Update access.c with potential fix for Type Confusion alert no. 1893#17
Open
HaplessIdiot wants to merge 406 commits into
https://cgit.freedesktop.org/xorg/xserver/commit/?id=2855f759b1e7bf7f5e57cac36c1f0d0e5ac1a683 auth: remove AuthToIDFunc and associated functions. Not used anymore. And the current code for MitToId has a use-after-free() issue. [Also remove the actual implementations - ajax] Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
https://cgit.freedesktop.org/xorg/xserver/commit/?id=d7ac755f0b618eb1259d93c8a16ec6e39a18627c Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624 Provide the function definition for systems that don't have it. Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

and https://cgit.freedesktop.org/xorg/xserver/commit/?id=5c44169caed811e59a65ba346de1cadb46d266ec os: Squash missing declaration warning for timingsafe_memcmp timingsafe_memcmp.c:21:1: warning: no previous prototype for `timingsafe_memcmp' [-Wmissing-prototypes] timingsafe_memcmp(const void *b1, const void *b2, size_t len) Signed-off-by: Adam Jackson <ajax@redhat.com>
https://cgit.freedesktop.org/xorg/xserver/commit/?id=957e8db38f27932d353e86e9aa69cf16778b18f1 -- Use arc4random_buf(3) if available to generate cookies. Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> --
https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced XXX: pullup-[678] (6/7 also need xfree port.)
-- From 1b1d4c0 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Sun, 21 Dec 2014 01:10:03 -0500
Subject: hw/xfree86: unvalidated lengths
This addresses: CVE-2017-12180 in XFree86-VidModeExtension, CVE-2017-12181 in XFree86-DGA, CVE-2017-12182 in XFree86-DRI

-- From 211e05a Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 7 Jul 2017 17:21:46 +0200
Subject: Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.

-- From 4ca68b8 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:09:14 -0500
Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)

-- From 55caa8b Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 11:43:05 -0500
Subject: xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)

-- From 859b08d Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Wed, 24 Dec 2014 16:22:18 -0500
Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)

-- From 9c23685 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 7 Jul 2017 17:04:03 +0200
Subject: os: Make sure big requests have sufficient length.
A client can send a big request where the 32B "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer.

-- From b747da5 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:15:46 -0500
Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
…ializing 'present_get_ust_msc_ptr')
- BlockHandler() timeout value changed from struct timeval ** to int ** that has a millisecond value. - avoid a NULL ptr deref in ProcXF86BigfontQueryFont() and make some code actually able to be run.
Undo diff to upstream. There's a good chance we aren't using this code at all.
It was introduced as one of the patches fixing https://bugs.freedesktop.org/show_bug.cgi?id=28181 This is marked fixed upstream, and was spotted on non-NetBSD, so it's very likely to be unnecessary. This diff was causing a double-free, causing Xorg to crash when closing pkgsrc/emulators/{retroarch,nestopia}. This is most likely a problem that became more evident from jemalloc debug which is filling free'd memory with 0x5a5a5a... Fixes PR xsrc/54246.
Restore missing RAMDAC files
This code is extremely portable. It should work on all systems.
AMDGPU Driver from Joseph Crowell unified
Try to remove some old XWayland code
Fix SlowBcopy support
…ring Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ngerous function Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
… cause overflow Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 1776: Use of potentially dangerous function
Potential fix for code scanning alert no. 32: Non-constant format string
They are now in the main files
Apply patches used by GitHub Actions
Potential fix for code scanning alert no. 139: Uncontrolled format string
Potential fix for code scanning alert no. 16: Static array access may cause overflow
Potential fix for code scanning alert no. 1461: Unbounded write
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 28: Potential use after free
Certain casts in C and C++ place no restrictions on the target type. For example, C-style casts such as (MyClass*)p allow the programmer to cast any pointer p to an expression of type MyClass*. If the runtime type of p turns out to be a type that is incompatible with MyClass, the result is undefined behavior.
Recommendation
If possible, use dynamic_cast to safely cast between polymorphic types. If dynamic_cast is not an option, use static_cast to restrict the kinds of conversions that the compiler is allowed to perform. If C++-style casts are not an option, carefully check that all casts are safe.
Example
Consider the following class hierarchy, where we define a base class Shape and two derived classes Circle and Square that are mutually incompatible:
struct Shape {
  virtual ~Shape();
  virtual void draw() = 0;
};

struct Circle : public Shape {
  Circle();
  void draw() override {
    /* ... */
  }
  int getRadius();
};

struct Square : public Shape {
  Square();
  void draw() override {
    /* ... */
  }
  int getLength();
};
The following code demonstrates a type confusion vulnerability where the programmer assumes that the runtime type of p is always a Square. However, if p is a Circle, the cast will result in undefined behavior.
void allocate_and_draw_bad() {
  Shape* shape = new Circle;
  // ...
  // BAD: Assumes that shape is always a Square
  Square* square = static_cast<Square*>(shape);
  int length = square->getLength();
}
The following code fixes the vulnerability by using dynamic_cast to safely cast between polymorphic types. If the cast fails, dynamic_cast returns a null pointer, which can be checked for and handled appropriately.
void allocate_and_draw_good() {
  Shape* shape = new Circle;
  // ...
  // GOOD: Dynamically checks if shape is a Square
  Square* square = dynamic_cast<Square*>(shape);
  if (square) {
    int length = square->getLength();
  } else {
    // handle error
  }
}
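The fix above relies on dynamic_cast, which does not exist in C sources such as access.c. The same runtime check can be made explicit in C by giving every object a type tag and refusing to reinterpret a pointer whose tag does not match. This is an added example, not code from the PR or from the query help; the names Shape, Circle and Square follow the help text, while the kind field and the shape_as_* helpers are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Every object starts with a Shape header whose tag is set at construction
 * time; a Circle* or Square* is therefore also a valid Shape*. */
typedef enum { SHAPE_CIRCLE, SHAPE_SQUARE } ShapeKind;

typedef struct { ShapeKind kind; } Shape;
typedef struct { Shape base; int radius; } Circle;
typedef struct { Shape base; int length; } Square;

static Circle make_circle(int radius) { Circle c = { { SHAPE_CIRCLE }, radius }; return c; }
static Square make_square(int length) { Square s = { { SHAPE_SQUARE }, length }; return s; }

/* BAD: the C equivalent of the static_cast in the query help. Nothing stops
 * a Circle from being read through a Square*, so the caller must never pass
 * anything but a Square here. */
static int square_length_unchecked(Shape *s) {
    return ((Square *)s)->length;
}

/* GOOD: checked downcasts that return NULL instead of a mistyped pointer,
 * playing the role dynamic_cast plays in C++. */
static Square *shape_as_square(Shape *s) {
    return (s && s->kind == SHAPE_SQUARE) ? (Square *)s : NULL;
}
static Circle *shape_as_circle(Shape *s) {
    return (s && s->kind == SHAPE_CIRCLE) ? (Circle *)s : NULL;
}

/* Returns the side length, or -1 when the object is not a Square (the case
 * the unchecked cast would turn into type confusion). */
static int square_length_checked(Shape *s) {
    Square *sq = shape_as_square(s);
    return sq ? sq->length : -1;
}

int main(void) {
    Circle c = make_circle(3);
    Square q = make_square(4);
    printf("square: %d\n", square_length_checked(&q.base));
    printf("circle: %d\n", square_length_checked(&c.base));
    printf("unchecked on a real square: %d\n", square_length_unchecked(&q.base));
    return 0;
}
```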
References
Microsoft Learn: Type conversions and type safety.
Common Weakness Enumeration: CWE-843.