xorg-server: Security Advisory - xorg-server - CVE-2015-0255

Updated x11-server packages fix security vulnerability: Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request, where the server trusts the client to send valid string lengths. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. This can lead to information disclosure issues, as well as possibly a denial of service if a similar request can cause the server to crash (CVE-2015-0255). (From OE-Core rev: 564e2f9732ac4318bb5923dd1ff771514c9afd2f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Zhou <li.zhou@windriver.com> 2015-04-07 15:49:56 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-04-10 18:10:26 +0100
commit: 77a44c253b80e0a01ebfca90e5682469df636bee (patch)
tree: a3aa37e5d97c3a840ebe34c46766004ff6d390bc /meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
parent: 6cbfe0f354a62dbd9252c58a0af24bec68dfeb5f (diff)
download: poky-77a44c253b80e0a01ebfca90e5682469df636bee.tar.gz
1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
new file mode 100644
index 0000000000..c841dbe87e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
@@ -0,0 +1,109 @@
+From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 20:08:59 +0100
+Subject: [PATCH] xkb: Don't swap XkbSetGeometry data in the input buffer
+The XkbSetGeometry request embeds data which needs to be swapped when the
+server and the client have different endianess.
+_XkbSetGeometry() invokes functions that swap these data directly in the
+input buffer.
+However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+(if there is more than one keyboard), thus causing on swapped clients the
+same data to be swapped twice in memory, further causing a server crash
+because the strings lengths on the second time are way off bounds.
+To allow _XkbSetGeometry() to run reliably more than once with swapped
+clients, do not swap the data in the buffer, use variables instead.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Upstream-Status: backport
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ xkb/xkb.c |   35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 15c7f34..b9a3ac4 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -4961,14 +4961,13 @@ static char *
+ _GetCountedString(char **wire_inout, Bool swap)
+ {
+     char *wire, *str;
+-    CARD16 len, *plen;
+    CARD16 len;
+ 
+     wire = *wire_inout;
+-    plen = (CARD16 *) wire;
+    len = *(CARD16 *) wire;
+     if (swap) {
+-        swaps(plen);
+        swaps(&len);
+     }
+-    len = *plen;
+     str = malloc(len + 1);
+     if (str) {
+         memcpy(str, &wire[2], len);
+@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
+ {
+     char *wire;
+     xkbDoodadWireDesc *dWire;
+    xkbAnyDoodadWireDesc any;
+    xkbTextDoodadWireDesc text;
+     XkbDoodadPtr doodad;
+ 
+     dWire = (xkbDoodadWireDesc *) (*wire_inout);
+    any = dWire->any;
+     wire = (char *) &dWire[1];
+     if (client->swapped) {
+-        swapl(&dWire->any.name);
+-        swaps(&dWire->any.top);
+-        swaps(&dWire->any.left);
+-        swaps(&dWire->any.angle);
+        swapl(&any.name);
+        swaps(&any.top);
+        swaps(&any.left);
+        swaps(&any.angle);
+     }
+     CHK_ATOM_ONLY(dWire->any.name);
+-    doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
+    doodad = XkbAddGeomDoodad(geom, section, any.name);
+     if (!doodad)
+         return BadAlloc;
+     doodad->any.type = dWire->any.type;
+     doodad->any.priority = dWire->any.priority;
+-    doodad->any.top = dWire->any.top;
+-    doodad->any.left = dWire->any.left;
+-    doodad->any.angle = dWire->any.angle;
+    doodad->any.top = any.top;
+    doodad->any.left = any.left;
+    doodad->any.angle = any.angle;
+     switch (doodad->any.type) {
+     case XkbOutlineDoodad:
+     case XkbSolidDoodad:
+@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
+                                               dWire->text.colorNdx);
+             return BadMatch;
+         }
+        text = dWire->text;
+         if (client->swapped) {
+-            swaps(&dWire->text.width);
+-            swaps(&dWire->text.height);
+            swaps(&text.width);
+            swaps(&text.height);
+         }
+-        doodad->text.width = dWire->text.width;
+-        doodad->text.height = dWire->text.height;
+        doodad->text.width = text.width;
+        doodad->text.height = text.height;
+         doodad->text.color_ndx = dWire->text.colorNdx;
+         doodad->text.text = _GetCountedString(&wire, client->swapped);
+         doodad->text.font = _GetCountedString(&wire, client->swapped);
+-- 
+1.7.9.5
author	Li Zhou <li.zhou@windriver.com>	2015-04-07 15:49:56 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-04-10 18:10:26 +0100
commit	77a44c253b80e0a01ebfca90e5682469df636bee (patch)
tree	a3aa37e5d97c3a840ebe34c46766004ff6d390bc /meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
parent	6cbfe0f354a62dbd9252c58a0af24bec68dfeb5f (diff)
download	poky-77a44c253b80e0a01ebfca90e5682469df636bee.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch new file mode 100644 index 0000000000..c841dbe87e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
@@ -0,0 +1,109 @@
	1	From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001
	2	From: Olivier Fourdan <ofourdan@redhat.com>
	3	Date: Fri, 16 Jan 2015 20:08:59 +0100
	4	Subject: [PATCH] xkb: Don't swap XkbSetGeometry data in the input buffer
	5
	6	The XkbSetGeometry request embeds data which needs to be swapped when the
	7	server and the client have different endianess.
	8
	9	_XkbSetGeometry() invokes functions that swap these data directly in the
	10	input buffer.
	11
	12	However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
	13	(if there is more than one keyboard), thus causing on swapped clients the
	14	same data to be swapped twice in memory, further causing a server crash
	15	because the strings lengths on the second time are way off bounds.
	16
	17	To allow _XkbSetGeometry() to run reliably more than once with swapped
	18	clients, do not swap the data in the buffer, use variables instead.
	19
	20	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
	21	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	22
	23	Upstream-Status: backport
	24
	25	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	26	---
	27	xkb/xkb.c \| 35 +++++++++++++++++++----------------
	28	1 file changed, 19 insertions(+), 16 deletions(-)
	29
	30	diff --git a/xkb/xkb.c b/xkb/xkb.c
	31	index 15c7f34..b9a3ac4 100644
	32	--- a/xkb/xkb.c
	33	+++ b/xkb/xkb.c
	34	@@ -4961,14 +4961,13 @@ static char *
	35	_GetCountedString(char **wire_inout, Bool swap)
	36	{
	37	char wire, str;
	38	- CARD16 len, *plen;
	39	+ CARD16 len;
	40
	41	wire = *wire_inout;
	42	- plen = (CARD16 *) wire;
	43	+ len = (CARD16 ) wire;
	44	if (swap) {
	45	- swaps(plen);
	46	+ swaps(&len);
	47	}
	48	- len = *plen;
	49	str = malloc(len + 1);
	50	if (str) {
	51	memcpy(str, &wire[2], len);
	52	@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
	53	{
	54	char *wire;
	55	xkbDoodadWireDesc *dWire;
	56	+ xkbAnyDoodadWireDesc any;
	57	+ xkbTextDoodadWireDesc text;
	58	XkbDoodadPtr doodad;
	59
	60	dWire = (xkbDoodadWireDesc ) (wire_inout);
	61	+ any = dWire->any;
	62	wire = (char *) &dWire[1];
	63	if (client->swapped) {
	64	- swapl(&dWire->any.name);
	65	- swaps(&dWire->any.top);
	66	- swaps(&dWire->any.left);
	67	- swaps(&dWire->any.angle);
	68	+ swapl(&any.name);
	69	+ swaps(&any.top);
	70	+ swaps(&any.left);
	71	+ swaps(&any.angle);
	72	}
	73	CHK_ATOM_ONLY(dWire->any.name);
	74	- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
	75	+ doodad = XkbAddGeomDoodad(geom, section, any.name);
	76	if (!doodad)
	77	return BadAlloc;
	78	doodad->any.type = dWire->any.type;
	79	doodad->any.priority = dWire->any.priority;
	80	- doodad->any.top = dWire->any.top;
	81	- doodad->any.left = dWire->any.left;
	82	- doodad->any.angle = dWire->any.angle;
	83	+ doodad->any.top = any.top;
	84	+ doodad->any.left = any.left;
	85	+ doodad->any.angle = any.angle;
	86	switch (doodad->any.type) {
	87	case XkbOutlineDoodad:
	88	case XkbSolidDoodad:
	89	@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
	90	dWire->text.colorNdx);
	91	return BadMatch;
	92	}
	93	+ text = dWire->text;
	94	if (client->swapped) {
	95	- swaps(&dWire->text.width);
	96	- swaps(&dWire->text.height);
	97	+ swaps(&text.width);
	98	+ swaps(&text.height);
	99	}
	100	- doodad->text.width = dWire->text.width;
	101	- doodad->text.height = dWire->text.height;
	102	+ doodad->text.width = text.width;
	103	+ doodad->text.height = text.height;
	104	doodad->text.color_ndx = dWire->text.colorNdx;
	105	doodad->text.text = _GetCountedString(&wire, client->swapped);
	106	doodad->text.font = _GetCountedString(&wire, client->swapped);
	107	--
	108	1.7.9.5
	109