diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2023-01-04 12:05:07 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-01-06 12:03:47 +0000 |
commit | fc21330699208fb49b133964bb0e2f7d7880fa0d (patch) | |
tree | 21711a4f0c82069aec664f0cb2e2b8e65ddec85f /meta/recipes-graphics | |
parent | 2144d70e3e12e023a02d01639bb3d0080fe3036f (diff) | |
download | poky-fc21330699208fb49b133964bb0e2f7d7880fa0d.tar.gz |
xserver-xorg: upgrade 21.1.4 -> 21.1.6
(From OE-Core rev: 009e8d6a292690a0c355d12be2368a9677c701f5)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch | 63 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch | 38 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb (renamed from meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb) | 4 |
3 files changed, 1 insertions, 104 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch deleted file mode 100644 index 0e61ec5953..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | CVE: CVE-2022-3551 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 | ||
6 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
7 | Date: Wed, 13 Jul 2022 11:23:09 +1000 | ||
8 | Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName | ||
9 | |||
10 | GetComponentByName returns an allocated string, so let's free that if we | ||
11 | fail somewhere. | ||
12 | |||
13 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
14 | --- | ||
15 | xkb/xkb.c | 26 ++++++++++++++++++++------ | ||
16 | 1 file changed, 20 insertions(+), 6 deletions(-) | ||
17 | |||
18 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
19 | index 4692895db..b79a269e3 100644 | ||
20 | --- a/xkb/xkb.c | ||
21 | +++ b/xkb/xkb.c | ||
22 | @@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) | ||
23 | xkb = dev->key->xkbInfo->desc; | ||
24 | status = Success; | ||
25 | str = (unsigned char *) &stuff[1]; | ||
26 | - if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ | ||
27 | - return BadMatch; | ||
28 | + { | ||
29 | + char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ | ||
30 | + if (keymap) { | ||
31 | + free(keymap); | ||
32 | + return BadMatch; | ||
33 | + } | ||
34 | + } | ||
35 | names.keycodes = GetComponentSpec(&str, TRUE, &status); | ||
36 | names.types = GetComponentSpec(&str, TRUE, &status); | ||
37 | names.compat = GetComponentSpec(&str, TRUE, &status); | ||
38 | names.symbols = GetComponentSpec(&str, TRUE, &status); | ||
39 | names.geometry = GetComponentSpec(&str, TRUE, &status); | ||
40 | - if (status != Success) | ||
41 | + if (status == Success) { | ||
42 | + len = str - ((unsigned char *) stuff); | ||
43 | + if ((XkbPaddedSize(len) / 4) != stuff->length) | ||
44 | + status = BadLength; | ||
45 | + } | ||
46 | + | ||
47 | + if (status != Success) { | ||
48 | + free(names.keycodes); | ||
49 | + free(names.types); | ||
50 | + free(names.compat); | ||
51 | + free(names.symbols); | ||
52 | + free(names.geometry); | ||
53 | return status; | ||
54 | - len = str - ((unsigned char *) stuff); | ||
55 | - if ((XkbPaddedSize(len) / 4) != stuff->length) | ||
56 | - return BadLength; | ||
57 | + } | ||
58 | |||
59 | CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); | ||
60 | CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); | ||
61 | -- | ||
62 | 2.34.1 | ||
63 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch deleted file mode 100644 index 6f862e82f9..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | CVE: CVE-2022-3550 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 | ||
6 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
7 | Date: Tue, 5 Jul 2022 12:06:20 +1000 | ||
8 | Subject: [PATCH] xkb: proof GetCountedString against request length attacks | ||
9 | |||
10 | GetCountedString did a check for the whole string to be within the | ||
11 | request buffer but not for the initial 2 bytes that contain the length | ||
12 | field. A swapped client could send a malformed request to trigger a | ||
13 | swaps() on those bytes, writing into random memory. | ||
14 | |||
15 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
16 | --- | ||
17 | xkb/xkb.c | 5 +++++ | ||
18 | 1 file changed, 5 insertions(+) | ||
19 | |||
20 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
21 | index f42f59ef3..1841cff26 100644 | ||
22 | --- a/xkb/xkb.c | ||
23 | +++ b/xkb/xkb.c | ||
24 | @@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) | ||
25 | CARD16 len; | ||
26 | |||
27 | wire = *wire_inout; | ||
28 | + | ||
29 | + if (client->req_len < | ||
30 | + bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) | ||
31 | + return BadValue; | ||
32 | + | ||
33 | len = *(CARD16 *) wire; | ||
34 | if (client->swapped) { | ||
35 | swaps(&len); | ||
36 | -- | ||
37 | 2.34.1 | ||
38 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb index aba09afec3..256903ce5f 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb | |||
@@ -2,10 +2,8 @@ require xserver-xorg.inc | |||
2 | 2 | ||
3 | SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ | 3 | SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ |
4 | file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ | 4 | file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ |
5 | file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \ | ||
6 | file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \ | ||
7 | " | 5 | " |
8 | SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587" | 6 | SRC_URI[sha256sum] = "1eb86ed674d042b6c8b1f9135e59395cbbca35ed551b122f73a7d8bb3bb22484" |
9 | 7 | ||
10 | # These extensions are now integrated into the server, so declare the migration | 8 | # These extensions are now integrated into the server, so declare the migration |
11 | # path for in-place upgrades. | 9 | # path for in-place upgrades. |