summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2021-01-14 10:15:12 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-01-21 23:08:16 +0000
commit26ebdf3f4f6d43a3aaac579a676ed0bc56a00336 (patch)
tree6bb98f4ac8ed5b8e8761468e947713dc9430f5fd /meta/recipes-graphics
parentd5a1834e4fb666dd2348b7dca59ab3052d25468d (diff)
downloadpoky-26ebdf3f4f6d43a3aaac579a676ed0bc56a00336.tar.gz
xorg: Security fix for CVE-2020-14345
Source: freedesktop.org MR: 105894 Type: Security Fix Disposition: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d ChangeID: 2c6b7553d8e5bc152258ad1794d95cb7d8b215eb Description: CVE-2020-14345 fix (From OE-Core rev: 16e30186afd13650407c67a2f6a598412f214bd1) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch182
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb1
2 files changed, 183 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
new file mode 100644
index 0000000000..fb3a37c474
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
@@ -0,0 +1,182 @@
1From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
2From: Matthieu Herrb <matthieu@herrb.eu>
3Date: Tue, 18 Aug 2020 14:46:32 +0200
4Subject: [PATCH] Correct bounds checking in XkbSetNames()
5
6CVE-2020-14345 / ZDI 11428
7
8This vulnerability was discovered by:
9Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
10
11Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
12
13Upstream-Status: Backport
14CVE: CVE-2020-14345
15Affects < 1.20.9
16
17Signed-off-by: Armin Kuster <akuster@mvista.com>
18
19---
20 xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
21 1 file changed, 48 insertions(+)
22
23Index: xorg-server-1.20.8/xkb/xkb.c
24===================================================================
25--- xorg-server-1.20.8.orig/xkb/xkb.c
26+++ xorg-server-1.20.8/xkb/xkb.c
27@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
28 #define CHK_REQ_KEY_RANGE(err,first,num,r) \
29 CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
30
31+static Bool
32+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
33+ char *cstuff = (char *)stuff;
34+ char *cfrom = (char *)from;
35+ char *cto = (char *)to;
36+
37+ return cfrom < cto &&
38+ cfrom >= cstuff &&
39+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
40+ cto >= cstuff &&
41+ cto <= cstuff + ((size_t)client->req_len << 2);
42+}
43+
44 /***====================================================================***/
45
46 int
47@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
48 client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
49 return BadAccess;
50 }
51+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
52+ return BadLength;
53 old = tmp;
54 tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
55 if (!tmp) {
56@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
57 }
58 width = (CARD8 *) tmp;
59 tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
60+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
61+ return BadLength;
62 type = &xkb->map->types[stuff->firstKTLevel];
63 for (i = 0; i < stuff->nKTLevels; i++, type++) {
64 if (width[i] == 0)
65@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
66 type->num_levels, width[i]);
67 return BadMatch;
68 }
69+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
70+ return BadLength;
71 tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
72 if (!tmp) {
73 client->errorValue = bad;
74@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
75 client->errorValue = 0x08;
76 return BadMatch;
77 }
78+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
79+ tmp + Ones(stuff->indicators)))
80+ return BadLength;
81 tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
82 client->swapped, &bad);
83 if (!tmp) {
84@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
85 client->errorValue = 0x09;
86 return BadMatch;
87 }
88+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
89+ tmp + Ones(stuff->virtualMods)))
90+ return BadLength;
91 tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
92 (CARD32) stuff->virtualMods,
93 client->swapped, &bad);
94@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
95 client->errorValue = 0x0a;
96 return BadMatch;
97 }
98+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
99+ tmp + Ones(stuff->groupNames)))
100+ return BadLength;
101 tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
102 (CARD32) stuff->groupNames,
103 client->swapped, &bad);
104@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi
105 stuff->nKeys);
106 return BadValue;
107 }
108+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
109+ return BadLength;
110 tmp += stuff->nKeys;
111 }
112 if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
113+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
114+ tmp + (stuff->nKeyAliases * 2)))
115+ return BadLength;
116 tmp += stuff->nKeyAliases * 2;
117 }
118 if (stuff->which & XkbRGNamesMask) {
119@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
120 client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
121 return BadValue;
122 }
123+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
124+ tmp + stuff->nRadioGroups))
125+ return BadLength;
126 tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
127 if (!tmp) {
128 client->errorValue = bad;
129@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
130 /* check device-independent stuff */
131 tmp = (CARD32 *) &stuff[1];
132
133+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
134+ return BadLength;
135 if (stuff->which & XkbKeycodesNameMask) {
136 tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
137 if (!tmp) {
138@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
139 return BadAtom;
140 }
141 }
142+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
143+ return BadLength;
144 if (stuff->which & XkbGeometryNameMask) {
145 tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
146 if (!tmp) {
147@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
148 return BadAtom;
149 }
150 }
151+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
152+ return BadLength;
153 if (stuff->which & XkbSymbolsNameMask) {
154 tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
155 if (!tmp) {
156@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
157 return BadAtom;
158 }
159 }
160+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
161+ return BadLength;
162 if (stuff->which & XkbPhysSymbolsNameMask) {
163 tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
164 if (!tmp) {
165@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
166 return BadAtom;
167 }
168 }
169+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
170+ return BadLength;
171 if (stuff->which & XkbTypesNameMask) {
172 tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
173 if (!tmp) {
174@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
175 return BadAtom;
176 }
177 }
178+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
179+ return BadLength;
180 if (stuff->which & XkbCompatNameMask) {
181 tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
182 if (!tmp) {
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 51d959f86c..2af1b6f307 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
9 file://CVE-2020-14346.patch \ 9 file://CVE-2020-14346.patch \
10 file://CVE-2020-14361.patch \ 10 file://CVE-2020-14361.patch \
11 file://CVE-2020-14362.patch \ 11 file://CVE-2020-14362.patch \
12 file://CVE-2020-14345.patch \
12 " 13 "
13SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839" 14SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
14SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146" 15SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"