diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg')
32 files changed, 1848 insertions, 362 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch deleted file mode 100644 index fb3a37c474..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch +++ /dev/null | |||
@@ -1,182 +0,0 @@ | |||
1 | From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:46:32 +0200 | ||
4 | Subject: [PATCH] Correct bounds checking in XkbSetNames() | ||
5 | |||
6 | CVE-2020-14345 / ZDI 11428 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2020-14345 | ||
15 | Affects < 1.20.9 | ||
16 | |||
17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
18 | |||
19 | --- | ||
20 | xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ | ||
21 | 1 file changed, 48 insertions(+) | ||
22 | |||
23 | Index: xorg-server-1.20.8/xkb/xkb.c | ||
24 | =================================================================== | ||
25 | --- xorg-server-1.20.8.orig/xkb/xkb.c | ||
26 | +++ xorg-server-1.20.8/xkb/xkb.c | ||
27 | @@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; | ||
28 | #define CHK_REQ_KEY_RANGE(err,first,num,r) \ | ||
29 | CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) | ||
30 | |||
31 | +static Bool | ||
32 | +_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { | ||
33 | + char *cstuff = (char *)stuff; | ||
34 | + char *cfrom = (char *)from; | ||
35 | + char *cto = (char *)to; | ||
36 | + | ||
37 | + return cfrom < cto && | ||
38 | + cfrom >= cstuff && | ||
39 | + cfrom < cstuff + ((size_t)client->req_len << 2) && | ||
40 | + cto >= cstuff && | ||
41 | + cto <= cstuff + ((size_t)client->req_len << 2); | ||
42 | +} | ||
43 | + | ||
44 | /***====================================================================***/ | ||
45 | |||
46 | int | ||
47 | @@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
48 | client->errorValue = _XkbErrCode2(0x04, stuff->firstType); | ||
49 | return BadAccess; | ||
50 | } | ||
51 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) | ||
52 | + return BadLength; | ||
53 | old = tmp; | ||
54 | tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); | ||
55 | if (!tmp) { | ||
56 | @@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
57 | } | ||
58 | width = (CARD8 *) tmp; | ||
59 | tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); | ||
60 | + if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) | ||
61 | + return BadLength; | ||
62 | type = &xkb->map->types[stuff->firstKTLevel]; | ||
63 | for (i = 0; i < stuff->nKTLevels; i++, type++) { | ||
64 | if (width[i] == 0) | ||
65 | @@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
66 | type->num_levels, width[i]); | ||
67 | return BadMatch; | ||
68 | } | ||
69 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) | ||
70 | + return BadLength; | ||
71 | tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); | ||
72 | if (!tmp) { | ||
73 | client->errorValue = bad; | ||
74 | @@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
75 | client->errorValue = 0x08; | ||
76 | return BadMatch; | ||
77 | } | ||
78 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
79 | + tmp + Ones(stuff->indicators))) | ||
80 | + return BadLength; | ||
81 | tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, | ||
82 | client->swapped, &bad); | ||
83 | if (!tmp) { | ||
84 | @@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
85 | client->errorValue = 0x09; | ||
86 | return BadMatch; | ||
87 | } | ||
88 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
89 | + tmp + Ones(stuff->virtualMods))) | ||
90 | + return BadLength; | ||
91 | tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, | ||
92 | (CARD32) stuff->virtualMods, | ||
93 | client->swapped, &bad); | ||
94 | @@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
95 | client->errorValue = 0x0a; | ||
96 | return BadMatch; | ||
97 | } | ||
98 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
99 | + tmp + Ones(stuff->groupNames))) | ||
100 | + return BadLength; | ||
101 | tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, | ||
102 | (CARD32) stuff->groupNames, | ||
103 | client->swapped, &bad); | ||
104 | @@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
105 | stuff->nKeys); | ||
106 | return BadValue; | ||
107 | } | ||
108 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) | ||
109 | + return BadLength; | ||
110 | tmp += stuff->nKeys; | ||
111 | } | ||
112 | if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { | ||
113 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
114 | + tmp + (stuff->nKeyAliases * 2))) | ||
115 | + return BadLength; | ||
116 | tmp += stuff->nKeyAliases * 2; | ||
117 | } | ||
118 | if (stuff->which & XkbRGNamesMask) { | ||
119 | @@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi | ||
120 | client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); | ||
121 | return BadValue; | ||
122 | } | ||
123 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, | ||
124 | + tmp + stuff->nRadioGroups)) | ||
125 | + return BadLength; | ||
126 | tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); | ||
127 | if (!tmp) { | ||
128 | client->errorValue = bad; | ||
129 | @@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client) | ||
130 | /* check device-independent stuff */ | ||
131 | tmp = (CARD32 *) &stuff[1]; | ||
132 | |||
133 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
134 | + return BadLength; | ||
135 | if (stuff->which & XkbKeycodesNameMask) { | ||
136 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
137 | if (!tmp) { | ||
138 | @@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client) | ||
139 | return BadAtom; | ||
140 | } | ||
141 | } | ||
142 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
143 | + return BadLength; | ||
144 | if (stuff->which & XkbGeometryNameMask) { | ||
145 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
146 | if (!tmp) { | ||
147 | @@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client) | ||
148 | return BadAtom; | ||
149 | } | ||
150 | } | ||
151 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
152 | + return BadLength; | ||
153 | if (stuff->which & XkbSymbolsNameMask) { | ||
154 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
155 | if (!tmp) { | ||
156 | @@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client) | ||
157 | return BadAtom; | ||
158 | } | ||
159 | } | ||
160 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
161 | + return BadLength; | ||
162 | if (stuff->which & XkbPhysSymbolsNameMask) { | ||
163 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
164 | if (!tmp) { | ||
165 | @@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client) | ||
166 | return BadAtom; | ||
167 | } | ||
168 | } | ||
169 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
170 | + return BadLength; | ||
171 | if (stuff->which & XkbTypesNameMask) { | ||
172 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
173 | if (!tmp) { | ||
174 | @@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client) | ||
175 | return BadAtom; | ||
176 | } | ||
177 | } | ||
178 | + if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) | ||
179 | + return BadLength; | ||
180 | if (stuff->which & XkbCompatNameMask) { | ||
181 | tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); | ||
182 | if (!tmp) { | ||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch deleted file mode 100644 index 4994a21d33..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:49:04 +0200 | ||
4 | Subject: [PATCH] Fix XIChangeHierarchy() integer underflow | ||
5 | |||
6 | CVE-2020-14346 / ZDI-CAN-11429 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff] | ||
15 | CVE: CVE-2020-14346 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | Xi/xichangehierarchy.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c | ||
22 | index cbdd91258..504defe56 100644 | ||
23 | --- a/Xi/xichangehierarchy.c | ||
24 | +++ b/Xi/xichangehierarchy.c | ||
25 | @@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
26 | if (!stuff->num_changes) | ||
27 | return rc; | ||
28 | |||
29 | - len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); | ||
30 | + len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); | ||
31 | |||
32 | any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; | ||
33 | while (stuff->num_changes--) { | ||
34 | -- | ||
35 | 2.17.1 | ||
36 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch deleted file mode 100644 index cf3f5f9417..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Sat, 25 Jul 2020 19:33:50 +0200 | ||
4 | Subject: [PATCH] fix for ZDI-11426 | ||
5 | |||
6 | Avoid leaking un-initalized memory to clients by zeroing the | ||
7 | whole pixmap on initial allocation. | ||
8 | |||
9 | This vulnerability was discovered by: | ||
10 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
11 | |||
12 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
13 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
14 | |||
15 | |||
16 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816] | ||
17 | CVE: CVE-2020-14347 | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | dix/pixmap.c | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/dix/pixmap.c b/dix/pixmap.c | ||
24 | index 1186d7dbbf..5a0146bbb6 100644 | ||
25 | --- a/dix/pixmap.c | ||
26 | +++ b/dix/pixmap.c | ||
27 | @@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) | ||
28 | if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) | ||
29 | return NullPixmap; | ||
30 | |||
31 | - pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); | ||
32 | + pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); | ||
33 | if (!pPixmap) | ||
34 | return NullPixmap; | ||
35 | |||
36 | -- | ||
37 | GitLab | ||
38 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch deleted file mode 100644 index 710cc3873c..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:52:29 +0200 | ||
4 | Subject: [PATCH] Fix XkbSelectEvents() integer underflow | ||
5 | |||
6 | CVE-2020-14361 ZDI-CAN 11573 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787] | ||
15 | CVE: CVE-2020-14361 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | xkb/xkbSwap.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c | ||
22 | index 1c1ed5ff4..50cabb90e 100644 | ||
23 | --- a/xkb/xkbSwap.c | ||
24 | +++ b/xkb/xkbSwap.c | ||
25 | @@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) | ||
26 | register unsigned bit, ndx, maskLeft, dataLeft, size; | ||
27 | |||
28 | from.c8 = (CARD8 *) &stuff[1]; | ||
29 | - dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); | ||
30 | + dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); | ||
31 | maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); | ||
32 | for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { | ||
33 | if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) | ||
34 | -- | ||
35 | 2.17.1 | ||
36 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch deleted file mode 100644 index 2103e9c198..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch +++ /dev/null | |||
@@ -1,70 +0,0 @@ | |||
1 | From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Tue, 18 Aug 2020 14:55:01 +0200 | ||
4 | Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow | ||
5 | |||
6 | CVE-2020-14362 ZDI-CAN-11574 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc] | ||
15 | CVE: CVE-2020-14362 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | record/record.c | 10 +++++----- | ||
19 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
20 | |||
21 | diff --git a/record/record.c b/record/record.c | ||
22 | index f2d38c877..be154525d 100644 | ||
23 | --- a/record/record.c | ||
24 | +++ b/record/record.c | ||
25 | @@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client) | ||
26 | } /* SProcRecordQueryVersion */ | ||
27 | |||
28 | static int _X_COLD | ||
29 | -SwapCreateRegister(xRecordRegisterClientsReq * stuff) | ||
30 | +SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) | ||
31 | { | ||
32 | int i; | ||
33 | XID *pClientID; | ||
34 | @@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) | ||
35 | swapl(&stuff->nRanges); | ||
36 | pClientID = (XID *) &stuff[1]; | ||
37 | if (stuff->nClients > | ||
38 | - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) | ||
39 | + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) | ||
40 | return BadLength; | ||
41 | for (i = 0; i < stuff->nClients; i++, pClientID++) { | ||
42 | swapl(pClientID); | ||
43 | } | ||
44 | if (stuff->nRanges > | ||
45 | - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
46 | + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
47 | - stuff->nClients) | ||
48 | return BadLength; | ||
49 | RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); | ||
50 | @@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client) | ||
51 | |||
52 | swaps(&stuff->length); | ||
53 | REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); | ||
54 | - if ((status = SwapCreateRegister((void *) stuff)) != Success) | ||
55 | + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) | ||
56 | return status; | ||
57 | return ProcRecordCreateContext(client); | ||
58 | } /* SProcRecordCreateContext */ | ||
59 | @@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client) | ||
60 | |||
61 | swaps(&stuff->length); | ||
62 | REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); | ||
63 | - if ((status = SwapCreateRegister((void *) stuff)) != Success) | ||
64 | + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) | ||
65 | return status; | ||
66 | return ProcRecordRegisterClients(client); | ||
67 | } /* SProcRecordRegisterClients */ | ||
68 | -- | ||
69 | 2.17.1 | ||
70 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch new file mode 100644 index 0000000000..efec7b6b4e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Sun, 4 Dec 2022 17:40:21 +0000 | ||
4 | Subject: [PATCH 1/3] xkb: proof GetCountedString against request length | ||
5 | attacks | ||
6 | |||
7 | GetCountedString did a check for the whole string to be within the | ||
8 | request buffer but not for the initial 2 bytes that contain the length | ||
9 | field. A swapped client could send a malformed request to trigger a | ||
10 | swaps() on those bytes, writing into random memory. | ||
11 | |||
12 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
13 | |||
14 | Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] | ||
15 | CVE: CVE-2022-3550 | ||
16 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
17 | |||
18 | --- | ||
19 | xkb/xkb.c | 5 +++++ | ||
20 | 1 file changed, 5 insertions(+) | ||
21 | |||
22 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
23 | index 68c59df..bf8aaa3 100644 | ||
24 | --- a/xkb/xkb.c | ||
25 | +++ b/xkb/xkb.c | ||
26 | @@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) | ||
27 | CARD16 len; | ||
28 | |||
29 | wire = *wire_inout; | ||
30 | + | ||
31 | + if (client->req_len < | ||
32 | + bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) | ||
33 | + return BadValue; | ||
34 | + | ||
35 | len = *(CARD16 *) wire; | ||
36 | if (client->swapped) { | ||
37 | swaps(&len); | ||
38 | -- | ||
39 | 2.17.1 | ||
40 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch new file mode 100644 index 0000000000..a3b977aac9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Sun, 4 Dec 2022 17:44:00 +0000 | ||
4 | Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName | ||
5 | |||
6 | GetComponentByName returns an allocated string, so let's free that if we | ||
7 | fail somewhere. | ||
8 | |||
9 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
10 | |||
11 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2] | ||
12 | CVE: CVE-2022-3551 | ||
13 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
14 | |||
15 | --- | ||
16 | xkb/xkb.c | 26 +++++++++++++++++++------- | ||
17 | 1 file changed, 19 insertions(+), 7 deletions(-) | ||
18 | |||
19 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
20 | index bf8aaa3..f79d306 100644 | ||
21 | --- a/xkb/xkb.c | ||
22 | +++ b/xkb/xkb.c | ||
23 | @@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client) | ||
24 | xkb = dev->key->xkbInfo->desc; | ||
25 | status = Success; | ||
26 | str = (unsigned char *) &stuff[1]; | ||
27 | - if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ | ||
28 | - return BadMatch; | ||
29 | + { | ||
30 | + char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ | ||
31 | + if (keymap) { | ||
32 | + free(keymap); | ||
33 | + return BadMatch; | ||
34 | + } | ||
35 | + } | ||
36 | names.keycodes = GetComponentSpec(&str, TRUE, &status); | ||
37 | names.types = GetComponentSpec(&str, TRUE, &status); | ||
38 | names.compat = GetComponentSpec(&str, TRUE, &status); | ||
39 | names.symbols = GetComponentSpec(&str, TRUE, &status); | ||
40 | names.geometry = GetComponentSpec(&str, TRUE, &status); | ||
41 | - if (status != Success) | ||
42 | - return status; | ||
43 | - len = str - ((unsigned char *) stuff); | ||
44 | - if ((XkbPaddedSize(len) / 4) != stuff->length) | ||
45 | - return BadLength; | ||
46 | + if (status == Success) { | ||
47 | + len = str - ((unsigned char *) stuff); | ||
48 | + if ((XkbPaddedSize(len) / 4) != stuff->length) | ||
49 | + status = BadLength; | ||
50 | + } | ||
51 | |||
52 | + if (status != Success) { | ||
53 | + free(names.keycodes); | ||
54 | + free(names.types); | ||
55 | + free(names.compat); | ||
56 | + free(names.symbols); | ||
57 | + free(names.geometry); | ||
58 | + } | ||
59 | CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); | ||
60 | CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); | ||
61 | |||
62 | -- | ||
63 | 2.17.1 | ||
64 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch new file mode 100644 index 0000000000..94cea77edc --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jeremy Huddleston Sequoia <jeremyhu@apple.com> | ||
3 | Date: Sun, 4 Dec 2022 17:46:18 +0000 | ||
4 | Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the | ||
5 | Application menu due to mutaing immutable arrays | ||
6 | |||
7 | Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object | ||
8 | |||
9 | Application Specific Backtrace 0: | ||
10 | 0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242 | ||
11 | 1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48 | ||
12 | 2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194 | ||
13 | 3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0 | ||
14 | 4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119 | ||
15 | 5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169 | ||
16 | |||
17 | Fixes: https://github.com/XQuartz/XQuartz/issues/267 | ||
18 | Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> | ||
19 | |||
20 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3] | ||
21 | CVE: CVE-2022-3553 | ||
22 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
23 | |||
24 | --- | ||
25 | hw/xquartz/X11Controller.m | 8 ++++++-- | ||
26 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
27 | |||
28 | diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m | ||
29 | index 3efda50..9870ff2 100644 | ||
30 | --- a/hw/xquartz/X11Controller.m | ||
31 | +++ b/hw/xquartz/X11Controller.m | ||
32 | @@ -467,8 +467,12 @@ extern char *bundle_id_prefix; | ||
33 | self.table_apps = table_apps; | ||
34 | |||
35 | NSArray * const apps = self.apps; | ||
36 | - if (apps != nil) | ||
37 | - [table_apps addObjectsFromArray:apps]; | ||
38 | + | ||
39 | + if (apps != nil) { | ||
40 | + for (NSArray <NSString *> * row in apps) { | ||
41 | + [table_apps addObject:row.mutableCopy]; | ||
42 | + } | ||
43 | + } | ||
44 | |||
45 | columns = [apps_table tableColumns]; | ||
46 | [[columns objectAtIndex:0] setIdentifier:@"0"]; | ||
47 | -- | ||
48 | 2.17.1 | ||
49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch new file mode 100644 index 0000000000..3f6b68fea8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Mon, 5 Dec 2022 15:55:54 +1000 | ||
4 | Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it | ||
5 | |||
6 | Unlike other elements of the keymap, this pointer was freed but not | ||
7 | reset. On a subsequent XkbGetKbdByName request, the server may access | ||
8 | already freed memory. | ||
9 | |||
10 | CVE-2022-4283, ZDI-CAN-19530 | ||
11 | |||
12 | This vulnerability was discovered by: | ||
13 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
14 | |||
15 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
16 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
17 | |||
18 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c] | ||
19 | CVE: CVE-2022-4283 | ||
20 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
21 | --- | ||
22 | xkb/xkbUtils.c | 1 + | ||
23 | 1 file changed, 1 insertion(+) | ||
24 | |||
25 | diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c | ||
26 | index 8975ade..9bc51fc 100644 | ||
27 | --- a/xkb/xkbUtils.c | ||
28 | +++ b/xkb/xkbUtils.c | ||
29 | @@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst) | ||
30 | } | ||
31 | else { | ||
32 | free(dst->names->radio_groups); | ||
33 | + dst->names->radio_groups = NULL; | ||
34 | } | ||
35 | dst->names->num_rg = src->names->num_rg; | ||
36 | |||
37 | -- | ||
38 | 2.25.1 | ||
39 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch new file mode 100644 index 0000000000..a6c97485cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 29 Nov 2022 12:55:45 +1000 | ||
4 | Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput | ||
5 | |||
6 | XTestSwapFakeInput assumes all events in this request are | ||
7 | sizeof(xEvent) and iterates through these in 32-byte increments. | ||
8 | However, a GenericEvent may be of arbitrary length longer than 32 bytes, | ||
9 | so any GenericEvent in this list would result in subsequent events to be | ||
10 | misparsed. | ||
11 | |||
12 | Additional, the swapped event is written into a stack-allocated struct | ||
13 | xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, | ||
14 | swapping the event may thus smash the stack like an avocado on toast. | ||
15 | |||
16 | Catch this case early and return BadValue for any GenericEvent. | ||
17 | Which is what would happen in unswapped setups anyway since XTest | ||
18 | doesn't support GenericEvent. | ||
19 | |||
20 | CVE-2022-46340, ZDI-CAN 19265 | ||
21 | |||
22 | This vulnerability was discovered by: | ||
23 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
24 | |||
25 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
26 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
27 | |||
28 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63] | ||
29 | CVE: CVE-2022-46340 | ||
30 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
31 | --- | ||
32 | Xext/xtest.c | 5 +++-- | ||
33 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
34 | |||
35 | diff --git a/Xext/xtest.c b/Xext/xtest.c | ||
36 | index 38b8012..bf11789 100644 | ||
37 | --- a/Xext/xtest.c | ||
38 | +++ b/Xext/xtest.c | ||
39 | @@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) | ||
40 | |||
41 | nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); | ||
42 | for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { | ||
43 | + int evtype = ev->u.u.type & 0x177; | ||
44 | /* Swap event */ | ||
45 | - proc = EventSwapVector[ev->u.u.type & 0177]; | ||
46 | + proc = EventSwapVector[evtype]; | ||
47 | /* no swapping proc; invalid event type? */ | ||
48 | - if (!proc || proc == NotImplemented) { | ||
49 | + if (!proc || proc == NotImplemented || evtype == GenericEvent) { | ||
50 | client->errorValue = ev->u.u.type; | ||
51 | return BadValue; | ||
52 | } | ||
53 | -- | ||
54 | 2.25.1 | ||
55 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch new file mode 100644 index 0000000000..0ef6e5fc9f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch | |||
@@ -0,0 +1,86 @@ | |||
1 | From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 29 Nov 2022 13:55:32 +1000 | ||
4 | Subject: [PATCH] Xi: disallow passive grabs with a detail > 255 | ||
5 | |||
6 | The XKB protocol effectively prevents us from ever using keycodes above | ||
7 | 255. For buttons it's theoretically possible but realistically too niche | ||
8 | to worry about. For all other passive grabs, the detail must be zero | ||
9 | anyway. | ||
10 | |||
11 | This fixes an OOB write: | ||
12 | |||
13 | ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a | ||
14 | temporary grab struct which contains tempGrab->detail.exact = stuff->detail. | ||
15 | For matching existing grabs, DeleteDetailFromMask is called with the | ||
16 | stuff->detail value. This function creates a new mask with the one bit | ||
17 | representing stuff->detail cleared. | ||
18 | |||
19 | However, the array size for the new mask is 8 * sizeof(CARD32) bits, | ||
20 | thus any detail above 255 results in an OOB array write. | ||
21 | |||
22 | CVE-2022-46341, ZDI-CAN 19381 | ||
23 | |||
24 | This vulnerability was discovered by: | ||
25 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
26 | |||
27 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
28 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
29 | |||
30 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b] | ||
31 | CVE: CVE-2022-46341 | ||
32 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
33 | --- | ||
34 | Xi/xipassivegrab.c | 22 ++++++++++++++-------- | ||
35 | 1 file changed, 14 insertions(+), 8 deletions(-) | ||
36 | |||
37 | diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c | ||
38 | index d30f51f..89a5910 100644 | ||
39 | --- a/Xi/xipassivegrab.c | ||
40 | +++ b/Xi/xipassivegrab.c | ||
41 | @@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
42 | return BadValue; | ||
43 | } | ||
44 | |||
45 | + /* XI2 allows 32-bit keycodes but thanks to XKB we can never | ||
46 | + * implement this. Just return an error for all keycodes that | ||
47 | + * cannot work anyway, same for buttons > 255. */ | ||
48 | + if (stuff->detail > 255) | ||
49 | + return XIAlreadyGrabbed; | ||
50 | + | ||
51 | if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], | ||
52 | stuff->mask_len * 4) != Success) | ||
53 | return BadValue; | ||
54 | @@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
55 | ¶m, XI2, &mask); | ||
56 | break; | ||
57 | case XIGrabtypeKeycode: | ||
58 | - /* XI2 allows 32-bit keycodes but thanks to XKB we can never | ||
59 | - * implement this. Just return an error for all keycodes that | ||
60 | - * cannot work anyway */ | ||
61 | - if (stuff->detail > 255) | ||
62 | - status = XIAlreadyGrabbed; | ||
63 | - else | ||
64 | - status = GrabKey(client, dev, mod_dev, stuff->detail, | ||
65 | - ¶m, XI2, &mask); | ||
66 | + status = GrabKey(client, dev, mod_dev, stuff->detail, | ||
67 | + ¶m, XI2, &mask); | ||
68 | break; | ||
69 | case XIGrabtypeEnter: | ||
70 | case XIGrabtypeFocusIn: | ||
71 | @@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) | ||
72 | return BadValue; | ||
73 | } | ||
74 | |||
75 | + /* We don't allow passive grabs for details > 255 anyway */ | ||
76 | + if (stuff->detail > 255) { | ||
77 | + client->errorValue = stuff->detail; | ||
78 | + return BadValue; | ||
79 | + } | ||
80 | + | ||
81 | rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); | ||
82 | if (rc != Success) | ||
83 | return rc; | ||
84 | -- | ||
85 | 2.25.1 | ||
86 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch new file mode 100644 index 0000000000..23fef3f321 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch | |||
@@ -0,0 +1,78 @@ | |||
1 | From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Wed, 30 Nov 2022 11:20:40 +1000 | ||
4 | Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same | ||
5 | client | ||
6 | |||
7 | This fixes a use-after-free bug: | ||
8 | |||
9 | When a client first calls XvdiSelectVideoNotify() on a drawable with a | ||
10 | TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct | ||
11 | is added twice to the resources: | ||
12 | - as the drawable's XvRTVideoNotifyList. This happens only once per | ||
13 | drawable, subsequent calls append to this list. | ||
14 | - as the client's XvRTVideoNotify. This happens for every client. | ||
15 | |||
16 | The struct keeps the ClientPtr around once it has been added for a | ||
17 | client. The idea, presumably, is that if the client disconnects we can remove | ||
18 | all structs from the drawable's list that match the client (by resetting | ||
19 | the ClientPtr to NULL), but if the drawable is destroyed we can remove | ||
20 | and free the whole list. | ||
21 | |||
22 | However, if the same client then calls XvdiSelectVideoNotify() on the | ||
23 | same drawable with a FALSE onoff argument, only the ClientPtr on the | ||
24 | existing struct was set to NULL. The struct itself remained in the | ||
25 | client's resources. | ||
26 | |||
27 | If the drawable is now destroyed, the resource system invokes | ||
28 | XvdiDestroyVideoNotifyList which frees the whole list for this drawable | ||
29 | - including our struct. This function however does not free the resource | ||
30 | for the client since our ClientPtr is NULL. | ||
31 | |||
32 | Later, when the client is destroyed and the resource system invokes | ||
33 | XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On | ||
34 | a struct that has been freed previously. This is generally frowned upon. | ||
35 | |||
36 | Fix this by calling FreeResource() on the second call instead of merely | ||
37 | setting the ClientPtr to NULL. This removes the struct from the client | ||
38 | resources (but not from the list), ensuring that it won't be accessed | ||
39 | again when the client quits. | ||
40 | |||
41 | Note that the assignment tpn->client = NULL; is superfluous since the | ||
42 | XvdiDestroyVideoNotify function will do this anyway. But it's left for | ||
43 | clarity and to match a similar invocation in XvdiSelectPortNotify. | ||
44 | |||
45 | CVE-2022-46342, ZDI-CAN 19400 | ||
46 | |||
47 | This vulnerability was discovered by: | ||
48 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
49 | |||
50 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
51 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
52 | |||
53 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b] | ||
54 | CVE: CVE-2022-46342 | ||
55 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
56 | --- | ||
57 | Xext/xvmain.c | 4 +++- | ||
58 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
59 | |||
60 | diff --git a/Xext/xvmain.c b/Xext/xvmain.c | ||
61 | index c520c7d..5f4c174 100644 | ||
62 | --- a/Xext/xvmain.c | ||
63 | +++ b/Xext/xvmain.c | ||
64 | @@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff) | ||
65 | tpn = pn; | ||
66 | while (tpn) { | ||
67 | if (tpn->client == client) { | ||
68 | - if (!onoff) | ||
69 | + if (!onoff) { | ||
70 | tpn->client = NULL; | ||
71 | + FreeResource(tpn->id, XvRTVideoNotify); | ||
72 | + } | ||
73 | return Success; | ||
74 | } | ||
75 | if (!tpn->client) | ||
76 | -- | ||
77 | 2.25.1 | ||
78 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch new file mode 100644 index 0000000000..838f7d3726 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 29 Nov 2022 14:53:07 +1000 | ||
4 | Subject: [PATCH] Xext: free the screen saver resource when replacing it | ||
5 | |||
6 | This fixes a use-after-free bug: | ||
7 | |||
8 | When a client first calls ScreenSaverSetAttributes(), a struct | ||
9 | ScreenSaverAttrRec is allocated and added to the client's | ||
10 | resources. | ||
11 | |||
12 | When the same client calls ScreenSaverSetAttributes() again, a new | ||
13 | struct ScreenSaverAttrRec is allocated, replacing the old struct. The | ||
14 | old struct was freed but not removed from the clients resources. | ||
15 | |||
16 | Later, when the client is destroyed the resource system invokes | ||
17 | ScreenSaverFreeAttr and attempts to clean up the already freed struct. | ||
18 | |||
19 | Fix this by letting the resource system free the old attrs instead. | ||
20 | |||
21 | CVE-2022-46343, ZDI-CAN 19404 | ||
22 | |||
23 | This vulnerability was discovered by: | ||
24 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
25 | |||
26 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
27 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
28 | |||
29 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900] | ||
30 | CVE: CVE-2022-46343 | ||
31 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
32 | --- | ||
33 | Xext/saver.c | 2 +- | ||
34 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/Xext/saver.c b/Xext/saver.c | ||
37 | index c23907d..05b9ca3 100644 | ||
38 | --- a/Xext/saver.c | ||
39 | +++ b/Xext/saver.c | ||
40 | @@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client) | ||
41 | pVlist++; | ||
42 | } | ||
43 | if (pPriv->attr) | ||
44 | - FreeScreenAttr(pPriv->attr); | ||
45 | + FreeResource(pPriv->attr->resource, AttrType); | ||
46 | pPriv->attr = pAttr; | ||
47 | pAttr->resource = FakeClientID(client->index); | ||
48 | if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) | ||
49 | -- | ||
50 | 2.25.1 | ||
51 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch new file mode 100644 index 0000000000..e25afa0d16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 29 Nov 2022 13:26:57 +1000 | ||
4 | Subject: [PATCH] Xi: avoid integer truncation in length check of | ||
5 | ProcXIChangeProperty | ||
6 | |||
7 | This fixes an OOB read and the resulting information disclosure. | ||
8 | |||
9 | Length calculation for the request was clipped to a 32-bit integer. With | ||
10 | the correct stuff->num_items value the expected request size was | ||
11 | truncated, passing the REQUEST_FIXED_SIZE check. | ||
12 | |||
13 | The server then proceeded with reading at least stuff->num_items bytes | ||
14 | (depending on stuff->format) from the request and stuffing whatever it | ||
15 | finds into the property. In the process it would also allocate at least | ||
16 | stuff->num_items bytes, i.e. 4GB. | ||
17 | |||
18 | The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, | ||
19 | so let's fix that too. | ||
20 | |||
21 | CVE-2022-46344, ZDI-CAN 19405 | ||
22 | |||
23 | This vulnerability was discovered by: | ||
24 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
25 | |||
26 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
27 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
28 | |||
29 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8] | ||
30 | CVE: CVE-2022-46344 | ||
31 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
32 | --- | ||
33 | Xi/xiproperty.c | 4 ++-- | ||
34 | dix/property.c | 3 ++- | ||
35 | 2 files changed, 4 insertions(+), 3 deletions(-) | ||
36 | |||
37 | diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c | ||
38 | index 6ec419e..0cfa6e3 100644 | ||
39 | --- a/Xi/xiproperty.c | ||
40 | +++ b/Xi/xiproperty.c | ||
41 | @@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) | ||
42 | REQUEST(xChangeDevicePropertyReq); | ||
43 | DeviceIntPtr dev; | ||
44 | unsigned long len; | ||
45 | - int totalSize; | ||
46 | + uint64_t totalSize; | ||
47 | int rc; | ||
48 | |||
49 | REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); | ||
50 | @@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client) | ||
51 | { | ||
52 | int rc; | ||
53 | DeviceIntPtr dev; | ||
54 | - int totalSize; | ||
55 | + uint64_t totalSize; | ||
56 | unsigned long len; | ||
57 | |||
58 | REQUEST(xXIChangePropertyReq); | ||
59 | diff --git a/dix/property.c b/dix/property.c | ||
60 | index ff1d669..6fdb74a 100644 | ||
61 | --- a/dix/property.c | ||
62 | +++ b/dix/property.c | ||
63 | @@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) | ||
64 | WindowPtr pWin; | ||
65 | char format, mode; | ||
66 | unsigned long len; | ||
67 | - int sizeInBytes, totalSize, err; | ||
68 | + int sizeInBytes, err; | ||
69 | + uint64_t totalSize; | ||
70 | |||
71 | REQUEST(xChangePropertyReq); | ||
72 | |||
73 | -- | ||
74 | 2.25.1 | ||
75 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch new file mode 100644 index 0000000000..ef2ee5d55e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Wed, 25 Jan 2023 11:41:40 +1000 | ||
4 | Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses | ||
5 | |||
6 | CVE-2023-0494, ZDI-CAN-19596 | ||
7 | |||
8 | This vulnerability was discovered by: | ||
9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
10 | |||
11 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
12 | |||
13 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec] | ||
14 | CVE: CVE-2023-0494 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | Xi/exevents.c | 4 +++- | ||
18 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/Xi/exevents.c b/Xi/exevents.c | ||
21 | index 217baa9561..dcd4efb3bc 100644 | ||
22 | --- a/Xi/exevents.c | ||
23 | +++ b/Xi/exevents.c | ||
24 | @@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) | ||
25 | memcpy(to->button->xkb_acts, from->button->xkb_acts, | ||
26 | sizeof(XkbAction)); | ||
27 | } | ||
28 | - else | ||
29 | + else { | ||
30 | free(to->button->xkb_acts); | ||
31 | + to->button->xkb_acts = NULL; | ||
32 | + } | ||
33 | |||
34 | memcpy(to->button->labels, from->button->labels, | ||
35 | from->button->numButtons * sizeof(Atom)); | ||
36 | -- | ||
37 | GitLab | ||
38 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch new file mode 100644 index 0000000000..51d0e0cab6 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Mon, 13 Mar 2023 11:08:47 +0100 | ||
4 | Subject: [PATCH] composite: Fix use-after-free of the COW | ||
5 | |||
6 | ZDI-CAN-19866/CVE-2023-1393 | ||
7 | |||
8 | If a client explicitly destroys the compositor overlay window (aka COW), | ||
9 | we would leave a dangling pointer to that window in the CompScreen | ||
10 | structure, which will trigger a use-after-free later. | ||
11 | |||
12 | Make sure to clear the CompScreen pointer to the COW when the latter gets | ||
13 | destroyed explicitly by the client. | ||
14 | |||
15 | This vulnerability was discovered by: | ||
16 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
17 | |||
18 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
19 | Reviewed-by: Adam Jackson <ajax@redhat.com> | ||
20 | |||
21 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110] | ||
22 | CVE: CVE-2023-1393 | ||
23 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
24 | --- | ||
25 | composite/compwindow.c | 5 +++++ | ||
26 | 1 file changed, 5 insertions(+) | ||
27 | |||
28 | diff --git a/composite/compwindow.c b/composite/compwindow.c | ||
29 | index 4e2494b86b..b30da589e9 100644 | ||
30 | --- a/composite/compwindow.c | ||
31 | +++ b/composite/compwindow.c | ||
32 | @@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) | ||
33 | ret = (*pScreen->DestroyWindow) (pWin); | ||
34 | cs->DestroyWindow = pScreen->DestroyWindow; | ||
35 | pScreen->DestroyWindow = compDestroyWindow; | ||
36 | + | ||
37 | + /* Did we just destroy the overlay window? */ | ||
38 | + if (pWin == cs->pOverlayWin) | ||
39 | + cs->pOverlayWin = NULL; | ||
40 | + | ||
41 | /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ | ||
42 | return ret; | ||
43 | } | ||
44 | -- | ||
45 | GitLab | ||
46 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch new file mode 100644 index 0000000000..508588481e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 3 Oct 2023 11:53:05 +1000 | ||
4 | Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend | ||
5 | |||
6 | The handling of appending/prepending properties was incorrect, with at | ||
7 | least two bugs: the property length was set to the length of the new | ||
8 | part only, i.e. appending or prepending N elements to a property with P | ||
9 | existing elements always resulted in the property having N elements | ||
10 | instead of N + P. | ||
11 | |||
12 | Second, when pre-pending a value to a property, the offset for the old | ||
13 | values was incorrect, leaving the new property with potentially | ||
14 | uninitalized values and/or resulting in OOB memory writes. | ||
15 | For example, prepending a 3 element value to a 5 element property would | ||
16 | result in this 8 value array: | ||
17 | [N, N, N, ?, ?, P, P, P ] P, P | ||
18 | ^OOB write | ||
19 | |||
20 | The XI2 code is a copy/paste of the RandR code, so the bug exists in | ||
21 | both. | ||
22 | |||
23 | CVE-2023-5367, ZDI-CAN-22153 | ||
24 | |||
25 | This vulnerability was discovered by: | ||
26 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
27 | |||
28 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
29 | |||
30 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a] | ||
31 | CVE: CVE-2023-5367 | ||
32 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
33 | --- | ||
34 | Xi/xiproperty.c | 4 ++-- | ||
35 | randr/rrproperty.c | 4 ++-- | ||
36 | 2 files changed, 4 insertions(+), 4 deletions(-) | ||
37 | |||
38 | diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c | ||
39 | index 066ba21fba..d315f04d0e 100644 | ||
40 | --- a/Xi/xiproperty.c | ||
41 | +++ b/Xi/xiproperty.c | ||
42 | @@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, | ||
43 | XIDestroyDeviceProperty(prop); | ||
44 | return BadAlloc; | ||
45 | } | ||
46 | - new_value.size = len; | ||
47 | + new_value.size = total_len; | ||
48 | new_value.type = type; | ||
49 | new_value.format = format; | ||
50 | |||
51 | @@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, | ||
52 | case PropModePrepend: | ||
53 | new_data = new_value.data; | ||
54 | old_data = (void *) (((char *) new_value.data) + | ||
55 | - (prop_value->size * size_in_bytes)); | ||
56 | + (len * size_in_bytes)); | ||
57 | break; | ||
58 | } | ||
59 | if (new_data) | ||
60 | diff --git a/randr/rrproperty.c b/randr/rrproperty.c | ||
61 | index c2fb9585c6..25469f57b2 100644 | ||
62 | --- a/randr/rrproperty.c | ||
63 | +++ b/randr/rrproperty.c | ||
64 | @@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, | ||
65 | RRDestroyOutputProperty(prop); | ||
66 | return BadAlloc; | ||
67 | } | ||
68 | - new_value.size = len; | ||
69 | + new_value.size = total_len; | ||
70 | new_value.type = type; | ||
71 | new_value.format = format; | ||
72 | |||
73 | @@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, | ||
74 | case PropModePrepend: | ||
75 | new_data = new_value.data; | ||
76 | old_data = (void *) (((char *) new_value.data) + | ||
77 | - (prop_value->size * size_in_bytes)); | ||
78 | + (len * size_in_bytes)); | ||
79 | break; | ||
80 | } | ||
81 | if (new_data) | ||
82 | -- | ||
83 | GitLab | ||
84 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch new file mode 100644 index 0000000000..720340d83b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 5 Oct 2023 12:19:45 +1000 | ||
4 | Subject: [PATCH] mi: reset the PointerWindows reference on screen switch | ||
5 | |||
6 | PointerWindows[] keeps a reference to the last window our sprite | ||
7 | entered - changes are usually handled by CheckMotion(). | ||
8 | |||
9 | If we switch between screens via XWarpPointer our | ||
10 | dev->spriteInfo->sprite->win is set to the new screen's root window. | ||
11 | If there's another window at the cursor location CheckMotion() will | ||
12 | trigger the right enter/leave events later. If there is not, it skips | ||
13 | that process and we never trigger LeaveWindow() - PointerWindows[] for | ||
14 | the device still refers to the previous window. | ||
15 | |||
16 | If that window is destroyed we have a dangling reference that will | ||
17 | eventually cause a use-after-free bug when checking the window hierarchy | ||
18 | later. | ||
19 | |||
20 | To trigger this, we require: | ||
21 | - two protocol screens | ||
22 | - XWarpPointer to the other screen's root window | ||
23 | - XDestroyWindow before entering any other window | ||
24 | |||
25 | This is a niche bug so we hack around it by making sure we reset the | ||
26 | PointerWindows[] entry so we cannot have a dangling pointer. This | ||
27 | doesn't handle Enter/Leave events correctly but the previous code didn't | ||
28 | either. | ||
29 | |||
30 | CVE-2023-5380, ZDI-CAN-21608 | ||
31 | |||
32 | This vulnerability was discovered by: | ||
33 | Sri working with Trend Micro Zero Day Initiative | ||
34 | |||
35 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
36 | Reviewed-by: Adam Jackson <ajax@redhat.com> | ||
37 | |||
38 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] | ||
39 | CVE: CVE-2023-5380 | ||
40 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
41 | --- | ||
42 | dix/enterleave.h | 2 -- | ||
43 | include/eventstr.h | 3 +++ | ||
44 | mi/mipointer.c | 17 +++++++++++++++-- | ||
45 | 3 files changed, 18 insertions(+), 4 deletions(-) | ||
46 | |||
47 | diff --git a/dix/enterleave.h b/dix/enterleave.h | ||
48 | index 4b833d8..e8af924 100644 | ||
49 | --- a/dix/enterleave.h | ||
50 | +++ b/dix/enterleave.h | ||
51 | @@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, | ||
52 | |||
53 | extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); | ||
54 | |||
55 | -extern void LeaveWindow(DeviceIntPtr dev); | ||
56 | - | ||
57 | extern void CoreFocusEvent(DeviceIntPtr kbd, | ||
58 | int type, int mode, int detail, WindowPtr pWin); | ||
59 | |||
60 | diff --git a/include/eventstr.h b/include/eventstr.h | ||
61 | index bf3b95f..2bae3b0 100644 | ||
62 | --- a/include/eventstr.h | ||
63 | +++ b/include/eventstr.h | ||
64 | @@ -296,4 +296,7 @@ union _InternalEvent { | ||
65 | #endif | ||
66 | }; | ||
67 | |||
68 | +extern void | ||
69 | +LeaveWindow(DeviceIntPtr dev); | ||
70 | + | ||
71 | #endif | ||
72 | diff --git a/mi/mipointer.c b/mi/mipointer.c | ||
73 | index 75be1ae..b12ae9b 100644 | ||
74 | --- a/mi/mipointer.c | ||
75 | +++ b/mi/mipointer.c | ||
76 | @@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) | ||
77 | #ifdef PANORAMIX | ||
78 | && noPanoramiXExtension | ||
79 | #endif | ||
80 | - ) | ||
81 | - UpdateSpriteForScreen(pDev, pScreen); | ||
82 | + ) { | ||
83 | + DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); | ||
84 | + /* Hack for CVE-2023-5380: if we're moving | ||
85 | + * screens PointerWindows[] keeps referring to the | ||
86 | + * old window. If that gets destroyed we have a UAF | ||
87 | + * bug later. Only happens when jumping from a window | ||
88 | + * to the root window on the other screen. | ||
89 | + * Enter/Leave events are incorrect for that case but | ||
90 | + * too niche to fix. | ||
91 | + */ | ||
92 | + LeaveWindow(pDev); | ||
93 | + if (master) | ||
94 | + LeaveWindow(master); | ||
95 | + UpdateSpriteForScreen(pDev, pScreen); | ||
96 | + } | ||
97 | } | ||
98 | |||
99 | /** | ||
100 | -- | ||
101 | 2.25.1 | ||
102 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch new file mode 100644 index 0000000000..0abd5914fa --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 28 Nov 2023 15:19:04 +1000 | ||
4 | Subject: [PATCH] Xi: allocate enough XkbActions for our buttons | ||
5 | |||
6 | button->xkb_acts is supposed to be an array sufficiently large for all | ||
7 | our buttons, not just a single XkbActions struct. Allocating | ||
8 | insufficient memory here means when we memcpy() later in | ||
9 | XkbSetDeviceInfo we write into memory that wasn't ours to begin with, | ||
10 | leading to the usual security ooopsiedaisies. | ||
11 | |||
12 | CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 | ||
13 | |||
14 | This vulnerability was discovered by: | ||
15 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
16 | |||
17 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd] | ||
18 | CVE: CVE-2023-6377 | ||
19 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
20 | --- | ||
21 | Xi/exevents.c | 12 ++++++------ | ||
22 | dix/devices.c | 10 ++++++++++ | ||
23 | 2 files changed, 16 insertions(+), 6 deletions(-) | ||
24 | |||
25 | diff --git a/Xi/exevents.c b/Xi/exevents.c | ||
26 | index dcd4efb3bc..54ea11a938 100644 | ||
27 | --- a/Xi/exevents.c | ||
28 | +++ b/Xi/exevents.c | ||
29 | @@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) | ||
30 | } | ||
31 | |||
32 | if (from->button->xkb_acts) { | ||
33 | - if (!to->button->xkb_acts) { | ||
34 | - to->button->xkb_acts = calloc(1, sizeof(XkbAction)); | ||
35 | - if (!to->button->xkb_acts) | ||
36 | - FatalError("[Xi] not enough memory for xkb_acts.\n"); | ||
37 | - } | ||
38 | + size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); | ||
39 | + to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, | ||
40 | + maxbuttons, | ||
41 | + sizeof(XkbAction)); | ||
42 | + memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); | ||
43 | memcpy(to->button->xkb_acts, from->button->xkb_acts, | ||
44 | - sizeof(XkbAction)); | ||
45 | + from->button->numButtons * sizeof(XkbAction)); | ||
46 | } | ||
47 | else { | ||
48 | free(to->button->xkb_acts); | ||
49 | diff --git a/dix/devices.c b/dix/devices.c | ||
50 | index b063128df0..3f3224d626 100644 | ||
51 | --- a/dix/devices.c | ||
52 | +++ b/dix/devices.c | ||
53 | @@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) | ||
54 | |||
55 | if (master->button && master->button->numButtons != maxbuttons) { | ||
56 | int i; | ||
57 | + int last_num_buttons = master->button->numButtons; | ||
58 | + | ||
59 | DeviceChangedEvent event = { | ||
60 | .header = ET_Internal, | ||
61 | .type = ET_DeviceChanged, | ||
62 | @@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) | ||
63 | }; | ||
64 | |||
65 | master->button->numButtons = maxbuttons; | ||
66 | + if (last_num_buttons < maxbuttons) { | ||
67 | + master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, | ||
68 | + maxbuttons, | ||
69 | + sizeof(XkbAction)); | ||
70 | + memset(&master->button->xkb_acts[last_num_buttons], | ||
71 | + 0, | ||
72 | + (maxbuttons - last_num_buttons) * sizeof(XkbAction)); | ||
73 | + } | ||
74 | |||
75 | memcpy(&event.buttons.names, master->button->labels, maxbuttons * | ||
76 | sizeof(Atom)); | ||
77 | -- | ||
78 | GitLab | ||
79 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch new file mode 100644 index 0000000000..6392eae3f8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Mon, 27 Nov 2023 16:27:49 +1000 | ||
4 | Subject: [PATCH] randr: avoid integer truncation in length check of | ||
5 | ProcRRChange*Property | ||
6 | |||
7 | Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. | ||
8 | See also xserver@8f454b79 where this same bug was fixed for the core | ||
9 | protocol and XI. | ||
10 | |||
11 | This fixes an OOB read and the resulting information disclosure. | ||
12 | |||
13 | Length calculation for the request was clipped to a 32-bit integer. With | ||
14 | the correct stuff->nUnits value the expected request size was | ||
15 | truncated, passing the REQUEST_FIXED_SIZE check. | ||
16 | |||
17 | The server then proceeded with reading at least stuff->num_items bytes | ||
18 | (depending on stuff->format) from the request and stuffing whatever it | ||
19 | finds into the property. In the process it would also allocate at least | ||
20 | stuff->nUnits bytes, i.e. 4GB. | ||
21 | |||
22 | CVE-2023-6478, ZDI-CAN-22561 | ||
23 | |||
24 | This vulnerability was discovered by: | ||
25 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
26 | |||
27 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] | ||
28 | CVE: CVE-2023-6478 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | randr/rrproperty.c | 2 +- | ||
32 | randr/rrproviderproperty.c | 2 +- | ||
33 | 2 files changed, 2 insertions(+), 2 deletions(-) | ||
34 | |||
35 | diff --git a/randr/rrproperty.c b/randr/rrproperty.c | ||
36 | index 25469f57b2..c4fef8a1f6 100644 | ||
37 | --- a/randr/rrproperty.c | ||
38 | +++ b/randr/rrproperty.c | ||
39 | @@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) | ||
40 | char format, mode; | ||
41 | unsigned long len; | ||
42 | int sizeInBytes; | ||
43 | - int totalSize; | ||
44 | + uint64_t totalSize; | ||
45 | int err; | ||
46 | |||
47 | REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); | ||
48 | diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c | ||
49 | index b79c17f9bf..90c5a9a933 100644 | ||
50 | --- a/randr/rrproviderproperty.c | ||
51 | +++ b/randr/rrproviderproperty.c | ||
52 | @@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) | ||
53 | char format, mode; | ||
54 | unsigned long len; | ||
55 | int sizeInBytes; | ||
56 | - int totalSize; | ||
57 | + uint64_t totalSize; | ||
58 | int err; | ||
59 | |||
60 | REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); | ||
61 | -- | ||
62 | GitLab | ||
63 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch new file mode 100644 index 0000000000..0bfff268e7 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 14 Dec 2023 11:29:49 +1000 | ||
4 | Subject: [PATCH] dix: allocate enough space for logical button maps | ||
5 | |||
6 | Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for | ||
7 | each logical button currently down. Since buttons can be arbitrarily mapped | ||
8 | to anything up to 255 make sure we have enough bits for the maximum mapping. | ||
9 | |||
10 | CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 | ||
11 | |||
12 | This vulnerability was discovered by: | ||
13 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
14 | |||
15 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3] | ||
16 | CVE: CVE-2023-6816 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | Xi/xiquerypointer.c | 3 +-- | ||
20 | dix/enterleave.c | 5 +++-- | ||
21 | 2 files changed, 4 insertions(+), 4 deletions(-) | ||
22 | |||
23 | diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c | ||
24 | index 5b77b1a444..2b05ac5f39 100644 | ||
25 | --- a/Xi/xiquerypointer.c | ||
26 | +++ b/Xi/xiquerypointer.c | ||
27 | @@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) | ||
28 | if (pDev->button) { | ||
29 | int i; | ||
30 | |||
31 | - rep.buttons_len = | ||
32 | - bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); | ||
33 | + rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ | ||
34 | rep.length += rep.buttons_len; | ||
35 | buttons = calloc(rep.buttons_len, 4); | ||
36 | if (!buttons) | ||
37 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
38 | index 867ec74363..ded8679d76 100644 | ||
39 | --- a/dix/enterleave.c | ||
40 | +++ b/dix/enterleave.c | ||
41 | @@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, | ||
42 | |||
43 | mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); | ||
44 | |||
45 | - /* XI 2 event */ | ||
46 | - btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; | ||
47 | + /* XI 2 event contains the logical button map - maps are CARD8 | ||
48 | + * so we need 256 bits for the possibly maximum mapping */ | ||
49 | + btlen = (mouse->button) ? bits_to_bytes(256) : 0; | ||
50 | btlen = bytes_to_int32(btlen); | ||
51 | len = sizeof(xXIFocusInEvent) + btlen * 4; | ||
52 | |||
53 | -- | ||
54 | GitLab | ||
55 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch new file mode 100644 index 0000000000..80ebc64e59 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Mon, 18 Dec 2023 14:27:50 +1000 | ||
4 | Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify | ||
5 | |||
6 | If a device has both a button class and a key class and numButtons is | ||
7 | zero, we can get an OOB write due to event under-allocation. | ||
8 | |||
9 | This function seems to assume a device has either keys or buttons, not | ||
10 | both. It has two virtually identical code paths, both of which assume | ||
11 | they're applying to the first event in the sequence. | ||
12 | |||
13 | A device with both a key and button class triggered a logic bug - only | ||
14 | one xEvent was allocated but the deviceStateNotify pointer was pushed on | ||
15 | once per type. So effectively this logic code: | ||
16 | |||
17 | int count = 1; | ||
18 | if (button && nbuttons > 32) count++; | ||
19 | if (key && nbuttons > 0) count++; | ||
20 | if (key && nkeys > 32) count++; // this is basically always true | ||
21 | // count is at 2 for our keys + zero button device | ||
22 | |||
23 | ev = alloc(count * sizeof(xEvent)); | ||
24 | FixDeviceStateNotify(ev); | ||
25 | if (button) | ||
26 | FixDeviceStateNotify(ev++); | ||
27 | if (key) | ||
28 | FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here | ||
29 | |||
30 | If the device has more than 3 valuators, the OOB is pushed back - we're | ||
31 | off by one so it will happen when the last deviceValuator event is | ||
32 | written instead. | ||
33 | |||
34 | Fix this by allocating the maximum number of events we may allocate. | ||
35 | Note that the current behavior is not protocol-correct anyway, this | ||
36 | patch fixes only the allocation issue. | ||
37 | |||
38 | Note that this issue does not trigger if the device has at least one | ||
39 | button. While the server does not prevent a button class with zero | ||
40 | buttons, it is very unlikely. | ||
41 | |||
42 | CVE-2024-0229, ZDI-CAN-22678 | ||
43 | |||
44 | This vulnerability was discovered by: | ||
45 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
46 | |||
47 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5] | ||
48 | CVE: CVE-2024-0229 | ||
49 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
50 | --- | ||
51 | dix/enterleave.c | 6 +++--- | ||
52 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
53 | |||
54 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
55 | index ded8679d76..17964b00a4 100644 | ||
56 | --- a/dix/enterleave.c | ||
57 | +++ b/dix/enterleave.c | ||
58 | @@ -675,7 +675,8 @@ static void | ||
59 | DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
60 | { | ||
61 | int evcount = 1; | ||
62 | - deviceStateNotify *ev, *sev; | ||
63 | + deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; | ||
64 | + deviceStateNotify *ev; | ||
65 | deviceKeyStateNotify *kev; | ||
66 | deviceButtonStateNotify *bev; | ||
67 | |||
68 | @@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
69 | } | ||
70 | } | ||
71 | |||
72 | - sev = ev = xallocarray(evcount, sizeof(xEvent)); | ||
73 | + ev = sev; | ||
74 | FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); | ||
75 | |||
76 | if (b != NULL) { | ||
77 | @@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
78 | |||
79 | DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, | ||
80 | DeviceStateNotifyMask, NullGrab); | ||
81 | - free(sev); | ||
82 | } | ||
83 | |||
84 | void | ||
85 | -- | ||
86 | GitLab | ||
87 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch new file mode 100644 index 0000000000..65df74376b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch | |||
@@ -0,0 +1,221 @@ | |||
1 | From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Mon, 18 Dec 2023 12:26:20 +1000 | ||
4 | Subject: [PATCH] dix: fix DeviceStateNotify event calculation | ||
5 | |||
6 | The previous code only made sense if one considers buttons and keys to | ||
7 | be mutually exclusive on a device. That is not necessarily true, causing | ||
8 | a number of issues. | ||
9 | |||
10 | This function allocates and fills in the number of xEvents we need to | ||
11 | send the device state down the wire. This is split across multiple | ||
12 | 32-byte devices including one deviceStateNotify event and optional | ||
13 | deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) | ||
14 | deviceValuator events. | ||
15 | |||
16 | The previous behavior would instead compose a sequence | ||
17 | of [state, buttonstate, state, keystate, valuator...]. This is not | ||
18 | protocol correct, and on top of that made the code extremely convoluted. | ||
19 | |||
20 | Fix this by streamlining: add both button and key into the deviceStateNotify | ||
21 | and then append the key state and button state, followed by the | ||
22 | valuators. Finally, the deviceValuator events contain up to 6 valuators | ||
23 | per event but we only ever sent through 3 at a time. Let's double that | ||
24 | troughput. | ||
25 | |||
26 | CVE-2024-0229, ZDI-CAN-22678 | ||
27 | |||
28 | This vulnerability was discovered by: | ||
29 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
30 | |||
31 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5] | ||
32 | CVE: CVE-2024-0229 | ||
33 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
34 | --- | ||
35 | dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- | ||
36 | 1 file changed, 52 insertions(+), 69 deletions(-) | ||
37 | |||
38 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
39 | index 17964b00a4..7b7ba1098b 100644 | ||
40 | --- a/dix/enterleave.c | ||
41 | +++ b/dix/enterleave.c | ||
42 | @@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, | ||
43 | |||
44 | ev->type = DeviceValuator; | ||
45 | ev->deviceid = dev->id; | ||
46 | - ev->num_valuators = nval < 3 ? nval : 3; | ||
47 | + ev->num_valuators = nval < 6 ? nval : 6; | ||
48 | ev->first_valuator = first; | ||
49 | switch (ev->num_valuators) { | ||
50 | + case 6: | ||
51 | + ev->valuator2 = v->axisVal[first + 5]; | ||
52 | + case 5: | ||
53 | + ev->valuator2 = v->axisVal[first + 4]; | ||
54 | + case 4: | ||
55 | + ev->valuator2 = v->axisVal[first + 3]; | ||
56 | case 3: | ||
57 | ev->valuator2 = v->axisVal[first + 2]; | ||
58 | case 2: | ||
59 | @@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, | ||
60 | ev->valuator0 = v->axisVal[first]; | ||
61 | break; | ||
62 | } | ||
63 | - first += ev->num_valuators; | ||
64 | } | ||
65 | |||
66 | static void | ||
67 | @@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, | ||
68 | ev->num_buttons = b->numButtons; | ||
69 | memcpy((char *) ev->buttons, (char *) b->down, 4); | ||
70 | } | ||
71 | - else if (k) { | ||
72 | + if (k) { | ||
73 | ev->classes_reported |= (1 << KeyClass); | ||
74 | ev->num_keys = k->xkbInfo->desc->max_key_code - | ||
75 | k->xkbInfo->desc->min_key_code; | ||
76 | @@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, | ||
77 | } | ||
78 | } | ||
79 | |||
80 | - | ||
81 | +/** | ||
82 | + * The device state notify event is split across multiple 32-byte events. | ||
83 | + * The first one contains the first 32 button state bits, the first 32 | ||
84 | + * key state bits, and the first 3 valuator values. | ||
85 | + * | ||
86 | + * If a device has more than that, the server sends out: | ||
87 | + * - one deviceButtonStateNotify for buttons 32 and above | ||
88 | + * - one deviceKeyStateNotify for keys 32 and above | ||
89 | + * - one deviceValuator event per 6 valuators above valuator 4 | ||
90 | + * | ||
91 | + * All events but the last one have the deviceid binary ORed with MORE_EVENTS, | ||
92 | + */ | ||
93 | static void | ||
94 | DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
95 | { | ||
96 | + /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify | ||
97 | + * and one deviceValuator for each 6 valuators */ | ||
98 | + deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; | ||
99 | int evcount = 1; | ||
100 | - deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; | ||
101 | - deviceStateNotify *ev; | ||
102 | - deviceKeyStateNotify *kev; | ||
103 | - deviceButtonStateNotify *bev; | ||
104 | + deviceStateNotify *ev = sev; | ||
105 | |||
106 | KeyClassPtr k; | ||
107 | ButtonClassPtr b; | ||
108 | @@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
109 | |||
110 | if ((b = dev->button) != NULL) { | ||
111 | nbuttons = b->numButtons; | ||
112 | - if (nbuttons > 32) | ||
113 | + if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ | ||
114 | evcount++; | ||
115 | } | ||
116 | if ((k = dev->key) != NULL) { | ||
117 | nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; | ||
118 | - if (nkeys > 32) | ||
119 | + if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ | ||
120 | evcount++; | ||
121 | - if (nbuttons > 0) { | ||
122 | - evcount++; | ||
123 | - } | ||
124 | } | ||
125 | if ((v = dev->valuator) != NULL) { | ||
126 | nval = v->numAxes; | ||
127 | - | ||
128 | - if (nval > 3) | ||
129 | - evcount++; | ||
130 | - if (nval > 6) { | ||
131 | - if (!(k && b)) | ||
132 | - evcount++; | ||
133 | - if (nval > 9) | ||
134 | - evcount += ((nval - 7) / 3); | ||
135 | - } | ||
136 | + /* first three are encoded in deviceStateNotify, then | ||
137 | + * it's 6 per deviceValuator event */ | ||
138 | + evcount += ((nval - 3) + 6)/6; | ||
139 | } | ||
140 | |||
141 | - ev = sev; | ||
142 | - FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); | ||
143 | - | ||
144 | - if (b != NULL) { | ||
145 | - FixDeviceStateNotify(dev, ev++, NULL, b, v, first); | ||
146 | - first += 3; | ||
147 | - nval -= 3; | ||
148 | - if (nbuttons > 32) { | ||
149 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
150 | - bev = (deviceButtonStateNotify *) ev++; | ||
151 | - bev->type = DeviceButtonStateNotify; | ||
152 | - bev->deviceid = dev->id; | ||
153 | - memcpy((char *) &bev->buttons[4], (char *) &b->down[4], | ||
154 | - DOWN_LENGTH - 4); | ||
155 | - } | ||
156 | - if (nval > 0) { | ||
157 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
158 | - FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); | ||
159 | - first += 3; | ||
160 | - nval -= 3; | ||
161 | - } | ||
162 | + BUG_RETURN(evcount <= ARRAY_SIZE(sev)); | ||
163 | + | ||
164 | + FixDeviceStateNotify(dev, ev, k, b, v, first); | ||
165 | + | ||
166 | + if (b != NULL && nbuttons > 32) { | ||
167 | + deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; | ||
168 | + (ev - 1)->deviceid |= MORE_EVENTS; | ||
169 | + bev->type = DeviceButtonStateNotify; | ||
170 | + bev->deviceid = dev->id; | ||
171 | + memcpy((char *) &bev->buttons[4], (char *) &b->down[4], | ||
172 | + DOWN_LENGTH - 4); | ||
173 | } | ||
174 | |||
175 | - if (k != NULL) { | ||
176 | - FixDeviceStateNotify(dev, ev++, k, NULL, v, first); | ||
177 | - first += 3; | ||
178 | - nval -= 3; | ||
179 | - if (nkeys > 32) { | ||
180 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
181 | - kev = (deviceKeyStateNotify *) ev++; | ||
182 | - kev->type = DeviceKeyStateNotify; | ||
183 | - kev->deviceid = dev->id; | ||
184 | - memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); | ||
185 | - } | ||
186 | - if (nval > 0) { | ||
187 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
188 | - FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); | ||
189 | - first += 3; | ||
190 | - nval -= 3; | ||
191 | - } | ||
192 | + if (k != NULL && nkeys > 32) { | ||
193 | + deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; | ||
194 | + (ev - 1)->deviceid |= MORE_EVENTS; | ||
195 | + kev->type = DeviceKeyStateNotify; | ||
196 | + kev->deviceid = dev->id; | ||
197 | + memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); | ||
198 | } | ||
199 | |||
200 | + first = 3; | ||
201 | + nval -= 3; | ||
202 | while (nval > 0) { | ||
203 | - FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); | ||
204 | - first += 3; | ||
205 | - nval -= 3; | ||
206 | - if (nval > 0) { | ||
207 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
208 | - FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); | ||
209 | - first += 3; | ||
210 | - nval -= 3; | ||
211 | - } | ||
212 | + ev->deviceid |= MORE_EVENTS; | ||
213 | + FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); | ||
214 | + first += 6; | ||
215 | + nval -= 6; | ||
216 | } | ||
217 | |||
218 | DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, | ||
219 | -- | ||
220 | GitLab | ||
221 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch new file mode 100644 index 0000000000..742c122fa8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 21 Dec 2023 13:48:10 +1000 | ||
4 | Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of | ||
5 | buttons | ||
6 | |||
7 | There's a racy sequence where a master device may copy the button class | ||
8 | from the slave, without ever initializing numButtons. This leads to a | ||
9 | device with zero buttons but a button class which is invalid. | ||
10 | |||
11 | Let's copy the numButtons value from the source - by definition if we | ||
12 | don't have a button class yet we do not have any other slave devices | ||
13 | with more than this number of buttons anyway. | ||
14 | |||
15 | CVE-2024-0229, ZDI-CAN-22678 | ||
16 | |||
17 | This vulnerability was discovered by: | ||
18 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
19 | |||
20 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74] | ||
21 | CVE: CVE-2024-0229 | ||
22 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
23 | --- | ||
24 | Xi/exevents.c | 1 + | ||
25 | 1 file changed, 1 insertion(+) | ||
26 | |||
27 | diff --git a/Xi/exevents.c b/Xi/exevents.c | ||
28 | index 54ea11a938..e161714682 100644 | ||
29 | --- a/Xi/exevents.c | ||
30 | +++ b/Xi/exevents.c | ||
31 | @@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) | ||
32 | to->button = calloc(1, sizeof(ButtonClassRec)); | ||
33 | if (!to->button) | ||
34 | FatalError("[Xi] no memory for class shift.\n"); | ||
35 | + to->button->numButtons = from->button->numButtons; | ||
36 | } | ||
37 | else | ||
38 | classes->button = NULL; | ||
39 | -- | ||
40 | GitLab | ||
41 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch new file mode 100644 index 0000000000..d1a6214793 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 21 Dec 2023 14:10:11 +1000 | ||
4 | Subject: [PATCH] Xi: require a pointer and keyboard device for | ||
5 | XIAttachToMaster | ||
6 | |||
7 | If we remove a master device and specify which other master devices | ||
8 | attached slaves should be returned to, enforce that those two are | ||
9 | indeeed a pointer and a keyboard. | ||
10 | |||
11 | Otherwise we can try to attach the keyboards to pointers and vice versa, | ||
12 | leading to possible crashes later. | ||
13 | |||
14 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe] | ||
15 | CVE: CVE-2024-0229 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | Xi/xichangehierarchy.c | 4 ++-- | ||
19 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c | ||
22 | index 504defe566..d2d985848d 100644 | ||
23 | --- a/Xi/xichangehierarchy.c | ||
24 | +++ b/Xi/xichangehierarchy.c | ||
25 | @@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) | ||
26 | if (rc != Success) | ||
27 | goto unwind; | ||
28 | |||
29 | - if (!IsMaster(newptr)) { | ||
30 | + if (!IsMaster(newptr) || !IsPointerDevice(newptr)) { | ||
31 | client->errorValue = r->return_pointer; | ||
32 | rc = BadDevice; | ||
33 | goto unwind; | ||
34 | @@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) | ||
35 | if (rc != Success) | ||
36 | goto unwind; | ||
37 | |||
38 | - if (!IsMaster(newkeybd)) { | ||
39 | + if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) { | ||
40 | client->errorValue = r->return_keyboard; | ||
41 | rc = BadDevice; | ||
42 | goto unwind; | ||
43 | -- | ||
44 | GitLab | ||
45 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch new file mode 100644 index 0000000000..c8f75d8a7e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Wed, 6 Dec 2023 12:09:41 +0100 | ||
4 | Subject: [PATCH] glx: Call XACE hooks on the GLX buffer | ||
5 | |||
6 | The XSELINUX code will label resources at creation by checking the | ||
7 | access mode. When the access mode is DixCreateAccess, it will call the | ||
8 | function to label the new resource SELinuxLabelResource(). | ||
9 | |||
10 | However, GLX buffers do not go through the XACE hooks when created, | ||
11 | hence leaving the resource actually unlabeled. | ||
12 | |||
13 | When, later, the client tries to create another resource using that | ||
14 | drawable (like a GC for example), the XSELINUX code would try to use | ||
15 | the security ID of that object which has never been labeled, get a NULL | ||
16 | pointer and crash when checking whether the requested permissions are | ||
17 | granted for subject security ID. | ||
18 | |||
19 | To avoid the issue, make sure to call the XACE hooks when creating the | ||
20 | GLX buffers. | ||
21 | |||
22 | Credit goes to Donn Seeley <donn@xmission.com> for providing the patch. | ||
23 | |||
24 | CVE-2024-0408 | ||
25 | |||
26 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
27 | Acked-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
28 | |||
29 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3] | ||
30 | CVE: CVE-2024-0408 | ||
31 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
32 | --- | ||
33 | glx/glxcmds.c | 8 ++++++++ | ||
34 | 1 file changed, 8 insertions(+) | ||
35 | |||
36 | diff --git a/glx/glxcmds.c b/glx/glxcmds.c | ||
37 | index fc26a2e345..1e46d0c723 100644 | ||
38 | --- a/glx/glxcmds.c | ||
39 | +++ b/glx/glxcmds.c | ||
40 | @@ -48,6 +48,7 @@ | ||
41 | #include "indirect_util.h" | ||
42 | #include "protocol-versions.h" | ||
43 | #include "glxvndabi.h" | ||
44 | +#include "xace.h" | ||
45 | |||
46 | static char GLXServerVendorName[] = "SGI"; | ||
47 | |||
48 | @@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, | ||
49 | if (!pPixmap) | ||
50 | return BadAlloc; | ||
51 | |||
52 | + err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, | ||
53 | + pPixmap, RT_NONE, NULL, DixCreateAccess); | ||
54 | + if (err != Success) { | ||
55 | + (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); | ||
56 | + return err; | ||
57 | + } | ||
58 | + | ||
59 | /* Assign the pixmap the same id as the pbuffer and add it as a | ||
60 | * resource so it and the DRI2 drawable will be reclaimed when the | ||
61 | * pbuffer is destroyed. */ | ||
62 | -- | ||
63 | GitLab | ||
64 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch new file mode 100644 index 0000000000..9763e0b562 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Wed, 6 Dec 2023 11:51:56 +0100 | ||
4 | Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor | ||
5 | |||
6 | The cursor in DIX is actually split in two parts, the cursor itself and | ||
7 | the cursor bits, each with their own devPrivates. | ||
8 | |||
9 | The cursor itself includes the cursor bits, meaning that the cursor bits | ||
10 | devPrivates in within structure of the cursor. | ||
11 | |||
12 | Both Xephyr and Xwayland were using the private key for the cursor bits | ||
13 | to store the data for the cursor, and when using XSELINUX which comes | ||
14 | with its own special devPrivates, the data stored in that cursor bits' | ||
15 | devPrivates would interfere with the XSELINUX devPrivates data and the | ||
16 | SELINUX security ID would point to some other unrelated data, causing a | ||
17 | crash in the XSELINUX code when trying to (re)use the security ID. | ||
18 | |||
19 | CVE-2024-0409 | ||
20 | |||
21 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
22 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
23 | |||
24 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7] | ||
25 | CVE: CVE-2024-0409 | ||
26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
27 | --- | ||
28 | hw/kdrive/ephyr/ephyrcursor.c | 2 +- | ||
29 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c | ||
32 | index f991899..3f192d0 100644 | ||
33 | --- a/hw/kdrive/ephyr/ephyrcursor.c | ||
34 | +++ b/hw/kdrive/ephyr/ephyrcursor.c | ||
35 | @@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = { | ||
36 | Bool | ||
37 | ephyrCursorInit(ScreenPtr screen) | ||
38 | { | ||
39 | - if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS, | ||
40 | + if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR, | ||
41 | sizeof(ephyrCursorRec))) | ||
42 | return FALSE; | ||
43 | |||
44 | -- | ||
45 | 2.25.1 | ||
46 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch new file mode 100644 index 0000000000..7c8fbcc3ec --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 4 Jan 2024 10:01:24 +1000 | ||
4 | Subject: [PATCH] Xi: flush hierarchy events after adding/removing master | ||
5 | devices | ||
6 | |||
7 | The `XISendDeviceHierarchyEvent()` function allocates space to store up | ||
8 | to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. | ||
9 | |||
10 | If a device with a given ID was removed and a new device with the same | ||
11 | ID added both in the same operation, the single device ID will lead to | ||
12 | two info structures being written to `info`. | ||
13 | |||
14 | Since this case can occur for every device ID at once, a total of two | ||
15 | times `MAXDEVICES` info structures might be written to the allocation. | ||
16 | |||
17 | To avoid it, once one add/remove master is processed, send out the | ||
18 | device hierarchy event for the current state and continue. That event | ||
19 | thus only ever has exactly one of either added/removed in it (and | ||
20 | optionally slave attached/detached). | ||
21 | |||
22 | CVE-2024-21885, ZDI-CAN-22744 | ||
23 | |||
24 | This vulnerability was discovered by: | ||
25 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
26 | |||
27 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1] | ||
28 | CVE: CVE-2024-21885 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- | ||
32 | 1 file changed, 22 insertions(+), 5 deletions(-) | ||
33 | |||
34 | diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c | ||
35 | index d2d985848d..72d00451e3 100644 | ||
36 | --- a/Xi/xichangehierarchy.c | ||
37 | +++ b/Xi/xichangehierarchy.c | ||
38 | @@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
39 | size_t len; /* length of data remaining in request */ | ||
40 | int rc = Success; | ||
41 | int flags[MAXDEVICES] = { 0 }; | ||
42 | + enum { | ||
43 | + NO_CHANGE, | ||
44 | + FLUSH, | ||
45 | + CHANGED, | ||
46 | + } changes = NO_CHANGE; | ||
47 | |||
48 | REQUEST(xXIChangeHierarchyReq); | ||
49 | REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); | ||
50 | @@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
51 | rc = add_master(client, c, flags); | ||
52 | if (rc != Success) | ||
53 | goto unwind; | ||
54 | - } | ||
55 | + changes = FLUSH; | ||
56 | break; | ||
57 | + } | ||
58 | case XIRemoveMaster: | ||
59 | { | ||
60 | xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; | ||
61 | @@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
62 | rc = remove_master(client, r, flags); | ||
63 | if (rc != Success) | ||
64 | goto unwind; | ||
65 | - } | ||
66 | + changes = FLUSH; | ||
67 | break; | ||
68 | + } | ||
69 | case XIDetachSlave: | ||
70 | { | ||
71 | xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; | ||
72 | @@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
73 | rc = detach_slave(client, c, flags); | ||
74 | if (rc != Success) | ||
75 | goto unwind; | ||
76 | - } | ||
77 | + changes = CHANGED; | ||
78 | break; | ||
79 | + } | ||
80 | case XIAttachSlave: | ||
81 | { | ||
82 | xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; | ||
83 | @@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
84 | rc = attach_slave(client, c, flags); | ||
85 | if (rc != Success) | ||
86 | goto unwind; | ||
87 | + changes = CHANGED; | ||
88 | + break; | ||
89 | } | ||
90 | + default: | ||
91 | break; | ||
92 | } | ||
93 | |||
94 | + if (changes == FLUSH) { | ||
95 | + XISendDeviceHierarchyEvent(flags); | ||
96 | + memset(flags, 0, sizeof(flags)); | ||
97 | + changes = NO_CHANGE; | ||
98 | + } | ||
99 | + | ||
100 | len -= any->length * 4; | ||
101 | any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); | ||
102 | } | ||
103 | |||
104 | unwind: | ||
105 | - | ||
106 | - XISendDeviceHierarchyEvent(flags); | ||
107 | + if (changes != NO_CHANGE) | ||
108 | + XISendDeviceHierarchyEvent(flags); | ||
109 | return rc; | ||
110 | } | ||
111 | -- | ||
112 | GitLab | ||
113 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch new file mode 100644 index 0000000000..1e1c782963 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com> | ||
3 | Date: Fri, 22 Dec 2023 18:28:31 +0100 | ||
4 | Subject: [PATCH] Xi: do not keep linked list pointer during recursion | ||
5 | |||
6 | The `DisableDevice()` function is called whenever an enabled device | ||
7 | is disabled and it moves the device from the `inputInfo.devices` linked | ||
8 | list to the `inputInfo.off_devices` linked list. | ||
9 | |||
10 | However, its link/unlink operation has an issue during the recursive | ||
11 | call to `DisableDevice()` due to the `prev` pointer pointing to a | ||
12 | removed device. | ||
13 | |||
14 | This issue leads to a length mismatch between the total number of | ||
15 | devices and the number of device in the list, leading to a heap | ||
16 | overflow and, possibly, to local privilege escalation. | ||
17 | |||
18 | Simplify the code that checked whether the device passed to | ||
19 | `DisableDevice()` was in `inputInfo.devices` or not and find the | ||
20 | previous device after the recursion. | ||
21 | |||
22 | CVE-2024-21886, ZDI-CAN-22840 | ||
23 | |||
24 | This vulnerability was discovered by: | ||
25 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
26 | |||
27 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b] | ||
28 | CVE: CVE-2024-21886 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | dix/devices.c | 15 ++++++++++++--- | ||
32 | 1 file changed, 12 insertions(+), 3 deletions(-) | ||
33 | |||
34 | diff --git a/dix/devices.c b/dix/devices.c | ||
35 | index dca98c8d1b..389d28a23c 100644 | ||
36 | --- a/dix/devices.c | ||
37 | +++ b/dix/devices.c | ||
38 | @@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
39 | { | ||
40 | DeviceIntPtr *prev, other; | ||
41 | BOOL enabled; | ||
42 | + BOOL dev_in_devices_list = FALSE; | ||
43 | int flags[MAXDEVICES] = { 0 }; | ||
44 | |||
45 | if (!dev->enabled) | ||
46 | return TRUE; | ||
47 | |||
48 | - for (prev = &inputInfo.devices; | ||
49 | - *prev && (*prev != dev); prev = &(*prev)->next); | ||
50 | - if (*prev != dev) | ||
51 | + for (other = inputInfo.devices; other; other = other->next) { | ||
52 | + if (other == dev) { | ||
53 | + dev_in_devices_list = TRUE; | ||
54 | + break; | ||
55 | + } | ||
56 | + } | ||
57 | + | ||
58 | + if (!dev_in_devices_list) | ||
59 | return FALSE; | ||
60 | |||
61 | TouchEndPhysicallyActiveTouches(dev); | ||
62 | @@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
63 | LeaveWindow(dev); | ||
64 | SetFocusOut(dev); | ||
65 | |||
66 | + for (prev = &inputInfo.devices; | ||
67 | + *prev && (*prev != dev); prev = &(*prev)->next); | ||
68 | + | ||
69 | *prev = dev->next; | ||
70 | dev->next = inputInfo.off_devices; | ||
71 | inputInfo.off_devices = dev; | ||
72 | -- | ||
73 | GitLab | ||
74 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch new file mode 100644 index 0000000000..af607df4f0 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Fri, 5 Jan 2024 09:40:27 +1000 | ||
4 | Subject: [PATCH] dix: when disabling a master, float disabled slaved devices | ||
5 | too | ||
6 | |||
7 | Disabling a master device floats all slave devices but we didn't do this | ||
8 | to already-disabled slave devices. As a result those devices kept their | ||
9 | reference to the master device resulting in access to already freed | ||
10 | memory if the master device was removed before the corresponding slave | ||
11 | device. | ||
12 | |||
13 | And to match this behavior, also forcibly reset that pointer during | ||
14 | CloseDownDevices(). | ||
15 | |||
16 | Related to CVE-2024-21886, ZDI-CAN-22840 | ||
17 | |||
18 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8] | ||
19 | CVE: CVE-2024-21886 | ||
20 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
21 | --- | ||
22 | dix/devices.c | 12 ++++++++++++ | ||
23 | 1 file changed, 12 insertions(+) | ||
24 | |||
25 | diff --git a/dix/devices.c b/dix/devices.c | ||
26 | index 389d28a23c..84a6406d13 100644 | ||
27 | --- a/dix/devices.c | ||
28 | +++ b/dix/devices.c | ||
29 | @@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
30 | flags[other->id] |= XISlaveDetached; | ||
31 | } | ||
32 | } | ||
33 | + | ||
34 | + for (other = inputInfo.off_devices; other; other = other->next) { | ||
35 | + if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { | ||
36 | + AttachDevice(NULL, other, NULL); | ||
37 | + flags[other->id] |= XISlaveDetached; | ||
38 | + } | ||
39 | + } | ||
40 | } | ||
41 | else { | ||
42 | for (other = inputInfo.devices; other; other = other->next) { | ||
43 | @@ -1088,6 +1095,11 @@ CloseDownDevices(void) | ||
44 | dev->master = NULL; | ||
45 | } | ||
46 | |||
47 | + for (dev = inputInfo.off_devices; dev; dev = dev->next) { | ||
48 | + if (!IsMaster(dev) && !IsFloating(dev)) | ||
49 | + dev->master = NULL; | ||
50 | + } | ||
51 | + | ||
52 | CloseDeviceList(&inputInfo.devices); | ||
53 | CloseDeviceList(&inputInfo.off_devices); | ||
54 | |||
55 | -- | ||
56 | GitLab | ||
57 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch new file mode 100644 index 0000000000..da735efb2b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Fri, 22 Mar 2024 18:51:45 -0700 | ||
4 | Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to | ||
5 | send reply | ||
6 | |||
7 | CVE-2024-31080 | ||
8 | |||
9 | Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 | ||
10 | Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") | ||
11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
12 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
13 | |||
14 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] | ||
15 | CVE: CVE-2024-31080 | ||
16 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
17 | |||
18 | Xi/xiselectev.c | 5 ++++- | ||
19 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c | ||
22 | index edcb8a0d36..ac14949871 100644 | ||
23 | --- a/Xi/xiselectev.c | ||
24 | +++ b/Xi/xiselectev.c | ||
25 | @@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
26 | InputClientsPtr others = NULL; | ||
27 | xXIEventMask *evmask = NULL; | ||
28 | DeviceIntPtr dev; | ||
29 | + uint32_t length; | ||
30 | |||
31 | REQUEST(xXIGetSelectedEventsReq); | ||
32 | REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); | ||
33 | @@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
34 | } | ||
35 | } | ||
36 | |||
37 | + /* save the value before SRepXIGetSelectedEvents swaps it */ | ||
38 | + length = reply.length; | ||
39 | WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); | ||
40 | |||
41 | if (reply.num_masks) | ||
42 | - WriteToClient(client, reply.length * 4, buffer); | ||
43 | + WriteToClient(client, length * 4, buffer); | ||
44 | |||
45 | free(buffer); | ||
46 | return Success; | ||
47 | -- | ||
48 | GitLab | ||
49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch new file mode 100644 index 0000000000..d2c551a0e5 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Fri, 22 Mar 2024 18:56:27 -0700 | ||
4 | Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to | ||
5 | send reply | ||
6 | |||
7 | CVE-2024-31081 | ||
8 | |||
9 | Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") | ||
10 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
11 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
12 | |||
13 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee] | ||
14 | CVE: CVE-2024-31081 | ||
15 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
16 | |||
17 | Xi/xipassivegrab.c | 5 ++++- | ||
18 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c | ||
21 | index c9ac2f8553..896233bec2 100644 | ||
22 | --- a/Xi/xipassivegrab.c | ||
23 | +++ b/Xi/xipassivegrab.c | ||
24 | @@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
25 | GrabParameters param; | ||
26 | void *tmp; | ||
27 | int mask_len; | ||
28 | + uint32_t length; | ||
29 | |||
30 | REQUEST(xXIPassiveGrabDeviceReq); | ||
31 | REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, | ||
32 | @@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
33 | } | ||
34 | } | ||
35 | |||
36 | + /* save the value before SRepXIPassiveGrabDevice swaps it */ | ||
37 | + length = rep.length; | ||
38 | WriteReplyToClient(client, sizeof(rep), &rep); | ||
39 | if (rep.num_modifiers) | ||
40 | - WriteToClient(client, rep.length * 4, modifiers_failed); | ||
41 | + WriteToClient(client, length * 4, modifiers_failed); | ||
42 | |||
43 | out: | ||
44 | free(modifiers_failed); | ||
45 | -- | ||
46 | GitLab | ||
47 | |||