[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0017-Add-request-length-checking-test-cases-for-some-Xinp.patch

From 0b199c0b23aecfdce53c28ea653c9342217d6f33 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 9 Feb 2014 21:27:27 -0800
Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
 1.x requests

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 configure.ac                             |    1 +
 test/Makefile.am                         |    2 +-
 test/xi1/Makefile.am                     |   34 +++++++++
 test/xi1/protocol-xchangedevicecontrol.c |  122 ++++++++++++++++++++++++++++++
 4 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 test/xi1/Makefile.am
 create mode 100644 test/xi1/protocol-xchangedevicecontrol.c

--- a/configure.ac
+++ b/configure.ac
@@ -2553,6 +2553,7 @@ hw/kdrive/fbdev/Makefile
 hw/kdrive/linux/Makefile
 hw/kdrive/src/Makefile
 test/Makefile
+test/xi1/Makefile
 test/xi2/Makefile
 xserver.ent
 xorg-server.pc
--- /dev/null
+++ b/test/xi1/Makefile.am
@@ -0,0 +1,34 @@
+if ENABLE_UNIT_TESTS
+if HAVE_LD_WRAP
+noinst_PROGRAMS =  \
+	protocol-xchangedevicecontrol
+
+TESTS=$(noinst_PROGRAMS)
+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
+
+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
+
+if SPECIAL_DTRACE_OBJECTS
+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
+endif
+
+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
+
+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
+
+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
+
+else
+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
+TESTS = xi1-tests
+CLEANFILES = $(TESTS)
+
+xi1-tests:
+	@echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
+	@echo 'exit 77' >> $@
+	$(AM_V_GEN)chmod +x $@
+endif
+endif
--- /dev/null
+++ b/test/xi1/protocol-xchangedevicecontrol.c
@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_DIX_CONFIG_H
+#include <dix-config.h>
+#endif
+
+/*
+ * Protocol testing for ChangeDeviceControl request.
+ */
+#include <stdint.h>
+#include <X11/X.h>
+#include <X11/Xproto.h>
+#include <X11/extensions/XIproto.h>
+#include "inputstr.h"
+#include "chgdctl.h"
+
+#include "protocol-common.h"
+
+static ClientRec client_request;
+
+static void
+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
+{
+    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
+
+    if (client->swapped) {
+        swapl(&rep->length);
+        swaps(&rep->sequenceNumber);
+    }
+
+    reply_check_defaults(rep, len, ChangeDeviceControl);
+
+    /* XXX: check status code in reply */
+}
+
+static void
+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
+                            xDeviceCtl *ctl, int error)
+{
+    int rc;
+
+    client_request.req_len = req->length;
+    rc = ProcXChangeDeviceControl(&client_request);
+    assert(rc == error);
+
+    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
+
+    client_request.swapped = TRUE;
+    swaps(&req->length);
+    swaps(&req->control);
+    swaps(&ctl->length);
+    swaps(&ctl->control);
+    /* XXX: swap other contents of ctl, depending on type */
+    rc = SProcXChangeDeviceControl(&client_request);
+    assert(rc == error);
+}
+
+static unsigned char *data[4096];       /* the request buffer */
+
+static void
+test_ChangeDeviceControl(void)
+{
+    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
+    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
+
+    request_init(request, ChangeDeviceControl);
+
+    reply_handler = reply_ChangeDeviceControl;
+
+    client_request = init_client(request->length, request);
+
+    printf("Testing invalid lengths:\n");
+    printf(" -- no control struct\n");
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    printf(" -- xDeviceResolutionCtl\n");
+    request_init(request, ChangeDeviceControl);
+    request->control = DEVICE_RESOLUTION;
+    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
+    request->length += control->length - 2;
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    printf(" -- xDeviceEnableCtl\n");
+    request_init(request, ChangeDeviceControl);
+    request->control = DEVICE_ENABLE;
+    control->length = (sizeof(xDeviceEnableCtl) >> 2);
+    request->length += control->length - 2;
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    /* XXX: Test functionality! */
+}
+
+int
+main(int argc, char **argv)
+{
+    init_simple();
+
+    test_ChangeDeviceControl();
+
+    return 0;
+}
Commit	Line	Data
7217e0ca ML	1	From 0b199c0b23aecfdce53c28ea653c9342217d6f33 Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Sun, 9 Feb 2014 21:27:27 -0800
	4	Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
	5	1.x requests
	6
	7	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	8	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	9	---
	10	configure.ac \| 1 +
	11	test/Makefile.am \| 2 +-
	12	test/xi1/Makefile.am \| 34 +++++++++
	13	test/xi1/protocol-xchangedevicecontrol.c \| 122 ++++++++++++++++++++++++++++++
	14	4 files changed, 158 insertions(+), 1 deletion(-)
	15	create mode 100644 test/xi1/Makefile.am
	16	create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
	17
4db25562 JB	18	--- a/configure.ac
	19	+++ b/configure.ac
	20	@@ -2553,6 +2553,7 @@ hw/kdrive/fbdev/Makefile
7217e0ca ML	21	hw/kdrive/linux/Makefile
	22	hw/kdrive/src/Makefile
	23	test/Makefile
	24	+test/xi1/Makefile
	25	test/xi2/Makefile
	26	xserver.ent
	27	xorg-server.pc
4db25562 JB	28	--- /dev/null
4db25562 JB	29	+++ b/test/xi1/Makefile.am
7217e0ca ML	30	@@ -0,0 +1,34 @@
	31	+if ENABLE_UNIT_TESTS
	32	+if HAVE_LD_WRAP
	33	+noinst_PROGRAMS = \
	34	+ protocol-xchangedevicecontrol
	35	+
	36	+TESTS=$(noinst_PROGRAMS)
	37	+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
	38	+
	39	+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
	40	+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
	41	+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
	42	+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
	43	+
	44	+if SPECIAL_DTRACE_OBJECTS
	45	+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
	46	+endif
	47	+
	48	+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
	49	+
	50	+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
	51	+
	52	+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
	53	+
	54	+else
	55	+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
	56	+TESTS = xi1-tests
	57	+CLEANFILES = $(TESTS)
	58	+
	59	+xi1-tests:
	60	+ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
	61	+ @echo 'exit 77' >> $@
	62	+ $(AM_V_GEN)chmod +x $@
	63	+endif
	64	+endif
4db25562 JB	65	--- /dev/null
4db25562 JB	66	+++ b/test/xi1/protocol-xchangedevicecontrol.c
7217e0ca ML	67	@@ -0,0 +1,122 @@
	68	+/**
	69	+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
	70	+ *
	71	+ * Permission is hereby granted, free of charge, to any person obtaining a
	72	+ * copy of this software and associated documentation files (the "Software"),
	73	+ * to deal in the Software without restriction, including without limitation
	74	+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
	75	+ * and/or sell copies of the Software, and to permit persons to whom the
	76	+ * Software is furnished to do so, subject to the following conditions:
	77	+ *
	78	+ * The above copyright notice and this permission notice (including the next
	79	+ * paragraph) shall be included in all copies or substantial portions of the
	80	+ * Software.
	81	+ *
	82	+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	83	+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	84	+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
	85	+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	86	+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
	87	+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
	88	+ * DEALINGS IN THE SOFTWARE.
	89	+ */
	90	+
	91	+#ifdef HAVE_DIX_CONFIG_H
	92	+#include <dix-config.h>
	93	+#endif
	94	+
	95	+/*
	96	+ * Protocol testing for ChangeDeviceControl request.
	97	+ */
	98	+#include <stdint.h>
	99	+#include <X11/X.h>
	100	+#include <X11/Xproto.h>
	101	+#include <X11/extensions/XIproto.h>
	102	+#include "inputstr.h"
	103	+#include "chgdctl.h"
	104	+
	105	+#include "protocol-common.h"
	106	+
	107	+static ClientRec client_request;
	108	+
	109	+static void
	110	+reply_ChangeDeviceControl(ClientPtr client, int len, char data, void userdata)
	111	+{
	112	+ xChangeDeviceControlReply rep = (xChangeDeviceControlReply ) data;
	113	+
	114	+ if (client->swapped) {
	115	+ swapl(&rep->length);
	116	+ swaps(&rep->sequenceNumber);
	117	+ }
	118	+
	119	+ reply_check_defaults(rep, len, ChangeDeviceControl);
	120	+
	121	+ /* XXX: check status code in reply */
	122	+}
	123	+
	124	+static void
	125	+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
	126	+ xDeviceCtl *ctl, int error)
	127	+{
	128	+ int rc;
	129	+
	130	+ client_request.req_len = req->length;
131	+ rc = ProcXChangeDeviceControl(&client_request);
132	+ assert(rc == error);
133	+
134	+ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
135	+
136	+ client_request.swapped = TRUE;
137	+ swaps(&req->length);
138	+ swaps(&req->control);
139	+ swaps(&ctl->length);
140	+ swaps(&ctl->control);
141	+ /* XXX: swap other contents of ctl, depending on type */
142	+ rc = SProcXChangeDeviceControl(&client_request);
143	+ assert(rc == error);
144	+}
145	+
146	+static unsigned char data[4096]; / the request buffer */
147	+
148	+static void
149	+test_ChangeDeviceControl(void)
150	+{
151	+ xChangeDeviceControlReq request = (xChangeDeviceControlReq ) data;
152	+ xDeviceCtl control = (xDeviceCtl ) (&request[1]);
153	+
154	+ request_init(request, ChangeDeviceControl);
155	+
156	+ reply_handler = reply_ChangeDeviceControl;
157	+
158	+ client_request = init_client(request->length, request);
159	+
160	+ printf("Testing invalid lengths:\n");
161	+ printf(" -- no control struct\n");
162	+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
163	+
164	+ printf(" -- xDeviceResolutionCtl\n");
165	+ request_init(request, ChangeDeviceControl);
166	+ request->control = DEVICE_RESOLUTION;
167	+ control->length = (sizeof(xDeviceResolutionCtl) >> 2);
168	+ request->length += control->length - 2;
169	+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
170	+
171	+ printf(" -- xDeviceEnableCtl\n");
172	+ request_init(request, ChangeDeviceControl);
173	+ request->control = DEVICE_ENABLE;
174	+ control->length = (sizeof(xDeviceEnableCtl) >> 2);
175	+ request->length += control->length - 2;
176	+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
177	+
178	+ /* XXX: Test functionality! */
179	+}
180	+
181	+int
182	+main(int argc, char **argv)
183	+{
184	+ init_simple();
185	+
186	+ test_ChangeDeviceControl();
187	+
188	+ return 0;
189	+}