Skip to content

Security fixes for byte-swapping and ProcRenderAddGlyphs

Alan Coopersmith requested to merge alanc/xserver:security-master into master
  1. CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents

Introduced in: xorg-server-1.7.0 (2009)
Found by: Alan Coopersmith of Oracle Solaris, while investigating https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762

The ProcXIGetSelectedEvents() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  1. CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice

Introduced in: xorg-server-1.7.0 (2009)
Found by: Alan Coopersmith of Oracle Solaris

The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  1. CVE-2024-31082: Heap buffer overread/data leakage in ProcAppleDRICreatePixmap

Introduced in: xorg-server-1.12.0 (2012)
Found by: Alan Coopersmith of Oracle Solaris

The ProcAppleDRICreatePixmap() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server. This function is only found in the Xquartz server for MacOS systems, and not in Xwayland, Xorg, or any other X servers.

  1. CVE-2024-31083: User-after-free in ProcRenderAddGlyphs

Introduced in: prior to X11R6.7 (2004)
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs.

ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.

Merge request reports

Loading