1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
From: Julien Cristau <jcristau@debian.org>
Date: Sun Jan 23 13:35:54 2011 +0100
Subject: [PATCH] glx: Work around wrong request lengths sent by mesa
Patch-Mainline: Upstream
Git-commit: 402b329c3aa8ddbebaa1f593306a02d4cd6fed26
References: bnc #648278, CVE-2010-4818
Signed-off-by: Egbert Eich <eich@suse.de>
mesa used to send too long requests for GLXDestroyPixmap,
GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
and GLXGetFBConfigsSGIX.
Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>
Reported-by: xunx.fang@intel.com
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
---
glx/glxcmds.c | 19 +++++++++++++++----
glx/glxcmdsswap.c | 12 +++++++-----
2 files changed, 22 insertions(+), 9 deletions(-)
--- xorg-server-1.6.5.orig/glx/glxcmds.c
+++ xorg-server-1.6.5/glx/glxcmds.c
@@ -1113,7 +1113,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclie
{
ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
- REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+ /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+ REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
}
@@ -1341,7 +1342,9 @@ int __glXDisp_DestroyPixmap(__GLXclientS
ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
- REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+ /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+ * length to 3 instead of 2 */
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
@@ -1470,7 +1473,13 @@ int __glXDisp_ChangeDrawableAttributes(_
client->errorValue = req->numAttribs;
return BadValue;
}
+#if 0
+ /* mesa sends an additional 8 bytes */
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+ if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+ return BadLength;
+#endif
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
@@ -1532,7 +1541,8 @@ int __glXDisp_DestroyWindow(__GLXclientS
ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
- REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+ /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
}
@@ -1849,7 +1859,8 @@ int __glXDisp_GetDrawableAttributes(__GL
ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
- REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+ /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+ REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
return DoGetDrawableAttributes(cl, req->drawable);
}
--- xorg-server-1.6.5.orig/glx/glxcmdsswap.c
+++ xorg-server-1.6.5/glx/glxcmdsswap.c
@@ -282,7 +282,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLX
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -371,7 +371,7 @@ int __glXDispSwap_DestroyPixmap(__GLXcli
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -480,7 +480,9 @@ int __glXDispSwap_ChangeDrawableAttribut
client->errorValue = req->numAttribs;
return BadValue;
}
- REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+ if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+ return BadLength;
+
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -546,7 +548,7 @@ int __glXDispSwap_DestroyWindow(__GLXcli
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
__GLX_SWAP_INT(&req->glxwindow);
@@ -746,7 +748,7 @@ int __glXDispSwap_GetDrawableAttributes(
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+ REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
|