Bug 1190487 (CVE-2021-4009)

Summary: VUL-0: CVE-2021-4009: xorg-x11-server: SProcXFixesCreatePointerBarrier Out-Of-Bounds Access Local Privilege Escalation Vulnerability (ZDI-CAN-14950)
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez, gfx-enterprise-bugs, rfrohl, sndirsch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/309971/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4009:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Researcher proposed patch

Description Gianluca Gabrielli 2021-09-14 14:32:47 UTC
ZDI-CAN-14950: X.Org Server SProcXFixesCreatePointerBarrier Out-Of-Bounds Access Local Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested: 1.20.4
* Installer file: debian-10.10.0-amd64-xfce-CD-1.iso
* Platform tested: debian-10.10.0-amd64-xfce-CD-1.iso

---

### Analysis

```
the exploit doesn't work if the OS is installed on VMware or on default VirtualBox
it works on VirtualBox with the VBoxVGA graphics controller

OOB access bug exists in xserver, SProcXFixesCreatePointerBarrier()
https://gitlab.freedesktop.org/xorg/xserver/-/blob/236d1775509404b0dcf44873422dd8652b1e9588/render/render.c#L2323
the exploit uses pixmaps to spray and achieve arbitrary read/write
it leads to LPE for some distributions (xorg in Debian runs as root under a specific display driver) and RCE for an SSH X11 forwarding environment
```

~~~c
int
SProcXFixesCreatePointerBarrier(ClientPtr client)
{
    REQUEST(xXFixesCreatePointerBarrierReq);
    int i;
    CARD16 *in_devices = (CARD16 *) &stuff[1];   /* device list follows the fixed header */

    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);

    swaps(&stuff->length);
    swaps(&stuff->num_devices);
    /* Length check: treats num_devices as a count of *bytes* after the header */
    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));

    swapl(&stuff->barrier);
    swapl(&stuff->window);
    swaps(&stuff->x1);
    swaps(&stuff->y1);
    swaps(&stuff->x2);
    swaps(&stuff->y2);
    swapl(&stuff->directions);
    for (i = 0; i < stuff->num_devices; i++) {
        /* but the loop reads and writes num_devices * sizeof(CARD16) bytes:
         * roughly the second half of the entries lie past the request buffer (OOB access here) */
        swaps(in_devices + i);
    }

    return ProcXFixesVector[stuff->xfixesReqType] (client);
}
~~~


debug log
```
(gdb) b *0x55b5e8492000+0x41143
Breakpoint 2 at 0x55b5e84d3143
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 2, 0x000055b5e84d3143 in ?? ()
1: x/i $pc
=> 0x55b5e84d3143:	rol    WORD PTR [rax+rdx*2+0x1c],0x8	// swaps(in_devices + i);
(gdb) x/10xg $rax
0x55b5ee000c70:	0x0000000000101f8a	0x0000000000000000
0x55b5ee000c80:	0x0000000000000000	0x0000000000210000
0x55b5ee000c90:	0x0000000000000000	0x0000000000000000
0x55b5ee000ca0:	0x0000000000000000	0x0000000000000000
0x55b5ee000cb0:	0x0000000000000000	0x00000000000102a1 	// before corruption
(gdb) i r $rdx
rdx            0x0                 0
(gdb) si
0x000055b5e84d3149 in ?? ()
1: x/i $pc
=> 0x55b5e84d3149:	inc    rdx
(gdb)
0x000055b5e84d314c in ?? ()
1: x/i $pc
=> 0x55b5e84d314c:	jmp    0x55b5e84d313b
(gdb)
0x000055b5e84d313b in ?? ()
1: x/i $pc
=> 0x55b5e84d313b:	movzx  ecx,WORD PTR [rax+0x1a]
(gdb)
0x000055b5e84d313f in ?? ()
1: x/i $pc
=> 0x55b5e84d313f:	cmp    ecx,edx
(gdb) i r $ecx
ecx            0x21                33		// loop count
(gdb) si
0x000055b5e84d3141 in ?? ()
1: x/i $pc
=> 0x55b5e84d3141:	jle    0x55b5e84d314e
(gdb)

Thread 1 "Xorg" hit Breakpoint 2, 0x000055b5e84d3143 in ?? ()
1: x/i $pc
=> 0x55b5e84d3143:	rol    WORD PTR [rax+rdx*2+0x1c],0x8
(gdb)
0x000055b5e84d3149 in ?? ()
1: x/i $pc
=> 0x55b5e84d3149:	inc    rdx
(gdb)
0x000055b5e84d314c in ?? ()
1: x/i $pc
=> 0x55b5e84d314c:	jmp    0x55b5e84d313b
(gdb)
0x000055b5e84d313b in ?? ()
1: x/i $pc
=> 0x55b5e84d313b:	movzx  ecx,WORD PTR [rax+0x1a]
(gdb)
0x000055b5e84d313f in ?? ()
1: x/i $pc
=> 0x55b5e84d313f:	cmp    ecx,edx
(gdb)
0x000055b5e84d3141 in ?? ()
1: x/i $pc
=> 0x55b5e84d3141:	jle    0x55b5e84d314e
(gdb)

...
...

Thread 1 "Xorg" hit Breakpoint 2, 0x000055b5e84d3143 in ?? ()
1: x/i $pc
=> 0x55b5e84d3143:	rol    WORD PTR [rax+rdx*2+0x1c],0x8
(gdb) x/xg $rax+$rdx*2+0x1c
0x55b5ee000cb8:	0x00000000000102a1
(gdb) si
0x000055b5e84d3149 in ?? ()
1: x/i $pc
=> 0x55b5e84d3149:	inc    rdx
(gdb) x/xg $rax+$rdx*2+0x1c
0x55b5ee000cb8:	0x000000000001a102
(gdb) x/10xg 0x55b5ee000c70
0x55b5ee000c70:	0x0000000000101f8a	0x0000000000000000
0x55b5ee000c80:	0x0000000000000000	0x0000000000210000
0x55b5ee000c90:	0x0000000000000000	0x0000000000000000
0x55b5ee000ca0:	0x0000000000000000	0x0000000000000000
0x55b5ee000cb0:	0x0000000000000000	0x000000000001a102		// after corruption
(gdb) bt
#0  0x000055b5e84d3149 in ?? ()
#1  0x000055b5e84ec99e in ?? ()
#2  0x000055b5e84f0986 in ?? ()
#3  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#4  0x000055b5e84da67a in _start ()
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
312	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
#1  0x00007fe0200d4b42 in fbBlt () from /usr/lib/xorg/modules/libfb.so
#2  0x00007fe0200d58a6 in fbBltStip () from /usr/lib/xorg/modules/libfb.so
#3  0x00007fe0200d9d30 in fbGetImage () from /usr/lib/xorg/modules/libfb.so
#4  0x000055b5e8638410 in ?? ()
#5  0x000055b5e8574b3b in ?? ()
#6  0x000055b5e84e9849 in ?? ()
#7  0x000055b5e84ec99e in ?? ()
#8  0x000055b5e84f0986 in ?? ()
#9  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#10 0x000055b5e84da67a in _start ()
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/
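To make the length-check mismatch concrete, the following stand-alone C model was added to this page; it is not code from the ZDI report, from the researcher's attachment, or from the xserver tree. It assumes the request layout from xfixesproto (sz_xXFixesCreatePointerBarrierReq = 28 bytes, num_devices at offset 26, the CARD16 device array starting at offset 28, which is consistent with the `[rax+0x1a]` and `[rax+rdx*2+0x1c]` operands in the gdb log) and a simplified REQUEST_FIXED_SIZE that only compares the client-supplied length against header plus padded payload. `swaps`, `pad_to_int32` and the struct are local reimplementations, the guard region is constructed input, and the corrected check multiplies num_devices by sizeof(CARD16), which is what the upstream fix changed. The value 33 is the loop count (ecx = 0x21) from the debug session above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t  CARD8;
typedef uint16_t CARD16;
typedef uint32_t CARD32;

/* Wire layout of the request (mirrors xfixesproto; 28 bytes, no padding).
 * The num_devices CARD16 entries follow the struct at offset 28 (0x1c). */
typedef struct {
    CARD8  reqType;
    CARD8  xfixesReqType;
    CARD16 length;        /* request length in 4-byte units */
    CARD32 barrier;
    CARD32 window;
    CARD16 x1, y1, x2, y2;
    CARD32 directions;
    CARD16 pad;
    CARD16 num_devices;   /* offset 26 (0x1a) */
} xXFixesCreatePointerBarrierReq;

#define pad_to_int32(bytes) (((bytes) + 3) & ~(size_t)3)

static void swaps(CARD16 *p) { *p = (CARD16)((*p << 8) | (*p >> 8)); }

/* Simplified REQUEST_FIXED_SIZE: the request must be exactly the fixed header
 * plus extra_bytes rounded up to a multiple of 4; req_len is in 4-byte units. */
static int fixed_size_ok(size_t req_len_units, size_t extra_bytes) {
    return req_len_units * 4 == sizeof(xXFixesCreatePointerBarrierReq) + pad_to_int32(extra_bytes);
}

/* Vulnerable check (xserver 1.20.4): num_devices is treated as a byte count. */
int vulnerable_check_passes(size_t req_len_units, CARD16 num_devices) {
    return fixed_size_ok(req_len_units, num_devices);
}

/* Corrected check: sizeof(CARD16) bytes per device entry. */
int fixed_check_passes(size_t req_len_units, CARD16 num_devices) {
    return fixed_size_ok(req_len_units, (size_t)num_devices * sizeof(CARD16));
}

/* Smallest request length (in 4-byte units) that satisfies the vulnerable check. */
size_t vulnerable_req_len_units(CARD16 num_devices) {
    return (sizeof(xXFixesCreatePointerBarrierReq) + pad_to_int32(num_devices)) / 4;
}

/* Bytes the swap loop touches beyond the end of such a minimal request. */
size_t overrun_bytes(CARD16 num_devices) {
    size_t avail   = pad_to_int32(num_devices);
    size_t written = (size_t)num_devices * sizeof(CARD16);
    return written > avail ? written - avail : 0;
}

/* Run the vulnerable swap loop over a request that exactly passes the vulnerable
 * length check, followed by a constructed guard region, and return how many
 * guard bytes the loop modified (every swapped 0x11/0x22 pair changes). */
size_t simulate_overrun(CARD16 num_devices) {
    size_t req_bytes = vulnerable_req_len_units(num_devices) * 4;
    size_t guard     = (size_t)num_devices * sizeof(CARD16) + 4;
    unsigned char *buf = calloc(req_bytes + guard, 1);
    if (!buf) return (size_t)-1;
    for (size_t i = 0; i < guard; i++)
        buf[req_bytes + i] = (i & 1) ? 0x22 : 0x11;

    xXFixesCreatePointerBarrierReq *stuff = (xXFixesCreatePointerBarrierReq *)buf;
    stuff->num_devices = num_devices;             /* already host byte order in this model */
    CARD16 *in_devices = (CARD16 *)&stuff[1];
    for (int i = 0; i < stuff->num_devices; i++)
        swaps(in_devices + i);                     /* the vulnerable loop */

    size_t changed = 0;
    for (size_t i = 0; i < guard; i++)
        if (buf[req_bytes + i] != ((i & 1) ? 0x22 : 0x11)) changed++;
    free(buf);
    return changed;
}

int main(void) {
    CARD16 n = 33;   /* loop count (ecx = 0x21) from the gdb session */
    printf("num_devices=%u: vulnerable check accepts %zu units, fixed check needs %zu units\n",
           n, vulnerable_req_len_units(n),
           (sizeof(xXFixesCreatePointerBarrierReq) + pad_to_int32((size_t)n * 2)) / 4);
    printf("loop overruns the request by %zu bytes (simulated: %zu guard bytes modified)\n",
           overrun_bytes(n), simulate_overrun(n));
    return 0;
}
```

With num_devices = 33 the vulnerable check accepts a 64-byte request (28-byte header plus pad_to_int32(33) = 36), while the loop byte-swaps 66 bytes of device entries, so the last 15 entries (30 bytes) are read and written outside the request. The same pattern scales up to 65534 bytes for num_devices = 0xffff, and since the server swaps whatever lies there in place, an adjacent object in the heap is corrupted, which is what the backtrace into fbGetImage/fbBlt in the log reflects.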
Comment 2 Gianluca Gabrielli 2021-09-14 14:42:50 UTC
Created attachment 852508 [details]
Researcher proposed patch
Comment 4 Gianluca Gabrielli 2021-09-15 15:27:17 UTC
Affected packages:
 - SUSE:SLE-12-SP2:Update/xorg-x11-server
 - SUSE:SLE-12-SP4:Update/xorg-x11-server
 - SUSE:SLE-12-SP5:Update/xorg-x11-server
 - SUSE:SLE-15-SP1:Update/xorg-x11-server
 - SUSE:SLE-15-SP2:Update/xorg-x11-server
 - SUSE:SLE-15:Update/xorg-x11-server
 - openSUSE:Factory/xorg-x11-server
Comment 9 Robert Frohl 2021-12-14 13:51:18 UTC
public via oss-security
Comment 12 Stefan Dirsch 2021-12-14 19:32:44 UTC
BTW, sle11 is not affected by this issue.
Comment 14 Stefan Dirsch 2021-12-14 20:38:21 UTC
Submitted for sle12, sle15 products, Tumbleweed and sle15-sp4.
Comment 15 Stefan Dirsch 2021-12-14 20:39:03 UTC
Reassigning to security team.
Comment 16 OBSbugzilla Bot 2021-12-14 21:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1190487) was mentioned in
https://build.opensuse.org/request/show/940574 Factory / xorg-x11-server
Comment 18 Swamp Workflow Management 2021-12-20 17:17:04 UTC
SUSE-SU-2021:4120-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.28.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.28.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.28.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2021-12-20 17:18:26 UTC
SUSE-SU-2021:4124-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.46.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2021-12-20 17:19:50 UTC
SUSE-SU-2021:4122-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Enterprise Storage 6 (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE CaaS Platform 4.0 (src):    xorg-x11-server-1.20.3-14.5.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-12-20 17:22:28 UTC
SUSE-SU-2021:4121-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.36.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.36.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.36.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2021-12-20 17:23:50 UTC
SUSE-SU-2021:4119-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.29.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2021-12-21 20:16:37 UTC
openSUSE-SU-2021:4136-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xorg-x11-server-1.20.3-22.5.42.1
Comment 24 Swamp Workflow Management 2021-12-21 20:18:16 UTC
SUSE-SU-2021:4136-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Manager Retail Branch Server 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Manager Proxy 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Enterprise Storage 7 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE CaaS Platform 4.5 (src):    xorg-x11-server-1.20.3-22.5.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2021-12-22 11:18:42 UTC
openSUSE-SU-2021:1606-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.36.1
Comment 26 Swamp Workflow Management 2022-02-17 11:25:12 UTC
SUSE-SU-2021:4136-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-02-17 11:29:43 UTC
openSUSE-SU-2021:4136-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xorg-x11-server-1.20.3-22.5.42.1
Comment 28 Carlos López 2022-09-20 11:20:58 UTC
Done, closing.