xkb: Fix buffer overflow in _XkbSetCompatMap()

The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh). CVE-2024-9632, ZDI-CAN-24756 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Tested-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: José Expósito <jexposit@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
2024-10-10 10:37:28 +02:00 · 2024-10-10 10:37:28 +02:00 · 07a0acd246
parent 7cc0695cf7
commit 07a0acd246
1 changed files with 4 additions and 4 deletions
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@ -2996,13 +2996,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
        XkbSymInterpretPtr sym;
        unsigned int skipped = 0;

-        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
-            compat->num_si = req->firstSI + req->nSI;
+        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+            compat->num_si = compat->size_si = req->firstSI + req->nSI;
            compat->sym_interpret = reallocarray(compat->sym_interpret,
-                                                 compat->num_si,
+                                                 compat->size_si,
                                                 sizeof(XkbSymInterpretRec));
            if (!compat->sym_interpret) {
-                compat->num_si = 0;
+                compat->num_si = compat->size_si = 0;
                return BadAlloc;
            }
        }