authorChee Yang Lee <chee.yang.lee@intel.com>2020-09-21 17:29:03 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-10-06 14:15:21 +0100
commit0b214cad5431245f49a82997f8b87d5f2fef4c49 (patch)
treebf6cf86c8d2cf09d2265b1c277015931c1fc0802 /meta/recipes-graphics
parent4557652c4f05f6bf42fa12f55052fb9c5a2f3c43 (diff)
xserver-xorg: fix CVE-2020-14346/14361/14362
fix : CVE-2020-14346 https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff CVE-2020-14361 https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787 CVE-2020-14362 https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc (From OE-Core rev: d485870543fbc111832735ae713b2ec405ce78fa) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch36
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch36
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch70
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb3
4 files changed, 145 insertions, 0 deletions
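--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
@@ -0,0 +1,36 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
+
+CVE-2020-14346 / ZDI-CAN-11429
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff]
+CVE: CVE-2020-14346
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd91258..504defe56 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+2.17.1
+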
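Review bot: The new `len` computation in ProcXIChangeHierarchy is still an unsigned subtraction, so it cannot wrap only if the request was already checked to be at least `sizeof(xXIChangeHierarchyReq)` long. That check is not visible here because the function starts above the hunk; presumably it is a REQUEST_AT_LEAST_SIZE earlier in the body, and that is worth confirming against the 1.20.8 tree this backport applies to. The line would also benefit from a comment recording why the length kept on the client record is used rather than the header field, for example `/* use client->req_len: stuff->length is the raw, client-written header field */`. The same dependency and the same missing comment apply to `dataLeft` in SProcXkbSelectEvents in CVE-2020-14361.patch, where `dataLeft` is declared `unsigned`.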
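--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
@@ -0,0 +1,36 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH] Fix XkbSelectEvents() integer underflow
+
+CVE-2020-14361 ZDI-CAN 11573
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
+CVE: CVE-2020-14361
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff4..50cabb90e 100644
+--- a/xkb/xkbSwap.c
++++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+ register unsigned bit, ndx, maskLeft, dataLeft, size;
+
+ from.c8 = (CARD8 *) &stuff[1];
+- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+ maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+ for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+ if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+--
+2.17.1
+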
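--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
@@ -0,0 +1,70 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
+CVE: CVE-2020-14362
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f2d38c877..be154525d 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+ int i;
+ XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+ swapl(&stuff->nRanges);
+ pClientID = (XID *) &stuff[1];
+ if (stuff->nClients >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++) {
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients)
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+--
+2.17.1
+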
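Review bot: SwapCreateRegister subtracts `bytes_to_int32(sz_xRecordRegisterClientsReq)` from `client->req_len`, but the SProcRecordCreateContext caller validates the request with `REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq)` and then passes `stuff` through a `(void *)` cast. The subtraction is therefore safe on that path only if the two request structs have the same size and field layout. That is presumably the case, but neither struct definition is visible in these hunks, so the assumption is nowhere stated. A comment above SwapCreateRegister would pin it down, e.g. `/* callers must have run REQUEST_AT_LEAST_SIZE; xRecordCreateContextReq and xRecordRegisterClientsReq share size and layout */`. The second bound (`nRanges`) is fine as written, since the first check already guarantees that `nClients` does not exceed the remaining length.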
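--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -6,6 +6,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
  file://sdksyms-no-build-path.patch \
  file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
  file://CVE-2020-14347.patch \
+ file://CVE-2020-14346.patch \
+ file://CVE-2020-14361.patch \
+ file://CVE-2020-14362.patch \
  "
 SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
 SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"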