1 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..e25afa0d16
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+This fixes an OOB read and the resulting information disclosure.
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+CVE-2022-46344, ZDI-CAN 19405
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c  | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 6ec419e..0cfa6e3 100644
+--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+     REQUEST(xChangeDevicePropertyReq);
+     DeviceIntPtr dev;
+     unsigned long len;
+-    int totalSize;
+    uint64_t totalSize;
+     int rc;
+ 
+     REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+     int rc;
+     DeviceIntPtr dev;
+-    int totalSize;
+    uint64_t totalSize;
+     unsigned long len;
+ 
+     REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index ff1d669..6fdb74a 100644
+--- a/dix/property.c
+++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+     WindowPtr pWin;
+     char format, mode;
+     unsigned long len;
+-    int sizeInBytes, totalSize, err;
+    int sizeInBytes, err;
+    uint64_t totalSize;
+ 
+     REQUEST(xChangePropertyReq);
+ 
+-- 
+2.25.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch new file mode 100644 index 0000000000..e25afa0d16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
	1	From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Tue, 29 Nov 2022 13:26:57 +1000
	4	Subject: [PATCH] Xi: avoid integer truncation in length check of
	5	ProcXIChangeProperty
	6
	7	This fixes an OOB read and the resulting information disclosure.
	8
	9	Length calculation for the request was clipped to a 32-bit integer. With
	10	the correct stuff->num_items value the expected request size was
	11	truncated, passing the REQUEST_FIXED_SIZE check.
	12
	13	The server then proceeded with reading at least stuff->num_items bytes
	14	(depending on stuff->format) from the request and stuffing whatever it
	15	finds into the property. In the process it would also allocate at least
	16	stuff->num_items bytes, i.e. 4GB.
	17
	18	The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
	19	so let's fix that too.
	20
	21	CVE-2022-46344, ZDI-CAN 19405
	22
	23	This vulnerability was discovered by:
	24	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	25
	26	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	27	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
	28
	29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
	30	CVE: CVE-2022-46344
	31	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	32	---
	33	Xi/xiproperty.c \| 4 ++--
	34	dix/property.c \| 3 ++-
	35	2 files changed, 4 insertions(+), 3 deletions(-)
	36
	37	diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
	38	index 6ec419e..0cfa6e3 100644
	39	--- a/Xi/xiproperty.c
	40	+++ b/Xi/xiproperty.c
	41	@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
	42	REQUEST(xChangeDevicePropertyReq);
	43	DeviceIntPtr dev;
	44	unsigned long len;
	45	- int totalSize;
	46	+ uint64_t totalSize;
	47	int rc;
	48
	49	REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
	50	@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
	51	{
	52	int rc;
	53	DeviceIntPtr dev;
	54	- int totalSize;
	55	+ uint64_t totalSize;
	56	unsigned long len;
	57
	58	REQUEST(xXIChangePropertyReq);
	59	diff --git a/dix/property.c b/dix/property.c
	60	index ff1d669..6fdb74a 100644
	61	--- a/dix/property.c
	62	+++ b/dix/property.c
	63	@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
	64	WindowPtr pWin;
	65	char format, mode;
	66	unsigned long len;
	67	- int sizeInBytes, totalSize, err;
	68	+ int sizeInBytes, err;
	69	+ uint64_t totalSize;
	70
	71	REQUEST(xChangePropertyReq);
	72
	73	--
	74	2.25.1
	75