4 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
new file mode 100644
index 0000000000..4994a21d33
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
@@ -0,0 +1,36 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
+CVE-2020-14346 / ZDI-CAN-11429
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff]
+CVE: CVE-2020-14346
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd91258..504defe56 100644
+--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+    len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
new file mode 100644
index 0000000000..710cc3873c
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
@@ -0,0 +1,36 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH] Fix XkbSelectEvents() integer underflow
+CVE-2020-14361 ZDI-CAN 11573
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
+CVE: CVE-2020-14361
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff4..50cabb90e 100644
+--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+         register unsigned bit, ndx, maskLeft, dataLeft, size;
+ 
+         from.c8 = (CARD8 *) &stuff[1];
+-        dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+        dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+         maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+         for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+             if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
new file mode 100644
index 0000000000..2103e9c198
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
@@ -0,0 +1,70 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+CVE-2020-14362 ZDI-CAN-11574
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
+CVE: CVE-2020-14362
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/record/record.c b/record/record.c
+index f2d38c877..be154525d 100644
+--- a/record/record.c
+++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ }                               /* SProcRecordQueryVersion */
+ 
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+     int i;
+     XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+     swapl(&stuff->nRanges);
+     pClientID = (XID *) &stuff[1];
+     if (stuff->nClients >
+-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+         return BadLength;
+     for (i = 0; i < stuff->nClients; i++, pClientID++) {
+         swapl(pClientID);
+     }
+     if (stuff->nRanges >
+-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+         - stuff->nClients)
+         return BadLength;
+     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+         return status;
+     return ProcRecordCreateContext(client);
+ }                               /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+         return status;
+     return ProcRecordRegisterClients(client);
+ }                               /* SProcRecordRegisterClients */
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 5101134538..51d959f86c 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -6,6 +6,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://sdksyms-no-build-path.patch \
           file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
           file://CVE-2020-14347.patch \
+           file://CVE-2020-14346.patch \
+           file://CVE-2020-14361.patch \
+           file://CVE-2020-14362.patch \
           "
 SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
 SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch new file mode 100644 index 0000000000..4994a21d33 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
@@ -0,0 +1,36 @@
		1	From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Tue, 18 Aug 2020 14:49:04 +0200
		4	Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
		5
		6	CVE-2020-14346 / ZDI-CAN-11429
		7
		8	This vulnerability was discovered by:
		9	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		10
		11	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		12
		13	Upstream-Status: Backport
		14	[https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff]
		15	CVE: CVE-2020-14346
		16	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		17	---
		18	Xi/xichangehierarchy.c \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
		22	index cbdd91258..504defe56 100644
		23	--- a/Xi/xichangehierarchy.c
		24	+++ b/Xi/xichangehierarchy.c
		25	@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
		26	if (!stuff->num_changes)
		27	return rc;
		28
		29	- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
		30	+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
		31
		32	any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
		33	while (stuff->num_changes--) {
		34	--
		35	2.17.1
		36


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch new file mode 100644 index 0000000000..710cc3873c --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
@@ -0,0 +1,36 @@
		1	From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Tue, 18 Aug 2020 14:52:29 +0200
		4	Subject: [PATCH] Fix XkbSelectEvents() integer underflow
		5
		6	CVE-2020-14361 ZDI-CAN 11573
		7
		8	This vulnerability was discovered by:
		9	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		10
		11	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		12
		13	Upstream-Status: Backport
		14	[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
		15	CVE: CVE-2020-14361
		16	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		17	---
		18	xkb/xkbSwap.c \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
		22	index 1c1ed5ff4..50cabb90e 100644
		23	--- a/xkb/xkbSwap.c
		24	+++ b/xkb/xkbSwap.c
		25	@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
		26	register unsigned bit, ndx, maskLeft, dataLeft, size;
		27
		28	from.c8 = (CARD8 *) &stuff[1];
		29	- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
		30	+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
		31	maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
		32	for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
		33	if (((bit & maskLeft) == 0) \|\| (ndx == XkbMapNotify))
		34	--
		35	2.17.1
		36


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch new file mode 100644 index 0000000000..2103e9c198 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
@@ -0,0 +1,70 @@
		1	From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Tue, 18 Aug 2020 14:55:01 +0200
		4	Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
		5
		6	CVE-2020-14362 ZDI-CAN-11574
		7
		8	This vulnerability was discovered by:
		9	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		10
		11	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		12
		13	Upstream-Status: Backport
		14	[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
		15	CVE: CVE-2020-14362
		16	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		17	---
		18	record/record.c \| 10 +++++-----
		19	1 file changed, 5 insertions(+), 5 deletions(-)
		20
		21	diff --git a/record/record.c b/record/record.c
		22	index f2d38c877..be154525d 100644
		23	--- a/record/record.c
		24	+++ b/record/record.c
		25	@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
		26	} /* SProcRecordQueryVersion */
		27
		28	static int _X_COLD
		29	-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
		30	+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
		31	{
		32	int i;
		33	XID *pClientID;
		34	@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
		35	swapl(&stuff->nRanges);
		36	pClientID = (XID *) &stuff[1];
		37	if (stuff->nClients >
		38	- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
		39	+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
		40	return BadLength;
		41	for (i = 0; i < stuff->nClients; i++, pClientID++) {
		42	swapl(pClientID);
		43	}
		44	if (stuff->nRanges >
		45	- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
		46	+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
		47	- stuff->nClients)
		48	return BadLength;
		49	RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
		50	@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
		51
		52	swaps(&stuff->length);
		53	REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
		54	- if ((status = SwapCreateRegister((void *) stuff)) != Success)
		55	+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
		56	return status;
		57	return ProcRecordCreateContext(client);
		58	} /* SProcRecordCreateContext */
		59	@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
		60
		61	swaps(&stuff->length);
		62	REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
		63	- if ((status = SwapCreateRegister((void *) stuff)) != Success)
		64	+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
		65	return status;
		66	return ProcRecordRegisterClients(client);
		67	} /* SProcRecordRegisterClients */
		68	--
		69	2.17.1
		70


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb index 5101134538..51d959f86c 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -6,6 +6,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
6	file://sdksyms-no-build-path.patch \	6	file://sdksyms-no-build-path.patch \
7	file://0001-drmmode_display.c-add-missing-mi.h-include.patch \	7	file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
8	file://CVE-2020-14347.patch \	8	file://CVE-2020-14347.patch \
		9	file://CVE-2020-14346.patch \
		10	file://CVE-2020-14361.patch \
		11	file://CVE-2020-14362.patch \
9	"	12	"
10	SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"	13	SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
11	SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"	14	SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"