xkb: Fix buffer overflow in _XkbSetCompatMap()

The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh). CVE-2024-9632, ZDI-CAN-24756 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Reviewed-by: Peter Hutterer <[email protected]> Tested-by: Peter Hutterer <[email protected]> Reviewed-by: José Expósito <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
TurboVNC · Dec 19, 2024 · cab07e5 · cab07e5
1 parent 1b9aa53
commit cab07e5
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/unix/Xvnc/programs/Xserver/xkb/xkb.c b/unix/Xvnc/programs/Xserver/xkb/xkb.c
@@ -2993,13 +2993,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
         XkbSymInterpretPtr sym;
         unsigned int skipped = 0;
 
-        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
-            compat->num_si = req->firstSI + req->nSI;
+        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+            compat->num_si = compat->size_si = req->firstSI + req->nSI;
             compat->sym_interpret = reallocarray(compat->sym_interpret,
-                                                 compat->num_si,
+                                                 compat->size_si,
                                                  sizeof(XkbSymInterpretRec));
             if (!compat->sym_interpret) {
-                compat->num_si = 0;
+                compat->num_si = compat->size_si = 0;
                 return BadAlloc;
             }
         }