[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0020-glx-Be-more-paranoid-about-variable-length-requests-.patch

From 096a5af8e52faafc38ae84dd17bede7ac03a3b83 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:36 -0500
Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests
 [CVE-2014-8093 1/6]

If the size computation routine returns -1 we should just reject the
request outright.  Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/glxcmds.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: xorg-server-1.15.1/glx/glxcmds.c
===================================================================
--- xorg-server-1.15.1.orig/glx/glxcmds.c	2014-12-04 11:55:22.293001486 -0500
+++ xorg-server-1.15.1/glx/glxcmds.c	2014-12-04 11:55:22.289001461 -0500
@@ -2052,7 +2052,7 @@
             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
                                       client->swapped);
             if (extra < 0) {
-                extra = 0;
+                return BadLength;
             }
             if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
                 return BadLength;
@@ -2169,7 +2169,7 @@
             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
                                       client->swapped);
             if (extra < 0) {
-                extra = 0;
+                return BadLength;
             }
             /* large command's header is 4 bytes longer, so add 4 */
             if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
Commit	Line	Data
7217e0ca ML	1	From 096a5af8e52faafc38ae84dd17bede7ac03a3b83 Mon Sep 17 00:00:00 2001
	2	From: Adam Jackson <ajax@redhat.com>
	3	Date: Mon, 10 Nov 2014 12:13:36 -0500
	4	Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests
	5	[CVE-2014-8093 1/6]
	6
	7	If the size computation routine returns -1 we should just reject the
	8	request outright. Clamping it to zero could give an attacker the
	9	opportunity to also mangle cmdlen in such a way that the subsequent
	10	length check passes, and the request would get executed, thus passing
	11	data we wanted to reject to the renderer.
	12
	13	Reviewed-by: Keith Packard <keithp@keithp.com>
	14	Reviewed-by: Julien Cristau <jcristau@debian.org>
	15	Reviewed-by: Michal Srb <msrb@suse.com>
	16	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	17	Signed-off-by: Adam Jackson <ajax@redhat.com>
	18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	19	---
	20	glx/glxcmds.c \| 4 ++--
	21	1 file changed, 2 insertions(+), 2 deletions(-)
	22
	23	Index: xorg-server-1.15.1/glx/glxcmds.c
	24	===================================================================
	25	--- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:55:22.293001486 -0500
	26	+++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:55:22.289001461 -0500
	27	@@ -2052,7 +2052,7 @@
	28	extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
	29	client->swapped);
	30	if (extra < 0) {
	31	- extra = 0;
	32	+ return BadLength;
	33	}
	34	if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
	35	return BadLength;
	36	@@ -2169,7 +2169,7 @@
	37	extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
	38	client->swapped);
	39	if (extra < 0) {
	40	- extra = 0;
	41	+ return BadLength;
	42	}
	43	/* large command's header is 4 bytes longer, so add 4 */
	44	if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {