[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0003-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch

From 2f605f86acec5ce853f764c41f8c737154a274f5 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 6 Jan 2014 23:30:14 -0800
Subject: [PATCH 03/33] dix: integer overflow in GetHosts() [CVE-2014-8092
 2/4]

GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.

This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 os/access.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/os/access.c
+++ b/os/access.c
@@ -1323,6 +1323,10 @@ GetHosts(pointer *data, int *pnHosts, in
     for (host = validhosts; host; host = host->next) {
         nHosts++;
         n += pad_to_int32(host->len) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1048576)
+            break;
     }
     if (n) {
         *data = ptr = malloc(n);
@@ -1331,6 +1335,8 @@ GetHosts(pointer *data, int *pnHosts, in
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+                break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
             ptr += sizeof(xHostEntry);
Commit	Line	Data
7217e0ca ML	1	From 2f605f86acec5ce853f764c41f8c737154a274f5 Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Mon, 6 Jan 2014 23:30:14 -0800
	4	Subject: [PATCH 03/33] dix: integer overflow in GetHosts() [CVE-2014-8092
	5	2/4]
	6
	7	GetHosts() iterates over all the hosts it has in memory, and copies
	8	them to a buffer. The buffer length is calculated by iterating over
	9	all the hosts and adding up all of their combined length. There is a
	10	potential integer overflow, if there are lots and lots of hosts (with
	11	a combined length of > ~4 gig). This should be possible by repeatedly
	12	calling ProcChangeHosts() on 64bit machines with enough memory.
	13
	14	This patch caps the list at 1mb, because multi-megabyte hostname
	15	lists for X access control are insane.
	16
	17	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	19	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	20	---
	21	os/access.c \| 6 ++++++
	22	1 file changed, 6 insertions(+)
	23
4db25562 JB	24	--- a/os/access.c
	25	+++ b/os/access.c
	26	@@ -1323,6 +1323,10 @@ GetHosts(pointer data, int pnHosts, in
7217e0ca ML	27	for (host = validhosts; host; host = host->next) {
	28	nHosts++;
	29	n += pad_to_int32(host->len) + sizeof(xHostEntry);
	30	+ /* Could check for INT_MAX, but in reality having more than 1mb of
	31	+ hostnames in the access list is ridiculous */
	32	+ if (n >= 1048576)
	33	+ break;
	34	}
	35	if (n) {
	36	*data = ptr = malloc(n);
4db25562	37	@@ -1331,6 +1335,8 @@ GetHosts(pointer data, int pnHosts, in
7217e0ca ML	38	}
	39	for (host = validhosts; host; host = host->next) {
	40	len = host->len;
	41	+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
	42	+ break;
	43	((xHostEntry *) ptr)->family = host->family;
	44	((xHostEntry *) ptr)->length = len;
	45	ptr += sizeof(xHostEntry);