X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0017-Add-request-length-checking-test-cases-for-some-Xinp.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0017-Add-request-length-checking-test-cases-for-some-Xinp.patch;h=cbad490446cec8fba73524c05b5c7637ce22a302;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f
diff --git a/debian/patches/CVE-2014-8xxx/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch b/debian/patches/CVE-2014-8xxx/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch
new file mode 100644
index 0000000..cbad490
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch
@@ -0,0 +1,195 @@
+From 0b199c0b23aecfdce53c28ea653c9342217d6f33 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sun, 9 Feb 2014 21:27:27 -0800
+Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
+ 1.x requests
+
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Peter Hutterer
+---
+ configure.ac | 1 +
+ test/Makefile.am | 2 +-
+ test/xi1/Makefile.am | 34 +++++++++
+ test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++++++++++++
+ 4 files changed, 158 insertions(+), 1 deletion(-)
+ create mode 100644 test/xi1/Makefile.am
+ create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
+
+Index: xorg-server-1.15.1/configure.ac
+===================================================================
+--- xorg-server-1.15.1.orig/configure.ac 2014-12-04 11:54:14.712587810 -0500
++++ xorg-server-1.15.1/configure.ac 2014-12-04 11:54:14.708587787 -0500
+@@ -2553,6 +2553,7 @@
+ hw/kdrive/linux/Makefile
+ hw/kdrive/src/Makefile
+ test/Makefile
++test/xi1/Makefile
+ test/xi2/Makefile
+ xserver.ent
+ xorg-server.pc
+Index: xorg-server-1.15.1/test/xi1/Makefile.am
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ xorg-server-1.15.1/test/xi1/Makefile.am 2014-12-04 11:54:14.708587787 -0500
+@@ -0,0 +1,34 @@
++if ENABLE_UNIT_TESTS
++if HAVE_LD_WRAP
++noinst_PROGRAMS = \
++ protocol-xchangedevicecontrol
++
++TESTS=$(noinst_PROGRAMS)
++TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
++
++AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
++AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
++TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
++COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
++
++if SPECIAL_DTRACE_OBJECTS
++TEST_LDADD += $(OS_LIB) $(DIX_LIB)
++endif
++
++protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
++
++protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
++
++protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
++
++else
++# Print that xi1-tests were skipped (exit code 77 for automake test harness)
++TESTS = xi1-tests
++CLEANFILES = $(TESTS)
++
++xi1-tests:
++ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
++ @echo 'exit 77' >> $@
++ $(AM_V_GEN)chmod +x $@
++endif
++endif
+Index: xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ xorg-server-1.15.1/test/xi1/protocol-xchangedevicecontrol.c 2014-12-04 11:54:14.708587787 -0500
+@@ -0,0 +1,122 @@
++/**
++ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#ifdef HAVE_DIX_CONFIG_H
++#include
++#endif
++
++/*
++ * Protocol testing for ChangeDeviceControl request.
++ */
++#include
++#include
++#include
++#include
++#include "inputstr.h"
++#include "chgdctl.h"
++
++#include "protocol-common.h"
++
++static ClientRec client_request;
++
++static void
++reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
++{
++ xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
++
++ if (client->swapped) {
++ swapl(&rep->length);
++ swaps(&rep->sequenceNumber);
++ }
++
++ reply_check_defaults(rep, len, ChangeDeviceControl);
++
++ /* XXX: check status code in reply */
++}
++
++static void
++request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
++ xDeviceCtl *ctl, int error)
++{
++ int rc;
++
++ client_request.req_len = req->length;
++ rc = ProcXChangeDeviceControl(&client_request);
++ assert(rc == error);
++
++ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
++
++ client_request.swapped = TRUE;
++ swaps(&req->length);
++ swaps(&req->control);
++ swaps(&ctl->length);
++ swaps(&ctl->control);
++ /* XXX: swap other contents of ctl, depending on type */
++ rc = SProcXChangeDeviceControl(&client_request);
++ assert(rc == error);
++}
++
++static unsigned char *data[4096]; /* the request buffer */
++
++static void
++test_ChangeDeviceControl(void)
++{
++ xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
++ xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
++
++ request_init(request, ChangeDeviceControl);
++
++ reply_handler = reply_ChangeDeviceControl;
++
++ client_request = init_client(request->length, request);
++
++ printf("Testing invalid lengths:\n");
++ printf(" -- no control struct\n");
++ request_ChangeDeviceControl(&client_request, request, control, BadLength);
++
++ printf(" -- xDeviceResolutionCtl\n");
++ request_init(request, ChangeDeviceControl);
++ request->control = DEVICE_RESOLUTION;
++ control->length = (sizeof(xDeviceResolutionCtl) >> 2);
++ request->length += control->length - 2;
++ request_ChangeDeviceControl(&client_request, request, control, BadLength);
++
++ printf(" -- xDeviceEnableCtl\n");
++ request_init(request, ChangeDeviceControl);
++ request->control = DEVICE_ENABLE;
++ control->length = (sizeof(xDeviceEnableCtl) >> 2);
++ request->length += control->length - 2;
++ request_ChangeDeviceControl(&client_request, request, control, BadLength);
++
++ /* XXX: Test functionality! */
++}
++
++int
++main(int argc, char **argv)
++{
++ init_simple();
++
++ test_ChangeDeviceControl();
++
++ return 0;
++}
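Review bot: In test/xi1/protocol-xchangedevicecontrol.c, `request_ChangeDeviceControl` sets `client_request.swapped = TRUE` and never clears it, while `test_ChangeDeviceControl` calls `init_client` only once, so the second and third sub-tests run the native-order `ProcXChangeDeviceControl` call with the swapped flag still set. This appears to be masked only because every case expects `BadLength`; once the cases promised by `XXX: Test functionality!` are added, `reply_ChangeDeviceControl` would byte-swap a native-order reply. Adding `client_request.swapped = FALSE;` before the first call would fix it, and the unused `client` parameter should either be used in place of the global or dropped. Since these tests guard a request-length fix, a case with exactly the required length would also help show the check is not off by one or over-strict. Separately, `static unsigned char *data[4096];` declares 4096 pointers rather than the 4096-byte request buffer its comment describes.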