[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0003-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch

From 2f605f86acec5ce853f764c41f8c737154a274f5 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 6 Jan 2014 23:30:14 -0800
Subject: [PATCH 03/33] dix: integer overflow in GetHosts() [CVE-2014-8092
 2/4]

GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.

This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 os/access.c |    6 ++++++
 1 file changed, 6 insertions(+)

Index: xorg-server-1.16.0/os/access.c
===================================================================
--- xorg-server-1.16.0.orig/os/access.c	2014-12-04 11:11:43.752542885 -0500
+++ xorg-server-1.16.0/os/access.c	2014-12-04 11:11:43.748542843 -0500
@@ -1323,6 +1323,10 @@
     for (host = validhosts; host; host = host->next) {
         nHosts++;
         n += pad_to_int32(host->len) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1048576)
+            break;
     }
     if (n) {
         *data = ptr = malloc(n);
@@ -1331,6 +1335,8 @@
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+                break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
             ptr += sizeof(xHostEntry);
Commit	Line	Data
7217e0ca ML	1	From 2f605f86acec5ce853f764c41f8c737154a274f5 Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Mon, 6 Jan 2014 23:30:14 -0800
	4	Subject: [PATCH 03/33] dix: integer overflow in GetHosts() [CVE-2014-8092
	5	2/4]
	6
	7	GetHosts() iterates over all the hosts it has in memory, and copies
	8	them to a buffer. The buffer length is calculated by iterating over
	9	all the hosts and adding up all of their combined length. There is a
	10	potential integer overflow, if there are lots and lots of hosts (with
	11	a combined length of > ~4 gig). This should be possible by repeatedly
	12	calling ProcChangeHosts() on 64bit machines with enough memory.
	13
	14	This patch caps the list at 1mb, because multi-megabyte hostname
	15	lists for X access control are insane.
	16
	17	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	19	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	20	---
	21	os/access.c \| 6 ++++++
	22	1 file changed, 6 insertions(+)
	23
	24	Index: xorg-server-1.16.0/os/access.c
	25	===================================================================
	26	--- xorg-server-1.16.0.orig/os/access.c 2014-12-04 11:11:43.752542885 -0500
	27	+++ xorg-server-1.16.0/os/access.c 2014-12-04 11:11:43.748542843 -0500
	28	@@ -1323,6 +1323,10 @@
	29	for (host = validhosts; host; host = host->next) {
	30	nHosts++;
	31	n += pad_to_int32(host->len) + sizeof(xHostEntry);
	32	+ /* Could check for INT_MAX, but in reality having more than 1mb of
	33	+ hostnames in the access list is ridiculous */
	34	+ if (n >= 1048576)
	35	+ break;
	36	}
	37	if (n) {
	38	*data = ptr = malloc(n);
	39	@@ -1331,6 +1335,8 @@
	40	}
	41	for (host = validhosts; host; host = host->next) {
	42	len = host->len;
	43	+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
	44	+ break;
	45	((xHostEntry *) ptr)->family = host->family;
	46	((xHostEntry *) ptr)->length = len;
	47	ptr += sizeof(xHostEntry);