Bug 13522 - XInput Extension Memory Corruption Vulnerability
Summary: XInput Extension Memory Corruption Vulnerability
Alias: None
Product: xorg
Classification: Unclassified
Component: Security
Version: 7.3 (2007.09)
Hardware: Other All
Importance: medium normal
Assignee: X.Org Security
QA Contact: X.Org Security
Reported: 2007-12-04 12:58 UTC by Matthieu Herrb
Modified: 2008-01-17 08:28 UTC
CC List: 2 users


Attachments:
Draft advisory (4.39 KB, text/plain), 2007-12-04 12:59 UTC, Matthieu Herrb
Proposed but untested patch (6.99 KB, patch), 2007-12-10 21:01 UTC, Alan Coopersmith
backport to XFree86 and Xorg 6.8 (6.99 KB, patch), 2007-12-13 16:59 UTC, Dave Airlie
Testcase (8.65 KB, text/plain), 2007-12-19 18:38 UTC, Alan Coopersmith

Description Matthieu Herrb 2007-12-04 12:58:41 UTC
iDefense has sent us the attached draft advisory
Comment 1 Matthieu Herrb 2007-12-04 12:59:11 UTC
Created attachment 12942
Draft advisory
Comment 2 Alan Coopersmith 2007-12-10 21:01:41 UTC
Created attachment 13025
Proposed but untested patch

This patch is intended to both fix the reported issue, and the problem of
swapping twice as far as the end of the request on 64-bit machines, when
the code uses a pointer of type "long" to iterate over the CARD32s (which
could at least lead to a denial-of-service, if not a full exploit).
Comment 3 Dave Airlie 2007-12-13 16:59:13 UTC
Created attachment 13095
backport to XFree86 and Xorg 6.8

I've backported this across register removals.
Comment 4 Alan Coopersmith 2007-12-19 18:38:58 UTC
Created attachment 13246
Testcase
Testcase for 7 of the 8 modified calls (only tests the initial issue, not the
long vs. CARD32 on 64-bit platforms).

IMPORTANT: test case must be built and run on a machine of opposite endianness
of the system under test - for example, when testing X server on x86, run
testcase on a SPARC machine.

To test, run:
	./testcase-13522 -1
	./testcase-13522 -2
	./testcase-13522 -3
	./testcase-13522 -4
	./testcase-13522 -5
	./testcase-13522 -6
	./testcase-13522 -7

Without the fix, the X server crashes, with it, for all the above it should
	TEST PASSED: illegal call returned BadLength
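The two defects discussed in Comment 2 and exercised by the testcase in Comment 4, reduced to a runnable illustration: a byte-swapping request handler that walks CARD32 fields with a `long *` (so an LP64 build strides 8 bytes and runs twice as far as the request), and the same handler without a length check, which the fix turns into a BadLength error. This is an added example, not the X server's XInput code, the committed patch, or the attached testcase: the `xFakeReq` layout, the `SProcFake*` names, the opcodes and the canary harness are made up for the demonstration; only the `long *` loop pattern and the "check length first, return BadLength" shape follow what the comments describe.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t CARD8; typedef uint16_t CARD16; typedef uint32_t CARD32;
#define Success 0
#define BadLength 16 /* value of the core X BadLength error code */

/* Constructed request layout, a stand-in for (not a copy of) the XInput wire format.
 * As in every X request, `length` is the total size in 4-byte units, header included;
 * here `length - 2` CARD32 values follow the 8-byte header. */
typedef struct { CARD8 reqType; CARD8 minor; CARD16 length; CARD32 deviceid; } xFakeReq;
#define HDR_WORDS (sizeof(xFakeReq) / 4)
static CARD16 swap16(CARD16 v) { return (CARD16)((v << 8) | (v >> 8)); }
static CARD32 swap32(CARD32 v) { return (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24); }

/* BEFORE: the pattern Comment 2 describes. Each iteration swaps one CARD32 but steps a
 * `long *`, so on an LP64 build the stride is 8 bytes: every other value is skipped and
 * the loop runs twice as far as the request, swapping whatever follows it in memory.
 * Nothing checks that `length` even covers the header before `deviceid` is touched. */
static int SProcFakeBad(xFakeReq *stuff)
{
    unsigned long i, count;
    long *p = (long *)&stuff[1];
    stuff->length = swap16(stuff->length);
    stuff->deviceid = swap32(stuff->deviceid);
    count = stuff->length - HDR_WORDS;
    for (i = 0; i < count; i++, p++)
        *(CARD32 *)p = swap32(*(CARD32 *)p);
    return Success;
}

/* AFTER: reject a short request before any other field is touched (the server's
 * REQUEST_AT_LEAST_SIZE check) and walk the trailer with a CARD32 pointer. */
static int SProcFakeGood(xFakeReq *stuff)
{
    unsigned long i, count;
    CARD32 *p = (CARD32 *)&stuff[1];
    stuff->length = swap16(stuff->length);
    if (stuff->length < HDR_WORDS)
        return BadLength;
    stuff->deviceid = swap32(stuff->deviceid);
    count = stuff->length - HDR_WORDS;
    for (i = 0; i < count; i++)
        p[i] = swap32(p[i]);
    return Success;
}

/* Constructed "server memory": request, trailer, then a canary standing in for whatever
 * lives after the request buffer. */
#define NVALUES 4
#define NCANARY 4
#define CANARY 0x11223344u
struct arena { xFakeReq req; CARD32 values[NVALUES]; CARD32 canary[NCANARY]; };

/* Build the request as an opposite-endian client sends it (every field byte-swapped),
 * which is the only case in which a server runs the SProc path at all. */
static void fill(struct arena *a, CARD16 wire_length)
{
    unsigned i;
    a->req.reqType = 131; a->req.minor = 1; /* arbitrary opcodes */
    a->req.length = swap16(wire_length);
    a->req.deviceid = swap32(7);
    for (i = 0; i < NVALUES; i++) a->values[i] = swap32(0x0a0b0c00u + i);
    for (i = 0; i < NCANARY; i++) a->canary[i] = CANARY;
}

/* Canary words overwritten; *unswapped gets the values the swap loop never reached. */
static unsigned damage(const struct arena *a, unsigned *unswapped)
{
    unsigned i, clobbered = 0;
    *unswapped = 0;
    for (i = 0; i < NVALUES; i++) if (a->values[i] != 0x0a0b0c00u + i) (*unswapped)++;
    for (i = 0; i < NCANARY; i++) if (a->canary[i] != CANARY) clobbered++;
    return clobbered;
}

/* Well-formed request through the old code: both counts are NVALUES/2 on LP64 and 0 on
 * ILP32, which is why this half of the bug only shows on 64-bit machines. */
static unsigned run_bad(unsigned *unswapped)
{
    struct arena a;
    fill(&a, HDR_WORDS + NVALUES);
    SProcFakeBad(&a.req);
    return damage(&a, unswapped);
}
static unsigned bad_clobbered(void) { unsigned u; return run_bad(&u); }
static unsigned bad_unswapped(void) { unsigned u; run_bad(&u); return u; }

/* Same request through the fixed code: exact swap, nothing written past the request. */
static int run_good_wellformed(void)
{
    struct arena a; unsigned unswapped;
    fill(&a, HDR_WORDS + NVALUES);
    return SProcFakeGood(&a.req) == Success && a.req.deviceid == 7
        && damage(&a, &unswapped) == 0 && unswapped == 0;
}

/* The illegal call: a length that does not even cover the header. */
static int run_good_short(void)
{
    struct arena a;
    fill(&a, 1);
    return SProcFakeGood(&a.req);
}

int main(void)
{
    printf("sizeof(long)=%zu: old code clobbered %u canary words, skipped %u values\n",
           sizeof(long), bad_clobbered(), bad_unswapped());
    printf("fixed code: well-formed ok=%d, short request -> %d (BadLength is %d)\n",
           run_good_wellformed(), run_good_short(), BadLength);
    return 0;
}
```

On a 64-bit build the old loop overwrites two canary words and leaves two values unswapped; on a 32-bit build both counts are zero, so the 64-bit half of the bug cannot be seen by testing there. The harness calls the swapped handler directly; in a live server that path only runs for a client whose byte order differs from the server's, which is why Comment 4 insists the testcase be run from a machine of the opposite endianness.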
Comment 5 Matthieu Herrb 2008-01-17 08:28:54 UTC
Patch has been committed as dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 and this is public now.
