xserver-xorg: Fix CVE-2017-10971

Backport 3 patches to fix CVE-2017-10971: In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-10971 (From OE-Core rev: 20428f660f2c046c63bbf63c4e4af95dac9f2b3d) Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jackie Huang <jackie.huang@windriver.com> 2017-08-17 15:39:13 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-18 23:46:37 +0100
commit: 583225d94ae7631f82afd618a00ca0f9ed63fce0 (patch)
tree: 0c9023523b5e155fc6ef1bd7b8b4481dc3b7ec82 /meta/recipes-graphics/xorg-xserver
parent: 88a82e74899b4152fcbda9e88aa1e8e77701b5e2 (diff)
download: poky-583225d94ae7631f82afd618a00ca0f9ed63fce0.tar.gz
4 files changed, 184 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
new file mode 100644
index 0000000000..23c8049896
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
@@ -0,0 +1,76 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+CVE: CVE-2017-10971
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ dix/events.c  |    6 ++++++
+ dix/swapreq.c |    7 +++++++
+ 2 files changed, 13 insertions(+)
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- a/dix/events.c
+++ b/dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+         client->errorValue = stuff->event.u.u.type;
+         return BadValue;
+     }
+    /* Generic events can have variable size, but SendEvent request holds
+       exactly 32B of event data. */
+    if (stuff->event.u.u.type == GenericEvent) {
+        client->errorValue = stuff->event.u.u.type;
+        return BadValue;
+    }
+     if (stuff->event.u.u.type == ClientMessage &&
+         stuff->event.u.u.detail != 8 &&
+         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- a/dix/swapreq.c
+++ b/dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+     swapl(&stuff->destination);
+     swapl(&stuff->eventMask);
+ 
+    /* Generic events can have variable size, but SendEvent request holds
+       exactly 32B of event data. */
+    if (stuff->event.u.u.type == GenericEvent) {
+        client->errorValue = stuff->event.u.u.type;
+        return BadValue;
+    }
+
+     /* Swap event */
+     proc = EventSwapVector[stuff->event.u.u.type & 0177];
+     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
+-- 
+1.7.9.5
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
new file mode 100644
index 0000000000..5c9887afa1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
@@ -0,0 +1,55 @@
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+CVE: CVE-2017-10971
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Xi/sendexev.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+-    int ret;
+    int ret, i;
+     DeviceIntPtr dev;
+     xEvent *first;
+     XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+     /* The client's event type must be one defined by an extension. */
+ 
+     first = ((xEvent *) &stuff[1]);
+-    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+-          (first->u.u.type < lastEvent))) {
+-        client->errorValue = first->u.u.type;
+-        return BadValue;
+    for (i = 0; i < stuff->num_events; i++) {
+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+            (first[i].u.u.type < lastEvent))) {
+            client->errorValue = first[i].u.u.type;
+            return BadValue;
+        }
+     }
+ 
+     list = (XEventClass *) (first + stuff->num_events);
+-- 
+1.7.9.5
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
new file mode 100644
index 0000000000..54ba481024
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
@@ -0,0 +1,50 @@
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: [PATCH] Xi: Do not try to swap GenericEvent.
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+CVE: CVE-2017-10971
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455]
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Xi/sendexev.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+ 
+     eventP = (xEvent *) &stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
+        if (eventP->u.u.type == GenericEvent) {
+            client->errorValue = eventP->u.u.type;
+            return BadValue;
+        }
+
+         proc = EventSwapVector[eventP->u.u.type & 0177];
+-        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
+        /* no swapping proc; invalid event type? */
+        if (proc == NotImplemented) {
+            client->errorValue = eventP->u.u.type;
+             return BadValue;
+        }
+         (*proc) (eventP, &eventT);
+         *eventP = eventT;
+     }
+-- 
+1.7.9.5
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
index 606367d1e9..65ef6c683b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
            file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \
            file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
            file://0003-Remove-check-for-useSIGIO-option.patch \
+            file://CVE-2017-10971-1.patch \
+            file://CVE-2017-10971-2.patch \
+            file://CVE-2017-10971-3.patch \
            "
 SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e"
 SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98"
author	Jackie Huang <jackie.huang@windriver.com>	2017-08-17 15:39:13 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-18 23:46:37 +0100
commit	583225d94ae7631f82afd618a00ca0f9ed63fce0 (patch)
tree	0c9023523b5e155fc6ef1bd7b8b4481dc3b7ec82 /meta/recipes-graphics/xorg-xserver
parent	88a82e74899b4152fcbda9e88aa1e8e77701b5e2 (diff)
download	poky-583225d94ae7631f82afd618a00ca0f9ed63fce0.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch new file mode 100644 index 0000000000..23c8049896 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
@@ -0,0 +1,76 @@
		1	From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
		2	From: Michal Srb <msrb@suse.com>
		3	Date: Wed, 24 May 2017 15:54:40 +0300
		4	Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
		5
		6	The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
		7	no less. Both ProcSendEvent and SProcSendEvent verify that the received data
		8	exactly match the request size. However nothing stops the client from passing
		9	in event with xEvent::type = GenericEvent and any value of
		10	xGenericEvent::length.
		11
		12	In the case of ProcSendEvent, the event will be eventually passed to
		13	WriteEventsToClient which will see that it is Generic event and copy the
		14	arbitrary length from the receive buffer (and possibly past it) and send it to
		15	the other client. This allows clients to copy unitialized heap memory out of X
		16	server or to crash it.
		17
		18	In case of SProcSendEvent, it will attempt to swap the incoming event by
		19	calling a swapping function from the EventSwapVector array. The swapped event
		20	is written to target buffer, which in this case is local xEvent variable. The
		21	xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
		22	expect that the target buffer has size matching the size of the source
		23	GenericEvent. This allows clients to cause stack buffer overflows.
		24
		25	Signed-off-by: Michal Srb <msrb@suse.com>
		26	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		28
		29	CVE: CVE-2017-10971
		30
		31	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
		32
		33	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
		34	---
		35	dix/events.c \| 6 ++++++
		36	dix/swapreq.c \| 7 +++++++
		37	2 files changed, 13 insertions(+)
		38
		39	diff --git a/dix/events.c b/dix/events.c
		40	index 3e3a01e..d3a33ea 100644
		41	--- a/dix/events.c
		42	+++ b/dix/events.c
		43	@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
		44	client->errorValue = stuff->event.u.u.type;
		45	return BadValue;
		46	}
		47	+ /* Generic events can have variable size, but SendEvent request holds
		48	+ exactly 32B of event data. */
		49	+ if (stuff->event.u.u.type == GenericEvent) {
		50	+ client->errorValue = stuff->event.u.u.type;
		51	+ return BadValue;
		52	+ }
		53	if (stuff->event.u.u.type == ClientMessage &&
		54	stuff->event.u.u.detail != 8 &&
		55	stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
		56	diff --git a/dix/swapreq.c b/dix/swapreq.c
		57	index 719e9b8..6785059 100644
		58	--- a/dix/swapreq.c
		59	+++ b/dix/swapreq.c
		60	@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
		61	swapl(&stuff->destination);
		62	swapl(&stuff->eventMask);
		63
		64	+ /* Generic events can have variable size, but SendEvent request holds
		65	+ exactly 32B of event data. */
		66	+ if (stuff->event.u.u.type == GenericEvent) {
		67	+ client->errorValue = stuff->event.u.u.type;
		68	+ return BadValue;
		69	+ }
		70	+
		71	/* Swap event */
		72	proc = EventSwapVector[stuff->event.u.u.type & 0177];
		73	if (!proc \|\| proc == NotImplemented) /* no swapping proc; invalid event type? */
		74	--
		75	1.7.9.5
		76


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch new file mode 100644 index 0000000000..5c9887afa1 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
@@ -0,0 +1,55 @@
		1	From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
		2	From: Michal Srb <msrb@suse.com>
		3	Date: Wed, 24 May 2017 15:54:41 +0300
		4	Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
		5
		6	The requirement is that events have type in range
		7	EXTENSION_EVENT_BASE..lastEvent, but it was tested
		8	only for first event of all.
		9
		10	Signed-off-by: Michal Srb <msrb@suse.com>
		11	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		12	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		13
		14	CVE: CVE-2017-10971
		15
		16	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
		17
		18	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
		19	---
		20	Xi/sendexev.c \| 12 +++++++-----
		21	1 file changed, 7 insertions(+), 5 deletions(-)
		22
		23	diff --git a/Xi/sendexev.c b/Xi/sendexev.c
		24	index 1cf118a..5e63bfc 100644
		25	--- a/Xi/sendexev.c
		26	+++ b/Xi/sendexev.c
		27	@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
		28	int
		29	ProcXSendExtensionEvent(ClientPtr client)
		30	{
		31	- int ret;
		32	+ int ret, i;
		33	DeviceIntPtr dev;
		34	xEvent *first;
		35	XEventClass *list;
		36	@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
		37	/* The client's event type must be one defined by an extension. */
		38
		39	first = ((xEvent *) &stuff[1]);
		40	- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
		41	- (first->u.u.type < lastEvent))) {
		42	- client->errorValue = first->u.u.type;
		43	- return BadValue;
		44	+ for (i = 0; i < stuff->num_events; i++) {
		45	+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
		46	+ (first[i].u.u.type < lastEvent))) {
		47	+ client->errorValue = first[i].u.u.type;
		48	+ return BadValue;
		49	+ }
		50	}
		51
		52	list = (XEventClass *) (first + stuff->num_events);
		53	--
		54	1.7.9.5
		55


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch new file mode 100644 index 0000000000..54ba481024 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
@@ -0,0 +1,50 @@
		1	From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
		2	From: Michal Srb <msrb@suse.com>
		3	Date: Wed, 24 May 2017 15:54:42 +0300
		4	Subject: [PATCH] Xi: Do not try to swap GenericEvent.
		5
		6	The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
		7	it is assuming that the event has fixed size and gives the swapping function
		8	xEvent-sized buffer.
		9
		10	A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
		11
		12	Signed-off-by: Michal Srb <msrb@suse.com>
		13	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		14	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		15
		16	CVE: CVE-2017-10971
		17
		18	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455]
		19
		20	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
		21	---
		22	Xi/sendexev.c \| 10 +++++++++-
		23	1 file changed, 9 insertions(+), 1 deletion(-)
		24
		25	diff --git a/Xi/sendexev.c b/Xi/sendexev.c
		26	index 5e63bfc..5c2e0fc 100644
		27	--- a/Xi/sendexev.c
		28	+++ b/Xi/sendexev.c
		29	@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
		30
		31	eventP = (xEvent *) &stuff[1];
		32	for (i = 0; i < stuff->num_events; i++, eventP++) {
		33	+ if (eventP->u.u.type == GenericEvent) {
		34	+ client->errorValue = eventP->u.u.type;
		35	+ return BadValue;
		36	+ }
		37	+
		38	proc = EventSwapVector[eventP->u.u.type & 0177];
		39	- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
		40	+ /* no swapping proc; invalid event type? */
		41	+ if (proc == NotImplemented) {
		42	+ client->errorValue = eventP->u.u.type;
		43	return BadValue;
		44	+ }
		45	(*proc) (eventP, &eventT);
		46	*eventP = eventT;
		47	}
		48	--
		49	1.7.9.5
		50


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb index 606367d1e9..65ef6c683b 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
5	file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \	5	file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \
6	file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \	6	file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
7	file://0003-Remove-check-for-useSIGIO-option.patch \	7	file://0003-Remove-check-for-useSIGIO-option.patch \
		8	file://CVE-2017-10971-1.patch \
		9	file://CVE-2017-10971-2.patch \
		10	file://CVE-2017-10971-3.patch \
8	"	11	"
9	SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e"	12	SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e"
10	SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98"	13	SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98"