author | Vijay Anusuri <vanusuri@mvista.com> | 2024-01-25 12:35:06 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-01-31 03:51:10 -1000 |
commit | 4bda99df75e25df5ba6dccbd6df9ab3f089bb134 (patch) | |
tree | c880e7a1452ded8ad8fefe6bd97c65614377dd97 /meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch | |
parent | 70de5ee7d1203779901b54d29fc7a1ee39a55ad3 (diff) | |
download | poky-4bda99df75e25df5ba6dccbd6df9ab3f089bb134.tar.gz |
xserver-xorg: Multiple CVE fixes
Fix the CVEs listed below:
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409
(From OE-Core rev: 14ffb41e7a49a4c0076db9ec4449a97c0f143b67)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch | 87 |
1 files changed, 87 insertions, 0 deletions
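diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
new file mode 100644
index 0000000000..80ebc64e59
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+int count = 1;
+if (button && nbuttons > 32) count++;
+if (key && nbuttons > 0) count++;
+if (key && nkeys > 32) count++; // this is basically always true
+// count is at 2 for our keys + zero button device
+
+ev = alloc(count * sizeof(xEvent));
+FixDeviceStateNotify(ev);
+if (button)
+FixDeviceStateNotify(ev++);
+if (key)
+FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/enterleave.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+{
+int evcount = 1;
+- deviceStateNotify *ev, *sev;
++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++ deviceStateNotify *ev;
+deviceKeyStateNotify *kev;
+deviceButtonStateNotify *bev;
+
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+}
+}
+
+- sev = ev = xallocarray(evcount, sizeof(xEvent));
++ ev = sev;
+FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+
+if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+DeviceStateNotifyMask, NullGrab);
+- free(sev);
+}
+
+void
+--
+GitLab
+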
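Review bot: The bound of the new stack array in the first enterleave.c hunk, `deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];`, is an unexplained magic expression, and nothing visible ties it to `evcount` or to the `ev++` writes that follow. Because the fix depends on this being the worst-case event count, I would add a comment above the declaration deriving the `6` and the valuator term, plus a guard before delivery such as `assert(evcount <= (int)(sizeof(sev) / sizeof(sev[0])));`. The array is also left uninitialised, so if `evcount` can ever exceed the number of entries actually filled, stack bytes would be handed to `DeliverEventsToWindow`; writing `= { 0 }` on the declaration would rule that out. Most of DeliverStateNotifyEvent's body lies outside the three hunks, so the counting logic itself could not be checked here.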