| 1 | From 096a5af8e52faafc38ae84dd17bede7ac03a3b83 Mon Sep 17 00:00:00 2001 |
| 2 | From: Adam Jackson <ajax@redhat.com> |
| 3 | Date: Mon, 10 Nov 2014 12:13:36 -0500 |
| 4 | Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests |
| 5 | [CVE-2014-8093 1/6] |
| 6 | |
| 7 | If the size computation routine returns -1 we should just reject the |
| 8 | request outright. Clamping it to zero could give an attacker the |
| 9 | opportunity to also mangle cmdlen in such a way that the subsequent |
| 10 | length check passes, and the request would get executed, thus passing |
| 11 | data we wanted to reject to the renderer. |
| 12 | |
| 13 | Reviewed-by: Keith Packard <keithp@keithp.com> |
| 14 | Reviewed-by: Julien Cristau <jcristau@debian.org> |
| 15 | Reviewed-by: Michal Srb <msrb@suse.com> |
| 16 | Reviewed-by: Andy Ritger <aritger@nvidia.com> |
| 17 | Signed-off-by: Adam Jackson <ajax@redhat.com> |
| 18 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 19 | --- |
| 20 | glx/glxcmds.c | 4 ++-- |
| 21 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 22 | |
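--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2052,7 +2052,7 @@ __glXDisp_Render(__GLXclientState * cl,
 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
 client->swapped);
 if (extra < 0) {
- extra = 0;
+ return BadLength;
 }
 if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
 return BadLength;
@@ -2169,7 +2169,7 @@ __glXDisp_RenderLarge(__GLXclientState *
 extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
 client->swapped);
 if (extra < 0) {
- extra = 0;
+ return BadLength;
 }
 /* large command's header is 4 bytes longer, so add 4 */
 if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {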
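Review bot: The new `return BadLength;` in both hunks (the __glXDisp_Render hunk and the __glXDisp_RenderLarge hunk) replaces the clamp without saying why, and the reasoning lives only in the commit message; a one-line comment at each site would keep a later maintainer from reintroducing `extra = 0`, e.g. `/* varsize reported malformed data: reject outright, since a clamped extra would let cmdlen be tuned to pass the padded-size check below */`. The `__GLX_PAD(entry.bytes + extra)` comparison that follows still depends on every varsize callback reporting truncated or oversized input as a negative value; what those callbacks actually return is not visible here, so that is an assumption worth confirming in the callers. Both enclosing functions start and end outside the hunks.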