author | Chee Yang Lee <chee.yang.lee@intel.com> | 2020-09-21 17:29:03 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-10-06 14:15:21 +0100 |
commit | 0b214cad5431245f49a82997f8b87d5f2fef4c49 (patch) | |
tree | bf6cf86c8d2cf09d2265b1c277015931c1fc0802 /meta/recipes-graphics | |
parent | 4557652c4f05f6bf42fa12f55052fb9c5a2f3c43 (diff) | |
xserver-xorg: fix CVE-2020-14346/14361/14362
fix :
CVE-2020-14346
https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff
CVE-2020-14361
https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787
CVE-2020-14362
https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc
(From OE-Core rev: d485870543fbc111832735ae713b2ec405ce78fa)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
4 files changed, 145 insertions, 0 deletions
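--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
@@ -0,0 +1,36 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
+
+CVE-2020-14346 / ZDI-CAN-11429
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff]
+CVE: CVE-2020-14346
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+Xi/xichangehierarchy.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd91258..504defe56 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+if (!stuff->num_changes)
+return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+
+any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+while (stuff->num_changes--) {
+--
+2.17.1
+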
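Review bot: The new `len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);` is still an unsigned subtraction, so it wraps to a very large value unless a minimum-size check on the request has already run, and no such check is visible because ProcXIChangeHierarchy starts and ends outside the hunk. The same applies to `dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);` in the xkb/xkbSwap.c hunk of CVE-2020-14361.patch, where `dataLeft` is declared `unsigned`. I would add a comment above each line, for example `/* Use client->req_len, not the client-supplied stuff->length; cannot wrap because the minimum request size is checked above. */`, and confirm that the check really precedes both computations. Presumably `client->req_len` is the length the server derived when it read the request, but that is not shown on this page.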
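--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
@@ -0,0 +1,36 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH] Fix XkbSelectEvents() integer underflow
+
+CVE-2020-14361 ZDI-CAN 11573
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
+CVE: CVE-2020-14361
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+xkb/xkbSwap.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff4..50cabb90e 100644
+--- a/xkb/xkbSwap.c
++++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+register unsigned bit, ndx, maskLeft, dataLeft, size;
+
+from.c8 = (CARD8 *) &stuff[1];
+- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+--
+2.17.1
+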
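--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
@@ -0,0 +1,70 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
+CVE: CVE-2020-14362
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+record/record.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f2d38c877..be154525d 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+} /* SProcRecordQueryVersion */
+
+static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+{
+int i;
+XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+swapl(&stuff->nRanges);
+pClientID = (XID *) &stuff[1];
+if (stuff->nClients >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+return BadLength;
+for (i = 0; i < stuff->nClients; i++, pClientID++) {
+swapl(pClientID);
+}
+if (stuff->nRanges >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+- stuff->nClients)
+return BadLength;
+RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+
+swaps(&stuff->length);
+REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+return status;
+return ProcRecordCreateContext(client);
+} /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+
+swaps(&stuff->length);
+REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+return status;
+return ProcRecordRegisterClients(client);
+} /* SProcRecordRegisterClients */
+--
+2.17.1
+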
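Review bot: The second bound in SwapCreateRegister compares `stuff->nRanges`, a count of xRecordRange elements, with a remainder measured in 4-byte words (`client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients`). The definition of xRecordRange is not on this page, but if it is wider than one word the check accepts more ranges than the request holds before `RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges)` byte-swaps them; it is worth confirming, and if so dividing the remaining words by `bytes_to_int32(sizeof(xRecordRange))` before the comparison. Both subtractions are also safe only because the two callers shown run REQUEST_AT_LEAST_SIZE before calling the helper. A one-line comment on SwapCreateRegister such as `/* Caller must have validated the minimum request size; req_len is used so the bounds below cannot wrap. */` would keep a future caller from reintroducing the underflow.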
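--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -6,6 +6,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
 file://sdksyms-no-build-path.patch \
 file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
 file://CVE-2020-14347.patch \
+file://CVE-2020-14346.patch \
+file://CVE-2020-14361.patch \
+file://CVE-2020-14362.patch \
 "
 SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
 SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"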