Bug 1194181 - (CVE-2022-2320) VUL-0: CVE-2022-2320: ZDI-CAN-16070: xorg-x11-server: OOB access in CheckSetDeviceIndicators()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/319300/
CVSSv3.1:SUSE:CVE-2022-2320:7.8:(AV:L...
Reported: 2021-12-30 14:28 UTC by Carlos López
Modified: 2022-10-18 08:09 UTC (History)
Attachments
0001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch (7.22 KB, patch)
2022-07-06 07:19 UTC, Marcus Meissner

Description Carlos López 2021-12-30 14:28:34 UTC
ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds Access Local Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested: 1.20.11
* Installer file: debian-live-11.1.0-amd64-xfce.iso
* Platform tested: debian-live-11.1.0-amd64-xfce

---

### Analysis

```
the exploit doesn't work if the OS is installed on VMware or default VirtualBox
it works on VirtualBox with the VBoxVGA graphics controller

OOB access bug exists in xserver, CheckSetDeviceIndicators()
https://gitlab.freedesktop.org/xorg/xserver/-/blob/master/xkb/xkb.c#L6567
the exploit uses pixmaps to spray and achieve arbitrary read/write
it leads to LPE for some distributions (Xorg in Debian XFCE runs as root under specific display drivers) and RCE for ssh X11 forwarding environments
```

```c
int
ProcXkbSetDeviceInfo(ClientPtr client)
{
        ...
        /* checks done, apply */
        rc = _XkbSetDeviceInfo(client, dev, stuff); // 1
        ...
}

static int
_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, xkbSetDeviceInfoReq * stuff)
{
        char *wire;
        wire = (char *) &stuff[1];
        ...
        if (stuff->change & XkbXI_IndicatorsMask) {
                int status = Success;
                wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs, &status, client); // 2, stuff->nDeviceLedFBs is controlled
        ...
}

static char *
CheckSetDeviceIndicators(char *wire,
                         DeviceIntPtr dev,
                         int num, int *status_rtrn, ClientPtr client)
{
    xkbDeviceLedsWireDesc *ledWire;
    int i;
    XkbSrvLedInfoPtr sli;

    ledWire = (xkbDeviceLedsWireDesc *) wire;
    for (i = 0; i < num; i++) {
        if (client->swapped) {
            swaps(&ledWire->ledClass);
            swaps(&ledWire->ledID);
            swapl(&ledWire->namesPresent);
            swapl(&ledWire->mapsPresent);
            swapl(&ledWire->physIndicators);            // OOB write here
        }
...
}
```

debug log
```
(gdb) b *0x556546b94000+0x158A4C
Breakpoint 1 at 0x556546ceca4c
(gdb) x/10i 0x556546b94000+0x158A4C
   0x556546ceca4c:      mov    eax,DWORD PTR [r13+0xc]                  // swapl(&ledWire->physIndicators);
   0x556546ceca50:      bswap  eax
   0x556546ceca52:      mov    DWORD PTR [r13+0xc],eax
   0x556546ceca56:      movzx  edx,dx
   0x556546ceca59:      movzx  esi,si
   0x556546ceca5c:      mov    ecx,0x1c
   0x556546ceca61:      mov    rdi,rbp
   0x556546ceca64:      call   0x556546cffd00 <XkbFindSrvLedInfo>
   0x556546ceca69:      test   rax,rax
   0x556546ceca6c:      je     0x556546cec9c8
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x0000556546ceca4c in ?? ()
(gdb) x/32xb $r13
0x55654c6a1be8: 0x00    0x03    0x00    0x04    0x00    0x00    0x00    0x00
0x55654c6a1bf0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55654c6a1bf8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55654c6a1c00: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
(gdb) x/96xb 0x55654c6a1bd0
0x55654c6a1bd0: 0x51    0x51    0x51    0x51    0x51    0x51    0x51    0x51
0x55654c6a1bd8: 0x51    0x51    0x51    0x58    0x87    0x19    0x09    0x00            // request1
0x55654c6a1be0: 0x00    0x01    0x00    0x00    0x1c    0x00    0x02    0x00
0x55654c6a1be8: 0x00    0x03    0x00    0x04    0x00    0x00    0x00    0x00            // request2
0x55654c6a1bf0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55654c6a1bf8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55654c6a1c00: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x55654c6a1c08: 0xa1    0x00    0x01    0x00    0x00    0x00    0x00    0x00            // next chunk
0x55654c6a1c10: 0x01    0x00    0x01    0x01    0x7e    0x0a    0x60    0x03
0x55654c6a1c18: 0x00    0x00    0x00    0x00    0x40    0x00    0x00    0x20
0x55654c6a1c20: 0x90    0x3f    0x1c    0x47    0x65    0x55    0x00    0x00
0x55654c6a1c28: 0x42    0x3f    0x00    0x00    0x00    0x00    0x00    0x00
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x0000556546ceca4c in ?? ()
(gdb) x/10xg $r13+0xc-8
0x55654c6a1c00: 0x0000000000000000      0x00000000000100a1
0x55654c6a1c10: 0x03600a7e01010001      0x2000004000000000
0x55654c6a1c20: 0x00005565471c3f90      0x0000000000003f42
0x55654c6a1c30: 0x000055654c6a1c58      0x0000000800000001
0x55654c6a1c40: 0x000055654c6a1ca8      0x0000000000000000
(gdb) bt
#0  0x0000556546ceca4c in ?? ()
#1  0x0000556546cf8243 in ?? ()
#2  0x0000556546bef544 in ?? ()
#3  0x0000556546bf3544 in ?? ()
#4  0x00007f367e379d0a in __libc_start_main (main=0x556546bdcca0, argc=10, argv=0x7ffd0defc608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd0defc5f8) at ../csu/libc-start.c:308
#5  0x0000556546bdccda in _start ()
(gdb) si
0x0000556546ceca50 in ?? ()
(gdb) si
0x0000556546ceca52 in ?? ()
(gdb) si
0x0000556546ceca56 in ?? ()
(gdb) x/10xg $r13+0xc-8
0x55654c6a1c00: 0x0000000000000000      0x00000000a1000100              // next chunk header is corrupted
0x55654c6a1c10: 0x03600a7e01010001      0x2000004000000000
0x55654c6a1c20: 0x00005565471c3f90      0x0000000000003f42
0x55654c6a1c30: 0x000055654c6a1c58      0x0000000800000001
0x55654c6a1c40: 0x000055654c6a1ca8      0x0000000000000000
(gdb)
```



-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy
Comment 3 Carlos López 2021-12-30 16:15:22 UTC
Affected:
 - SUSE:SLE-11-SP1:Update
 - SUSE:SLE-11-SP3:Update
 - SUSE:SLE-12-SP2:Update
 - SUSE:SLE-12-SP4:Update
 - SUSE:SLE-12-SP5:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP1:Update
 - SUSE:SLE-15-SP2:Update
 - openSUSE:Factory
Comment 4 Stefan Dirsch 2022-01-05 11:07:21 UTC
CRD already available?
Comment 6 Stefan Dirsch 2022-04-04 16:47:17 UTC
Is there already a proposal for a fix available?
Comment 8 Gabriele Sonnu 2022-04-12 13:44:03 UTC
SUSE:SLE-15-SP4:Update is also affected.
Comment 9 Stefan Dirsch 2022-04-28 08:53:03 UTC
Patches are still pending ...
Comment 10 Stefan Dirsch 2022-05-13 19:22:37 UTC
Hmm. This is long overdue. Still no patches available ... can you ask again?
Comment 13 Marcus Meissner 2022-07-06 07:04:04 UTC
CVE was assigned CVE-2022-2320

There is hurried patch development now.
Comment 15 Marcus Meissner 2022-07-06 07:19:11 UTC
Created attachment 860032 [details]
0001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch

From: Peter Hutterer <peter.hutterer@redhat.com>

Attached is version 2 of the patch, please disregard the first one.

Turns out the problem was slightly more subtle but at least easy enough 
to fix. A naming error introduced (by me) 14 years ago resulted in two 
functions being named the inverse of what they're supposed to be, so 
values were processed before they were checked for validity. A simple 
name swap fixed the exploit provided in this thread, but the length 
checks needed to be moved to the correct function too to avoid 
triggering ZDI-CAN 11389 / CVE-2020-25712 again.

This should probably be two patches, but it's a lot easier to do both 
changes in one patch and have everyone fix it with one patch only.

Cheers,
   Peter
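The request-length problem described in the ZDI analysis in the description (the loop in CheckSetDeviceIndicators() trusts the client-supplied nDeviceLedFBs and byte-swaps blocks in place until it runs off the request and into the next heap chunk) and in Peter Hutterer's note above (values processed before they were checked), as an added example that is not code from the X server, the ZDI report or the attached patch. It assumes a simplified model: the block layout mirrors xkbproto's xkbDeviceLedsWireDesc (20 bytes, which matches the 20-byte stride between the two breakpoint hits in the gdb log), the variable-length tail is one CARD32 atom per namesPresent bit and one 12-byte map per mapsPresent bit, and the function names, the 64-byte arena and the sentinel bytes (taken from the chunk header value shown in the gdb log) are constructed for the demonstration. The upstream fix is not reproduced here; the checked function only shows the shape a bounds check needs to have.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not X server code: models the unchecked nDeviceLedFBs walk in
 * CheckSetDeviceIndicators() next to a bounds-checked version. LedsWire follows
 * xkbproto's xkbDeviceLedsWireDesc (20 bytes, matching the stride between the
 * two breakpoint hits in the gdb log); names, arena and sentinel are invented. */

#define BAD_LENGTH    16            /* core X protocol BadLength error code */
#define MAP_WIRE_SIZE 12            /* sizeof(xkbIndicatorMapWireDesc) */

typedef struct {
    uint16_t ledClass;
    uint16_t ledID;
    uint32_t namesPresent;          /* one CARD32 atom per set bit follows the block */
    uint32_t mapsPresent;           /* one 12-byte map per set bit follows the atoms */
    uint32_t physIndicators;        /* offset 12: the swapl() hit at the breakpoint */
    uint32_t state;
} LedsWire;

static uint32_t bswap32(uint32_t v) { return __builtin_bswap32(v); }
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

static size_t tail_len(uint32_t names, uint32_t maps)
{
    return 4u * __builtin_popcount(names) + MAP_WIRE_SIZE * __builtin_popcount(maps);
}

/* Pre-fix shape: trusts num and byte-swaps each block in place, walking into
 * whatever memory follows the request. Returns bytes walked. */
size_t vulnerable_swap_leds(uint8_t *wire, unsigned num)
{
    size_t off = 0;
    for (unsigned i = 0; i < num; i++) {
        LedsWire lw;
        memcpy(&lw, wire + off, sizeof lw);
        lw.ledClass       = bswap16(lw.ledClass);
        lw.ledID          = bswap16(lw.ledID);
        lw.namesPresent   = bswap32(lw.namesPresent);
        lw.mapsPresent    = bswap32(lw.mapsPresent);
        lw.physIndicators = bswap32(lw.physIndicators);
        memcpy(wire + off, &lw, sizeof lw);
        off += sizeof lw + tail_len(lw.namesPresent, lw.mapsPresent);
    }
    return off;
}

/* Fixed shape: a block and its variable-length tail must fit in the bytes the
 * request carries before anything is swapped; masks are decoded into locals so
 * a rejected request leaves the buffer untouched. Returns bytes consumed or -BAD_LENGTH. */
long check_set_device_indicators(const uint8_t *wire, size_t avail,
                                 unsigned num, int swapped)
{
    size_t off = 0;
    for (unsigned i = 0; i < num; i++) {
        LedsWire lw;
        if (avail - off < sizeof lw) return -BAD_LENGTH;
        memcpy(&lw, wire + off, sizeof lw);
        uint32_t names = swapped ? bswap32(lw.namesPresent) : lw.namesPresent;
        uint32_t maps  = swapped ? bswap32(lw.mapsPresent)  : lw.mapsPresent;
        off += sizeof lw;
        if (avail - off < tail_len(names, maps)) return -BAD_LENGTH;
        off += tail_len(names, maps);
    }
    return (long)off;
}

/* One block with the given masks (host order), claiming avail request bytes. */
long check_one(uint32_t names, uint32_t maps, size_t avail)
{
    LedsWire b = { .namesPresent = names, .mapsPresent = maps };
    return check_set_device_indicators((const uint8_t *)&b, avail, 1, 0);
}

/* Constructed scenario from the gdb log: the request carries one block but
 * claims two, and 12 bytes past its end lies the next heap chunk's size field
 * (0x000100a1 little-endian), exactly where block 2's physIndicators would be.
 * Returns that field after the chosen path; *status gets the path's return value. */
uint32_t run_scenario(int vulnerable, long *status)
{
    uint8_t arena[64] = {0};
    LedsWire b1 = { .ledClass = 0x0003, .ledID = 0x0004 };   /* masks stay 0 */
    const uint8_t chunk_size[4] = { 0xa1, 0x00, 0x01, 0x00 };
    memcpy(arena, &b1, sizeof b1);
    memcpy(arena + 32, chunk_size, sizeof chunk_size);
    long st = vulnerable ? (long)vulnerable_swap_leds(arena, 2)
                         : check_set_device_indicators(arena, 20, 2, 1);
    if (status) *status = st;
    return (uint32_t)arena[32] | (uint32_t)arena[33] << 8
         | (uint32_t)arena[34] << 16 | (uint32_t)arena[35] << 24;
}

int main(void)
{
    long st;
    uint32_t v = run_scenario(1, &st);
    printf("vulnerable: walked %ld bytes of a 20-byte request, chunk size field now 0x%08x\n", st, v);
    v = run_scenario(0, &st);
    printf("fixed: status %ld (-BadLength), chunk size field still 0x%08x\n", st, v);
    return 0;
}
```

Build with gcc or clang. The vulnerable path reverses the four bytes of the simulated chunk size field, the same 0x000100a1 to 0xa1000100 transition visible in the gdb log, while the checked path returns BadLength on the second block before touching anything past the 20 bytes the request carries. The check deliberately decodes namesPresent and mapsPresent into locals rather than swapping them in the buffer, since a check that modifies what it checks reintroduces the ordering problem Peter describes.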
Comment 18 Stefan Dirsch 2022-07-06 15:58:12 UTC
I have issues with 

  SUSE:SLE-12-SP2:Update/xorg-x11-server

When branching this. I don't have any build repositories defined. So I can't test the build.
Comment 19 Stefan Dirsch 2022-07-06 16:05:17 UTC
(In reply to Stefan Dirsch from comment #18)
> I have issues with 
> 
>   SUSE:SLE-12-SP2:Update/xorg-x11-server
> 
> When branching this. I don't have any build repositories defined. So I can't
> test the build.

Forgot about this one. Was my fault. I checked this out years ago it seems.
Comment 22 Stefan Dirsch 2022-07-07 09:19:48 UTC
(In reply to Carlos López from comment #3)
> Affected:
>  - SUSE:SLE-11-SP1:Update

rejected because product end-of-life

>  - SUSE:SLE-11-SP3:Update
>  - SUSE:SLE-12-SP2:Update
>  - SUSE:SLE-12-SP4:Update
>  - SUSE:SLE-12-SP5:Update
>  - SUSE:SLE-15:Update
>  - SUSE:SLE-15-SP1:Update
>  - SUSE:SLE-15-SP2:Update

submitted and already checked in. Can be QA'ed.

>  - openSUSE:Factory

Prepared. I'll submit this on CRD or the day after. Once I've seen the official announcement.
Comment 23 Marcus Meissner 2022-07-12 13:22:36 UTC
Subject: X.Org Security Advisory: July 12, 2022
Date: Tue, 12 Jul 2022 15:55:05 +0300
From: Povilas Kanapickas <povilas@radix.lt>

X.Org Security Advisory: July 12, 2022

Multiple input validation failures in X server extensions
=========================================================

All these issues can lead to local privilege elevation on systems
where the X server is running privileged, and to remote code execution
for ssh X forwarding sessions.

* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo
Out-Of-Bounds Access

The handler for the ProcXkbSetDeviceInfo request of the Xkb extension
does not properly validate the request length, leading to an out-of-bounds
memory write.
Comment 24 Marcus Meissner 2022-07-12 13:22:51 UTC
is public
Comment 25 Stefan Dirsch 2022-07-12 13:33:51 UTC
Thanks. Now also checked into devel project (X11:XOrg/xorg-x11-server) and submitted to factory/TW.

https://build.opensuse.org/request/show/988635

Reassigning to security team.
Comment 26 Swamp Workflow Management 2022-07-12 19:15:47 UTC
SUSE-SU-2022:2373-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194179,1194181
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.32.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-07-12 19:16:30 UTC
SUSE-SU-2022:2370-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1194179,1194181,1200076
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xorg-x11-server-1.20.3-150400.38.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    xorg-x11-server-1.20.3-150400.38.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    xorg-x11-server-1.20.3-150400.38.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-07-12 19:17:18 UTC
SUSE-SU-2022:2369-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194179,1194181
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.31.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.31.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.31.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2022-07-12 19:18:02 UTC
SUSE-SU-2022:2371-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194179,1194181
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-150000.8.39.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-150000.8.39.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-150000.8.39.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-150000.8.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2022-07-12 19:18:41 UTC
SUSE-SU-2022:2372-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194179,1194181
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.49.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2022-07-12 19:19:34 UTC
SUSE-SU-2022:2375-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194179,1194181
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
openSUSE Leap 15.3 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Manager Server 4.1 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Manager Retail Branch Server 4.1 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Manager Proxy 4.1 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xorg-x11-server-1.20.3-150200.22.5.55.1
SUSE Enterprise Storage 7 (src):    xorg-x11-server-1.20.3-150200.22.5.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-07-12 19:20:20 UTC
SUSE-SU-2022:2374-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194179,1194181
CVE References: CVE-2022-2319,CVE-2022-2320
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xorg-x11-server-1.20.3-150100.14.5.25.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-150100.14.5.25.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xorg-x11-server-1.20.3-150100.14.5.25.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-150100.14.5.25.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xorg-x11-server-1.20.3-150100.14.5.25.1
SUSE Enterprise Storage 6 (src):    xorg-x11-server-1.20.3-150100.14.5.25.1
SUSE CaaS Platform 4.0 (src):    xorg-x11-server-1.20.3-150100.14.5.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Carlos López 2022-10-18 08:09:11 UTC
All done, closing.