From Fedora Project Wiki

Revision as of 21:57, 21 December 2022 by Bcotton (talk | contribs) (Announcing the Change proposal)


X Server Prohibits Byte-swapped Clients

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

X server implementations (e.g. Xorg and Xwayland) will (by default) no longer allow clients with different endianess to connect.

Owner

Current status

  • Targeted release: Fedora Linux 38
  • Last updated: 2022-12-21
  • devel thread
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

X server implementations (e.g. Xorg and Xwayland) allow clients with an endianess different to that of the server to connect. Protocol messages to and from these clients are byte-swapped by the X server. However, the code in the X server that does this is virtually untested, providing a large attack surface for malicious clients. One needs to only look at e.g. this X.Org security advisory and count the SProc mentions for an indication on how bad this is. A simple solution to remove this attack surface is to prohibit clients with a different endianess. These clients will simply fail, in a matter similar to failing to authenticate against an X server.

The use-case for clients with different endianess is very niche. It was common in the 1980s when X was originally developed but at this point a vanishingly small number of users run clients and X servers on different machines, let alone on different machines with different endianess. I'd be surprised if Fedora had any users requiring this feature.

Note:

  • this only affects use-cases where the server runs on a little endian host and the client on a Big Endian host (or vice versa).
  • this is a change in the default behavior only and can be changed via configuration options (for Xorg) and/or commandline arguments (all X servers).
  • this is a change in the upstream default behavior that Fedora will follow along with. This Change is primarily to increase the exposure.


Feedback

Benefit to Fedora

This change removes a large potential attack surface that can be used by malicious clients to expose memory locations, crash the X server and/or do other entertaining things malicious programs like to do.

Scope

  • Proposal owners:
  1. Merge upstream PR
  2. Backport patch to Fedora's xorg-x11-server and xorg-x11-server-Xwayland packages
  • Other developers:
  1. This is labelled as system-wide change simply because it's a change in Xorg/Xwayland. It is otherwise self-contained in that no other packages need updating, unless they want to opt-out of this default. Which is better left to system-specific configuration anyway.
  1. This feature does not require coordination with release engineering
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

For the extremely niche use-case of users that run X clients on a remote machine with a different endianess, these clients will no longer be able to connect by default. For Xorg, the following xorg.conf.d snippet will re-enable the old behavior:

Section "ServerFlags"
   Option "AllowSwappedClients" "on"
EndSection

Wayland users (and thus Xwayland) need to employ compositor-specific configuration to pass the +byteswappedclients flag to Xwayland. At the time of writing, GNOME does not yet provide such a configuration.

How To Test

To test the impact of this change, you need:

  • an X server running on a little endian architecture and an X client running on a Big Endian architecture (or the other way around)
  • set up the X server to accept remote connections, either via TCP or through SSH
  • run the X client which will fail to connect

Alternatively, a test client is available in the upstream PR. This test client pretends to be BigEndian and will fail to connect when run against a little endian X server.


User Experience

For virtually all users, there is no change in behavior.

Users with X server and client on two different machines must add the xorg.conf.d snippet shown above on affected systems.

Dependencies

No other RPMs depend on this change.


Contingency Plan

This change depends on whether upstream merges this new default behavior. If upstream does not merged the feature in time, this Change will be postponed until the next Fedora version to avoid potential incompatibilities between configurations or commandline options.

  • Contingency mechanism: keep current behavior, try again with next Fedora version
  • Contingency deadline: beta freeze
  • Blocks release? No


Documentation

N/A (not a System Wide Change)

Release Notes