X.Org Security Advisory: July 12, 2022
Multiple input validation failures in X server extensions
========================================================
All theses issues can lead to local privileges elevation on systems
where the X server is running privileged and remote code execution for
ssh X forwarding sessions.
* CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds
Access
The handler for the ProcXkbSetGeometry request of the Xkb extension does
not properly validate the request length leading to out of bounds memory
write.
* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds
Access
The handler for the ProcXkbSetDeviceInfo request of the Xkb extension
does not properly validate the request length leading to out of bounds
memory write.
Patches
-------
Patches for this issues have been committed to the xorg server git
repository. xorg-server 21.1.4 will be released shortly and will
include these patches.
commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42
xkb: add request length validation for XkbSetGeometry
No validation of the various fields on that report were done, so a
malicious client could send a short request that claims it had N
sections, or rows, or keys, and the server would process the request
for N sections, running out of bounds of the actual request data.
Fix this by adding size checks to ensure our data is valid.
Fixes ZDI-CAN 16062, CVE-2022-2319.
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc
xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
XKB often uses a FooCheck and Foo function pair, the former is
supposed to check all values in the request and error out on
BadLength, BadValue, etc. The latter is then called once we're
confident the values are good (they may still fail on an individual
device, but that's a different topic).
In the case of XkbSetDeviceInfo, those functions were incorrectly
named, with XkbSetDeviceInfo ending up as the checker function and
XkbSetDeviceInfoCheck as the setter function. As a result, the setter
function was called before the checker function, accessing request
data and modifying device state before we ensured that the data is
valid.
In particular, the setter function relied on values being already
byte-swapped. This in turn could lead to potential OOB memory access.
Fix this by correctly naming the functions and moving the length checks
over to the checker function. These were added in 87c64fc5b0 to the
wrong function, probably due to the incorrect naming.
Fixes ZDI-CAN 16070, CVE-2022-2320.
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132
Backporting of the security fixes also needs this commit:
f1070c01d616c5f21f939d5ebc533738779451ac.
Thanks
=====
The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative and fixed by Peter Hutterer.
--
Povilas Kanapickas