Bugzilla – Bug 1194179
VUL-0: CVE-2022-2319: ZDI-CAN-16062: xorg-x11-server: OOB access in _CheckSetSections()
Last modified: 2022-09-12 08:31:34 UTC
-- ABSTRACT ------------------------------------- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: X.Org - Server -- VULNERABILITY DETAILS ------------------------ * Version tested: 1.20.11 * Installer file: debian-live-11.1.0-amd64-xfce.iso * Platform tested: debian-live-11.1.0-amd64-xfce --- ### Analysis ``` The exploit does not work when the OS is installed on VMware or on VirtualBox with the default graphics controller; it works on VirtualBox with the VBoxVGA graphics controller (reportedly this depends on which display driver the X server loads). The OOB access is in the X server's _CheckSetSections() (xkb/xkb.c): https://gitlab.freedesktop.org/xorg/xserver/-/blob/master/xkb/xkb.c#L5332 (line number as of master at the time of the report; pin a commit when reproducing). Root cause: ProcXkbSetGeometry only checks the fixed-size request header with REQUEST_AT_LEAST_SIZE, while the variable-length section/row/key data that follows it is walked using client-supplied counts (nSections, nRows, nKeys) that are never bounded against the actual request length, so the byte-swap and copy loops read and write past the end of the request buffer. The exploit uses pixmaps to spray the heap and turns the OOB access into an arbitrary read/write primitive. On distributions where the X server runs as root (Xorg in Debian XFCE runs as root with certain display drivers) this is a local privilege escalation; in an SSH X11-forwarding setup a malicious X client on the remote host can reach the local X server, giving remote code execution. ``` ~~~C++ int ProcXkbSetGeometry(ClientPtr client) { DeviceIntPtr dev; int rc; REQUEST(xkbSetGeometryReq); REQUEST_AT_LEAST_SIZE(xkbSetGeometryReq); if (!(client->xkbClientFlags & _XkbClientInitialized)) return BadAccess; CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess); CHK_ATOM_OR_NONE(stuff->name); rc = _XkbSetGeometry(client, dev, stuff); // (1) ... } static int _XkbSetGeometry(ClientPtr client, DeviceIntPtr dev, xkbSetGeometryReq * stuff) { XkbDescPtr xkb; Bool new_name; xkbNewKeyboardNotify nkn; XkbGeometryPtr geom, old; XkbGeometrySizesRec sizes; Status status; xkb = dev->key->xkbInfo->desc; old = xkb->geom; xkb->geom = NULL; ... geom = xkb->geom; geom->name = stuff->name; geom->width_mm = stuff->widthMM; geom->height_mm = stuff->heightMM; if ((status = _CheckSetGeom(geom, stuff, client)) != Success) { // (2) XkbFreeGeometry(geom, XkbGeomAllMask, TRUE); xkb->geom = old; return status; } ... } static Status _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) { ... if ((status = _CheckSetSections(geom, req, &wire, client)) != Success) // (3) return status; ... 
} static Status _CheckSetSections(XkbGeometryPtr geom, xkbSetGeometryReq * req, char **wire_inout, ClientPtr client) { Status status; register int s; char *wire; xkbSectionWireDesc *sWire; XkbSectionPtr section; wire = *wire_inout; if (req->nSections < 1) return Success; sWire = (xkbSectionWireDesc *) wire; for (s = 0; s < req->nSections; s++) { // (4) req->nSections is controlled and didn't validate register int r; xkbRowWireDesc *rWire; if (client->swapped) { swapl(&sWire->name); // (5) OOB access swaps(&sWire->top); swaps(&sWire->left); swaps(&sWire->width); swaps(&sWire->height); swaps(&sWire->angle); } CHK_ATOM_ONLY(sWire->name); ... rWire = (xkbRowWireDesc *) &sWire[1]; for (r = 0; r < sWire->nRows; r++) { // (4) sWire->nRows is controlled and didn't validate register int k; XkbRowPtr row; xkbKeyWireDesc *kWire; if (client->swapped) { swaps(&rWire->top); // (5) OOB access swaps(&rWire->left); } ... kWire = (xkbKeyWireDesc *) &rWire[1]; for (k = 0; k < rWire->nKeys; k++) { // (4) rWire->nKeys is controlled and didn't validate XkbKeyPtr key; ... } rWire = (xkbRowWireDesc *) &kWire[rWire->nKeys]; } wire = (char *) rWire; ... sWire = (xkbSectionWireDesc *) wire; } wire = (char *) sWire; *wire_inout = wire; return Success; } ~~~ debug log ``` (gdb) b *0x559599821000+0x15924B Breakpoint 1 at 0x55959997a24b (gdb) b *0x559599821000+0x159304 Breakpoint 2 at 0x55959997a304 (gdb) c Continuing. Thread 1 "Xorg" hit Breakpoint 1, 0x000055959997a24b in ?? 
() (gdb) x/10i $pc => 0x55959997a24b: mov DWORD PTR [r15],edi // swapl(&sWire->name); 0x55959997a24e: rol WORD PTR [r15+0x4],0x8 0x55959997a254: rol WORD PTR [r15+0x6],0x8 0x55959997a25a: rol WORD PTR [r15+0x8],0x8 0x55959997a260: rol WORD PTR [r15+0xa],0x8 0x55959997a266: rol WORD PTR [r15+0xc],0x8 0x55959997a26c: test edi,edi 0x55959997a26e: je 0x55959997a634 0x55959997a274: call 0x55959986a340 <ValidAtom> 0x55959997a279: test eax,eax (gdb) x/64xb $r15 0x5595a0b65848: 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x5595a0b65850: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x5595a0b65858: 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x5595a0b65860: 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x5595a0b65868: 0xa1 0x02 0x01 0x00 0x00 0x00 0x00 0x00 0x5595a0b65870: 0x01 0x00 0x01 0x01 0x80 0x08 0x80 0x03 0x5595a0b65878: 0x00 0x00 0x00 0x00 0x40 0x00 0x40 0x20 0x5595a0b65880: 0x70 0x3f 0x62 0x9b 0x95 0x55 0x00 0x00 (gdb) x/10xg 0x5595a0b65860 0x5595a0b65860: 0x0000000000000003 0x00000000000102a1 0x5595a0b65870: 0x0380088001010001 0x2040004000000000 // next chunk body 0x5595a0b65880: 0x000055959b623f70 0x0000000000001a66 0x5595a0b65890: 0x00005595a0b658b8 0x0000000800000001 0x5595a0b658a0: 0x00005595a0b65908 0x0000000000000000 (gdb) c Continuing. Thread 1 "Xorg" hit Breakpoint 2, 0x000055959997a304 in ?? () (gdb) x/10i $pc => 0x55959997a304: rol WORD PTR [rbx],0x8 // swaps(&rWire->top); 0x55959997a308: rol WORD PTR [rbx+0x2],0x8 0x55959997a30d: movzx esi,BYTE PTR [rbx+0x4] 0x55959997a311: mov rdi,r13 0x55959997a314: call 0x5595999a2b40 0x55959997a319: mov rbp,rax 0x55959997a31c: test rax,rax 0x55959997a31f: je 0x55959997a3b0 0x55959997a325: movzx eax,WORD PTR [rbx] 0x55959997a328: mov WORD PTR [rbp+0x0],ax (gdb) i r $rbx rbx 0x5595a0b6585c 94101134792796 (gdb) c Continuing. Thread 1 "Xorg" hit Breakpoint 2, 0x000055959997a304 in ?? () (gdb) i r $rbx rbx 0x5595a0b6587c 94101134792828 (gdb) si 0x000055959997a308 in ?? () (gdb) si 0x000055959997a30d in ?? 
() (gdb) x/10xg 0x5595a0b65860 0x5595a0b65860: 0x0000000000000003 0x00000000000102a1 0x5595a0b65870: 0x0380088001010001 0x4020400000000000 // next chunk body is corrupted by swap() 0x5595a0b65880: 0x000055959b623f70 0x0000000000001a66 0x5595a0b65890: 0x00005595a0b658b8 0x0000000800000001 0x5595a0b658a0: 0x00005595a0b65908 0x0000000000000000 (gdb) bt #0 0x000055959997a30d in ?? () #1 0x00005595999831dc in ?? () #2 0x000055959987c544 in ?? () #3 0x0000559599880544 in ?? () #4 0x00007f6ee51efd0a in __libc_start_main (main=0x559599869ca0, argc=10, argv=0x7ffc117933f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc117933e8) at ../csu/libc-start.c:308 #5 0x0000559599869cda in _start () (gdb) c Continuing. Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault. __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:333 333 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory. (gdb) bt #0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:333 #1 0x00007f6ee464fc61 in fbBlt () from /usr/lib/xorg/modules/libfb.so #2 0x00007f6ee4650a26 in fbBltStip () from /usr/lib/xorg/modules/libfb.so #3 0x00007f6ee4654ef0 in fbGetImage () from /usr/lib/xorg/modules/libfb.so #4 0x00005595999cd488 in ?? () #5 0x0000559599906ad5 in ?? () #6 0x000055959987952b in ?? () #7 0x000055959987c544 in ?? () #8 0x0000559599880544 in ?? 
() #9 0x00007f6ee51efd0a in __libc_start_main (main=0x559599869ca0, argc=10, argv=0x7ffc117933f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc117933e8) at ../csu/libc-start.c:308 #10 0x0000559599869cda in _start () (gdb) ``` -- CVSS ----------------------------------------- 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -- CREDIT --------------------------------------- This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative -- FURTHER DETAILS ------------------------------ The PGP key used for all ZDI vendor communications is available from: http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc -- DISCLOSURE POLICY ---------------------------- Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/
Affected codestreams: - SUSE:SLE-11-SP1:Update 7.4-27.40.79.27.1 - SUSE:SLE-11-SP3:Update 7.4-27.122.40.1 - SUSE:SLE-12-SP2:Update 7.6_1.18.3-76.40.1 - SUSE:SLE-12-SP4:Update 1.19.6-4.22.1 - SUSE:SLE-12-SP5:Update 1.19.6-10.23.1 - SUSE:SLE-15:Update 1.19.6 - SUSE:SLE-15-SP1:Update 1.20.3-14.5.16.1 - SUSE:SLE-15-SP2:Update 1.20.3-22.5.36.1 - openSUSE:Leap:15.3:Update 1.20.3 - openSUSE:Factory 21.1.2
Is there already a proposal for a fix available?
(In reply to Stefan Dirsch from comment #5) > Is there already a proposal for a fix available? I can't find anything either; we have received nothing from upstream or from ZDI so far. I will let you know once we have further information.
Thanks for checking. I'll ask again in time for CRD. ;-)
SUSE:SLE-15-SP4:Update is also affected
Patches are still pending ...
Hmm. This is long overdue. Still no patches available ... can you ask again?
There is now hurried patch development. We will update the bug further. CVE is CVE-2022-2319
CRD: 2022-07-12 12:00 UTC
Created attachment 860031 [details] 0001-xkb-add-request-length-validation-for-XkbSetGeometry.patch From: Peter Hutterer <peter.hutterer@redhat.com> Please see v2 of the patch attached. Note that this patch requires the below MR (in particular the last commit from that MR, which introduces the _XkbCheckRequestBounds() helper the patch relies on), so backports must carry that commit as well: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/933 This version uses the existing _XkbCheckRequestBounds() function to check the section/row/key wire data against the request length, bringing it more in line with the other request handlers. Cheers, Peter
I have issues with SUSE:SLE-12-SP2:Update/xorg-x11-server When branching this. I don't have any build repositories defined. So I can't test the build.
(In reply to Stefan Dirsch from comment #16) > I have issues with > > SUSE:SLE-12-SP2:Update/xorg-x11-server > > When branching this. I don't have any build repositories defined. So I can't > test the build. Forget about this one. Was my fault. I checked this out years ago it seems.
(In reply to Thomas Leroy from comment #4) > Affected codestreams: > - SUSE:SLE-11-SP1:Update 7.4-27.40.79.27.1 rejected because product end-of-life > - SUSE:SLE-11-SP3:Update 7.4-27.122.40.1 > - SUSE:SLE-12-SP2:Update 7.6_1.18.3-76.40.1 > - SUSE:SLE-12-SP4:Update 1.19.6-4.22.1 > - SUSE:SLE-12-SP5:Update 1.19.6-10.23.1 > - SUSE:SLE-15:Update 1.19.6 > - SUSE:SLE-15-SP1:Update 1.20.3-14.5.16.1 > - SUSE:SLE-15-SP2:Update 1.20.3-22.5.36.1 submitted and already checked in. Can be QA'ed. > - openSUSE:Leap:15.3:Update 1.20.3 Need to check this still. Patches should be identical to SUSE:SLE-15-SP2:Update. > - openSUSE:Factory 21.1.2 Prepared. I'll submit this on CRD or the day after. Once I've seen the official announcement.
(In reply to Stefan Dirsch from comment #20) > > - openSUSE:Leap:15.3:Update 1.20.3 > > Need to check this still. Patches should be identical to > SUSE:SLE-15-SP2:Update. Sources are identical # iosc rdiff SUSE:SLE-15-SP2:Update xorg-x11-server openSUSE.org:openSUSE:Leap:15.3:Update xorg-x11-server # And sources of openSUSE:Leap:15.3:Update are inherited from SUSE:SLE-15-SP2:Update. # osc branch openSUSE:Leap:15.3:Update xorg-x11-server Note: The branch has been created of a different project, SUSE:SLE-15-SP2:Update, which is the primary location of where development for that package takes place. That's also where you would normally make changes against. A direct branch of the specified package can be forced with the --nodevelproject option. A working copy of the branched package can be checked out with: osc co home:sndirsch:branches:SUSE:SLE-15-SP2:Update/xorg-x11-server ==> So nothing more to do here.
Subject: X.Org Security Advisory: July 12, 2022 Date: Tue, 12 Jul 2022 15:55:05 +0300 From: Povilas Kanapickas <povilas@radix.lt> ... X.Org Security Advisory: July 12, 2022 Multiple input validation failures in X server extensions ========================================================= All these issues can lead to local privilege escalation on systems where the X server is running privileged, and to remote code execution for SSH X forwarding sessions. * CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds Access The handler for the ProcXkbSetGeometry request of the Xkb extension does not properly validate the request length, leading to an out-of-bounds memory write.
Thanks. Now also checked into devel project (X11:XOrg/xorg-x11-server) and submitted to factory/TW. https://build.opensuse.org/request/show/988635 Reassigning to security team.
SUSE-SU-2022:2373-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1194179,1194181 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xorg-x11-server-1.19.6-10.32.1 SUSE Linux Enterprise Server 12-SP5 (src): xorg-x11-server-1.19.6-10.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2370-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1194179,1194181,1200076 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.5.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2369-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1194179,1194181 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): xorg-x11-server-1.19.6-4.31.1 SUSE OpenStack Cloud 9 (src): xorg-x11-server-1.19.6-4.31.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): xorg-x11-server-1.19.6-4.31.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): xorg-x11-server-1.19.6-4.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2371-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1194179,1194181 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): xorg-x11-server-1.19.6-150000.8.39.1 SUSE Linux Enterprise Server 15-LTSS (src): xorg-x11-server-1.19.6-150000.8.39.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xorg-x11-server-1.19.6-150000.8.39.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xorg-x11-server-1.19.6-150000.8.39.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2372-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1194179,1194181 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: SUSE Linux Enterprise Server 12-SP3-BCL (src): xorg-x11-server-7.6_1.18.3-76.49.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): xorg-x11-server-7.6_1.18.3-76.49.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2375-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1194179,1194181 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 openSUSE Leap 15.3 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Manager Server 4.1 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Manager Retail Branch Server 4.1 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Manager Proxy 4.1 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Workstation Extension 15-SP4 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Workstation Extension 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): xorg-x11-server-1.20.3-150200.22.5.55.1 SUSE Enterprise Storage 7 (src): xorg-x11-server-1.20.3-150200.22.5.55.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2374-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1194179,1194181 CVE References: CVE-2022-2319,CVE-2022-2320 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): xorg-x11-server-1.20.3-150100.14.5.25.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): xorg-x11-server-1.20.3-150100.14.5.25.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): xorg-x11-server-1.20.3-150100.14.5.25.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): xorg-x11-server-1.20.3-150100.14.5.25.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): xorg-x11-server-1.20.3-150100.14.5.25.1 SUSE Enterprise Storage 6 (src): xorg-x11-server-1.20.3-150100.14.5.25.1 SUSE CaaS Platform 4.0 (src): xorg-x11-server-1.20.3-150100.14.5.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done