xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b & https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee (From OE-Core rev: 223950f9c748f89ee1b2a9df9cd77a0099e74581) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-04-10 06:19:31 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-04-19 04:50:38 -0700
commit: 0603438c81bc53a807ed85ebe1538f52a7b78887 (patch)
tree: cc1ae4b444d54831a9ba89fb45fdd886127f1648
parent: a095c9e6a349ecf5e73e74d05cb6a815877155bf (diff)
download: poky-0603438c81bc53a807ed85ebe1538f52a7b78887.tar.gz
3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 0000000000..40296903cd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+CVE-2024-31080
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+     InputClientsPtr others = NULL;
+     xXIEventMask *evmask = NULL;
+     DeviceIntPtr dev;
+    uint32_t length;
+ 
+     REQUEST(xXIGetSelectedEventsReq);
+     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+         }
+     }
+ 
+    /* save the value before SRepXIGetSelectedEvents swaps it */
+    length = reply.length;
+     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+     if (reply.num_masks)
+-        WriteToClient(client, reply.length * 4, buffer);
+        WriteToClient(client, length * 4, buffer);
+ 
+     free(buffer);
+     return Success;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
new file mode 100644
index 0000000000..4380004700
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+CVE-2024-31081
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+     GrabParameters param;
+     void *tmp;
+     int mask_len;
+    uint32_t length;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
+     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         }
+     }
+ 
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
+     WriteReplyToClient(client, sizeof(rep), &rep);
+     if (rep.num_modifiers)
+-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+     free(modifiers_failed);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index e62babd4cb..b9eed92103 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -16,6 +16,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2024-21886-2.patch \
           file://CVE-2024-0408.patch \
           file://CVE-2024-0409.patch \
+           file://CVE-2024-31080.patch \
+           file://CVE-2024-31081.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-04-10 06:19:31 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-04-19 04:50:38 -0700
commit	0603438c81bc53a807ed85ebe1538f52a7b78887 (patch)
tree	cc1ae4b444d54831a9ba89fb45fdd886127f1648
parent	a095c9e6a349ecf5e73e74d05cb6a815877155bf (diff)
download	poky-0603438c81bc53a807ed85ebe1538f52a7b78887.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch new file mode 100644 index 0000000000..40296903cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
		1	From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Fri, 22 Mar 2024 18:51:45 -0700
		4	Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
		5	send reply
		6
		7	CVE-2024-31080
		8
		9	Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
		10	Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
		11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		12	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
		15	CVE: CVE-2024-31080
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	Xi/xiselectev.c \| 5 ++++-
		19	1 file changed, 4 insertions(+), 1 deletion(-)
		20
		21	diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
		22	index edcb8a0d36..ac14949871 100644
		23	--- a/Xi/xiselectev.c
		24	+++ b/Xi/xiselectev.c
		25	@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
		26	InputClientsPtr others = NULL;
		27	xXIEventMask *evmask = NULL;
		28	DeviceIntPtr dev;
		29	+ uint32_t length;
		30
		31	REQUEST(xXIGetSelectedEventsReq);
		32	REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
		33	@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
		34	}
		35	}
		36
		37	+ /* save the value before SRepXIGetSelectedEvents swaps it */
		38	+ length = reply.length;
		39	WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
		40
		41	if (reply.num_masks)
		42	- WriteToClient(client, reply.length * 4, buffer);
		43	+ WriteToClient(client, length * 4, buffer);
		44
		45	free(buffer);
		46	return Success;
		47	--
		48	GitLab
		49


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch new file mode 100644 index 0000000000..4380004700 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
		1	From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Fri, 22 Mar 2024 18:56:27 -0700
		4	Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
		5	send reply
		6
		7	CVE-2024-31081
		8
		9	Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
		10	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		11	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
		12
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
		14	CVE: CVE-2024-31081
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	Xi/xipassivegrab.c \| 5 ++++-
		18	1 file changed, 4 insertions(+), 1 deletion(-)
		19
		20	diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
		21	index c9ac2f8553..896233bec2 100644
		22	--- a/Xi/xipassivegrab.c
		23	+++ b/Xi/xipassivegrab.c
		24	@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
		25	GrabParameters param;
		26	void *tmp;
		27	int mask_len;
		28	+ uint32_t length;
		29
		30	REQUEST(xXIPassiveGrabDeviceReq);
		31	REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
		32	@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
		33	}
		34	}
		35
		36	+ /* save the value before SRepXIPassiveGrabDevice swaps it */
		37	+ length = rep.length;
		38	WriteReplyToClient(client, sizeof(rep), &rep);
		39	if (rep.num_modifiers)
		40	- WriteToClient(client, rep.length * 4, modifiers_failed);
		41	+ WriteToClient(client, length * 4, modifiers_failed);
		42
		43	out:
		44	free(modifiers_failed);
		45	--
		46	GitLab
		47


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index e62babd4cb..b9eed92103 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -16,6 +16,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
16	file://CVE-2024-21886-2.patch \	16	file://CVE-2024-21886-2.patch \
17	file://CVE-2024-0408.patch \	17	file://CVE-2024-0408.patch \
18	file://CVE-2024-0409.patch \	18	file://CVE-2024-0409.patch \
		19	file://CVE-2024-31080.patch \
		20	file://CVE-2024-31081.patch \
19	"	21	"
20	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	22	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
21		23