xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553

<CVE-2022-3550> xkb: proof GetCountedString against request length attacks Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] <CVE-2022-3551> xkb: fix some possible memleaks in XkbGetKbdByName Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2] <CVE-2022-3553> xquartz: Fix a possible crash when editing the Application menu due to mutaing immutable arrays Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3] (From OE-Core rev: 081ac12677096886b25023a03df06b99585ef18c) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Minjae Kim <flowergom@gmail.com> 2022-12-04 18:39:27 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-23 23:05:44 +0000
commit: cc26cf0eb4cff522aa69523346672d54604397da (patch)
tree: 541c1d40fb56ba641e056eb4bbddf3dd47cef50c
parent: eb5651b44399737c7357a6a225676f695dace80e (diff)
download: poky-cc26cf0eb4cff522aa69523346672d54604397da.tar.gz
4 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
new file mode 100644
index 0000000000..efec7b6b4e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,40 @@
+From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:40:21 +0000
+Subject: [PATCH 1/3] xkb: proof GetCountedString against request length
+ attacks
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
+CVE: CVE-2022-3550
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 68c59df..bf8aaa3 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
+
+    if (client->req_len <
+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
+       return BadValue;
+
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
new file mode 100644
index 0000000000..a3b977aac9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
+From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:44:00 +0000
+Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
+CVE: CVE-2022-3551
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ xkb/xkb.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index bf8aaa3..f79d306 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
+    {
+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
+        if (keymap) {
+            free(keymap);
+            return BadMatch;
+        }
+    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
+-        return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
+    if (status == Success) {
+        len = str - ((unsigned char *) stuff);
+        if ((XkbPaddedSize(len) / 4) != stuff->length)
+            status = BadLength;
+    }
+ 
+    if (status != Success) {
+        free(names.keycodes);
+        free(names.types);
+        free(names.compat);
+        free(names.symbols);
+        free(names.geometry);
+    }
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
new file mode 100644
index 0000000000..94cea77edc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,49 @@
+From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sun, 4 Dec 2022 17:46:18 +0000
+Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the
+ Application menu due to mutaing immutable arrays
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+Application Specific Backtrace 0:
+0   CoreFoundation                      0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1   libobjc.A.dylib                     0x00007ff80d027e48 objc_exception_throw + 48
+2   CoreFoundation                      0x00007ff80d38167b _CFThrowFormattedException + 194
+3   CoreFoundation                      0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4   CoreFoundation                      0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5   X11.bin                             0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
+CVE: CVE-2022-3553
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ hw/xquartz/X11Controller.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3efda50..9870ff2 100644
+--- a/hw/xquartz/X11Controller.m
+++ b/hw/xquartz/X11Controller.m
+@@ -467,8 +467,12 @@ extern char *bundle_id_prefix;
+     self.table_apps = table_apps;
+ 
+     NSArray * const apps = self.apps;
+-    if (apps != nil)
+-        [table_apps addObjectsFromArray:apps];
+
+    if (apps != nil) {
+        for (NSArray <NSString *> * row in apps) {
+            [table_apps addObject:row.mutableCopy];
+        }
+    }
+ 
+     columns = [apps_table tableColumns];
+     [[columns objectAtIndex:0] setIdentifier:@"0"];
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index d176f390a4..4f5528f78b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://0001-test-xtest-Initialize-array-with-braces.patch \
           file://sdksyms-no-build-path.patch \
           file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+           file://CVE-2022-3550.patch \
+           file://CVE-2022-3551.patch \
+           file://CVE-2022-3553.patch \
           "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
author	Minjae Kim <flowergom@gmail.com>	2022-12-04 18:39:27 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-23 23:05:44 +0000
commit	cc26cf0eb4cff522aa69523346672d54604397da (patch)
tree	541c1d40fb56ba641e056eb4bbddf3dd47cef50c
parent	eb5651b44399737c7357a6a225676f695dace80e (diff)
download	poky-cc26cf0eb4cff522aa69523346672d54604397da.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch new file mode 100644 index 0000000000..efec7b6b4e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,40 @@
		1	From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Sun, 4 Dec 2022 17:40:21 +0000
		4	Subject: [PATCH 1/3] xkb: proof GetCountedString against request length
		5	attacks
		6
		7	GetCountedString did a check for the whole string to be within the
		8	request buffer but not for the initial 2 bytes that contain the length
		9	field. A swapped client could send a malformed request to trigger a
		10	swaps() on those bytes, writing into random memory.
		11
		12	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		13
		14	Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
		15	CVE: CVE-2022-3550
		16	Signed-off-by:Minjae Kim <flowergom@gmail.com>
		17
		18	---
		19	xkb/xkb.c \| 5 +++++
		20	1 file changed, 5 insertions(+)
		21
		22	diff --git a/xkb/xkb.c b/xkb/xkb.c
		23	index 68c59df..bf8aaa3 100644
		24	--- a/xkb/xkb.c
		25	+++ b/xkb/xkb.c
		26	@@ -5138,6 +5138,11 @@ _GetCountedString(char wire_inout, ClientPtr client, char str)
		27	CARD16 len;
		28
		29	wire = *wire_inout;
		30	+
		31	+ if (client->req_len <
		32	+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
		33	+ return BadValue;
		34	+
		35	len = (CARD16 ) wire;
		36	if (client->swapped) {
		37	swaps(&len);
		38	--
		39	2.17.1
		40


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch new file mode 100644 index 0000000000..a3b977aac9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
		1	From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Sun, 4 Dec 2022 17:44:00 +0000
		4	Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
		5
		6	GetComponentByName returns an allocated string, so let's free that if we
		7	fail somewhere.
		8
		9	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		10
		11	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
		12	CVE: CVE-2022-3551
		13	Signed-off-by:Minjae Kim <flowergom@gmail.com>
		14
		15	---
		16	xkb/xkb.c \| 26 +++++++++++++++++++-------
		17	1 file changed, 19 insertions(+), 7 deletions(-)
		18
		19	diff --git a/xkb/xkb.c b/xkb/xkb.c
		20	index bf8aaa3..f79d306 100644
		21	--- a/xkb/xkb.c
		22	+++ b/xkb/xkb.c
		23	@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
		24	xkb = dev->key->xkbInfo->desc;
		25	status = Success;
		26	str = (unsigned char *) &stuff[1];
		27	- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
		28	- return BadMatch;
		29	+ {
		30	+ char keymap = GetComponentSpec(&str, TRUE, &status); / keymap, unsupported */
		31	+ if (keymap) {
		32	+ free(keymap);
		33	+ return BadMatch;
		34	+ }
		35	+ }
		36	names.keycodes = GetComponentSpec(&str, TRUE, &status);
		37	names.types = GetComponentSpec(&str, TRUE, &status);
		38	names.compat = GetComponentSpec(&str, TRUE, &status);
		39	names.symbols = GetComponentSpec(&str, TRUE, &status);
		40	names.geometry = GetComponentSpec(&str, TRUE, &status);
		41	- if (status != Success)
		42	- return status;
		43	- len = str - ((unsigned char *) stuff);
		44	- if ((XkbPaddedSize(len) / 4) != stuff->length)
		45	- return BadLength;
		46	+ if (status == Success) {
		47	+ len = str - ((unsigned char *) stuff);
		48	+ if ((XkbPaddedSize(len) / 4) != stuff->length)
		49	+ status = BadLength;
		50	+ }
		51
		52	+ if (status != Success) {
		53	+ free(names.keycodes);
		54	+ free(names.types);
		55	+ free(names.compat);
		56	+ free(names.symbols);
		57	+ free(names.geometry);
		58	+ }
		59	CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
		60	CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
		61
		62	--
		63	2.17.1
		64


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch new file mode 100644 index 0000000000..94cea77edc --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,49 @@
		1	From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001
		2	From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
		3	Date: Sun, 4 Dec 2022 17:46:18 +0000
		4	Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the
		5	Application menu due to mutaing immutable arrays
		6
		7	Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
		8
		9	Application Specific Backtrace 0:
		10	0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242
		11	1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48
		12	2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194
		13	3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
		14	4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
		15	5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
		16
		17	Fixes: https://github.com/XQuartz/XQuartz/issues/267
		18	Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
		19
		20	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
		21	CVE: CVE-2022-3553
		22	Signed-off-by:Minjae Kim <flowergom@gmail.com>
		23
		24	---
		25	hw/xquartz/X11Controller.m \| 8 ++++++--
		26	1 file changed, 6 insertions(+), 2 deletions(-)
		27
		28	diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
		29	index 3efda50..9870ff2 100644
		30	--- a/hw/xquartz/X11Controller.m
		31	+++ b/hw/xquartz/X11Controller.m
		32	@@ -467,8 +467,12 @@ extern char *bundle_id_prefix;
		33	self.table_apps = table_apps;
		34
		35	NSArray * const apps = self.apps;
		36	- if (apps != nil)
		37	- [table_apps addObjectsFromArray:apps];
		38	+
		39	+ if (apps != nil) {
		40	+ for (NSArray <NSString > row in apps) {
		41	+ [table_apps addObject:row.mutableCopy];
		42	+ }
		43	+ }
		44
		45	columns = [apps_table tableColumns];
		46	[[columns objectAtIndex:0] setIdentifier:@"0"];
		47	--
		48	2.17.1
		49


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index d176f390a4..4f5528f78b 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
5	file://0001-test-xtest-Initialize-array-with-braces.patch \	5	file://0001-test-xtest-Initialize-array-with-braces.patch \
6	file://sdksyms-no-build-path.patch \	6	file://sdksyms-no-build-path.patch \
7	file://0001-drmmode_display.c-add-missing-mi.h-include.patch \	7	file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
		8	file://CVE-2022-3550.patch \
		9	file://CVE-2022-3551.patch \
		10	file://CVE-2022-3553.patch \
8	"	11	"
9	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"	12	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
10	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"	13	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"