13522 – XInput Extension Memory Corruption Vulnerability

Bug 13522 - XInput Extension Memory Corruption Vulnerability

Summary: XInput Extension Memory Corruption Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	xorg
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7.3 (2007.09)
Hardware:	Other All

Importance:	medium normal
Assignee:	X.Org Security
QA Contact:	X.Org Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2007-12-04 12:58 UTC by Matthieu Herrb
Modified:	2008-01-17 08:28 UTC (History)
CC List:	2 users (show)

See Also:
i915 platform:
i915 features:

Attachments
Draft advisory (4.39 KB, text/plain) 2007-12-04 12:59 UTC, Matthieu Herrb	no flags	Details
Proposed but untested patch (6.99 KB, patch) 2007-12-10 21:01 UTC, Alan Coopersmith	no flags	Details \| Splinter Review
backport to XFree86 and Xorg 6.8 (6.99 KB, patch) 2007-12-13 16:59 UTC, Dave Airlie	no flags	Details \| Splinter Review
Testcase (8.65 KB, text/plain) 2007-12-19 18:38 UTC, Alan Coopersmith	no flags	Details
View All

Description Matthieu Herrb 2007-12-04 12:58:41 UTC

iDefense has sent us the attached draft advisory

Comment 1 Matthieu Herrb 2007-12-04 12:59:11 UTC

Created attachment 12942 [details]
Draft advisory

Comment 2 Alan Coopersmith 2007-12-10 21:01:41 UTC

Created attachment 13025 [details] [review]
Proposed but untested patch

This patch is intended to both fix the reported issue, and the problem of
swapping twice as far as the end of the request on 64-bit machines, when
the code uses a pointer of type "long" to iterate over the CARD32's (which
could at least lead to a denial-of-service, if not a full exploit).

Comment 3 Dave Airlie 2007-12-13 16:59:13 UTC

Created attachment 13095 [details] [review]
backport to XFree86 and Xorg 6.8

I've backported this across register removals..

Comment 4 Alan Coopersmith 2007-12-19 18:38:58 UTC

Created attachment 13246 [details]
Testcase

Testcase for 7 of the 8 modified calls (only tests the initial issue, not the
long vs. CARD32 on 64-bit platforms).

IMPORTANT: test case must be built and run on a machine of opposite endianness 
of the system under test - for example, when testing X server on x86, run 
testcase on a SPARC machine.

To test, run:
	./testcase-13522 -1
	./testcase-13522 -2
	./testcase-13522 -3
	./testcase-13522 -4
	./testcase-13522 -5
	./testcase-13522 -6
	./testcase-13522 -7

Without the fix, the X server crashes, with it, for all the above it should
print:
	TEST PASSED: illegal call returned BadLength

Comment 5 Matthieu Herrb 2008-01-17 08:28:54 UTC

Patch has been committed dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 and this is public now.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.