Xorg stack oveflow privilege scalation

If the user sets more number of visuals than the number of visuals of all screens, then the swap bucle can be abused.

Xext/EVI.c
ProcEVIGetVisualInfo(ClientPtr client)

+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;



more info soon.

Comentarios