Hutterer: X servers no longer allow byte-swapped clients
Hutterer: X servers no longer allow byte-swapped clients
Posted Jan 10, 2023 16:22 UTC (Tue) by farnz (subscriber, #17727)In reply to: Hutterer: X servers no longer allow byte-swapped clients by jem
Parent article: Hutterer: X servers no longer allow byte-swapped clients
In this case, it's worth doing because Xorg runs extra code when dealing with an other-endianness client, and that code has been a great source of security bugs over the years. By disabling other-endianness clients, you get to cut out a whole pile of unmaintained code that's also rarely used.
The cases that are well-tested, and maintained, are big endian client connecting to big endian server, and little endian client connecting to little endian server. The cases that are problematic, and will now be disabled by default, are little endian client connecting to big endian server, and big endian client connecting to little endian server; these run "SProcs" - code which swaps endianness inside structures - which are not run at all if you have the same endianness on both sides of the link.
The two fundamental causes of trouble here are:
- X11 was designed when a malicious client was simply not a thing, so SProcs have to be written for each and every message, and have to understand the semantic meaning of each message so that they can correctly only the fields that need swapping (e.g. a message that's 2 bytes, followed by a uint16_t, followed by a uint64_t needs no byte swapping on the first two bytes, then a 16 bit byte swap, then an 8 byte reversal). This is manual effort that not everyone working on the X server will remember - and if you forget, it won't normally break your test setup (unless you deliberately test cross-endian, which involves remembering that the other endianness to your normal test system is a Thing that you need to care about, and either having more hardware, or setting up QEMU emulation of a wrong endian system).
- The X11 endianness "negotiation" is too simple: the client tells the server "I am this endianness" as the very first thing it does, and simply assumes that the server will handle endianness swapping. Thus, there's no way to move the pain to the client easily - you want native endianness when going to a server on the same host (for performance), but different endianness over the network.
If X11 had been designed with all the knowledge we acquired in the first 15 years since its release in 1987, it'd have had a true negotiation, and the server could tell the client "I only handle little endian" or "I only handle big endian" (as well as "I handle both endian choices"), making this something we could push to the client over time. But that'd involve a time machine.
Similarly, if someone cared enough to do the work of changing all of the X11 protocol handling from hand-crafted C to machine-generated code that always did the right thing, it'd be solved. But no-one's stepped up to do that since the people working on XCB moved onto working on Wayland instead.
Posted Jan 10, 2023 20:31 UTC (Tue)
by geert (subscriber, #98403)
[Link] (4 responses)
As jem noted, 2 is still an attack surface in case no byte-swapping is done.
W.r.t. 1, I guess the number of different messages is fairly constant, as X is an old, mature protocol. As mixing little and big endian clients and servers was much more popular in the past, I expect this code to actually be mature as well.
To ensure correctness, you can use tools to generate the swapping code from the structs, or anotate the struct members, and use sparse (cfr. the __leX annotations used in the Linux kernel).
One of the key features of X11 is interoperability. It would be a real pity to make that a thing of the past...
Posted Jan 10, 2023 21:50 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (3 responses)
There's still plenty of messages that have bad SProcs, unfortunately - it's been one of the biggest attack vectors over the last 10 years. And many of the thousands of messages a modern X server can interpret are relatively new, not well-aged code.
Yes, correctness could be done with tools to generate the swapping code from the structs. But no-one who cares about mixed-endianness operation has stepped up to do the work, which is why it hasn't happened :-(
Unfortunately, if no-one's going to do the work to maintain the code, the easy option is to remove it- this is what the Linux kernel does, too.
Posted Jan 11, 2023 0:06 UTC (Wed)
by marcH (subscriber, #57642)
[Link] (2 responses)
This is much NICER than what the kernel (and other projects) do. The kernel deletes the code, whereas this can be turned on again _at run-time_! Not even a need to recompile anything. This is closer to a "Are you sure?" dialog box than to what the kernel does.
Posted Jan 11, 2023 13:40 UTC (Wed)
by geert (subscriber, #98403)
[Link] (1 responses)
2. While technically this can be re-enabled at "run-time" instead of at "compile-time", I'd rather call it at "boot-time", as having to restart my X server causes almost as much inconvenience as having to reboot my machine.
BTW, Xorg removed Xfbdev, which was the only remaining server variant supporting non-chunky frame buffer formats.
Posted Jan 11, 2023 18:09 UTC (Wed)
by marcH (subscriber, #57642)
[Link]
Good point.
> as having to restart my X server causes almost as much inconvenience as having to reboot my machine.
You're not going to hit this issue until you upgrade the X server on your workstation and _restart it anyway_. Then it will be a one-line and _once off_ configuration change.
It is for sure an inconvenience but it is being repeatedly blown out of proportion; these complaints look more and more like bad faith.
> I guess lots of bugs (and security issues) are lurking there...
Again: "let's not reduce the attack surface because there's more elsewhere"?
Hutterer: X servers no longer allow byte-swapped clients
1. The SProcs code that takes care of byte-swapping messages.
2. The code that validates the contents of messages, and acts upon them.
Hutterer: X servers no longer allow byte-swapped clients
Hutterer: X servers no longer allow byte-swapped clients
Hutterer: X servers no longer allow byte-swapped clients
From a quick glance at the remaining fbdev support code, Xorg doesn't perform any checks on the actual frame buffer layout, and treats everything like packed pixels. I guess lots of bugs (and security issues) are lurking there...
Hutterer: X servers no longer allow byte-swapped clients