[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0017-Add-request-length-checking-test-cases-for-some-Xinp.patch

From 0b199c0b23aecfdce53c28ea653c9342217d6f33 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 9 Feb 2014 21:27:27 -0800
Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
 1.x requests

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 configure.ac                             |    1 +
 test/Makefile.am                         |    2 +-
 test/xi1/Makefile.am                     |   34 +++++++++
 test/xi1/protocol-xchangedevicecontrol.c |  122 ++++++++++++++++++++++++++++++
 4 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 test/xi1/Makefile.am
 create mode 100644 test/xi1/protocol-xchangedevicecontrol.c

Index: xorg-server-1.15.1/configure.ac
===================================================================
--- xorg-server-1.15.1.orig/configure.ac	2014-12-04 11:54:14.712587810 -0500
+++ xorg-server-1.15.1/configure.ac	2014-12-04 11:54:14.708587787 -0500
@@ -2553,6 +2553,7 @@
 hw/kdrive/linux/Makefile
 hw/kdrive/src/Makefile
 test/Makefile
+test/xi1/Makefile
 test/xi2/Makefile
 xserver.ent
 xorg-server.pc
Index: xorg-server-1.15.1/test/xi1/Makefile.am
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ xorg-server-1.15.1/test/xi1/Makefile.am	2014-12-04 11:54:14.708587787 -0500
@@ -0,0 +1,34 @@
+if ENABLE_UNIT_TESTS
+if HAVE_LD_WRAP
+noinst_PROGRAMS =  \
+	protocol-xchangedevicecontrol
+
+TESTS=$(noinst_PROGRAMS)
+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
+
+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
+
+if SPECIAL_DTRACE_OBJECTS
+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
+endif
+
+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
+
+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
+
+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
+
+else
+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
+TESTS = xi1-tests
+CLEANFILES = $(TESTS)
+
+xi1-tests:
+	@echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
+	@echo 'exit 77' >> $@
+	$(AM_V_GEN)chmod +x $@
+endif
+endif
Index: xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c	2014-12-04 11:54:14.708587787 -0500
@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_DIX_CONFIG_H
+#include <dix-config.h>
+#endif
+
+/*
+ * Protocol testing for ChangeDeviceControl request.
+ */
+#include <stdint.h>
+#include <X11/X.h>
+#include <X11/Xproto.h>
+#include <X11/extensions/XIproto.h>
+#include "inputstr.h"
+#include "chgdctl.h"
+
+#include "protocol-common.h"
+
+static ClientRec client_request;
+
+static void
+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
+{
+    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
+
+    if (client->swapped) {
+        swapl(&rep->length);
+        swaps(&rep->sequenceNumber);
+    }
+
+    reply_check_defaults(rep, len, ChangeDeviceControl);
+
+    /* XXX: check status code in reply */
+}
+
+static void
+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
+                            xDeviceCtl *ctl, int error)
+{
+    int rc;
+
+    client_request.req_len = req->length;
+    rc = ProcXChangeDeviceControl(&client_request);
+    assert(rc == error);
+
+    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
+
+    client_request.swapped = TRUE;
+    swaps(&req->length);
+    swaps(&req->control);
+    swaps(&ctl->length);
+    swaps(&ctl->control);
+    /* XXX: swap other contents of ctl, depending on type */
+    rc = SProcXChangeDeviceControl(&client_request);
+    assert(rc == error);
+}
+
+static unsigned char *data[4096];       /* the request buffer */
+
+static void
+test_ChangeDeviceControl(void)
+{
+    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
+    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
+
+    request_init(request, ChangeDeviceControl);
+
+    reply_handler = reply_ChangeDeviceControl;
+
+    client_request = init_client(request->length, request);
+
+    printf("Testing invalid lengths:\n");
+    printf(" -- no control struct\n");
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    printf(" -- xDeviceResolutionCtl\n");
+    request_init(request, ChangeDeviceControl);
+    request->control = DEVICE_RESOLUTION;
+    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
+    request->length += control->length - 2;
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    printf(" -- xDeviceEnableCtl\n");
+    request_init(request, ChangeDeviceControl);
+    request->control = DEVICE_ENABLE;
+    control->length = (sizeof(xDeviceEnableCtl) >> 2);
+    request->length += control->length - 2;
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    /* XXX: Test functionality! */
+}
+
+int
+main(int argc, char **argv)
+{
+    init_simple();
+
+    test_ChangeDeviceControl();
+
+    return 0;
+}
Commit	Line	Data
7217e0ca ML	1	From 0b199c0b23aecfdce53c28ea653c9342217d6f33 Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Sun, 9 Feb 2014 21:27:27 -0800
	4	Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
	5	1.x requests
	6
	7	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	8	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	9	---
	10	configure.ac \| 1 +
	11	test/Makefile.am \| 2 +-
	12	test/xi1/Makefile.am \| 34 +++++++++
	13	test/xi1/protocol-xchangedevicecontrol.c \| 122 ++++++++++++++++++++++++++++++
	14	4 files changed, 158 insertions(+), 1 deletion(-)
	15	create mode 100644 test/xi1/Makefile.am
	16	create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
	17
	18	Index: xorg-server-1.15.1/configure.ac
	19	===================================================================
	20	--- xorg-server-1.15.1.orig/configure.ac 2014-12-04 11:54:14.712587810 -0500
	21	+++ xorg-server-1.15.1/configure.ac 2014-12-04 11:54:14.708587787 -0500
	22	@@ -2553,6 +2553,7 @@
	23	hw/kdrive/linux/Makefile
	24	hw/kdrive/src/Makefile
	25	test/Makefile
	26	+test/xi1/Makefile
	27	test/xi2/Makefile
	28	xserver.ent
	29	xorg-server.pc
	30	Index: xorg-server-1.15.1/test/xi1/Makefile.am
	31	===================================================================
	32	--- /dev/null 1970-01-01 00:00:00.000000000 +0000
	33	+++ xorg-server-1.15.1/test/xi1/Makefile.am 2014-12-04 11:54:14.708587787 -0500
	34	@@ -0,0 +1,34 @@
	35	+if ENABLE_UNIT_TESTS
	36	+if HAVE_LD_WRAP
	37	+noinst_PROGRAMS = \
	38	+ protocol-xchangedevicecontrol
	39	+
	40	+TESTS=$(noinst_PROGRAMS)
	41	+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
	42	+
	43	+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
	44	+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
	45	+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
	46	+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
	47	+
	48	+if SPECIAL_DTRACE_OBJECTS
	49	+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
	50	+endif
	51	+
	52	+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
	53	+
	54	+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
	55	+
	56	+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
	57	+
	58	+else
	59	+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
	60	+TESTS = xi1-tests
	61	+CLEANFILES = $(TESTS)
	62	+
	63	+xi1-tests:
	64	+ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
65	+ @echo 'exit 77' >> $@
66	+ $(AM_V_GEN)chmod +x $@
67	+endif
68	+endif
69	Index: xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c
70	===================================================================
71	--- /dev/null 1970-01-01 00:00:00.000000000 +0000
72	+++ xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c 2014-12-04 11:54:14.708587787 -0500
73	@@ -0,0 +1,122 @@
74	+/**
75	+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
76	+ *
77	+ * Permission is hereby granted, free of charge, to any person obtaining a
78	+ * copy of this software and associated documentation files (the "Software"),
79	+ * to deal in the Software without restriction, including without limitation
80	+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
81	+ * and/or sell copies of the Software, and to permit persons to whom the
82	+ * Software is furnished to do so, subject to the following conditions:
83	+ *
84	+ * The above copyright notice and this permission notice (including the next
85	+ * paragraph) shall be included in all copies or substantial portions of the
86	+ * Software.
87	+ *
88	+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
89	+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
90	+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
91	+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
92	+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
93	+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
94	+ * DEALINGS IN THE SOFTWARE.
95	+ */
96	+
97	+#ifdef HAVE_DIX_CONFIG_H
98	+#include <dix-config.h>
99	+#endif
100	+
101	+/*
102	+ * Protocol testing for ChangeDeviceControl request.
103	+ */
104	+#include <stdint.h>
105	+#include <X11/X.h>
106	+#include <X11/Xproto.h>
107	+#include <X11/extensions/XIproto.h>
108	+#include "inputstr.h"
109	+#include "chgdctl.h"
110	+
111	+#include "protocol-common.h"
112	+
113	+static ClientRec client_request;
114	+
115	+static void
116	+reply_ChangeDeviceControl(ClientPtr client, int len, char data, void userdata)
117	+{
118	+ xChangeDeviceControlReply rep = (xChangeDeviceControlReply ) data;
119	+
120	+ if (client->swapped) {
121	+ swapl(&rep->length);
122	+ swaps(&rep->sequenceNumber);
123	+ }
124	+
125	+ reply_check_defaults(rep, len, ChangeDeviceControl);
126	+
127	+ /* XXX: check status code in reply */
128	+}
129	+
130	+static void
131	+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
132	+ xDeviceCtl *ctl, int error)
133	+{
134	+ int rc;
135	+
136	+ client_request.req_len = req->length;
137	+ rc = ProcXChangeDeviceControl(&client_request);
138	+ assert(rc == error);
139	+
140	+ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
141	+
142	+ client_request.swapped = TRUE;
143	+ swaps(&req->length);
144	+ swaps(&req->control);
145	+ swaps(&ctl->length);
146	+ swaps(&ctl->control);
147	+ /* XXX: swap other contents of ctl, depending on type */
148	+ rc = SProcXChangeDeviceControl(&client_request);
149	+ assert(rc == error);
150	+}
151	+
152	+static unsigned char data[4096]; / the request buffer */
153	+
154	+static void
155	+test_ChangeDeviceControl(void)
156	+{
157	+ xChangeDeviceControlReq request = (xChangeDeviceControlReq ) data;
158	+ xDeviceCtl control = (xDeviceCtl ) (&request[1]);
159	+
160	+ request_init(request, ChangeDeviceControl);
161	+
162	+ reply_handler = reply_ChangeDeviceControl;
163	+
164	+ client_request = init_client(request->length, request);
165	+
166	+ printf("Testing invalid lengths:\n");
167	+ printf(" -- no control struct\n");
168	+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
169	+
170	+ printf(" -- xDeviceResolutionCtl\n");
171	+ request_init(request, ChangeDeviceControl);
172	+ request->control = DEVICE_RESOLUTION;
173	+ control->length = (sizeof(xDeviceResolutionCtl) >> 2);
174	+ request->length += control->length - 2;
175	+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
176	+
177	+ printf(" -- xDeviceEnableCtl\n");
178	+ request_init(request, ChangeDeviceControl);
179	+ request->control = DEVICE_ENABLE;
180	+ control->length = (sizeof(xDeviceEnableCtl) >> 2);
181	+ request->length += control->length - 2;
182	+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
183	+
184	+ /* XXX: Test functionality! */
185	+}
186	+
187	+int
188	+main(int argc, char **argv)
189	+{
190	+ init_simple();
191	+
192	+ test_ChangeDeviceControl();
193	+
194	+ return 0;
195	+}