1 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
new file mode 100644
index 0000000000..e9ab42742e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
@@ -0,0 +1,132 @@
+From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 12 Nov 2020 19:15:07 +0100
+Subject: [PATCH] Check SetMap request length carefully.
+Avoid out of bounds memory accesses on too short request.
+ZDI-CAN 11572 /  CVE-2020-14360
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport 
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
+CVE: CVE-2020-14360
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
+++ xorg-server-1.20.8/xkb/xkb.c
+@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
+     return (char *) wire;
+ }
+ 
+#define _add_check_len(new) \
+    if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
+    else len += new
+
+/**
+ * Check the length of the SetMap request
+ */
+static int
+_XkbSetMapCheckLength(xkbSetMapReq *req)
+{
+    size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
+    xkbKeyTypeWireDesc *keytype;
+    xkbSymMapWireDesc *symmap;
+    BOOL preserve;
+    int i, map_count, nSyms;
+
+    if (req_len < len)
+        goto bad;
+    /* types */
+    if (req->present & XkbKeyTypesMask) {
+        keytype = (xkbKeyTypeWireDesc *)(req + 1);
+        for (i = 0; i < req->nTypes; i++) {
+            _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
+            if (req->flags & XkbSetMapResizeTypes) {
+                _add_check_len(keytype->nMapEntries
+                               * sz_xkbKTSetMapEntryWireDesc);
+                preserve = keytype->preserve;
+                map_count = keytype->nMapEntries;
+                if (preserve) {
+                    _add_check_len(map_count * sz_xkbModsWireDesc);
+                }
+                keytype += 1;
+                keytype = (xkbKeyTypeWireDesc *)
+                          ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
+                if (preserve)
+                    keytype = (xkbKeyTypeWireDesc *)
+                              ((xkbModsWireDesc *)keytype + map_count);
+            }
+        }
+    }
+    /* syms */
+    if (req->present & XkbKeySymsMask) {
+        symmap = (xkbSymMapWireDesc *)((char *)req + len);
+        for (i = 0; i < req->nKeySyms; i++) {
+            _add_check_len(sz_xkbSymMapWireDesc);
+            nSyms = symmap->nSyms;
+            _add_check_len(nSyms*sizeof(CARD32));
+            symmap += 1;
+            symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
+        }
+    }
+    /* actions */
+    if (req->present & XkbKeyActionsMask) {
+        _add_check_len(req->totalActs * sz_xkbActionWireDesc 
+                       + XkbPaddedSize(req->nKeyActs));
+    }
+    /* behaviours */
+    if (req->present & XkbKeyBehaviorsMask) {
+        _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
+    }
+    /* vmods */
+    if (req->present & XkbVirtualModsMask) {
+        _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
+    }
+    /* explicit */
+    if (req->present & XkbExplicitComponentsMask) {
+        /* two bytes per non-zero explicit componen */
+        _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
+    }
+    /* modmap */
+    if (req->present & XkbModifierMapMask) {
+         /* two bytes per non-zero modmap component */
+        _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
+    }
+    /* vmodmap */
+    if (req->present & XkbVirtualModMapMask) {
+        _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
+    }
+    if (len == req_len)
+        return Success;
+bad:
+    ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
+           len, req_len);
+    return BadLength;
+}
+
+
+ /**
+  * Check if the given request can be applied to the given device but don't
+  * actually do anything..
+@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
+     CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
+     CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
+ 
+    /* first verify the request length carefully */
+    rc = _XkbSetMapCheckLength(stuff);
+    if (rc != Success)
+        return rc;
+
+     tmp = (char *) &stuff[1];
+ 
+     /* Check if we can to the SetMap on the requested device. If this

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch new file mode 100644 index 0000000000..e9ab42742e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
@@ -0,0 +1,132 @@
	1	From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
	2	From: Matthieu Herrb <matthieu@herrb.eu>
	3	Date: Thu, 12 Nov 2020 19:15:07 +0100
	4	Subject: [PATCH] Check SetMap request length carefully.
	5
	6	Avoid out of bounds memory accesses on too short request.
	7
	8	ZDI-CAN 11572 / CVE-2020-14360
	9
	10	This vulnerability was discovered by:
	11	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	12
	13	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
	14
	15	Upstream-Status: Backport
	16	https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
	17	CVE: CVE-2020-14360
	18	Signed-off-by: Armin Kuster <akuster@mvista.com>
	19	---
	20	xkb/xkb.c \| 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
	21	1 file changed, 92 insertions(+)
	22
	23	Index: xorg-server-1.20.8/xkb/xkb.c
	24	===================================================================
	25	--- xorg-server-1.20.8.orig/xkb/xkb.c
	26	+++ xorg-server-1.20.8/xkb/xkb.c
	27	@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
	28	return (char *) wire;
	29	}
	30
	31	+#define _add_check_len(new) \
	32	+ if (len > UINT32_MAX - (new) \|\| len > req_len - (new)) goto bad; \
	33	+ else len += new
	34	+
	35	+/**
	36	+ * Check the length of the SetMap request
	37	+ */
	38	+static int
	39	+_XkbSetMapCheckLength(xkbSetMapReq *req)
	40	+{
	41	+ size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
	42	+ xkbKeyTypeWireDesc *keytype;
	43	+ xkbSymMapWireDesc *symmap;
	44	+ BOOL preserve;
	45	+ int i, map_count, nSyms;
	46	+
	47	+ if (req_len < len)
	48	+ goto bad;
	49	+ /* types */
	50	+ if (req->present & XkbKeyTypesMask) {
	51	+ keytype = (xkbKeyTypeWireDesc *)(req + 1);
	52	+ for (i = 0; i < req->nTypes; i++) {
	53	+ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
	54	+ if (req->flags & XkbSetMapResizeTypes) {
	55	+ _add_check_len(keytype->nMapEntries
	56	+ * sz_xkbKTSetMapEntryWireDesc);
	57	+ preserve = keytype->preserve;
	58	+ map_count = keytype->nMapEntries;
	59	+ if (preserve) {
	60	+ _add_check_len(map_count * sz_xkbModsWireDesc);
	61	+ }
	62	+ keytype += 1;
	63	+ keytype = (xkbKeyTypeWireDesc *)
	64	+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
	65	+ if (preserve)
	66	+ keytype = (xkbKeyTypeWireDesc *)
	67	+ ((xkbModsWireDesc *)keytype + map_count);
	68	+ }
	69	+ }
	70	+ }
	71	+ /* syms */
	72	+ if (req->present & XkbKeySymsMask) {
	73	+ symmap = (xkbSymMapWireDesc )((char )req + len);
	74	+ for (i = 0; i < req->nKeySyms; i++) {
	75	+ _add_check_len(sz_xkbSymMapWireDesc);
	76	+ nSyms = symmap->nSyms;
	77	+ _add_check_len(nSyms*sizeof(CARD32));
	78	+ symmap += 1;
	79	+ symmap = (xkbSymMapWireDesc )((CARD32 )symmap + nSyms);
	80	+ }
	81	+ }
	82	+ /* actions */
	83	+ if (req->present & XkbKeyActionsMask) {
	84	+ _add_check_len(req->totalActs * sz_xkbActionWireDesc
	85	+ + XkbPaddedSize(req->nKeyActs));
	86	+ }
	87	+ /* behaviours */
	88	+ if (req->present & XkbKeyBehaviorsMask) {
	89	+ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
	90	+ }
	91	+ /* vmods */
	92	+ if (req->present & XkbVirtualModsMask) {
	93	+ _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
	94	+ }
	95	+ /* explicit */
	96	+ if (req->present & XkbExplicitComponentsMask) {
	97	+ /* two bytes per non-zero explicit componen */
	98	+ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
	99	+ }
	100	+ /* modmap */
	101	+ if (req->present & XkbModifierMapMask) {
	102	+ /* two bytes per non-zero modmap component */
	103	+ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
	104	+ }
	105	+ /* vmodmap */
	106	+ if (req->present & XkbVirtualModMapMask) {
	107	+ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
	108	+ }
	109	+ if (len == req_len)
	110	+ return Success;
	111	+bad:
	112	+ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
	113	+ len, req_len);
	114	+ return BadLength;
	115	+}
	116	+
	117	+
	118	/**
	119	* Check if the given request can be applied to the given device but don't
	120	* actually do anything..
	121	@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
	122	CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
	123	CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
	124
	125	+ /* first verify the request length carefully */
	126	+ rc = _XkbSetMapCheckLength(stuff);
	127	+ if (rc != Success)
	128	+ return rc;
	129	+
	130	tmp = (char *) &stuff[1];
	131
	132	/* Check if we can to the SetMap on the requested device. If this