[PATCH] Xi: Test exact size of XIBarrierReleasePointer

Peter Hutterer peter.hutterer at who-t.net
Tue Jul 11 02:43:35 UTC 2017 

On Fri, Jul 07, 2017 at 05:21:46PM +0200, msrb at suse.com wrote:
> From: Michal Srb <msrb at suse.com>
> 
> Otherwise a client can send any value of num_barriers and cause reading or
> swapping of values on heap behind the receive buffer.
> ---
>  Xi/xibarriers.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
> index af1562ed2..d82ecb6a5 100644
> --- a/Xi/xibarriers.c
> +++ b/Xi/xibarriers.c
> @@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
>      REQUEST(xXIBarrierReleasePointerReq);
>      int i;
>  
> -    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
> -
>      swaps(&stuff->length);
> +    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
> +
>      swapl(&stuff->num_barriers);
> +    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
> +
> +    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
>      for (i = 0; i < stuff->num_barriers; i++, info++) {
>          swaps(&info->deviceid);
>          swapl(&info->barrier);
> @@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
>      xXIBarrierReleasePointerInfo *info;
>  
>      REQUEST(xXIBarrierReleasePointerReq);
> -    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
> +    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));

technically, both requests can be longer than the payload to accommodate for
future versions (i.e length > num_barriers calculated length is allowed).
The precise approach would be to have a length check in the for loop to make
sure we never go over req->length.

But I think that's rather a niche case and it's unlikely this request will be
extended in the forseeable future. 

remote: I: patch #165877 updated using rev 211e05ac85a294ef361b9f80d689047fa52b9076.
remote: I: 1 patch(es) updated to state Accepted.
To git+ssh://git.freedesktop.org/git/xorg/xserver
   abb031e73..211e05ac8  master -> master

Thanks!

Cheers,
   Peter

>  
>      info = (xXIBarrierReleasePointerInfo*) &stuff[1];
>      for (i = 0; i < stuff->num_barriers; i++, info++) {
> -- 
> 2.12.3
> 
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: https://lists.x.org/mailman/listinfo/xorg-devel
>

More information about the xorg-devel mailing list