3 files changed, 144 insertions, 0 deletions
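--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/exevents.c | 12 ++++++------
+dix/devices.c | 10 ++++++++++
+2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+}
+
+if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+}
+else {
+free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+if (master->button && master->button->numButtons != maxbuttons) {
+int i;
++ int last_num_buttons = master->button->numButtons;
++
+DeviceChangedEvent event = {
+.header = ET_Internal,
+.type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+};
+
+master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+sizeof(Atom));
+--
+GitLab
+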
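Review bot: In the dix/devices.c hunk of this patch, the `memset` after `xnfreallocarray` zeroes only the entries from `last_num_buttons` up to `maxbuttons`, so if `master->button->xkb_acts` was still NULL when RecalculateMasterButtons runs, the first `last_num_buttons` entries of the freshly allocated array are left uninitialized. The Xi/exevents.c hunk treats a NULL `xkb_acts` as a valid state (`if (from->button->xkb_acts)` with a `free` in the else branch), so that case looks reachable, though the rest of RecalculateMasterButtons is outside the hunk and may rule it out. One way to close it is to take `int first = master->button->xkb_acts ? last_num_buttons : 0;` before the reallocation and then call `memset(&master->button->xkb_acts[first], 0, (maxbuttons - first) * sizeof(XkbAction));`. Because the file is marked `Upstream-Status: Backport`, this is better raised upstream than carried as a local divergence in the recipe.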
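--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+randr/rrproperty.c | 2 +-
+randr/rrproviderproperty.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+char format, mode;
+unsigned long len;
+int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+int err;
+
+REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+char format, mode;
+unsigned long len;
+int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+int err;
+
+REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+GitLab
+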
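Review bot: Widening only `totalSize` to `uint64_t` in ProcRRChangeOutputProperty does not by itself make the size computation 64-bit, because `len` stays `unsigned long`, `sizeInBytes` stays `int`, and the multiplication that fills `totalSize` is outside the hunk. On ILP32 targets `unsigned long` is 32 bits, so a product of the form `len * sizeInBytes` would be evaluated in 32 bits and could wrap before it is stored, unless an earlier bound on `len` rules that out; this should be confirmed for the 32-bit machines the recipe builds for. If the assignment has that form, `totalSize = (uint64_t) len * sizeInBytes;` makes the intent explicit. A comment on the declaration such as `/* 64-bit: must hold nUnits * bytes-per-unit untruncated for REQUEST_FIXED_SIZE */` would document why its type differs from its neighbours. The same applies to the ProcRRChangeProviderProperty hunk in randr/rrproviderproperty.c.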
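--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -18,6 +18,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
 file://CVE-2023-1393.patch \
 file://CVE-2023-5367.patch \
 file://CVE-2023-5380.patch \
+file://CVE-2023-6377.patch \
+file://CVE-2023-6478.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"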