diff options
Diffstat (limited to 'meta/recipes-graphics')
9 files changed, 433 insertions, 2 deletions
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch new file mode 100644 index 0000000000..ae42dc8f6c --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0135.patch | |||
@@ -0,0 +1,117 @@ | |||
1 | From 63aee871365f9c9e7fa9125672302a0fb250d34d Mon Sep 17 00:00:00 2001 | ||
2 | From: Gert Wollny <gert.wollny@collabora.com> | ||
3 | Date: Tue, 30 Nov 2021 09:16:24 +0100 | ||
4 | Subject: [PATCH 2/2] vrend: propperly check whether the shader image range is | ||
5 | correct | ||
6 | |||
7 | Also add a test to check the integer underflow. | ||
8 | |||
9 | Closes: #251 | ||
10 | Signed-off-by: Gert Wollny <gert.wollny@collabora.com> | ||
11 | Reviewed-by: Chia-I Wu <olvaffe@gmail.com> | ||
12 | |||
13 | cherry-pick from anongit.freedesktop.org/virglrenderer | ||
14 | commit 2aed5d4... | ||
15 | |||
16 | CVE: CVE-2022-0135 | ||
17 | Upstream-Status: Backport | ||
18 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
19 | |||
20 | --- | ||
21 | src/vrend_decode.c | 3 +- | ||
22 | tests/test_fuzzer_formats.c | 57 +++++++++++++++++++++++++++++++++++++ | ||
23 | 2 files changed, 59 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/src/vrend_decode.c b/src/vrend_decode.c | ||
26 | index 91f5f24..6771b10 100644 | ||
27 | --- a/src/vrend_decode.c | ||
28 | +++ b/src/vrend_decode.c | ||
29 | @@ -1249,8 +1249,9 @@ static int vrend_decode_set_shader_images(struct vrend_context *ctx, const uint3 | ||
30 | if (num_images < 1) { | ||
31 | return 0; | ||
32 | } | ||
33 | + | ||
34 | if (start_slot > PIPE_MAX_SHADER_IMAGES || | ||
35 | - start_slot > PIPE_MAX_SHADER_IMAGES - num_images) | ||
36 | + start_slot + num_images > PIPE_MAX_SHADER_IMAGES) | ||
37 | return EINVAL; | ||
38 | |||
39 | for (uint32_t i = 0; i < num_images; i++) { | ||
40 | diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c | ||
41 | index 154a2e5..e32caf0 100644 | ||
42 | --- a/tests/test_fuzzer_formats.c | ||
43 | +++ b/tests/test_fuzzer_formats.c | ||
44 | @@ -958,6 +958,61 @@ static void test_vrend_set_signle_abo_heap_overflow() { | ||
45 | virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); | ||
46 | } | ||
47 | |||
48 | +static void test_vrend_set_shader_images_overflow() | ||
49 | +{ | ||
50 | + uint32_t num_shaders = PIPE_MAX_SHADER_IMAGES + 1; | ||
51 | + uint32_t size = num_shaders * VIRGL_SET_SHADER_IMAGE_ELEMENT_SIZE + 3; | ||
52 | + uint32_t cmd[size]; | ||
53 | + int i = 0; | ||
54 | + cmd[i++] = ((size - 1)<< 16) | 0 << 8 | VIRGL_CCMD_SET_SHADER_IMAGES; | ||
55 | + cmd[i++] = PIPE_SHADER_FRAGMENT; | ||
56 | + memset(&cmd[i], 0, size - i); | ||
57 | + | ||
58 | + virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); | ||
59 | +} | ||
60 | + | ||
61 | +/* Test adapted from yaojun8558363@gmail.com: | ||
62 | + * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 | ||
63 | +*/ | ||
64 | +static void test_vrend_3d_resource_overflow() { | ||
65 | + | ||
66 | + struct virgl_renderer_resource_create_args resource; | ||
67 | + resource.handle = 0x4c474572; | ||
68 | + resource.target = PIPE_TEXTURE_2D_ARRAY; | ||
69 | + resource.format = VIRGL_FORMAT_Z24X8_UNORM; | ||
70 | + resource.nr_samples = 2; | ||
71 | + resource.last_level = 0; | ||
72 | + resource.array_size = 3; | ||
73 | + resource.bind = VIRGL_BIND_SAMPLER_VIEW; | ||
74 | + resource.depth = 1; | ||
75 | + resource.width = 8; | ||
76 | + resource.height = 4; | ||
77 | + resource.flags = 0; | ||
78 | + | ||
79 | + virgl_renderer_resource_create(&resource, NULL, 0); | ||
80 | + virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); | ||
81 | + | ||
82 | + uint32_t size = 0x400; | ||
83 | + uint32_t cmd[size]; | ||
84 | + int i = 0; | ||
85 | + cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; | ||
86 | + cmd[i++] = resource.handle; | ||
87 | + cmd[i++] = 0; // level | ||
88 | + cmd[i++] = 0; // usage | ||
89 | + cmd[i++] = 0; // stride | ||
90 | + cmd[i++] = 0; // layer_stride | ||
91 | + cmd[i++] = 0; // x | ||
92 | + cmd[i++] = 0; // y | ||
93 | + cmd[i++] = 0; // z | ||
94 | + cmd[i++] = 8; // w | ||
95 | + cmd[i++] = 4; // h | ||
96 | + cmd[i++] = 3; // d | ||
97 | + memset(&cmd[i], 0, size - i); | ||
98 | + | ||
99 | + virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); | ||
100 | +} | ||
101 | + | ||
102 | + | ||
103 | int main() | ||
104 | { | ||
105 | initialize_environment(); | ||
106 | @@ -980,6 +1035,8 @@ int main() | ||
107 | test_cs_nullpointer_deference(); | ||
108 | test_vrend_set_signle_abo_heap_overflow(); | ||
109 | |||
110 | + test_vrend_set_shader_images_overflow(); | ||
111 | + test_vrend_3d_resource_overflow(); | ||
112 | |||
113 | virgl_renderer_context_destroy(ctx_id); | ||
114 | virgl_renderer_cleanup(&cookie); | ||
115 | -- | ||
116 | 2.25.1 | ||
117 | |||
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch new file mode 100644 index 0000000000..8bbb9eb579 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/cve-2022-0175.patch | |||
@@ -0,0 +1,112 @@ | |||
1 | From 5ca7aca001092c557f0b6fc1ba3db7dcdab860b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gert Wollny <gert.wollny@collabora.com> | ||
3 | Date: Tue, 30 Nov 2021 09:29:42 +0100 | ||
4 | Subject: [PATCH 1/2] vrend: clear memory when allocating a host-backed memory | ||
5 | resource | ||
6 | |||
7 | Closes: #249 | ||
8 | Signed-off-by: Gert Wollny <gert.wollny@collabora.com> | ||
9 | Reviewed-by: Chia-I Wu <olvaffe@gmail.com> | ||
10 | |||
11 | cherry-pick from anongit.freedesktop.org/virglrenderer | ||
12 | commit b05bb61... | ||
13 | |||
14 | CVE: CVE-2022-0175 | ||
15 | Upstream-Status: Backport | ||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | |||
18 | Patch to vrend_renderer.c modified to apply to version used by hardknott. | ||
19 | Patch to test_virgl_transfer.c unchanged. | ||
20 | |||
21 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
22 | |||
23 | --- | ||
24 | src/vrend_renderer.c | 2 +- | ||
25 | tests/test_virgl_transfer.c | 51 +++++++++++++++++++++++++++++++++++++ | ||
26 | 2 files changed, 52 insertions(+), 1 deletion(-) | ||
27 | |||
28 | diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c | ||
29 | index ad7a351..d84f785 100644 | ||
30 | --- a/src/vrend_renderer.c | ||
31 | +++ b/src/vrend_renderer.c | ||
32 | @@ -6646,7 +6646,7 @@ int vrend_renderer_resource_create(struct vrend_renderer_resource_create_args *a | ||
33 | if (args->bind == VIRGL_BIND_CUSTOM) { | ||
34 | /* use iovec directly when attached */ | ||
35 | gr->storage_bits |= VREND_STORAGE_HOST_SYSTEM_MEMORY; | ||
36 | - gr->ptr = malloc(args->width); | ||
37 | + gr->ptr = calloc(1, args->width); | ||
38 | if (!gr->ptr) { | ||
39 | FREE(gr); | ||
40 | return ENOMEM; | ||
41 | diff --git a/tests/test_virgl_transfer.c b/tests/test_virgl_transfer.c | ||
42 | index 2c8669a..8f8e98a 100644 | ||
43 | --- a/tests/test_virgl_transfer.c | ||
44 | +++ b/tests/test_virgl_transfer.c | ||
45 | @@ -952,6 +952,56 @@ START_TEST(virgl_test_transfer_near_res_bounds_with_stride_succeeds) | ||
46 | } | ||
47 | END_TEST | ||
48 | |||
49 | +START_TEST(test_vrend_host_backed_memory_no_data_leak) | ||
50 | +{ | ||
51 | + struct iovec iovs[1]; | ||
52 | + int niovs = 1; | ||
53 | + | ||
54 | + struct virgl_context ctx = {0}; | ||
55 | + | ||
56 | + int ret = testvirgl_init_ctx_cmdbuf(&ctx); | ||
57 | + | ||
58 | + struct virgl_renderer_resource_create_args res; | ||
59 | + res.handle = 0x400; | ||
60 | + res.target = PIPE_BUFFER; | ||
61 | + res.format = VIRGL_FORMAT_R8_UNORM; | ||
62 | + res.nr_samples = 0; | ||
63 | + res.last_level = 0; | ||
64 | + res.array_size = 1; | ||
65 | + res.bind = VIRGL_BIND_CUSTOM; | ||
66 | + res.depth = 1; | ||
67 | + res.width = 32; | ||
68 | + res.height = 1; | ||
69 | + res.flags = 0; | ||
70 | + | ||
71 | + uint32_t size = 32; | ||
72 | + uint8_t* data = calloc(1, size); | ||
73 | + memset(data, 1, 32); | ||
74 | + iovs[0].iov_base = data; | ||
75 | + iovs[0].iov_len = size; | ||
76 | + | ||
77 | + struct pipe_box box = {0,0,0, size, 1,1}; | ||
78 | + | ||
79 | + virgl_renderer_resource_create(&res, NULL, 0); | ||
80 | + virgl_renderer_ctx_attach_resource(ctx.ctx_id, res.handle); | ||
81 | + | ||
82 | + ret = virgl_renderer_transfer_read_iov(res.handle, ctx.ctx_id, 0, 0, 0, | ||
83 | + (struct virgl_box *)&box, 0, iovs, niovs); | ||
84 | + | ||
85 | + ck_assert_int_eq(ret, 0); | ||
86 | + | ||
87 | + for (int i = 0; i < 32; ++i) | ||
88 | + ck_assert_int_eq(data[i], 0); | ||
89 | + | ||
90 | + virgl_renderer_ctx_detach_resource(1, res.handle); | ||
91 | + | ||
92 | + virgl_renderer_resource_unref(res.handle); | ||
93 | + free(data); | ||
94 | + | ||
95 | +} | ||
96 | +END_TEST | ||
97 | + | ||
98 | + | ||
99 | static Suite *virgl_init_suite(void) | ||
100 | { | ||
101 | Suite *s; | ||
102 | @@ -981,6 +1031,7 @@ static Suite *virgl_init_suite(void) | ||
103 | tcase_add_test(tc_core, virgl_test_transfer_buffer_bad_strides); | ||
104 | tcase_add_test(tc_core, virgl_test_transfer_2d_array_bad_layer_stride); | ||
105 | tcase_add_test(tc_core, virgl_test_transfer_2d_bad_level); | ||
106 | + tcase_add_test(tc_core, test_vrend_host_backed_memory_no_data_leak); | ||
107 | |||
108 | tcase_add_loop_test(tc_core, virgl_test_transfer_res_read_valid, 0, PIPE_MAX_TEXTURE_TYPES); | ||
109 | tcase_add_loop_test(tc_core, virgl_test_transfer_res_write_valid, 0, PIPE_MAX_TEXTURE_TYPES); | ||
110 | -- | ||
111 | 2.31.1 | ||
112 | |||
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb index 7f035f820a..1c32a573b2 100644 --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb | |||
@@ -10,9 +10,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c81c08eeefd9418fca8f88309a76db10" | |||
10 | 10 | ||
11 | DEPENDS = "libdrm virtual/libgl libepoxy" | 11 | DEPENDS = "libdrm virtual/libgl libepoxy" |
12 | SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985" | 12 | SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985" |
13 | SRC_URI = "git://anongit.freedesktop.org/virglrenderer;branch=master \ | 13 | SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \ |
14 | file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \ | 14 | file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \ |
15 | file://0001-meson.build-use-python3-directly-for-python.patch \ | 15 | file://0001-meson.build-use-python3-directly-for-python.patch \ |
16 | file://cve-2022-0135.patch \ | ||
17 | file://cve-2022-0175.patch \ | ||
16 | " | 18 | " |
17 | 19 | ||
18 | S = "${WORKDIR}/git" | 20 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index b3e03744c0..d83cb94317 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | |||
@@ -17,7 +17,15 @@ PE = "2" | |||
17 | XORG_PN = "xorg-server" | 17 | XORG_PN = "xorg-server" |
18 | SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2" | 18 | SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2" |
19 | 19 | ||
20 | CVE_PRODUCT = "xorg-server" | 20 | CVE_PRODUCT = "xorg-server x_server" |
21 | # This is specific to Debian's xserver-wrapper.c | ||
22 | CVE_CHECK_WHITELIST += "CVE-2011-4613" | ||
23 | # As per upstream, exploiting this flaw is non-trivial and it requires exact | ||
24 | # timing on the behalf of the attacker. Many graphical applications exit if their | ||
25 | # connection to the X server is lost, so a typical desktop session is either | ||
26 | # impossible or difficult to exploit. There is currently no upstream patch | ||
27 | # available for this flaw. | ||
28 | CVE_CHECK_WHITELIST += "CVE-2020-25697" | ||
21 | 29 | ||
22 | S = "${WORKDIR}/${XORG_PN}-${PV}" | 30 | S = "${WORKDIR}/${XORG_PN}-${PV}" |
23 | 31 | ||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch new file mode 100644 index 0000000000..3277be0185 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | Backport patch to fix CVE-2021-4008. | ||
2 | |||
3 | CVE: CVE-2021-4008 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:03 +0200 | ||
11 | Subject: [PATCH] render: Fix out of bounds access in | ||
12 | SProcRenderCompositeGlyphs() | ||
13 | |||
14 | ZDI-CAN-14192, CVE-2021-4008 | ||
15 | |||
16 | This vulnerability was discovered and the fix was suggested by: | ||
17 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
18 | |||
19 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
20 | --- | ||
21 | render/render.c | 9 +++++++++ | ||
22 | 1 file changed, 9 insertions(+) | ||
23 | |||
24 | diff --git a/render/render.c b/render/render.c | ||
25 | index c376090ca..456f156d4 100644 | ||
26 | --- a/render/render.c | ||
27 | +++ b/render/render.c | ||
28 | @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) | ||
29 | |||
30 | i = elt->len; | ||
31 | if (i == 0xff) { | ||
32 | + if (buffer + 4 > end) { | ||
33 | + return BadLength; | ||
34 | + } | ||
35 | swapl((int *) buffer); | ||
36 | buffer += 4; | ||
37 | } | ||
38 | @@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) | ||
39 | buffer += i; | ||
40 | break; | ||
41 | case 2: | ||
42 | + if (buffer + i * 2 > end) { | ||
43 | + return BadLength; | ||
44 | + } | ||
45 | while (i--) { | ||
46 | swaps((short *) buffer); | ||
47 | buffer += 2; | ||
48 | } | ||
49 | break; | ||
50 | case 4: | ||
51 | + if (buffer + i * 4 > end) { | ||
52 | + return BadLength; | ||
53 | + } | ||
54 | while (i--) { | ||
55 | swapl((int *) buffer); | ||
56 | buffer += 4; | ||
57 | -- | ||
58 | GitLab | ||
59 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch new file mode 100644 index 0000000000..ddfbb43ee4 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | Backport patch to fix CVE-2021-4009. | ||
2 | |||
3 | CVE: CVE-2021-4009 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b519675] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:01 +0200 | ||
11 | Subject: [PATCH] xfixes: Fix out of bounds access in | ||
12 | *ProcXFixesCreatePointerBarrier() | ||
13 | |||
14 | ZDI-CAN-14950, CVE-2021-4009 | ||
15 | |||
16 | This vulnerability was discovered and the fix was suggested by: | ||
17 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
18 | |||
19 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
20 | --- | ||
21 | xfixes/cursor.c | 6 ++++-- | ||
22 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
23 | |||
24 | diff --git a/xfixes/cursor.c b/xfixes/cursor.c | ||
25 | index 60580b88f..c5d4554b2 100644 | ||
26 | --- a/xfixes/cursor.c | ||
27 | +++ b/xfixes/cursor.c | ||
28 | @@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client) | ||
29 | { | ||
30 | REQUEST(xXFixesCreatePointerBarrierReq); | ||
31 | |||
32 | - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); | ||
33 | + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, | ||
34 | + pad_to_int32(stuff->num_devices * sizeof(CARD16))); | ||
35 | LEGAL_NEW_RESOURCE(stuff->barrier, client); | ||
36 | |||
37 | return XICreatePointerBarrier(client, stuff); | ||
38 | @@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) | ||
39 | |||
40 | swaps(&stuff->length); | ||
41 | swaps(&stuff->num_devices); | ||
42 | - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); | ||
43 | + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, | ||
44 | + pad_to_int32(stuff->num_devices * sizeof(CARD16))); | ||
45 | |||
46 | swapl(&stuff->barrier); | ||
47 | swapl(&stuff->window); | ||
48 | -- | ||
49 | GitLab | ||
50 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch new file mode 100644 index 0000000000..06ebe7d077 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | Backport patch to fix CVE-2021-4010. | ||
2 | |||
3 | CVE: CVE-2021-4010 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c4c530] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:02 +0200 | ||
11 | Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend() | ||
12 | |||
13 | ZDI-CAN-14951, CVE-2021-4010 | ||
14 | |||
15 | This vulnerability was discovered and the fix was suggested by: | ||
16 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
17 | |||
18 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
19 | --- | ||
20 | Xext/saver.c | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/Xext/saver.c b/Xext/saver.c | ||
24 | index 1d7e3cadf..f813ba08d 100644 | ||
25 | --- a/Xext/saver.c | ||
26 | +++ b/Xext/saver.c | ||
27 | @@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client) | ||
28 | REQUEST(xScreenSaverSuspendReq); | ||
29 | |||
30 | swaps(&stuff->length); | ||
31 | - swapl(&stuff->suspend); | ||
32 | REQUEST_SIZE_MATCH(xScreenSaverSuspendReq); | ||
33 | + swapl(&stuff->suspend); | ||
34 | return ProcScreenSaverSuspend(client); | ||
35 | } | ||
36 | |||
37 | -- | ||
38 | GitLab | ||
39 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch new file mode 100644 index 0000000000..c7eb03091d --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | Backport patch to fix CVE-2021-4011. | ||
2 | |||
3 | CVE: CVE-2021-4011 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e56f61c] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:00 +0200 | ||
11 | Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister() | ||
12 | |||
13 | ZDI-CAN-14952, CVE-2021-4011 | ||
14 | |||
15 | This vulnerability was discovered and the fix was suggested by: | ||
16 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
17 | |||
18 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
19 | --- | ||
20 | record/record.c | 4 ++-- | ||
21 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/record/record.c b/record/record.c | ||
24 | index be154525d..e123867a7 100644 | ||
25 | --- a/record/record.c | ||
26 | +++ b/record/record.c | ||
27 | @@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) | ||
28 | swapl(pClientID); | ||
29 | } | ||
30 | if (stuff->nRanges > | ||
31 | - client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
32 | - - stuff->nClients) | ||
33 | + (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
34 | + - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) | ||
35 | return BadLength; | ||
36 | RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); | ||
37 | return Success; | ||
38 | -- | ||
39 | GitLab | ||
40 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb index e0551fa999..58f1eb328e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb | |||
@@ -9,6 +9,10 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
9 | file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \ | 9 | file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \ |
10 | file://CVE-2021-3472.patch \ | 10 | file://CVE-2021-3472.patch \ |
11 | file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ | 11 | file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ |
12 | file://CVE-2021-4008.patch \ | ||
13 | file://CVE-2021-4009.patch \ | ||
14 | file://CVE-2021-4010.patch \ | ||
15 | file://CVE-2021-4011.patch \ | ||
12 | " | 16 | " |
13 | SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" | 17 | SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" |
14 | 18 | ||