Bug 1193030 - (CVE-2021-4008) VUL-0: CVE-2021-4008: xorg-x11-server: X.Org Server SProcRenderCompositeGlyphs Out-Of-Bounds Access Privilege Escalation Vulnerability (ZDI-CAN-14192)
Status: CONFIRMED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority/Severity: P3 - Medium / Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/315784/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4008:7.8:(AV:L...
Reported: 2021-11-24 09:23 UTC by Gianluca Gabrielli
Modified: 2021-12-15 14:22 UTC
Found By: ---
Blocker: ---

Attachments
Researcher proposed patch (944 bytes, patch) - 2021-11-24 09:24 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-11-24 09:23:35 UTC
ZDI-CAN-14192: X.Org Server SProcRenderCompositeGlyphs Out-Of-Bounds Access Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested:1.20.4
* Installer file:debian-10.10.0-amd64-xfce-CD-1.iso
* Platform tested:debian-10.10.0-amd64-xfce-CD-1.iso

---

### Analysis

```
the exploit doesn't work if the OS is installed on VMware or default VirtualBox
it works on VirtualBox with the VBoxVGA graphics controller

OOB access bug exists in xserver, SProcRenderCompositeGlyphs()
https://gitlab.freedesktop.org/xorg/xserver/-/blob/236d1775509404b0dcf44873422dd8652b1e9588/render/render.c#L2323
the exploit uses pixmaps to spray and achieve arbitrary read/write
it leads to LPE for some distributions (Xorg in Debian runs as root under specific display drivers) and RCE for SSH X11 forwarding environments
```

~~~c
static int _X_COLD
SProcRenderCompositeGlyphs(ClientPtr client)
{
...
    buffer = (CARD8 *) (stuff + 1);                 // input: glyph element list after the fixed header
    end = (CARD8 *) stuff + (client->req_len << 2); // end of the request as declared by the client
    while (buffer + sizeof(xGlyphElt) < end) {
        elt = (xGlyphElt *) buffer;
        buffer += sizeof(xGlyphElt);

        swaps(&elt->deltax);
        swaps(&elt->deltay);

        i = elt->len;                               // elt->len is controlled
        if (i == 0xff) {
            swapl((int *) buffer);
            buffer += 4;
        }
        else {
            space = size * i;                       // bytes of glyph ids the element claims; never compared with end
            switch (size) {
            case 1:
                buffer += i;
                break;
            case 2:
                while (i--) {
                    swaps((short *) buffer);        // this loop didn't validate the length and swaps OOB
                    buffer += 2;
                }
                break;
            case 4:
                while (i--) {                       // didn't validate the length either
                    swapl((int *) buffer);
                    buffer += 4;
                }
                break;
            }
            if (space & 3)
                buffer += 4 - (space & 3);
        }
    }
    return (*ProcRenderVector[stuff->renderReqType]) (client);
}

~~~


debug log
```
(gdb) b *0x55b5e8492000+0x12F392 if $al==0x19
Breakpoint 1 at 0x55b5e85c1392
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGUSR1, User defined signal 1.
0x00007fe021e4d5f7 in ?? () from /lib/x86_64-linux-gnu/libpixman-1.so.0
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055b5e85c1392 in ?? ()
(gdb) x/10xg $r14-0x10
0x55b5edffa438:	0x5151515151515151	0x5851515151515151
0x55b5edffa448:	0x00000000000a198b	0x0000000000000000
0x55b5edffa458:	0x0000000000000000	0x0000000900000000 		// 9 is the controlled
0x55b5edffa468:	0x0000000000000000	0x0000000000000000
0x55b5edffa478:	0x00000000a1020100	0x8008600201000101 		// another buffer
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055b5e85c1392 in ?? ()
1: x/i $pc
=> 0x55b5e85c1392:	cmp    al,0x18
(gdb) x/10xg $r14-0x10
0x55b5edffa438:	0x5151515151515151	0x5151515151515151
0x55b5edffa448:	0x00000000000a198b	0x0000000000000000
0x55b5edffa458:	0x0000000000000000	0x0000000800000000
0x55b5edffa468:	0x0000000000000000	0x0000000000000000
0x55b5edffa478:	0x00000000000102a1	0x0260088001010001		// OOB swap and corrupt another buffer
(gdb) bt
#0  0x000055b5e85c1392 in ?? ()
#1  0x000055b5e84ec99e in ?? ()
#2  0x000055b5e84f0986 in ?? ()
#3  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#4  0x000055b5e84da67a in _start ()
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
312	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
1: x/i $pc
=> 0x7fe021294733 <__memmove_avx_unaligned_erms+131>:	mov    rcx,QWORD PTR [rsi+rdx*1-0x8]
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
#1  0x00007fe0200d4b42 in fbBlt () from /usr/lib/xorg/modules/libfb.so
#2  0x00007fe0200d58a6 in fbBltStip () from /usr/lib/xorg/modules/libfb.so
#3  0x00007fe0200d9d30 in fbGetImage () from /usr/lib/xorg/modules/libfb.so
#4  0x000055b5e8638410 in ?? ()
#5  0x000055b5e8574b3b in ?? ()
#6  0x000055b5e84e9849 in ?? ()
#7  0x000055b5e84ec99e in ?? ()
#8  0x000055b5e84f0986 in ?? ()
#9  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#10 0x000055b5e84da67a in _start ()
(gdb)
```



-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/
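The check that the analysis above says the byte-swap loop lacks, written out as an added example. This is not X.Org's code and not the researcher's proposed patch: the offsets mirror the Render protocol's 8-byte xGlyphElt (len at offset 0, deltax at 4, deltay at 6, which is an assumption about the layout), `BAD_LENGTH` stands in for the server's BadLength error, and the helper names and the sample requests are constructed here. The well-formed request is swapped field by field; a request whose `len` claims more glyph ids than the declared request length holds is rejected before any swap reaches the bytes past the request, which is exactly the region the vulnerable loop corrupts.

```c
/* Added example, not X.Org code: a bounds-checked version of the byte-swap
 * loop in SProcRenderCompositeGlyphs(). Offsets assume the 8-byte xGlyphElt
 * layout (len at 0, deltax at 4, deltay at 6); helper names, return codes
 * and the sample requests are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ELT_SIZE   8      /* sizeof(xGlyphElt) */
#define OFF_DELTAX 4
#define OFF_DELTAY 6
#define SUCCESS    0
#define BAD_LENGTH (-1)   /* stands in for the server's BadLength error */

static void swap16(uint8_t *b) { uint8_t t = b[0]; b[0] = b[1]; b[1] = t; }
static void swap32(uint8_t *b) {
    uint8_t t = b[0]; b[0] = b[3]; b[3] = t;
    t = b[1]; b[1] = b[2]; b[2] = t;
}

/* Byte-swap every multi-byte field of the glyph element list in place.
 * buf/req_len cover only the element area after the fixed request header;
 * size is the glyph id width (1, 2 or 4). Unlike the vulnerable loop, the
 * id array is checked against the request end before anything is swapped. */
int swap_glyph_elts(uint8_t *buf, size_t req_len, int size)
{
    uint8_t *end = buf + req_len;

    /* same loop condition as the original: the 8-byte header must fit */
    while ((size_t)(end - buf) > ELT_SIZE) {
        uint8_t len = buf[0];
        swap16(buf + OFF_DELTAX);
        swap16(buf + OFF_DELTAY);
        buf += ELT_SIZE;
        size_t remaining = (size_t)(end - buf);

        if (len == 0xff) {
            /* glyphset switch: a single 32-bit id follows the header */
            if (remaining < 4)
                return BAD_LENGTH;
            swap32(buf);
            buf += 4;
        } else {
            size_t space = (size_t)size * len;
            /* the check the vulnerable code lacks: whole id array in range? */
            if (space > remaining)
                return BAD_LENGTH;
            for (size_t i = 0; i < len; i++) {
                if (size == 2)      swap16(buf + 2 * i);
                else if (size == 4) swap32(buf + 4 * i);
            }
            buf += space;
            if (space & 3) {              /* ids are padded to 4 bytes */
                size_t pad = 4 - (space & 3);
                if (pad > remaining - space)
                    return BAD_LENGTH;
                buf += pad;
            }
        }
    }
    return SUCCESS;
}

/* Constructed request: one element, three 16-bit glyph ids, 2 pad bytes. */
static const uint8_t well_formed[16] = {
    0x03, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04,
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00 };
static const uint8_t expected[16] = {
    0x03, 0x00, 0x00, 0x00, 0x02, 0x01, 0x04, 0x03,
    0xBB, 0xAA, 0xDD, 0xCC, 0xFF, 0xEE, 0x00, 0x00 };

/* 1 if the well-formed request is swapped field by field as expected. */
int demo_well_formed(void)
{
    uint8_t buf[16];
    memcpy(buf, well_formed, sizeof buf);
    return swap_glyph_elts(buf, sizeof buf, 2) == SUCCESS
        && memcmp(buf, expected, sizeof buf) == 0;
}

/* 1 if an oversized len is rejected and the canary bytes past the request
 * (standing in for the neighbouring allocation) are left untouched. */
int demo_oversized_len(void)
{
    uint8_t buf[16 + 8];
    memcpy(buf, well_formed, 16);
    buf[0] = 0x10;                   /* claims 16 ids = 32 bytes; 8 remain */
    memset(buf + 16, 0x41, 8);
    int rc = swap_glyph_elts(buf, 16, 2);
    for (int i = 16; i < 24; i++)
        if (buf[i] != 0x41) return 0;
    return rc == BAD_LENGTH;
}

/* 1 if the glyphset-switch path (len == 0xff) swaps a complete 32-bit id
 * but refuses one that the declared request length cuts short. */
int demo_font_switch(void)
{
    uint8_t ok[12]  = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44 };
    uint8_t cut[12] = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44 };
    if (swap_glyph_elts(ok, 12, 4) != SUCCESS || ok[8] != 0x44 || ok[11] != 0x11)
        return 0;
    return swap_glyph_elts(cut, 10, 4) == BAD_LENGTH;   /* only 2 id bytes in range */
}

int main(void)
{
    printf("well-formed: %d\noversized len: %d\nfont switch: %d\n",
           demo_well_formed(), demo_oversized_len(), demo_font_switch());
    return 0;
}
```

The decisive difference from the vulnerable loop is that `space` is compared with the bytes left before the request end, and the function returns an error instead of swapping; in the server the corresponding `BadLength` return happens before the request is dispatched, so the malformed request never reaches the real handler. The upstream fix is the render commit listed in the X.Org advisory further down this bug; this example illustrates the same kind of check, not that commit's exact code.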
Comment 2 Gianluca Gabrielli 2021-11-24 09:24:57 UTC
Created attachment 853995 [details]
Researcher proposed patch
Comment 7 Gianluca Gabrielli 2021-11-24 10:50:21 UTC
Affected packages:
 - SUSE:SLE-11-SP1:Update/xorg-x11-server
 - SUSE:SLE-11-SP3:Update/xorg-x11-server
 - SUSE:SLE-12-SP2:Update/xorg-x11-server
 - SUSE:SLE-12-SP4:Update/xorg-x11-server
 - SUSE:SLE-12-SP5:Update/xorg-x11-server
 - SUSE:SLE-15:Update/xorg-x11-server
 - SUSE:SLE-15-SP1:Update/xorg-x11-server
 - SUSE:SLE-15-SP2:Update/xorg-x11-server
 - openSUSE:Factory/xorg-x11-server
Comment 9 Stefan Dirsch 2021-11-25 11:58:31 UTC
According to is_maintained only these are needed.

SUSE:SLE-11-SP1:Update
SUSE:SLE-11-SP3:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP5:Update
SUSE:SLE-15-SP1:GA
SUSE:SLE-15-SP2:Update

Instead of SUSE:SLE-15-SP1:GA I'll do the update for SUSE:SLE-15-SP1:Update. Are you sure these are also needed?

SUSE:SLE-12-SP4:Update/xorg-x11-server
SUSE:SLE-15:Update/xorg-x11-server

I'll care of openSUSE:Factory/xorg-x11-server tomorrow.
Comment 10 Stefan Dirsch 2021-11-25 12:14:26 UTC
(In reply to Stefan Dirsch from comment #9)
> According to is_maintained only these are needed.
> 
> SUSE:SLE-11-SP1:Update
> SUSE:SLE-11-SP3:Update
> SUSE:SLE-12-SP2:Update
> SUSE:SLE-12-SP5:Update
> SUSE:SLE-15-SP1:GA
> SUSE:SLE-15-SP2:Update
> 
> Instead of SUSE:SLE-15-SP1:GA I'll do the update for SUSE:SLE-15-SP1:Update.

Done. 6 submit requests.
Comment 11 Gianluca Gabrielli 2021-11-25 12:37:05 UTC
(In reply to Stefan Dirsch from comment #9)
> According to is_maintained only these are needed.
> 
> SUSE:SLE-11-SP1:Update
> SUSE:SLE-11-SP3:Update
> SUSE:SLE-12-SP2:Update
> SUSE:SLE-12-SP5:Update
> SUSE:SLE-15-SP1:GA
> SUSE:SLE-15-SP2:Update
> 
> Instead of SUSE:SLE-15-SP1:GA I'll do the update for SUSE:SLE-15-SP1:Update.
> Are you sure these are also needed?

Right, please use SUSE:SLE-15-SP1:Update. Maintainers should never submit to :GA projects.

> SUSE:SLE-12-SP4:Update/xorg-x11-server
> SUSE:SLE-15:Update/xorg-x11-server

Yes please.

> I'll care of openSUSE:Factory/xorg-x11-server tomorrow.
Comment 12 Stefan Dirsch 2021-11-25 13:13:10 UTC
(In reply to Gianluca Gabrielli from comment #11)
> > SUSE:SLE-12-SP4:Update/xorg-x11-server
> > SUSE:SLE-15:Update/xorg-x11-server
> 
> Yes please.

Submitted.
Comment 21 Robert Frohl 2021-12-14 13:50:09 UTC
public via oss-security:

X.Org Security Advisory: December 14, 2021

Multiple input validation failures in X server extensions
=========================================================

All of the following issues can lead to local privileges elevation on
systems where the X server is running privileged and remote code
execution for ssh X forwarding sessions.

* CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds
access

The handler for the CompositeGlyphs request of the Render extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2021-4009/ZDI-CAN-14950 SProcXFixesCreatePointerBarrier
out-of-bounds access

The handler for the CreatePointerBarrier request of the XFixes extension
does not properly validate the request length leading to out of bounds
memory write.

* CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access

The handler for the Suspend request of the Screen Saver extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access

The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write.

Patches
-------

Patches for these issues have been committed to the xorg server git
repository (https://gitlab.freedesktop.org/xorg/xserver). xorg-server
21.1.2 will be released shortly and will include these patches.

commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60

    render: Fix out of bounds access in SProcRenderCompositeGlyphs()

    ZDI-CAN-14192, CVE-2021-4008

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit b5196750099ae6ae582e1f46bd0a6dad29550e02

    xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

    ZDI-CAN-14950, CVE-2021-4009

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21

    Xext: Fix out of bounds access in SProcScreenSaverSuspend()

    ZDI-CAN-14951, CVE-2021-4010

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit e56f61c79fc3cee26d83cda0f84ae56d5979f768

    record: Fix out of bounds access in SwapCreateRegister()

    ZDI-CAN-14952, CVE-2021-4011

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.

--
Povilas Kanapickas
Comment 22 OBSbugzilla Bot 2021-12-14 16:20:04 UTC
This is an autogenerated message for OBS integration:
This bug (1193030) was mentioned in
https://build.opensuse.org/request/show/940510 Factory / xorg-x11-server
Comment 24 Stefan Dirsch 2021-12-14 16:42:19 UTC
Considered done. Reassigning back to security team.
Comment 25 Swamp Workflow Management 2021-12-14 17:17:53 UTC
openSUSE-SU-2021:4070-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xorg-x11-server-1.20.3-22.5.39.1
Comment 26 Swamp Workflow Management 2021-12-14 17:21:09 UTC
SUSE-SU-2021:4064-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.25.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.25.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.25.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-12-14 17:22:29 UTC
SUSE-SU-2021:4071-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.19.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.19.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xorg-x11-server-1.20.3-14.5.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xorg-x11-server-1.20.3-14.5.19.1
SUSE Enterprise Storage 6 (src):    xorg-x11-server-1.20.3-14.5.19.1
SUSE CaaS Platform 4.0 (src):    xorg-x11-server-1.20.3-14.5.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2021-12-14 17:23:52 UTC
SUSE-SU-2021:14863-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.43.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.43.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.43.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2021-12-14 17:26:27 UTC
SUSE-SU-2021:4069-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.43.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.43.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.43.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.43.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.43.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.43.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2021-12-14 17:29:06 UTC
SUSE-SU-2021:4066-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.26.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2021-12-14 17:33:05 UTC
SUSE-SU-2021:4070-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.39.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.39.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.39.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.39.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.39.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2021-12-14 17:34:22 UTC
SUSE-SU-2021:4065-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.33.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.33.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.33.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 OBSbugzilla Bot 2021-12-14 21:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (1193030) was mentioned in
https://build.opensuse.org/request/show/940574 Factory / xorg-x11-server
Comment 36 Swamp Workflow Management 2021-12-15 14:22:21 UTC
openSUSE-SU-2021:1587-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1193030
CVE References: CVE-2021-4008
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.33.1