b)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
2026-06-02 09:47:21 +10:00
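To make the bound concrete, the following is an added C model of the check the commit message describes; it is not code from the xserver tree. The struct and function names are assumptions, and the model assumes XkbSetMapResizeTypes is set on both requests.

```c
/* Added illustration, not xserver code: a simplified model of the
 * CheckKeyTypes bound logic from the commit message. Field and function
 * names are assumptions; constants mirror the message. */
#include <stdio.h>
#include <stdbool.h>

#define XKB_MAX_LEGAL_KEYCODE 255
#define MAP_WIDTHS_LEN (XKB_MAX_LEGAL_KEYCODE + 1)   /* 256 CARD8 entries */

/* Server-side state this model tracks: number of key types currently set. */
typedef struct { int num_types; } xkb_server_model;

/* The two request fields relevant here (ResizeTypes assumed set). */
typedef struct { int first_type; int n_types; } setmap_req;

/* Returns the nMaps the request would index mapWidths[] with, or -1 if
 * rejected. With fixed == false only the pre-fix check (firstType >
 * num_types) applies, which lets firstType == num_types through. With
 * fixed == true the request is also rejected when firstType + nTypes
 * exceeds the mapWidths buffer size, as the fix describes. */
int check_key_types(xkb_server_model *srv, const setmap_req *req, bool fixed)
{
    if (req->first_type > srv->num_types)      /* '>' rather than '>=' */
        return -1;
    int n_maps = req->first_type + req->n_types;
    if (fixed && n_maps > MAP_WIDTHS_LEN)      /* the clamp added by the fix */
        return -1;
    srv->num_types = n_maps;                   /* resize accepted */
    return n_maps;
}

/* Replays the two-request sequence from the commit message; returns the
 * nMaps the second request ends up with, or -1 if it is rejected. */
int replay_sequence(bool fixed)
{
    xkb_server_model srv = { .num_types = 0 };
    setmap_req first  = { .first_type = 0,   .n_types = 255 };
    setmap_req second = { .first_type = 255, .n_types = 10 };
    if (check_key_types(&srv, &first, fixed) < 0)
        return -1;
    return check_key_types(&srv, &second, fixed);
}

int main(void)
{
    printf("unfixed: nMaps=%d, buffer holds %d\n", replay_sequence(false), MAP_WIDTHS_LEN);
    printf("fixed:   result=%d (rejected)\n", replay_sequence(true));
    return 0;
}
```

Without the clamp the second request yields nMaps = 265 against a 256-entry buffer; with it the request is rejected before any index is formed.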
ddxBeep.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxCtrls.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxKillSrv.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxLEDs.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxLoad.c xkb: don't require a trailing slash for the XKM output dir 2021-04-09 17:37:29 +00:00
ddxPrivate.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ddxVT.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
Makefile.am XKB: Remove component listing support 2012-11-19 12:12:28 +10:00
maprules.c xkb: fix check for appending '|' character when applying rules 2016-09-07 15:16:13 +10:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
README.compiled R6.6 is the Xorg base-line 2003-11-14 15:54:54 +00:00
xkb.c xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes 2026-06-02 09:47:21 +10:00
xkb.h Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
xkbAccessX.c xkb: add hook to allow/deny AccessX key repeat 2016-06-03 09:39:42 +02:00
xkbActions.c xkb: Fix locked/latched indicator desync across multiple keyboards 2026-03-28 16:40:00 +00:00
XKBAlloc.c xkb: ensure XkbAllocNames sets num_rg to 0 on allocation failure 2025-04-08 09:50:29 +02:00
xkbDflts.h Use ARRAY_SIZE all over the tree 2017-10-30 13:45:20 -04:00
xkbEvents.c xkb: Free the XKB resource when freeing XkbInterest 2025-10-28 14:15:35 +01:00
xkbfmisc.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
XKBGAlloc.c xkb: fix incorrect size check when growing doodads in a section 2026-05-30 10:16:12 -07:00
xkbgeom.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xkbInit.c xkb: Write the _XKB_RULES_NAMES window property synchronously 2018-11-13 10:36:18 -05:00
xkbLEDs.c xkb: after changing the keymap, force an indicator update 2016-05-04 10:55:09 -04:00
XKBMAlloc.c xkb: Check that needed is > 0 in XkbResizeKeyActions 2025-04-08 09:50:36 +02:00
XKBMisc.c xkb: Fix buffer overflow in XkbChangeTypesOfKey() 2025-02-25 19:36:29 +01:00
xkbout.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xkbPrKeyEv.c xkb: Match key releases with an overlaid press 2017-01-04 13:23:31 +10:00
xkbSwap.c Fix XkbSelectEvents() integer underflow 2020-08-25 17:01:29 +02:00
xkbtext.c xkb: fix potential buff overflow in XkbVModIndexText for XkbCFile format 2026-05-30 10:35:53 -07:00
xkbUtils.c xkb: Fix key type without level names in XkbCopyKeymap 2026-03-28 16:40:00 +00:00
XKM_file_format.txt Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
xkmread.c xkb: Fix parsing of XkbSA_DeviceValuator action type 2021-03-30 18:47:04 +00:00

The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients.  The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time.  The default keymap for any server is usually stored in:
     X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.

Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.