Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 096a5af8e52faafc38ae84dd17bede7ac03a3b83 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | |
3 | Date: Mon, 10 Nov 2014 12:13:36 -0500 | |
4 | Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests | |
5 | [CVE-2014-8093 1/6] | |
6 | ||
7 | If the size computation routine returns -1 we should just reject the | |
8 | request outright. Clamping it to zero could give an attacker the | |
9 | opportunity to also mangle cmdlen in such a way that the subsequent | |
10 | length check passes, and the request would get executed, thus passing | |
11 | data we wanted to reject to the renderer. | |
12 | ||
13 | Reviewed-by: Keith Packard <keithp@keithp.com> | |
14 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
15 | Reviewed-by: Michal Srb <msrb@suse.com> | |
16 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
17 | Signed-off-by: Adam Jackson <ajax@redhat.com> | |
18 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
19 | --- | |
20 | glx/glxcmds.c | 4 ++-- | |
21 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
22 | ||
23 | Index: xorg-server-1.15.1/glx/glxcmds.c | |
24 | =================================================================== | |
25 | --- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:55:22.293001486 -0500 | |
26 | +++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:55:22.289001461 -0500 | |
27 | @@ -2052,7 +2052,7 @@ | |
28 | extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, | |
29 | client->swapped); | |
30 | if (extra < 0) { | |
31 | - extra = 0; | |
32 | + return BadLength; | |
33 | } | |
34 | if (cmdlen != __GLX_PAD(entry.bytes + extra)) { | |
35 | return BadLength; | |
36 | @@ -2169,7 +2169,7 @@ | |
37 | extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, | |
38 | client->swapped); | |
39 | if (extra < 0) { | |
40 | - extra = 0; | |
41 | + return BadLength; | |
42 | } | |
43 | /* large command's header is 4 bytes longer, so add 4 */ | |
44 | if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { |