X.Org Security Advisory: Dec. 9, 2014
Protocol handling issues in X Window System servers
Description
Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues.
Ilja's talk at the 30th Chaos Communication Congress (30C3) in Hamburg last year (X Security: it's worse than it looks) gave a preview of these issues and discussed the general form of many of these, but did not disclose the exact details of them.
The vulnerabilities could be exploited to cause the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution.
How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension.
The GLX extension to the X Window System allows an X client to send X protocol to the X server, to request that the X server perform OpenGL rendering on behalf of the X client. This is known as “GLX indirect rendering”, as opposed to “GLX direct rendering” where the X client submits OpenGL rendering commands directly to the GPU, bypassing the X server and avoiding the X server code for GLX protocol handling.
Most GLX indirect rendering implementations share some common ancestry, dating back to “Sample Implementation” code from Silicon Graphics, Inc (SGI), which SGI originally commercially licensed to other Unix workstation and graphics vendors, and later released as open source, so those vulnerabilities may affect other licensees of SGI's code base beyond those running code from the X.Org Foundation or the XFree86 Project.
The vulnerabilities include:
- denial of service due to unchecked malloc in client authentication
CVE-2014-8091: In servers built with support for SUN-DES-1 (Secure RPC) authentication credentials, an unauthenticated client may be able to crash the X server by sending a connection request specifying values that cause malloc to fail, causing the authentication routines to attempt to write data to the returned NULL pointer. Since the request is limited to an unsigned 16-bit integer for the allocation size, it is unlikely to fail unless the server is severely memory constrained.
Introduced in the initial revision of Secure RPC support in X11R5 (1991).
- integer overflows calculating memory needs for requests
These calls do not check that their calculations for how much memory is needed to handle the client's request have not overflowed, so can result in out of bounds reads or writes. These calls all occur only after a client has successfully authenticated itself.
- CVE-2014-8092: X11 core protocol requests
Affected functions: ProcPutImage(), GetHosts(), RegionSizeof(), REQUEST_FIXED_SIZE()
Introduced in X11R1 (1987).
- CVE-2014-8093: GLX extension
Affected functions: __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable(), __glXGetAnswerBuffer(), __GLX_GET_ANSWER_BUFFER(), __glXMap1dReqSize(), __glXMap1fReqSize(), Map2Size(), __glXMap2dReqSize(), __glXMap2fReqSize(), __glXImageSize(), __glXSeparableFilter2DReqSize()
Originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing the code in 1999.
Included in XFree86 releases starting in XFree86 4.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).
- CVE-2014-8094: DRI2 extension
Affected functions: ProcDRI2GetBuffers()
Introduced in xorg-server-1.7.0 (2009).
- out of bounds access due to not validating length or offset values in requests
These calls do not check that the lengths and/or indexes sent by the client are within the bounds specified by the caller or the bounds of the memory allocated to hold the request read from the client, so could read or write past the bounds of allocated memory while processing the request. These calls all occur only after a client has successfully authenticated itself.
- CVE-2014-8095: XInput extension
Affected functions: SProcXChangeDeviceControl(), ProcXChangeDeviceControl(), ProcXChangeFeedbackControl(), ProcXSendExtensionEvent(), SProcXIAllowEvents(), SProcXIChangeCursor(), ProcXIChangeHierarchy(), SProcXIGetClientPointer(), SProcXIGrabDevice(), SProcXIUngrabDevice(), ProcXIUngrabDevice(), SProcXIPassiveGrabDevice(), ProcXIPassiveGrabDevice(), SProcXIPassiveUngrabDevice(), ProcXIPassiveUngrabDevice(), SProcXListDeviceProperties(), SProcXDeleteDeviceProperty(), SProcXIListProperties(), SProcXIDeleteProperty(), SProcXIGetProperty(), SProcXIQueryDevice(), SProcXIQueryPointer(), SProcXISelectEvents(), SProcXISetClientPointer(), SProcXISetFocus(), SProcXIGetFocus(), SProcXIWarpPointer()
Introduced in X11R4 (1989).
- CVE-2014-8096: XC-MISC extension
Affected functions: SProcXCMiscGetXIDList()
Introduced in X11R6.0 (1994).
- CVE-2014-8097: DBE extension
Affected functions: ProcDbeSwapBuffers(), SProcDbeSwapBuffers()
Introduced in X11R6.1 (1996).
- CVE-2014-8098: GLX extension
Affected functions: __glXDisp_Render(), __glXDisp_RenderLarge(), __glXDispSwap_VendorPrivate(), __glXDispSwap_VendorPrivateWithReply(), set_client_info(), __glXDispSwap_SetClientInfoARB(), DoSwapInterval(), DoGetProgramString(), DoGetString(), __glXDispSwap_RenderMode(), __glXDisp_GetCompressedTexImage(), __glXDispSwap_GetCompressedTexImage(), __glXDisp_FeedbackBuffer(), __glXDispSwap_FeedbackBuffer(), __glXDisp_SelectBuffer(), __glXDispSwap_SelectBuffer(), __glXDisp_Flush(), __glXDispSwap_Flush(), __glXDisp_Finish(), __glXDispSwap_Finish(), __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), __glXDisp_GetPolygonStipple(), __glXDispSwap_GetPolygonStipple(), __glXDisp_GetSeparableFilter(), __glXDisp_GetSeparableFilterEXT(), __glXDisp_GetConvolutionFilter(), __glXDisp_GetConvolutionFilterEXT(), __glXDisp_GetHistogram(), __glXDisp_GetHistogramEXT(), __glXDisp_GetMinmax(), __glXDisp_GetMinmaxEXT(), __glXDisp_GetColorTable(), __glXDisp_GetColorTableSGI(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable()
Originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing the code in 1999.
Included in XFree86 releases starting in XFree86 4.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).
- CVE-2014-8099: XVideo extension
Affected functions: SProcXvQueryExtension(), SProcXvQueryAdaptors(), SProcXvQueryEncodings(), SProcXvGrabPort(), SProcXvUngrabPort(), SProcXvPutVideo(), SProcXvPutStill(), SProcXvGetVideo(), SProcXvGetStill(), SProcXvPutImage(), SProcXvShmPutImage(), SProcXvSelectVideoNotify(), SProcXvSelectPortNotify(), SProcXvStopVideo(), SProcXvSetPortAttribute(), SProcXvGetPortAttribute(), SProcXvQueryBestSize(), SProcXvQueryPortAttributes(), SProcXvQueryImageAttributes(), SProcXvListImageFormats()
Introduced in XFree86 4.0.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).
- CVE-2014-8100: Render extension
Affected functions: ProcRenderQueryVersion(), SProcRenderQueryVersion(), SProcRenderQueryPictFormats(), SProcRenderQueryPictIndexValues(), SProcRenderCreatePicture(), SProcRenderChangePicture(), SProcRenderSetPictureClipRectangles(), SProcRenderFreePicture(), SProcRenderComposite(), SProcRenderScale(), SProcRenderCreateGlyphSet(), SProcRenderReferenceGlyphSet(), SProcRenderFreeGlyphSet(), SProcRenderFreeGlyphs(), SProcRenderCompositeGlyphs()
Introduced in XFree86 4.0.1 (2000).
Included in X.Org releases starting in X11R6.7 (2004).
- CVE-2014-8101: RandR extension
Affected functions: SProcRRQueryVersion(), SProcRRGetScreenInfo(), SProcRRSelectInput(), SProcRRConfigureOutputProperty()
Introduced in XFree86 4.2.0 (2002).
Included in X.Org releases starting in X11R6.7 (2004).
- CVE-2014-8102: XFixes extension
Affected functions: SProcXFixesSelectSelectionInput()
Introduced in X11R6.8.0 (2004).
- CVE-2014-8103: DRI3 & Present extensions
Affected functions: sproc_dri3_query_version(), sproc_dri3_open(), sproc_dri3_pixmap_from_buffer(), sproc_dri3_buffer_from_pixmap(), sproc_dri3_fence_from_fd(), sproc_dri3_fd_from_fence(), proc_present_query_capabilities(), sproc_present_query_version(), sproc_present_pixmap(), sproc_present_notify_msc(), sproc_present_select_input(), sproc_present_query_capabilities()
Introduced in xorg-server-1.15.0 (2013).
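The two bug classes above (integer overflow when computing how much memory a request needs, and unvalidated length or count fields) share one root cause: arithmetic on client-chosen values is trusted before it is checked. The following C program is an added illustration written for this advisory, not X.Org server code; it uses simplified stand-ins for the xReq/xPutImageReq/xXCMiscGetXIDListReq layouts and hypothetical helper names (checked_mul, checked_add, checked_pad4) in the spirit of the safe_{add,mul,pad} helpers the GLX fixes introduce. It shows how a 32-bit product of 16-bit image dimensions wraps to a small byte count, and how an overflow-checked length validation rejects that request, then does the same for a count field that must fit inside the received request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of an X11 request header: the length field counts 4-byte
 * units and covers the header plus any variable-length payload. These
 * layouts are simplified stand-ins, not the server's real structs. */
typedef struct {
    uint8_t  reqType;
    uint8_t  data;
    uint16_t length;   /* whole request, in 4-byte units */
} xReqModel;

typedef struct {          /* PutImage-shaped: image bytes follow the struct */
    xReqModel hdr;
    uint16_t  width;
    uint16_t  height;
    uint8_t   depth;
    uint8_t   pad[3];
} xPutImageModel;

typedef struct {          /* GetXIDList-shaped: count 4-byte XIDs follow */
    xReqModel hdr;
    uint32_t  count;
} xXIDListModel;

/* Overflow-checked arithmetic (hypothetical names, modelled on the
 * safe_{add,mul,pad} idea): fail instead of wrapping. */
static bool checked_mul(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > UINT64_MAX / a) return false;
    *out = a * b;
    return true;
}
static bool checked_add(uint64_t a, uint64_t b, uint64_t *out) {
    if (b > UINT64_MAX - a) return false;
    *out = a + b;
    return true;
}
static bool checked_pad4(uint64_t n, uint64_t *out) {   /* round up to 4 */
    if (!checked_add(n, 3, out)) return false;
    *out &= ~(uint64_t)3;
    return true;
}

/* The unchecked 'before' shape: 32-bit products of client-chosen 16-bit
 * dimensions wrap silently, so a huge image can claim a tiny byte count. */
uint32_t wrapping_image_bytes(uint16_t width, uint16_t height, uint32_t bpp) {
    uint32_t row = ((width * bpp + 31) / 32) * 4;   /* bytes per padded row */
    return row * height;                            /* may wrap */
}

/* Overflow-checked image size: padded bytes per row times height. */
bool checked_image_bytes(uint16_t width, uint16_t height, uint32_t bpp, uint64_t *out) {
    uint64_t bits, row;
    if (!checked_mul(width, bpp, &bits) || !checked_add(bits, 31, &bits)) return false;
    row = (bits / 32) * 4;
    return checked_mul(row, height, out);
}

/* Class 1 (overflow in memory-need calculation): accept a PutImage-shaped
 * request only if the declared length equals header + padded image size,
 * computed without wraparound. */
bool put_image_length_ok(const xPutImageModel *req, uint32_t bpp) {
    uint64_t image, total;
    if (!checked_image_bytes(req->width, req->height, bpp, &image)) return false;
    if (!checked_pad4(image, &image)) return false;
    if (!checked_add(image, sizeof(*req), &total)) return false;
    return total / 4 == req->hdr.length;
}

/* Class 2 (unvalidated count field): confirm the fixed part was received
 * before reading any field, then that count * 4 fits inside the request. */
bool xid_list_length_ok(const uint8_t *buf, uint64_t received) {
    xXIDListModel req;
    uint64_t payload, total;
    if (received < sizeof req) return false;          /* fixed part first */
    memcpy(&req, buf, sizeof req);
    if ((uint64_t)req.hdr.length * 4 != received) return false;
    if (!checked_mul(req.count, 4, &payload)) return false;
    if (!checked_add(payload, sizeof req, &total)) return false;
    return total <= received;
}

/* Demo helper: serialise an XID-list request in native byte order (the
 * server's SProc variants handle byte-swapped clients; omitted here). */
uint64_t build_xid_list(uint8_t *buf, uint16_t length_units, uint32_t count) {
    xXIDListModel req = { {0, 0, length_units}, count };
    memcpy(buf, &req, sizeof req);
    return sizeof req;
}

int main(void) {
    /* Constructed example: 65535 x 16385 pixels at 32 bpp wraps to 196604. */
    uint64_t real = 0;
    bool ok = checked_image_bytes(65535, 16385, 32, &real);
    printf("wrapped: %u bytes, checked: %s %llu bytes\n",
           wrapping_image_bytes(65535, 16385, 32),
           ok ? "ok" : "overflow", (unsigned long long)real);
    return 0;
}
```

The wrapped value is what an unchecked length comparison would accept, so the header could declare a request of only a few hundred bytes while the server later reads or writes several gigabytes' worth of image data; the checked version rejects the same header because the true size is far larger than the declared length.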
Affected Versions
X.Org believes all versions of the affected functions contain these flaws, dating back to their introduction. In the above listings, we've listed the earliest date of any of the affected functions in a given protocol or area - some functions listed may not have been introduced until later versions.
Fixes
Fixes are available in these git commits:
Note that many of these patches depend on being applied in the same order as they are in git, or on other non-CVE patches in git, and won't necessarily apply as is to previous tarball releases.
- 90cc925c5991fcb203f72d00b04419cd754a9b2c unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
- eeae42d60bf3d5663ea088581f6c28a82cd17829 dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
- bc8e20430b6f6378daf6ce4329029248a88af08b dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
- 97015a07b9e15d8ec5608b95d95ec0eb51202acb dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
- e0e11644622a589129a01e11e5d105dc74a098de dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
- 6692670fde081bbfe9313f17d84037ae9116702a dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
- 2ef42519c41e793579c9cea699c866fee3d9321f dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
- 73c63afb93c0af1bfd1969bf6e71c9edca586c77 Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
- 7553082b9b883b5f130044f3d53bce2f0b660e52 xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
- 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
- 0a6085aaf3581cca558d960ea176ddf3a41a2213 dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
- d155b7a8e38e74aee96bf52c20c8b6a330d7d462 present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
- 3df2fcf12499ebdb26b9b67419ea485a42041f33 randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
- b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 render: check request size before reading it [CVE-2014-8100 1/2]
- 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
- a0ece23a8bd300c8be10812d368dc8058c97c63e xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
- d153a85f7478a7a67ccb02fbca6390b0ab1732ee Add request length checking test cases for some Xinput 1.x requests
- 2df83bb122debc3c20cfc3d3b0edc85cd0270f79 Add request length checking test cases for some Xinput 2.x requests
- f4afd53f2aeaddf509bf9f71d1716dd273fd6e14 Add REQUEST_FIXED_SIZE testcases to test/misc.c
- 23fe7718bb171e71db2d1a30505c2ca2988799d9 glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
- ab2ba9338aa5e85b4487bc7fbe69985c76483e01 glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
- 717a1b37767b41e14859e5022ae9e679152821a9 glx: Additional paranoia in glXGetAnswerBuffer / _GLXGET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
- 13d36923e0ddb077f4854e354c3d5c80590b5d9d glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
- 2a5cbc17fc72185bf0fa06fef26d1f782de72595 glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
- be09e0c988ffdb0371293af49fb4ea8f49ed324a glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
- 698888e6671d54c7ae41e9d456f7f5483a3459d2 glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
- a33a939e6abb255b14d8dbc85fcbd2c55b958bae glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
- c91e4abc3b892f42802efa20fef7ada442c2d3f5 glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
- afe177020d1fb776c6163f21eddc82cb185b95ca glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
- 44ba149f28ece93c2fbfc9cc980588de5322dd4b glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
- 984583a497c813df5827ae22483133e704fee79c glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
- e883c170c15493ab3637c0a01890f5a7ca4e16a5 glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
- 7e7630bbb775573eea2a2335adb9d190c3e1e971 glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
- b20912c3d45cbbde3c443e6c3d9e189092fe65e1 dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
- 61b17c0f10307e25e51e30e6fb1d3e3127f82d86 glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
- 9802a0162f738de03585ca3f3b8a8266494f7d45 Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
- 1559a94395258fd73e369f1a2c98a44bfe21a486 dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
Fixes are also planned to be included in the xorg-server-1.17.0 and xorg-server-1.16.3 releases.
Other providers of Xserver or GLX implementations based on the same code base (the X Consortium or X.Org Foundation X sources, or the SGI GLX sources) will announce the availability of any fixes necessary for their implementations.
Mitigation
While the fixes cover all the cases currently known to X.Org, these are not the first issues in this area and are unlikely to be the last.
Users can reduce their exposure to issues similar to the ones in this advisory via these methods:
Configure the X server to prohibit X connections from the network by passing the -nolisten tcp command line option to the X server. Many OS distributions already set this option by default, and it will be set by default in the upstream X.Org release starting with Xorg 1.17.
Disable GLX indirect contexts. Some implementations have a configuration option for this. In Xorg 1.16 or newer, this can be achieved by setting the -iglx X server command line option. This option will be the default in Xorg 1.17 and later releases.
Consult your operating system's documentation for details on setting X server command line options, as X servers are started by a variety of different methods on different platforms (startx, gdm, kdm, xdm, etc.).
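To verify that a running X server was started with the two options described above, the following POSIX shell function is an added example (not part of the advisory or of X.Org's tooling) that inspects a command line for -nolisten tcp and -iglx and reports whichever is absent. The function name and the ps invocation in the usage comment are assumptions; ps -C is Linux procps syntax. Note the caveat from the text: on Xorg 1.17 and later both behaviours are the default, so a missing option there does not by itself mean the server is exposed.

```shell
#!/bin/sh
# Audit an X server command line for the two mitigations in this advisory:
#   -nolisten tcp  (no network listener)
#   -iglx          (no GLX indirect contexts)
# Takes the full command line as one argument, prints each missing option,
# and returns 0 only when both are present. Hypothetical helper name.
xserver_cmdline_hardened() {
    cmdline="$1"
    missing=0
    # Surround with spaces so the match is on whole words, wherever they sit.
    case " $cmdline " in
        *" -nolisten tcp "*) ;;
        *) echo "missing: -nolisten tcp (TCP listener may be enabled)"; missing=1 ;;
    esac
    case " $cmdline " in
        *" -iglx "*) ;;
        *) echo "missing: -iglx (indirect GLX contexts may be enabled)"; missing=1 ;;
    esac
    return $missing
}

# Usage against a live server on a procps system (assumed invocation):
#   xserver_cmdline_hardened "$(ps -o args= -C Xorg | head -n 1)"
# Or pass a constructed command line when invoked with an argument:
if [ $# -gt 0 ]; then
    xserver_cmdline_hardened "$1"
fi
```

A "+iglx" on the command line is treated as missing, since that form enables indirect contexts rather than disabling them.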
Thanks
X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our security team and assisting them in understanding them and evaluating our fixes, and the following X.Org contributors for developing and reviewing the fixes, tests, and advisory for these issues, and coordinating the X.Org response to them:
- Adam Jackson (Red Hat)
- Alan Coopersmith (Oracle)
- Andy Ritger (NVIDIA)
- Julien Cristau (Debian)
- Keith Packard (Intel)
- Michal Srb (SuSE)
- Peter Hutterer (Red Hat)
- Robert Morell (NVIDIA)