1168688 – (CVE-2014-8093) CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests

Bug 1168688 (CVE-2014-8093) - CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests

Summary: CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests whe...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-8093
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1170916 1170917 1170918 1170919 1170932
Blocks:	1168310
TreeView+	depends on / blocked

Reported:	2014-11-27 15:30 UTC by Vasyl Kaigorodov
Modified:	2021-02-17 05:57 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Multiple integer overflow flaws were found in the way the X.Org server calculated memory requirements for certain GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
Clone Of:
Environment:
Last Closed:	2014-12-11 20:56:22 UTC
Embargoed:

Attachments	(Terms of Use)
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch (1.87 KB, text/plain) 2014-11-27 15:33 UTC, Vasyl Kaigorodov	no flags	Details
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch (6.16 KB, text/plain) 2014-11-27 15:33 UTC, Vasyl Kaigorodov	no flags	Details
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch (2.05 KB, text/plain) 2014-11-27 15:33 UTC, Vasyl Kaigorodov	no flags	Details
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch (2.14 KB, text/plain) 2014-11-27 15:33 UTC, Vasyl Kaigorodov	no flags	Details
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch (6.58 KB, text/plain) 2014-11-27 15:33 UTC, Vasyl Kaigorodov	no flags	Details
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch (1.20 KB, text/plain) 2014-11-27 15:33 UTC, Vasyl Kaigorodov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1982	0	normal	SHIPPED_LIVE	Important: xorg-x11-server security update	2014-12-11 22:34:45 UTC
Red Hat Product Errata	RHSA-2014:1983	0	normal	SHIPPED_LIVE	Important: xorg-x11-server security update	2014-12-12 00:41:58 UTC

Description Vasyl Kaigorodov 2014-11-27 15:30:42 UTC

Various GLX extension functions calls do not check that their calculations for how much memory
is needed to handle the client's request have not overflowed, so can
result in out of bounds reads or writes.  These calls all occur only
after a client has successfully authenticated itself.

Affected functions:
 __glXDisp_ReadPixels()
 __glXDispSwap_ReadPixels()
 __glXDisp_GetTexImage()
 __glXDispSwap_GetTexImage()
 GetSeparableFilter()
 GetConvolutionFilter()
 GetHistogram()
 GetMinmax()
 GetColorTable()
 Map2Size()
 __glXGetAnswerBuffer()
 __GLX_GET_ANSWER_BUFFER()
 __glXMap1dReqSize()
 __glXMap1fReqSize()
 __glXMap2dReqSize()
 __glXMap2fReqSize()
 __glXImageSize()
 __glXSeparableFilter2DReqSize()

Originally developed by SGI and licensed to multiple vendors
prior to SGI open sourcing the code in 1999.
Included in XFree86 releases starting in XFree86 4.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).

Comment 1 Vasyl Kaigorodov 2014-11-27 15:33:08 UTC

Created attachment 962120 [details]
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch

Comment 2 Vasyl Kaigorodov 2014-11-27 15:33:11 UTC

Created attachment 962121 [details]
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch

Comment 3 Vasyl Kaigorodov 2014-11-27 15:33:13 UTC

Created attachment 962122 [details]
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch

Comment 4 Vasyl Kaigorodov 2014-11-27 15:33:16 UTC

Created attachment 962123 [details]
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch

Comment 5 Vasyl Kaigorodov 2014-11-27 15:33:18 UTC

Created attachment 962124 [details]
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch

Comment 6 Vasyl Kaigorodov 2014-11-27 15:33:21 UTC

Created attachment 962125 [details]
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch

Comment 7 Vasyl Kaigorodov 2014-11-27 15:40:24 UTC

Created attachment 962127 [details]
0006-dri2_integer_overflow_in_ProcDRI2GetBuffers_CVE-2014-8094.patch

Comment 8 Huzaifa S. Sidhpurwala 2014-12-05 05:38:10 UTC

Classical case of integer overflow and then malloc, resulting in authenticated-client controlled data being copied beyond buffer bounds. This time in GLX extension.

Comment 11 Vincent Danen 2014-12-09 20:17:43 UTC

External References:

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

Comment 12 errata-xmlrpc 2014-12-11 17:35:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html

Comment 13 errata-xmlrpc 2014-12-11 19:42:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html

Note You need to log in before you can comment on or make changes to this bug.