Bug 1168688 (CVE-2014-8093)

Summary: CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: airlied, ajax, chazlett, jrusnack, peter.hutterer, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Multiple integer overflow flaws were found in the way the X.Org server calculated memory requirements for certain GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-11 20:56:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1170916, 1170917, 1170918, 1170919, 1170932    
Bug Blocks: 1168310    
Attachments:
Description Flags
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch
none
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch
none
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch
none
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch
none
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch
none
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch none

Description Vasyl Kaigorodov 2014-11-27 15:30:42 UTC 
Various GLX extension functions calls do not check that their calculations for how much memory
is needed to handle the client's request have not overflowed, so can
result in out of bounds reads or writes.  These calls all occur only
after a client has successfully authenticated itself.

Affected functions:
 __glXDisp_ReadPixels()
 __glXDispSwap_ReadPixels()
 __glXDisp_GetTexImage()
 __glXDispSwap_GetTexImage()
 GetSeparableFilter()
 GetConvolutionFilter()
 GetHistogram()
 GetMinmax()
 GetColorTable()
 Map2Size()
 __glXGetAnswerBuffer()
 __GLX_GET_ANSWER_BUFFER()
 __glXMap1dReqSize()
 __glXMap1fReqSize()
 __glXMap2dReqSize()
 __glXMap2fReqSize()
 __glXImageSize()
 __glXSeparableFilter2DReqSize()

Originally developed by SGI and licensed to multiple vendors
prior to SGI open sourcing the code in 1999.
Included in XFree86 releases starting in XFree86 4.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).
Comment 1 Vasyl Kaigorodov 2014-11-27 15:33:08 UTC 
Created attachment 962120 [details]
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch
Comment 2 Vasyl Kaigorodov 2014-11-27 15:33:11 UTC 
Created attachment 962121 [details]
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch
Comment 3 Vasyl Kaigorodov 2014-11-27 15:33:13 UTC 
Created attachment 962122 [details]
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch
Comment 4 Vasyl Kaigorodov 2014-11-27 15:33:16 UTC 
Created attachment 962123 [details]
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch
Comment 5 Vasyl Kaigorodov 2014-11-27 15:33:18 UTC 
Created attachment 962124 [details]
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch
Comment 6 Vasyl Kaigorodov 2014-11-27 15:33:21 UTC 
Created attachment 962125 [details]
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch
Comment 7 Vasyl Kaigorodov 2014-11-27 15:40:24 UTC 
Created attachment 962127 [details]
0006-dri2_integer_overflow_in_ProcDRI2GetBuffers_CVE-2014-8094.patch
Comment 8 Huzaifa S. Sidhpurwala 2014-12-05 05:38:10 UTC 
Classical case of integer overflow and then malloc, resulting in authenticated-client controlled data being copied beyond buffer bounds. This time in GLX extension.
Comment 11 Vincent Danen 2014-12-09 20:17:43 UTC 
External References:

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
Comment 12 errata-xmlrpc 2014-12-11 17:35:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html
Comment 13 errata-xmlrpc 2014-12-11 19:42:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html