1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..0ef6e5fc9f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+This fixes an OOB write:
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+CVE-2022-46341, ZDI-CAN 19381
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index d30f51f..89a5910 100644
+--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         return BadValue;
+     }
+ 
+    /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+     * implement this. Just return an error for all keycodes that
+     * cannot work anyway, same for buttons > 255. */
+    if (stuff->detail > 255)
+        return XIAlreadyGrabbed;
+
+     if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+                                stuff->mask_len * 4) != Success)
+         return BadValue;
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+                                 &param, XI2, &mask);
+             break;
+         case XIGrabtypeKeycode:
+-            /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+-             * implement this. Just return an error for all keycodes that
+-             * cannot work anyway */
+-            if (stuff->detail > 255)
+-                status = XIAlreadyGrabbed;
+-            else
+-                status = GrabKey(client, dev, mod_dev, stuff->detail,
+-                                 &param, XI2, &mask);
+            status = GrabKey(client, dev, mod_dev, stuff->detail,
+                             &param, XI2, &mask);
+             break;
+         case XIGrabtypeEnter:
+         case XIGrabtypeFocusIn:
+@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+         return BadValue;
+     }
+ 
+    /* We don't allow passive grabs for details > 255 anyway */
+    if (stuff->detail > 255) {
+        client->errorValue = stuff->detail;
+        return BadValue;
+    }
+
+     rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+     if (rc != Success)
+         return rc;
+-- 
+2.25.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch new file mode 100644 index 0000000000..0ef6e5fc9f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
	1	From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Tue, 29 Nov 2022 13:55:32 +1000
	4	Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
	5
	6	The XKB protocol effectively prevents us from ever using keycodes above
	7	255. For buttons it's theoretically possible but realistically too niche
	8	to worry about. For all other passive grabs, the detail must be zero
	9	anyway.
	10
	11	This fixes an OOB write:
	12
	13	ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
	14	temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
	15	For matching existing grabs, DeleteDetailFromMask is called with the
	16	stuff->detail value. This function creates a new mask with the one bit
	17	representing stuff->detail cleared.
	18
	19	However, the array size for the new mask is 8 * sizeof(CARD32) bits,
	20	thus any detail above 255 results in an OOB array write.
	21
	22	CVE-2022-46341, ZDI-CAN 19381
	23
	24	This vulnerability was discovered by:
	25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	26
	27	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	28	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
	29
	30	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
	31	CVE: CVE-2022-46341
	32	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	33	---
	34	Xi/xipassivegrab.c \| 22 ++++++++++++++--------
	35	1 file changed, 14 insertions(+), 8 deletions(-)
	36
	37	diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
	38	index d30f51f..89a5910 100644
	39	--- a/Xi/xipassivegrab.c
	40	+++ b/Xi/xipassivegrab.c
	41	@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
	42	return BadValue;
	43	}
	44
	45	+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
	46	+ * implement this. Just return an error for all keycodes that
	47	+ * cannot work anyway, same for buttons > 255. */
	48	+ if (stuff->detail > 255)
	49	+ return XIAlreadyGrabbed;
	50	+
	51	if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
	52	stuff->mask_len * 4) != Success)
	53	return BadValue;
	54	@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
	55	&param, XI2, &mask);
	56	break;
	57	case XIGrabtypeKeycode:
	58	- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
	59	- * implement this. Just return an error for all keycodes that
	60	- * cannot work anyway */
	61	- if (stuff->detail > 255)
	62	- status = XIAlreadyGrabbed;
	63	- else
	64	- status = GrabKey(client, dev, mod_dev, stuff->detail,
	65	- &param, XI2, &mask);
	66	+ status = GrabKey(client, dev, mod_dev, stuff->detail,
	67	+ &param, XI2, &mask);
	68	break;
	69	case XIGrabtypeEnter:
	70	case XIGrabtypeFocusIn:
	71	@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
	72	return BadValue;
	73	}
	74
	75	+ /* We don't allow passive grabs for details > 255 anyway */
	76	+ if (stuff->detail > 255) {
	77	+ client->errorValue = stuff->detail;
	78	+ return BadValue;
	79	+ }
	80	+
	81	rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
	82	if (rc != Success)
	83	return rc;
	84	--
	85	2.25.1
	86