diff options
author | Minjae Kim <flowergom@gmail.com> | 2022-12-04 18:39:27 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-23 23:05:44 +0000 |
commit | cc26cf0eb4cff522aa69523346672d54604397da (patch) | |
tree | 541c1d40fb56ba641e056eb4bbddf3dd47cef50c | |
parent | eb5651b44399737c7357a6a225676f695dace80e (diff) | |
download | poky-cc26cf0eb4cff522aa69523346672d54604397da.tar.gz |
xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553
<CVE-2022-3550>
xkb: proof GetCountedString against request length attacks
Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
<CVE-2022-3551>
xkb: fix some possible memleaks in XkbGetKbdByName
Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
<CVE-2022-3553>
xquartz: Fix a possible crash when editing the Application
menu due to mutaing immutable arrays
Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
(From OE-Core rev: 081ac12677096886b25023a03df06b99585ef18c)
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch new file mode 100644 index 0000000000..efec7b6b4e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Sun, 4 Dec 2022 17:40:21 +0000 | ||
4 | Subject: [PATCH 1/3] xkb: proof GetCountedString against request length | ||
5 | attacks | ||
6 | |||
7 | GetCountedString did a check for the whole string to be within the | ||
8 | request buffer but not for the initial 2 bytes that contain the length | ||
9 | field. A swapped client could send a malformed request to trigger a | ||
10 | swaps() on those bytes, writing into random memory. | ||
11 | |||
12 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
13 | |||
14 | Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] | ||
15 | CVE: CVE-2022-3550 | ||
16 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
17 | |||
18 | --- | ||
19 | xkb/xkb.c | 5 +++++ | ||
20 | 1 file changed, 5 insertions(+) | ||
21 | |||
22 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
23 | index 68c59df..bf8aaa3 100644 | ||
24 | --- a/xkb/xkb.c | ||
25 | +++ b/xkb/xkb.c | ||
26 | @@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) | ||
27 | CARD16 len; | ||
28 | |||
29 | wire = *wire_inout; | ||
30 | + | ||
31 | + if (client->req_len < | ||
32 | + bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) | ||
33 | + return BadValue; | ||
34 | + | ||
35 | len = *(CARD16 *) wire; | ||
36 | if (client->swapped) { | ||
37 | swaps(&len); | ||
38 | -- | ||
39 | 2.17.1 | ||
40 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch new file mode 100644 index 0000000000..a3b977aac9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Sun, 4 Dec 2022 17:44:00 +0000 | ||
4 | Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName | ||
5 | |||
6 | GetComponentByName returns an allocated string, so let's free that if we | ||
7 | fail somewhere. | ||
8 | |||
9 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
10 | |||
11 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2] | ||
12 | CVE: CVE-2022-3551 | ||
13 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
14 | |||
15 | --- | ||
16 | xkb/xkb.c | 26 +++++++++++++++++++------- | ||
17 | 1 file changed, 19 insertions(+), 7 deletions(-) | ||
18 | |||
19 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
20 | index bf8aaa3..f79d306 100644 | ||
21 | --- a/xkb/xkb.c | ||
22 | +++ b/xkb/xkb.c | ||
23 | @@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client) | ||
24 | xkb = dev->key->xkbInfo->desc; | ||
25 | status = Success; | ||
26 | str = (unsigned char *) &stuff[1]; | ||
27 | - if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ | ||
28 | - return BadMatch; | ||
29 | + { | ||
30 | + char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ | ||
31 | + if (keymap) { | ||
32 | + free(keymap); | ||
33 | + return BadMatch; | ||
34 | + } | ||
35 | + } | ||
36 | names.keycodes = GetComponentSpec(&str, TRUE, &status); | ||
37 | names.types = GetComponentSpec(&str, TRUE, &status); | ||
38 | names.compat = GetComponentSpec(&str, TRUE, &status); | ||
39 | names.symbols = GetComponentSpec(&str, TRUE, &status); | ||
40 | names.geometry = GetComponentSpec(&str, TRUE, &status); | ||
41 | - if (status != Success) | ||
42 | - return status; | ||
43 | - len = str - ((unsigned char *) stuff); | ||
44 | - if ((XkbPaddedSize(len) / 4) != stuff->length) | ||
45 | - return BadLength; | ||
46 | + if (status == Success) { | ||
47 | + len = str - ((unsigned char *) stuff); | ||
48 | + if ((XkbPaddedSize(len) / 4) != stuff->length) | ||
49 | + status = BadLength; | ||
50 | + } | ||
51 | |||
52 | + if (status != Success) { | ||
53 | + free(names.keycodes); | ||
54 | + free(names.types); | ||
55 | + free(names.compat); | ||
56 | + free(names.symbols); | ||
57 | + free(names.geometry); | ||
58 | + } | ||
59 | CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); | ||
60 | CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); | ||
61 | |||
62 | -- | ||
63 | 2.17.1 | ||
64 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch new file mode 100644 index 0000000000..94cea77edc --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jeremy Huddleston Sequoia <jeremyhu@apple.com> | ||
3 | Date: Sun, 4 Dec 2022 17:46:18 +0000 | ||
4 | Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the | ||
5 | Application menu due to mutaing immutable arrays | ||
6 | |||
7 | Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object | ||
8 | |||
9 | Application Specific Backtrace 0: | ||
10 | 0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242 | ||
11 | 1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48 | ||
12 | 2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194 | ||
13 | 3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0 | ||
14 | 4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119 | ||
15 | 5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169 | ||
16 | |||
17 | Fixes: https://github.com/XQuartz/XQuartz/issues/267 | ||
18 | Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> | ||
19 | |||
20 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3] | ||
21 | CVE: CVE-2022-3553 | ||
22 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
23 | |||
24 | --- | ||
25 | hw/xquartz/X11Controller.m | 8 ++++++-- | ||
26 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
27 | |||
28 | diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m | ||
29 | index 3efda50..9870ff2 100644 | ||
30 | --- a/hw/xquartz/X11Controller.m | ||
31 | +++ b/hw/xquartz/X11Controller.m | ||
32 | @@ -467,8 +467,12 @@ extern char *bundle_id_prefix; | ||
33 | self.table_apps = table_apps; | ||
34 | |||
35 | NSArray * const apps = self.apps; | ||
36 | - if (apps != nil) | ||
37 | - [table_apps addObjectsFromArray:apps]; | ||
38 | + | ||
39 | + if (apps != nil) { | ||
40 | + for (NSArray <NSString *> * row in apps) { | ||
41 | + [table_apps addObject:row.mutableCopy]; | ||
42 | + } | ||
43 | + } | ||
44 | |||
45 | columns = [apps_table tableColumns]; | ||
46 | [[columns objectAtIndex:0] setIdentifier:@"0"]; | ||
47 | -- | ||
48 | 2.17.1 | ||
49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index d176f390a4..4f5528f78b 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb | |||
@@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
5 | file://0001-test-xtest-Initialize-array-with-braces.patch \ | 5 | file://0001-test-xtest-Initialize-array-with-braces.patch \ |
6 | file://sdksyms-no-build-path.patch \ | 6 | file://sdksyms-no-build-path.patch \ |
7 | file://0001-drmmode_display.c-add-missing-mi.h-include.patch \ | 7 | file://0001-drmmode_display.c-add-missing-mi.h-include.patch \ |
8 | file://CVE-2022-3550.patch \ | ||
9 | file://CVE-2022-3551.patch \ | ||
10 | file://CVE-2022-3553.patch \ | ||
8 | " | 11 | " |
9 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" | 12 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" |
10 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" | 13 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" |