summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorJackie Huang <jackie.huang@windriver.com>2017-08-17 15:39:13 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-18 23:46:37 +0100
commit583225d94ae7631f82afd618a00ca0f9ed63fce0 (patch)
tree0c9023523b5e155fc6ef1bd7b8b4481dc3b7ec82 /meta
parent88a82e74899b4152fcbda9e88aa1e8e77701b5e2 (diff)
downloadpoky-583225d94ae7631f82afd618a00ca0f9ed63fce0.tar.gz
xserver-xorg: Fix CVE-2017-10971
Backport 3 patches to fix CVE-2017-10971: In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-10971 (From OE-Core rev: 20428f660f2c046c63bbf63c4e4af95dac9f2b3d) Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch76
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch55
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch50
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb3
4 files changed, 184 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
new file mode 100644
index 0000000000..23c8049896
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
@@ -0,0 +1,76 @@
1From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
2From: Michal Srb <msrb@suse.com>
3Date: Wed, 24 May 2017 15:54:40 +0300
4Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
5
6The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
7no less. Both ProcSendEvent and SProcSendEvent verify that the received data
8exactly match the request size. However nothing stops the client from passing
9in event with xEvent::type = GenericEvent and any value of
10xGenericEvent::length.
11
12In the case of ProcSendEvent, the event will be eventually passed to
13WriteEventsToClient which will see that it is Generic event and copy the
14arbitrary length from the receive buffer (and possibly past it) and send it to
15the other client. This allows clients to copy unitialized heap memory out of X
16server or to crash it.
17
18In case of SProcSendEvent, it will attempt to swap the incoming event by
19calling a swapping function from the EventSwapVector array. The swapped event
20is written to target buffer, which in this case is local xEvent variable. The
21xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
22expect that the target buffer has size matching the size of the source
23GenericEvent. This allows clients to cause stack buffer overflows.
24
25Signed-off-by: Michal Srb <msrb@suse.com>
26Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
27Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
28
29CVE: CVE-2017-10971
30
31Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
32
33Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
34---
35 dix/events.c | 6 ++++++
36 dix/swapreq.c | 7 +++++++
37 2 files changed, 13 insertions(+)
38
39diff --git a/dix/events.c b/dix/events.c
40index 3e3a01e..d3a33ea 100644
41--- a/dix/events.c
42+++ b/dix/events.c
43@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
44 client->errorValue = stuff->event.u.u.type;
45 return BadValue;
46 }
47+ /* Generic events can have variable size, but SendEvent request holds
48+ exactly 32B of event data. */
49+ if (stuff->event.u.u.type == GenericEvent) {
50+ client->errorValue = stuff->event.u.u.type;
51+ return BadValue;
52+ }
53 if (stuff->event.u.u.type == ClientMessage &&
54 stuff->event.u.u.detail != 8 &&
55 stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
56diff --git a/dix/swapreq.c b/dix/swapreq.c
57index 719e9b8..6785059 100644
58--- a/dix/swapreq.c
59+++ b/dix/swapreq.c
60@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
61 swapl(&stuff->destination);
62 swapl(&stuff->eventMask);
63
64+ /* Generic events can have variable size, but SendEvent request holds
65+ exactly 32B of event data. */
66+ if (stuff->event.u.u.type == GenericEvent) {
67+ client->errorValue = stuff->event.u.u.type;
68+ return BadValue;
69+ }
70+
71 /* Swap event */
72 proc = EventSwapVector[stuff->event.u.u.type & 0177];
73 if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
74--
751.7.9.5
76
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
new file mode 100644
index 0000000000..5c9887afa1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
@@ -0,0 +1,55 @@
1From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
2From: Michal Srb <msrb@suse.com>
3Date: Wed, 24 May 2017 15:54:41 +0300
4Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
5
6The requirement is that events have type in range
7EXTENSION_EVENT_BASE..lastEvent, but it was tested
8only for first event of all.
9
10Signed-off-by: Michal Srb <msrb@suse.com>
11Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
12Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
13
14CVE: CVE-2017-10971
15
16Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
17
18Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
19---
20 Xi/sendexev.c | 12 +++++++-----
21 1 file changed, 7 insertions(+), 5 deletions(-)
22
23diff --git a/Xi/sendexev.c b/Xi/sendexev.c
24index 1cf118a..5e63bfc 100644
25--- a/Xi/sendexev.c
26+++ b/Xi/sendexev.c
27@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
28 int
29 ProcXSendExtensionEvent(ClientPtr client)
30 {
31- int ret;
32+ int ret, i;
33 DeviceIntPtr dev;
34 xEvent *first;
35 XEventClass *list;
36@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
37 /* The client's event type must be one defined by an extension. */
38
39 first = ((xEvent *) &stuff[1]);
40- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
41- (first->u.u.type < lastEvent))) {
42- client->errorValue = first->u.u.type;
43- return BadValue;
44+ for (i = 0; i < stuff->num_events; i++) {
45+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
46+ (first[i].u.u.type < lastEvent))) {
47+ client->errorValue = first[i].u.u.type;
48+ return BadValue;
49+ }
50 }
51
52 list = (XEventClass *) (first + stuff->num_events);
53--
541.7.9.5
55
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
new file mode 100644
index 0000000000..54ba481024
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
@@ -0,0 +1,50 @@
1From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
2From: Michal Srb <msrb@suse.com>
3Date: Wed, 24 May 2017 15:54:42 +0300
4Subject: [PATCH] Xi: Do not try to swap GenericEvent.
5
6The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
7it is assuming that the event has fixed size and gives the swapping function
8xEvent-sized buffer.
9
10A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
11
12Signed-off-by: Michal Srb <msrb@suse.com>
13Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
14Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
15
16CVE: CVE-2017-10971
17
18Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455]
19
20Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
21---
22 Xi/sendexev.c | 10 +++++++++-
23 1 file changed, 9 insertions(+), 1 deletion(-)
24
25diff --git a/Xi/sendexev.c b/Xi/sendexev.c
26index 5e63bfc..5c2e0fc 100644
27--- a/Xi/sendexev.c
28+++ b/Xi/sendexev.c
29@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
30
31 eventP = (xEvent *) &stuff[1];
32 for (i = 0; i < stuff->num_events; i++, eventP++) {
33+ if (eventP->u.u.type == GenericEvent) {
34+ client->errorValue = eventP->u.u.type;
35+ return BadValue;
36+ }
37+
38 proc = EventSwapVector[eventP->u.u.type & 0177];
39- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
40+ /* no swapping proc; invalid event type? */
41+ if (proc == NotImplemented) {
42+ client->errorValue = eventP->u.u.type;
43 return BadValue;
44+ }
45 (*proc) (eventP, &eventT);
46 *eventP = eventT;
47 }
48--
491.7.9.5
50
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
index 606367d1e9..65ef6c683b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
5 file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \ 5 file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \
6 file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \ 6 file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
7 file://0003-Remove-check-for-useSIGIO-option.patch \ 7 file://0003-Remove-check-for-useSIGIO-option.patch \
8 file://CVE-2017-10971-1.patch \
9 file://CVE-2017-10971-2.patch \
10 file://CVE-2017-10971-3.patch \
8 " 11 "
9SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e" 12SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e"
10SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98" 13SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98"