viernes, febrero 01, 2008

Xorg stack oveflow privilege scalation

If the user sets more number of visuals than the number of visuals of all screens, then the swap bucle can be abused.

Xext/EVI.c
ProcEVIGetVisualInfo(ClientPtr client)

+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;



more info soon.