debian/patches/CVE-2014-8xxx/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch

   1 From 0b199c0b23aecfdce53c28ea653c9342217d6f33 Mon Sep 17 00:00:00 2001
   2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
   3 Date: Sun, 9 Feb 2014 21:27:27 -0800
   4 Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
   5  1.x requests
   6
   7 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
   8 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
   9 ---
  10  configure.ac                             |    1 +
  11  test/Makefile.am                         |    2 +-
  12  test/xi1/Makefile.am                     |   34 +++++++++
  13  test/xi1/protocol-xchangedevicecontrol.c |  122 ++++++++++++++++++++++++++++++
  14  4 files changed, 158 insertions(+), 1 deletion(-)
  15  create mode 100644 test/xi1/Makefile.am
  16  create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
  17
  18 Index: xorg-server-1.15.1/configure.ac
  19 ===================================================================
  20 --- xorg-server-1.15.1.orig/configure.ac        2014-12-04 11:54:14.712587810 -0500
  21 +++ xorg-server-1.15.1/configure.ac     2014-12-04 11:54:14.708587787 -0500
  22 @@ -2553,6 +2553,7 @@
  23  hw/kdrive/linux/Makefile
  24  hw/kdrive/src/Makefile
  25  test/Makefile
  26 +test/xi1/Makefile
  27  test/xi2/Makefile
  28  xserver.ent
  29  xorg-server.pc
  30 Index: xorg-server-1.15.1/test/xi1/Makefile.am
  31 ===================================================================
  32 --- /dev/null   1970-01-01 00:00:00.000000000 +0000
  33 +++ xorg-server-1.15.1/test/xi1/Makefile.am     2014-12-04 11:54:14.708587787 -0500
  34 @@ -0,0 +1,34 @@
  35 +if ENABLE_UNIT_TESTS
  36 +if HAVE_LD_WRAP
  37 +noinst_PROGRAMS =  \
  38 +       protocol-xchangedevicecontrol
  39 +
  40 +TESTS=$(noinst_PROGRAMS)
  41 +TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
  42 +
  43 +AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
  44 +AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
  45 +TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
  46 +COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
  47 +
  48 +if SPECIAL_DTRACE_OBJECTS
  49 +TEST_LDADD += $(OS_LIB) $(DIX_LIB)
  50 +endif
  51 +
  52 +protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
  53 +
  54 +protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
  55 +
  56 +protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
  57 +
  58 +else
  59 +# Print that xi1-tests were skipped (exit code 77 for automake test harness)
  60 +TESTS = xi1-tests
  61 +CLEANFILES = $(TESTS)
  62 +
  63 +xi1-tests:
  64 +       @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
  65 +       @echo 'exit 77' >> $@
  66 +       $(AM_V_GEN)chmod +x $@
  67 +endif
  68 +endif
  69 Index: xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c
  70 ===================================================================
  71 --- /dev/null   1970-01-01 00:00:00.000000000 +0000
  72 +++ xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c 2014-12-04 11:54:14.708587787 -0500
  73 @@ -0,0 +1,122 @@
  74 +/**
  75 + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
  76 + *
  77 + * Permission is hereby granted, free of charge, to any person obtaining a
  78 + * copy of this software and associated documentation files (the "Software"),
  79 + * to deal in the Software without restriction, including without limitation
  80 + * the rights to use, copy, modify, merge, publish, distribute, sublicense,
  81 + * and/or sell copies of the Software, and to permit persons to whom the
  82 + * Software is furnished to do so, subject to the following conditions:
  83 + *
  84 + * The above copyright notice and this permission notice (including the next
  85 + * paragraph) shall be included in all copies or substantial portions of the
  86 + * Software.
  87 + *
  88 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  89 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  90 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  91 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  92 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  93 + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
  94 + * DEALINGS IN THE SOFTWARE.
  95 + */
  96 +
  97 +#ifdef HAVE_DIX_CONFIG_H
  98 +#include <dix-config.h>
  99 +#endif
 100 +
 101 +/*
 102 + * Protocol testing for ChangeDeviceControl request.
 103 + */
 104 +#include <stdint.h>
 105 +#include <X11/X.h>
 106 +#include <X11/Xproto.h>
 107 +#include <X11/extensions/XIproto.h>
 108 +#include "inputstr.h"
 109 +#include "chgdctl.h"
 110 +
 111 +#include "protocol-common.h"
 112 +
 113 +static ClientRec client_request;
 114 +
 115 +static void
 116 +reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
 117 +{
 118 +    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
 119 +
 120 +    if (client->swapped) {
 121 +        swapl(&rep->length);
 122 +        swaps(&rep->sequenceNumber);
 123 +    }
 124 +
 125 +    reply_check_defaults(rep, len, ChangeDeviceControl);
 126 +
 127 +    /* XXX: check status code in reply */
 128 +}
 129 +
 130 +static void
 131 +request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
 132 +                            xDeviceCtl *ctl, int error)
 133 +{
 134 +    int rc;
 135 +
 136 +    client_request.req_len = req->length;
 137 +    rc = ProcXChangeDeviceControl(&client_request);
 138 +    assert(rc == error);
 139 +
 140 +    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
 141 +
 142 +    client_request.swapped = TRUE;
 143 +    swaps(&req->length);
 144 +    swaps(&req->control);
 145 +    swaps(&ctl->length);
 146 +    swaps(&ctl->control);
 147 +    /* XXX: swap other contents of ctl, depending on type */
 148 +    rc = SProcXChangeDeviceControl(&client_request);
 149 +    assert(rc == error);
 150 +}
 151 +
 152 +static unsigned char *data[4096];       /* the request buffer */
 153 +
 154 +static void
 155 +test_ChangeDeviceControl(void)
 156 +{
 157 +    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
 158 +    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
 159 +
 160 +    request_init(request, ChangeDeviceControl);
 161 +
 162 +    reply_handler = reply_ChangeDeviceControl;
 163 +
 164 +    client_request = init_client(request->length, request);
 165 +
 166 +    printf("Testing invalid lengths:\n");
 167 +    printf(" -- no control struct\n");
 168 +    request_ChangeDeviceControl(&client_request, request, control, BadLength);
 169 +
 170 +    printf(" -- xDeviceResolutionCtl\n");
 171 +    request_init(request, ChangeDeviceControl);
 172 +    request->control = DEVICE_RESOLUTION;
 173 +    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
 174 +    request->length += control->length - 2;
 175 +    request_ChangeDeviceControl(&client_request, request, control, BadLength);
 176 +
 177 +    printf(" -- xDeviceEnableCtl\n");
 178 +    request_init(request, ChangeDeviceControl);
 179 +    request->control = DEVICE_ENABLE;
 180 +    control->length = (sizeof(xDeviceEnableCtl) >> 2);
 181 +    request->length += control->length - 2;
 182 +    request_ChangeDeviceControl(&client_request, request, control, BadLength);
 183 +
 184 +    /* XXX: Test functionality! */
 185 +}
 186 +
 187 +int
 188 +main(int argc, char **argv)
 189 +{
 190 +    init_simple();
 191 +
 192 +    test_ChangeDeviceControl();
 193 +
 194 +    return 0;
 195 +}