authorLi Zhou <li.zhou@windriver.com>2015-04-07 15:49:56 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-10 18:10:26 +0100
commit77a44c253b80e0a01ebfca90e5682469df636bee (patch)
treea3aa37e5d97c3a840ebe34c46766004ff6d390bc
parent6cbfe0f354a62dbd9252c58a0af24bec68dfeb5f (diff)
downloadpoky-77a44c253b80e0a01ebfca90e5682469df636bee.tar.gz
xorg-server: Security Advisory - xorg-server - CVE-2015-0255
Updated x11-server packages fix security vulnerability: Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request, where the server trusts the client to send valid string lengths. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. This can lead to information disclosure issues, as well as possibly a denial of service if a similar request can cause the server to crash (CVE-2015-0255). (From OE-Core rev: 564e2f9732ac4318bb5923dd1ff771514c9afd2f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch145
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch109
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.16.3.bb2
3 files changed, 256 insertions, 0 deletions
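--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch
@@ -0,0 +1,145 @@
+From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 08:44:45 +0100
+Subject: [PATCH] xkb: Check strings length against request size
+
+Ensure that the given strings length in an XkbSetGeometry request remain
+within the limits of the size of the request.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index b9a3ac4..f3988f9 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
+
+ /***====================================================================***/
+
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+- char *wire, *str;
++ char *wire, *next;
+ CARD16 len;
+
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+- if (swap) {
++ if (client->swapped) {
+ swaps(&len);
+ }
+- str = malloc(len + 1);
+- if (str) {
+- memcpy(str, &wire[2], len);
+- str[len] = '\0';
+- }
+- wire += XkbPaddedSize(len + 2);
+- *wire_inout = wire;
+- return str;
++ next = wire + XkbPaddedSize(len + 2);
++ /* Check we're still within the size of the request */
++ if (client->req_len <
++ bytes_to_int32(next - (char *) client->requestBuffer))
++ return BadValue;
++ *str = malloc(len + 1);
++ if (!*str)
++ return BadAlloc;
++ memcpy(*str, &wire[2], len);
++ *(*str + len) = '\0';
++ *wire_inout = next;
++ return Success;
+ }
+
+ static Status
+@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
++ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
+@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+- doodad->text.text = _GetCountedString(&wire, client->swapped);
+- doodad->text.font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->text.text);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &doodad->text.font);
++ if (status != Success) {
++ free (doodad->text.text);
++ return status;
++ }
+ break;
+ case XkbIndicatorDoodad:
+ if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
+ }
+ doodad->logo.color_ndx = dWire->logo.colorNdx;
+ doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++ if (status != Success)
++ return status;
+ break;
+ default:
+ client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ char *wire;
+
+ wire = (char *) &req[1];
+- geom->label_font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &geom->label_font);
++ if (status != Success)
++ return status;
+
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
+- val = _GetCountedString(&wire, client->swapped);
+- if (!val) {
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &val);
++ if (status != Success) {
+ free(name);
+- return BadAlloc;
++ return status;
+ }
+ if (XkbAddGeomProperty(geom, name, val) == NULL) {
+ free(name);
+@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ for (i = 0; i < req->nColors; i++) {
+ char *name;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
+ if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+ free(name);
+ return BadAlloc;
+--
+1.7.9.5
+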
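Review bot: `_GetCountedString` still reads the two-byte length with `len = *(CARD16 *) wire;` before anything has established that those two bytes lie inside the request; the new `req_len` comparison only covers `next`, which is derived from the value already read. When `wire` sits at or past the end of the request, the length field itself is taken from memory beyond it. A guard placed ahead of the read closes that gap: `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`. Separately, the text-doodad error path in `_CheckSetDoodad` calls `free (doodad->text.text);` and leaves the stale pointer in the doodad; if the caller releases the geometry on failure (not visible in these hunks) that becomes a double free, so `doodad->text.text = NULL;` should follow the free.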
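--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
@@ -0,0 +1,109 @@
+From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 20:08:59 +0100
+Subject: [PATCH] xkb: Don't swap XkbSetGeometry data in the input buffer
+
+The XkbSetGeometry request embeds data which needs to be swapped when the
+server and the client have different endianess.
+
+_XkbSetGeometry() invokes functions that swap these data directly in the
+input buffer.
+
+However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+(if there is more than one keyboard), thus causing on swapped clients the
+same data to be swapped twice in memory, further causing a server crash
+because the strings lengths on the second time are way off bounds.
+
+To allow _XkbSetGeometry() to run reliably more than once with swapped
+clients, do not swap the data in the buffer, use variables instead.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ xkb/xkb.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 15c7f34..b9a3ac4 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4961,14 +4961,13 @@ static char *
+ _GetCountedString(char **wire_inout, Bool swap)
+ {
+ char *wire, *str;
+- CARD16 len, *plen;
++ CARD16 len;
+
+ wire = *wire_inout;
+- plen = (CARD16 *) wire;
++ len = *(CARD16 *) wire;
+ if (swap) {
+- swaps(plen);
++ swaps(&len);
+ }
+- len = *plen;
+ str = malloc(len + 1);
+ if (str) {
+ memcpy(str, &wire[2], len);
+@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
+ {
+ char *wire;
+ xkbDoodadWireDesc *dWire;
++ xkbAnyDoodadWireDesc any;
++ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
++ any = dWire->any;
+ wire = (char *) &dWire[1];
+ if (client->swapped) {
+- swapl(&dWire->any.name);
+- swaps(&dWire->any.top);
+- swaps(&dWire->any.left);
+- swaps(&dWire->any.angle);
++ swapl(&any.name);
++ swaps(&any.top);
++ swaps(&any.left);
++ swaps(&any.angle);
+ }
+ CHK_ATOM_ONLY(dWire->any.name);
+- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
++ doodad = XkbAddGeomDoodad(geom, section, any.name);
+ if (!doodad)
+ return BadAlloc;
+ doodad->any.type = dWire->any.type;
+ doodad->any.priority = dWire->any.priority;
+- doodad->any.top = dWire->any.top;
+- doodad->any.left = dWire->any.left;
+- doodad->any.angle = dWire->any.angle;
++ doodad->any.top = any.top;
++ doodad->any.left = any.left;
++ doodad->any.angle = any.angle;
+ switch (doodad->any.type) {
+ case XkbOutlineDoodad:
+ case XkbSolidDoodad:
+@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
+ dWire->text.colorNdx);
+ return BadMatch;
+ }
++ text = dWire->text;
+ if (client->swapped) {
+- swaps(&dWire->text.width);
+- swaps(&dWire->text.height);
++ swaps(&text.width);
++ swaps(&text.height);
+ }
+- doodad->text.width = dWire->text.width;
+- doodad->text.height = dWire->text.height;
++ doodad->text.width = text.width;
++ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+ doodad->text.text = _GetCountedString(&wire, client->swapped);
+ doodad->text.font = _GetCountedString(&wire, client->swapped);
+--
+1.7.9.5
+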
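Review bot: `CHK_ATOM_ONLY(dWire->any.name);` in `_CheckSetDoodad` still validates the raw wire value, while the very next line now hands the swapped copy `any.name` to `XkbAddGeomDoodad`. Before this change the swap was done in place, so the check and the use saw the same value; for a byte-swapped client they now differ, and the atom that actually gets stored appears to go unvalidated (the macro is defined outside the hunk, so this assumes it validates its argument as an atom). The check should follow the local copy: `CHK_ATOM_ONLY(any.name);`. The function body starts and ends outside these hunks, so other reads of swapped fields through `dWire` may need the same treatment.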
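--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.16.3.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.16.3.bb
@@ -6,6 +6,8 @@ SRC_URI += "file://fix_open_max_preprocessor_error.patch \
  file://xshmfence-option.patch \
  file://Fix-subwindow-in-Xi-emulated-events.patch \
  file://xtrans.patch \
+ file://0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch \
+ file://0001-xkb-Check-strings-length-against-request-size.patch \
  "
 
 SRC_URI[md5sum] = "afd93977235584a9caa7528a737c1b52"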
11SRC_URI[md5sum] = "afd93977235584a9caa7528a737c1b52" 13SRC_URI[md5sum] = "afd93977235584a9caa7528a737c1b52"