Bug 740954 (CVE-2010-4818)

Summary: CVE-2010-4818 X.org: multiple GLX input sanitization flaws
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ajax, jlieskov, rcvalle, xgl-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-24 04:15:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 741649, 741650, 741651, 741652, 741654, 744008    
Bug Blocks: 740962    

Description Vincent Danen 2011-09-23 21:21:48 UTC
It was reported [1] that a number of GLX X calls were lacking proper input sanitization.  This could allow an attacker with access to the GLX calls to crash the X server or, possibly, execute arbitrary code within it (typically, this would just be the logged in user).

These were fixed in upstream git [2] with the following commits:

402b329c3aa8ddbebaa1f593306a02d4cd6fed26
1137c11be0f82049d28024eaf963c6f76e0d4334
a883cf1545abd89bb2cadfa659718884b56fd234
d9225b9602c85603ae616a7381c784f5cf5e811c
62319e8381ebd645ae36b25e5fc3c0e9b098387b
6c69235a9dfc52e4b4e47630ff4bab1a820eb543
ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
3f0d3f4d97bce75c1828635c322b6560a45a037f

[1] https://bugs.freedesktop.org/show_bug.cgi?id=28823
[2] http://cgit.freedesktop.org/xorg/xserver

Comment 1 Vincent Danen 2011-09-23 21:27:20 UTC
I emailed Adam regarding this, with concern about possible WebGL ramifications and he returned the following analysis:

402b329c3aa8ddbebaa1f593306a02d4cd6fed26 has no security implications.
It works around a bug in older Mesa versions by allowing certain
requests with excess data (and ignoring that data).

1137c11be0f82049d28024eaf963c6f76e0d4334 has no security implications.
It corrects a bug in processing of that request: it is allowed to be
followed by a variable-length list of attributes, but we were requiring
a fixed size.

a883cf1545abd89bb2cadfa659718884b56fd234 has no security implications,
for the same reasons as 1137c11.

d9225b9602c85603ae616a7381c784f5cf5e811c has no security implications.
In the worst case it prevents reading from arbitrary server memory
(linearly, so anything you're interested in has to be above you in
memory), and the memory so read does not propagate back to the client so
it can't be used to discover the server's memory map.

d9225b9602c85603ae616a7381c784f5cf5e811c has no security implications.
It simply corrects the endianness of a list of attributes when the X
client is the other endianness from the server.

6c69235a9dfc52e4b4e47630ff4bab1a820eb543 allows swapped clients to
overwrite malloc bookkeeping information if a suitably truncated request
happens to fall close enough to the end of the request buffer.  Coercing
the server to free request buffers is mildly difficult but feasible.
You'd need to do your own protocol, libGL won't create malformed
requests like this.  The attack then follows the normal free() exploit
path.


ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 could be a code injection
attack if you can precisely craft the 'length' field of the request (ie,
if you're not interfacing through libGL, like WebGL does).  This would
involve arranging for a pixmap at a known location in server memory,
with fairly precise contents (that _depend_ on the location in memory,
as there's complicated sequences of pointer chasing involved), which
would eventually contain a function pointer that you can trigger a call
to later in the request.  So that'd be shellcode, assuming you can probe
the memory layout, or you get lucky.

3f0d3f4d97bce75c1828635c322b6560a45a037f could be a code injection
attack if you can precisely set the 'screen' field of the request,
following the same attack as ec9c97c.  Again, this vector requires that
you write your own protocol, since libGL does not send invalid screen
numbers (and actually checks on the client side).

So, three that are theoretical code injections, but none that are
exposed through typical use of GLX.  As always, you'd need to be able
and authorized to connect to the display server already.  Disabling GLX
is an effective workaround.

Comment 2 Vincent Danen 2011-09-23 22:12:14 UTC
For Fedora 14, the code change in 3f0d3f4 is present, but it doesn't look like the code in ec9c97c is.  Likewise the code changes in 6c69235 is not present either, so I believe this would affect Fedora 14's xorg-server-1.9.5.

For Fedora 15, it looks all code changes are present (xorg-server-1.10.4).

Comment 4 Kurt Seifried 2011-09-23 22:42:55 UTC
The RHEL6 rpm ships xorg-server 1.7.7, which has the vulnerable code for :

6c69235a9dfc52e4b4e47630ff4bab1a820eb543
ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
3f0d3f4d97bce75c1828635c322b6560a45a037f

also please note that 3f0d3f4d97bce75c1828635c322b6560a45a037f introduces a regression fixed later on https://bugs.freedesktop.org/show_bug.cgi?id=33324

Comment 5 Kurt Seifried 2011-09-23 23:16:50 UTC
The RHEL5 rpm ships xorg-server 1.1.1 and RHEL4 rpm ships X11R6.8.1 which has the vulnerable code (different function names but the code is nearly identical otherwise) for :

6c69235a9dfc52e4b4e47630ff4bab1a820eb543
ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
3f0d3f4d97bce75c1828635c322b6560a45a037f

also please note that 3f0d3f4d97bce75c1828635c322b6560a45a037f introduces a
regression fixed later on https://bugs.freedesktop.org/show_bug.cgi?id=33324

Comment 10 errata-xmlrpc 2011-10-06 17:46:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1359 https://rhn.redhat.com/errata/RHSA-2011-1359.html

Comment 11 errata-xmlrpc 2011-10-06 18:07:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1360 https://rhn.redhat.com/errata/RHSA-2011-1360.html

Comment 12 Vincent Danen 2011-10-06 18:17:39 UTC
Created xorg-x11-server tracking bugs for this issue

Affects: fedora-14 [bug 744008]