| 1 | From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001 |
| 2 | From: Julien Cristau <jcristau@debian.org> |
| 3 | Date: Mon, 10 Nov 2014 12:13:41 -0500 |
| 4 | Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2) |
| 5 | [CVE-2014-8098 2/8] |
| 6 | |
| 7 | v2: |
| 8 | Remove can't-happen comparison for cmdlen < 0 (Michal Srb) |
| 9 | |
| 10 | Reviewed-by: Adam Jackson <ajax@redhat.com> |
| 11 | Reviewed-by: Michal Srb <msrb@suse.com> |
| 12 | Reviewed-by: Andy Ritger <aritger@nvidia.com> |
| 13 | Signed-off-by: Julien Cristau <jcristau@debian.org> |
| 14 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 15 | --- |
| 16 | glx/glxcmds.c | 21 ++++++++++----------- |
| 17 | 1 file changed, 10 insertions(+), 11 deletions(-) |
| 18 | |
| 19 | Index: xorg-server-1.15.1/glx/glxcmds.c |
| 20 | =================================================================== |
| 21 | --- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:56:07.897284200 -0500 |
| 22 | +++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:56:07.893284176 -0500 |
| 23 | @@ -2015,7 +2015,7 @@ |
| 24 | left = (req->length << 2) - sz_xGLXRenderReq; |
| 25 | while (left > 0) { |
| 26 | __GLXrenderSizeData entry; |
| 27 | - int extra; |
| 28 | + int extra = 0; |
| 29 | __GLXdispatchRenderProcPtr proc; |
| 30 | int err; |
| 31 | |
| 32 | @@ -2034,6 +2034,9 @@ |
| 33 | cmdlen = hdr->length; |
| 34 | opcode = hdr->opcode; |
| 35 | |
| 36 | + if (left < cmdlen) |
| 37 | + return BadLength; |
| 38 | + |
| 39 | /* |
| 40 | ** Check for core opcodes and grab entry data. |
| 41 | */ |
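Review bot: The new guard `if (left < cmdlen)` / `return BadLength;` is written without braces, while the other guards this same patch adds (`if (cmdlen < entry.bytes) {` in the next hunk and the `safe_pad` comparison in the last one) are braced, as are the single-statement bodies visible elsewhere in the function; for consistency write `if (left < cmdlen) {`, `return BadLength;`, `}`. Its placement is the important part of the change: it now runs before the opcode lookup and before any per-command callback, so a header that claims more bytes than remain in the request is rejected before that memory is touched. The lines where `hdr` and `cmdlen` are read from `pc` sit between the first two hunks and are not visible here.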
| 42 | @@ -2047,6 +2050,10 @@ |
| 43 | return __glXError(GLXBadRenderRequest); |
| 44 | } |
| 45 | |
| 46 | + if (cmdlen < entry.bytes) { |
| 47 | + return BadLength; |
| 48 | + } |
| 49 | + |
| 50 | if (entry.varsize) { |
| 51 | /* variable size command */ |
| 52 | extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, |
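Review bot: The added `cmdlen < entry.bytes` check is what makes the `(*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, ...)` call below it safe, and nothing records that intent; add a comment above it such as `/* Fixed-size part must be present before varsize() may read it: left >= cmdlen >= entry.bytes. */`. The `cmdlen != safe_pad(...)` comparison later in the loop cannot serve this purpose, because it runs only after the callback has already read the payload. The iteration continues in the next hunk, where `extra` is validated and consumed.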
| 53 | @@ -2054,17 +2061,9 @@ |
| 54 | if (extra < 0) { |
| 55 | return BadLength; |
| 56 | } |
| 57 | - if (cmdlen != __GLX_PAD(entry.bytes + extra)) { |
| 58 | - return BadLength; |
| 59 | - } |
| 60 | } |
| 61 | - else { |
| 62 | - /* constant size command */ |
| 63 | - if (cmdlen != __GLX_PAD(entry.bytes)) { |
| 64 | - return BadLength; |
| 65 | - } |
| 66 | - } |
| 67 | - if (left < cmdlen) { |
| 68 | + |
| 69 | + if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) { |
| 70 | return BadLength; |
| 71 | } |
| 72 | |
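Review bot: The single comparison `cmdlen != safe_pad(safe_add(entry.bytes, extra))` now covers both the constant- and variable-size cases, and its overflow behaviour rests on `safe_add`/`safe_pad`, whose definitions are not in this patch (presumably introduced earlier in the series). If, as the names suggest, they return a negative value when the sum or the padding would overflow, then `cmdlen`, which the description says can never be negative, can never match and the request is rejected with BadLength; state that in a comment, e.g. `/* safe_add/safe_pad return a negative value on overflow, which a non-negative cmdlen never matches */`, so a later reader does not reinstate a separate overflow check. The constant-size path also depends on `extra` being initialised to 0 in the first hunk, which the removed else-branch used to handle explicitly. The advance of `pc` and `left` by `cmdlen` at the bottom of the loop lies outside the hunk.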