diff options
author | Jackie Huang <jackie.huang@windriver.com> | 2017-08-17 15:39:13 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-18 23:46:37 +0100 |
commit | 583225d94ae7631f82afd618a00ca0f9ed63fce0 (patch) | |
tree | 0c9023523b5e155fc6ef1bd7b8b4481dc3b7ec82 /meta | |
parent | 88a82e74899b4152fcbda9e88aa1e8e77701b5e2 (diff) | |
download | poky-583225d94ae7631f82afd618a00ca0f9ed63fce0.tar.gz |
xserver-xorg: Fix CVE-2017-10971
Backport 3 patches to fix CVE-2017-10971:
In the X.Org X server before 2017-06-19, a user authenticated to an X
Session could crash or execute code in the context of the X Server by
exploiting a stack overflow in the endianness conversion of X Events.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-10971
(From OE-Core rev: 20428f660f2c046c63bbf63c4e4af95dac9f2b3d)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
4 files changed, 184 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch new file mode 100644 index 0000000000..23c8049896 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch | |||
@@ -0,0 +1,76 @@ | |||
1 | From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Srb <msrb@suse.com> | ||
3 | Date: Wed, 24 May 2017 15:54:40 +0300 | ||
4 | Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request. | ||
5 | |||
6 | The SendEvent request holds xEvent which is exactly 32 bytes long, no more, | ||
7 | no less. Both ProcSendEvent and SProcSendEvent verify that the received data | ||
8 | exactly match the request size. However nothing stops the client from passing | ||
9 | in event with xEvent::type = GenericEvent and any value of | ||
10 | xGenericEvent::length. | ||
11 | |||
12 | In the case of ProcSendEvent, the event will be eventually passed to | ||
13 | WriteEventsToClient which will see that it is Generic event and copy the | ||
14 | arbitrary length from the receive buffer (and possibly past it) and send it to | ||
15 | the other client. This allows clients to copy unitialized heap memory out of X | ||
16 | server or to crash it. | ||
17 | |||
18 | In case of SProcSendEvent, it will attempt to swap the incoming event by | ||
19 | calling a swapping function from the EventSwapVector array. The swapped event | ||
20 | is written to target buffer, which in this case is local xEvent variable. The | ||
21 | xEvent variable is 32 bytes long, but the swapping functions for GenericEvents | ||
22 | expect that the target buffer has size matching the size of the source | ||
23 | GenericEvent. This allows clients to cause stack buffer overflows. | ||
24 | |||
25 | Signed-off-by: Michal Srb <msrb@suse.com> | ||
26 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
27 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
28 | |||
29 | CVE: CVE-2017-10971 | ||
30 | |||
31 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c] | ||
32 | |||
33 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
34 | --- | ||
35 | dix/events.c | 6 ++++++ | ||
36 | dix/swapreq.c | 7 +++++++ | ||
37 | 2 files changed, 13 insertions(+) | ||
38 | |||
39 | diff --git a/dix/events.c b/dix/events.c | ||
40 | index 3e3a01e..d3a33ea 100644 | ||
41 | --- a/dix/events.c | ||
42 | +++ b/dix/events.c | ||
43 | @@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) | ||
44 | client->errorValue = stuff->event.u.u.type; | ||
45 | return BadValue; | ||
46 | } | ||
47 | + /* Generic events can have variable size, but SendEvent request holds | ||
48 | + exactly 32B of event data. */ | ||
49 | + if (stuff->event.u.u.type == GenericEvent) { | ||
50 | + client->errorValue = stuff->event.u.u.type; | ||
51 | + return BadValue; | ||
52 | + } | ||
53 | if (stuff->event.u.u.type == ClientMessage && | ||
54 | stuff->event.u.u.detail != 8 && | ||
55 | stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { | ||
56 | diff --git a/dix/swapreq.c b/dix/swapreq.c | ||
57 | index 719e9b8..6785059 100644 | ||
58 | --- a/dix/swapreq.c | ||
59 | +++ b/dix/swapreq.c | ||
60 | @@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) | ||
61 | swapl(&stuff->destination); | ||
62 | swapl(&stuff->eventMask); | ||
63 | |||
64 | + /* Generic events can have variable size, but SendEvent request holds | ||
65 | + exactly 32B of event data. */ | ||
66 | + if (stuff->event.u.u.type == GenericEvent) { | ||
67 | + client->errorValue = stuff->event.u.u.type; | ||
68 | + return BadValue; | ||
69 | + } | ||
70 | + | ||
71 | /* Swap event */ | ||
72 | proc = EventSwapVector[stuff->event.u.u.type & 0177]; | ||
73 | if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ | ||
74 | -- | ||
75 | 1.7.9.5 | ||
76 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch new file mode 100644 index 0000000000..5c9887afa1 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Srb <msrb@suse.com> | ||
3 | Date: Wed, 24 May 2017 15:54:41 +0300 | ||
4 | Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent. | ||
5 | |||
6 | The requirement is that events have type in range | ||
7 | EXTENSION_EVENT_BASE..lastEvent, but it was tested | ||
8 | only for first event of all. | ||
9 | |||
10 | Signed-off-by: Michal Srb <msrb@suse.com> | ||
11 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
12 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
13 | |||
14 | CVE: CVE-2017-10971 | ||
15 | |||
16 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d] | ||
17 | |||
18 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
19 | --- | ||
20 | Xi/sendexev.c | 12 +++++++----- | ||
21 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
22 | |||
23 | diff --git a/Xi/sendexev.c b/Xi/sendexev.c | ||
24 | index 1cf118a..5e63bfc 100644 | ||
25 | --- a/Xi/sendexev.c | ||
26 | +++ b/Xi/sendexev.c | ||
27 | @@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) | ||
28 | int | ||
29 | ProcXSendExtensionEvent(ClientPtr client) | ||
30 | { | ||
31 | - int ret; | ||
32 | + int ret, i; | ||
33 | DeviceIntPtr dev; | ||
34 | xEvent *first; | ||
35 | XEventClass *list; | ||
36 | @@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) | ||
37 | /* The client's event type must be one defined by an extension. */ | ||
38 | |||
39 | first = ((xEvent *) &stuff[1]); | ||
40 | - if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && | ||
41 | - (first->u.u.type < lastEvent))) { | ||
42 | - client->errorValue = first->u.u.type; | ||
43 | - return BadValue; | ||
44 | + for (i = 0; i < stuff->num_events; i++) { | ||
45 | + if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && | ||
46 | + (first[i].u.u.type < lastEvent))) { | ||
47 | + client->errorValue = first[i].u.u.type; | ||
48 | + return BadValue; | ||
49 | + } | ||
50 | } | ||
51 | |||
52 | list = (XEventClass *) (first + stuff->num_events); | ||
53 | -- | ||
54 | 1.7.9.5 | ||
55 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch new file mode 100644 index 0000000000..54ba481024 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Srb <msrb@suse.com> | ||
3 | Date: Wed, 24 May 2017 15:54:42 +0300 | ||
4 | Subject: [PATCH] Xi: Do not try to swap GenericEvent. | ||
5 | |||
6 | The SProcXSendExtensionEvent must not attempt to swap GenericEvent because | ||
7 | it is assuming that the event has fixed size and gives the swapping function | ||
8 | xEvent-sized buffer. | ||
9 | |||
10 | A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. | ||
11 | |||
12 | Signed-off-by: Michal Srb <msrb@suse.com> | ||
13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
14 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
15 | |||
16 | CVE: CVE-2017-10971 | ||
17 | |||
18 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455] | ||
19 | |||
20 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
21 | --- | ||
22 | Xi/sendexev.c | 10 +++++++++- | ||
23 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/Xi/sendexev.c b/Xi/sendexev.c | ||
26 | index 5e63bfc..5c2e0fc 100644 | ||
27 | --- a/Xi/sendexev.c | ||
28 | +++ b/Xi/sendexev.c | ||
29 | @@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) | ||
30 | |||
31 | eventP = (xEvent *) &stuff[1]; | ||
32 | for (i = 0; i < stuff->num_events; i++, eventP++) { | ||
33 | + if (eventP->u.u.type == GenericEvent) { | ||
34 | + client->errorValue = eventP->u.u.type; | ||
35 | + return BadValue; | ||
36 | + } | ||
37 | + | ||
38 | proc = EventSwapVector[eventP->u.u.type & 0177]; | ||
39 | - if (proc == NotImplemented) /* no swapping proc; invalid event type? */ | ||
40 | + /* no swapping proc; invalid event type? */ | ||
41 | + if (proc == NotImplemented) { | ||
42 | + client->errorValue = eventP->u.u.type; | ||
43 | return BadValue; | ||
44 | + } | ||
45 | (*proc) (eventP, &eventT); | ||
46 | *eventP = eventT; | ||
47 | } | ||
48 | -- | ||
49 | 1.7.9.5 | ||
50 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb index 606367d1e9..65ef6c683b 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb | |||
@@ -5,6 +5,9 @@ SRC_URI += "file://musl-arm-inb-outb.patch \ | |||
5 | file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \ | 5 | file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \ |
6 | file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \ | 6 | file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \ |
7 | file://0003-Remove-check-for-useSIGIO-option.patch \ | 7 | file://0003-Remove-check-for-useSIGIO-option.patch \ |
8 | file://CVE-2017-10971-1.patch \ | ||
9 | file://CVE-2017-10971-2.patch \ | ||
10 | file://CVE-2017-10971-3.patch \ | ||
8 | " | 11 | " |
9 | SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e" | 12 | SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e" |
10 | SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98" | 13 | SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98" |