xorg: Security fix for CVE-2020-14345

Source: freedesktop.org MR: 105894 Type: Security Fix Disposition: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d ChangeID: 2c6b7553d8e5bc152258ad1794d95cb7d8b215eb Description: CVE-2020-14345 fix (From OE-Core rev: 16e30186afd13650407c67a2f6a598412f214bd1) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-01-14 10:15:12 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-01-21 23:08:16 +0000
commit: 26ebdf3f4f6d43a3aaac579a676ed0bc56a00336 (patch)
tree: 6bb98f4ac8ed5b8e8761468e947713dc9430f5fd /meta/recipes-graphics/xorg-xserver
parent: d5a1834e4fb666dd2348b7dca59ab3052d25468d (diff)
download: poky-26ebdf3f4f6d43a3aaac579a676ed0bc56a00336.tar.gz
2 files changed, 183 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
new file mode 100644
index 0000000000..fb3a37c474
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
@@ -0,0 +1,182 @@
+From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: [PATCH] Correct bounds checking in XkbSetNames()
+CVE-2020-14345 / ZDI 11428
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+CVE: CVE-2020-14345
+Affects < 1.20.9
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
+++ xorg-server-1.20.8/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define        CHK_REQ_KEY_RANGE(err,first,num,r)  \
+        CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+ 
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+    char *cstuff = (char *)stuff;
+    char *cfrom = (char *)from;
+    char *cto = (char *)to;
+
+    return cfrom < cto &&
+           cfrom >= cstuff &&
+           cfrom < cstuff + ((size_t)client->req_len << 2) &&
+           cto >= cstuff &&
+           cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
+ /***====================================================================***/
+ 
+ int
+@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+             return BadAccess;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
+            return BadLength;
+         old = tmp;
+         tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+         if (!tmp) {
+@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+         }
+         width = (CARD8 *) tmp;
+         tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
+        if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
+            return BadLength;
+         type = &xkb->map->types[stuff->firstKTLevel];
+         for (i = 0; i < stuff->nKTLevels; i++, type++) {
+             if (width[i] == 0)
+@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+                                                   type->num_levels, width[i]);
+                 return BadMatch;
+             }
+            if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
+                return BadLength;
+             tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+             if (!tmp) {
+                 client->errorValue = bad;
+@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x08;
+             return BadMatch;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + Ones(stuff->indicators)))
+            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+                                    client->swapped, &bad);
+         if (!tmp) {
+@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x09;
+             return BadMatch;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + Ones(stuff->virtualMods)))
+            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+                                    (CARD32) stuff->virtualMods,
+                                    client->swapped, &bad);
+@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x0a;
+             return BadMatch;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + Ones(stuff->groupNames)))
+            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+                                    (CARD32) stuff->groupNames,
+                                    client->swapped, &bad);
+@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+                              stuff->nKeys);
+             return BadValue;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
+            return BadLength;
+         tmp += stuff->nKeys;
+     }
+     if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + (stuff->nKeyAliases * 2)))
+            return BadLength;
+         tmp += stuff->nKeyAliases * 2;
+     }
+     if (stuff->which & XkbRGNamesMask) {
+@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+             return BadValue;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + stuff->nRadioGroups))
+            return BadLength;
+         tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+         if (!tmp) {
+             client->errorValue = bad;
+@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
+     /* check device-independent stuff */
+     tmp = (CARD32 *) &stuff[1];
+ 
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbKeycodesNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbGeometryNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbSymbolsNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbPhysSymbolsNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbTypesNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbCompatNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 51d959f86c..2af1b6f307 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2020-14346.patch \
           file://CVE-2020-14361.patch \
           file://CVE-2020-14362.patch \
+           file://CVE-2020-14345.patch \
           "
 SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
 SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
author	Armin Kuster <akuster@mvista.com>	2021-01-14 10:15:12 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-01-21 23:08:16 +0000
commit	26ebdf3f4f6d43a3aaac579a676ed0bc56a00336 (patch)
tree	6bb98f4ac8ed5b8e8761468e947713dc9430f5fd /meta/recipes-graphics/xorg-xserver
parent	d5a1834e4fb666dd2348b7dca59ab3052d25468d (diff)
download	poky-26ebdf3f4f6d43a3aaac579a676ed0bc56a00336.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch new file mode 100644 index 0000000000..fb3a37c474 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
@@ -0,0 +1,182 @@
		1	From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Tue, 18 Aug 2020 14:46:32 +0200
		4	Subject: [PATCH] Correct bounds checking in XkbSetNames()
		5
		6	CVE-2020-14345 / ZDI 11428
		7
		8	This vulnerability was discovered by:
		9	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		10
		11	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2020-14345
		15	Affects < 1.20.9
		16
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	xkb/xkb.c \| 48 ++++++++++++++++++++++++++++++++++++++++++++++++
		21	1 file changed, 48 insertions(+)
		22
		23	Index: xorg-server-1.20.8/xkb/xkb.c
		24	===================================================================
		25	--- xorg-server-1.20.8.orig/xkb/xkb.c
		26	+++ xorg-server-1.20.8/xkb/xkb.c
		27	@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
		28	#define CHK_REQ_KEY_RANGE(err,first,num,r) \
		29	CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
		30
		31	+static Bool
		32	+_XkbCheckRequestBounds(ClientPtr client, void stuff, void from, void *to) {
		33	+ char cstuff = (char )stuff;
		34	+ char cfrom = (char )from;
		35	+ char cto = (char )to;
		36	+
		37	+ return cfrom < cto &&
		38	+ cfrom >= cstuff &&
		39	+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
		40	+ cto >= cstuff &&
		41	+ cto <= cstuff + ((size_t)client->req_len << 2);
		42	+}
		43	+
		44	/*====================================================================*/
		45
		46	int
		47	@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		48	client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
		49	return BadAccess;
		50	}
		51	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
		52	+ return BadLength;
		53	old = tmp;
		54	tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
		55	if (!tmp) {
		56	@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		57	}
		58	width = (CARD8 *) tmp;
		59	tmp = (CARD32 ) (((char ) tmp) + XkbPaddedSize(stuff->nKTLevels));
		60	+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
		61	+ return BadLength;
		62	type = &xkb->map->types[stuff->firstKTLevel];
		63	for (i = 0; i < stuff->nKTLevels; i++, type++) {
		64	if (width[i] == 0)
		65	@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		66	type->num_levels, width[i]);
		67	return BadMatch;
		68	}
		69	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
		70	+ return BadLength;
		71	tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
		72	if (!tmp) {
		73	client->errorValue = bad;
		74	@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		75	client->errorValue = 0x08;
		76	return BadMatch;
		77	}
		78	+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
		79	+ tmp + Ones(stuff->indicators)))
		80	+ return BadLength;
		81	tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
		82	client->swapped, &bad);
		83	if (!tmp) {
		84	@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		85	client->errorValue = 0x09;
		86	return BadMatch;
		87	}
		88	+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
		89	+ tmp + Ones(stuff->virtualMods)))
		90	+ return BadLength;
		91	tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
		92	(CARD32) stuff->virtualMods,
		93	client->swapped, &bad);
		94	@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		95	client->errorValue = 0x0a;
		96	return BadMatch;
		97	}
		98	+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
		99	+ tmp + Ones(stuff->groupNames)))
		100	+ return BadLength;
		101	tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
		102	(CARD32) stuff->groupNames,
		103	client->swapped, &bad);
		104	@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		105	stuff->nKeys);
		106	return BadValue;
		107	}
		108	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
		109	+ return BadLength;
		110	tmp += stuff->nKeys;
		111	}
		112	if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
		113	+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
		114	+ tmp + (stuff->nKeyAliases * 2)))
		115	+ return BadLength;
		116	tmp += stuff->nKeyAliases * 2;
		117	}
		118	if (stuff->which & XkbRGNamesMask) {
		119	@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
		120	client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
		121	return BadValue;
		122	}
		123	+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
		124	+ tmp + stuff->nRadioGroups))
		125	+ return BadLength;
		126	tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
		127	if (!tmp) {
		128	client->errorValue = bad;
		129	@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
		130	/* check device-independent stuff */
		131	tmp = (CARD32 *) &stuff[1];
		132
		133	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
		134	+ return BadLength;
		135	if (stuff->which & XkbKeycodesNameMask) {
		136	tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
		137	if (!tmp) {
		138	@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
		139	return BadAtom;
		140	}
		141	}
		142	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
		143	+ return BadLength;
		144	if (stuff->which & XkbGeometryNameMask) {
		145	tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
		146	if (!tmp) {
		147	@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
		148	return BadAtom;
		149	}
		150	}
		151	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
		152	+ return BadLength;
		153	if (stuff->which & XkbSymbolsNameMask) {
		154	tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
		155	if (!tmp) {
		156	@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
		157	return BadAtom;
		158	}
		159	}
		160	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
		161	+ return BadLength;
		162	if (stuff->which & XkbPhysSymbolsNameMask) {
		163	tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
		164	if (!tmp) {
		165	@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
		166	return BadAtom;
		167	}
		168	}
		169	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
		170	+ return BadLength;
		171	if (stuff->which & XkbTypesNameMask) {
		172	tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
		173	if (!tmp) {
		174	@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
		175	return BadAtom;
		176	}
		177	}
		178	+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
		179	+ return BadLength;
		180	if (stuff->which & XkbCompatNameMask) {
		181	tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
		182	if (!tmp) {


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb index 51d959f86c..2af1b6f307 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
9	file://CVE-2020-14346.patch \	9	file://CVE-2020-14346.patch \
10	file://CVE-2020-14361.patch \	10	file://CVE-2020-14361.patch \
11	file://CVE-2020-14362.patch \	11	file://CVE-2020-14362.patch \
		12	file://CVE-2020-14345.patch \
12	"	13	"
13	SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"	14	SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
14	SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"	15	SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"