xserver-xorg: Fix Multiple CVEs

CVE-2022-4283: xkb: reset the radio_groups pointer to NULL after freeing it Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c CVE-2022-46340: Xtest: disallow GenericEvents in XTestSwapFakeInput Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 CVE-2022-46341: Xi: disallow passive grabs with a detail > 255 Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b CVE-2022-46342: Xext: free the XvRTVideoNotify when turning off from the same client Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b CVE-2022-46343: Xext: free the screen saver resource when replacing it Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900 CVE-2022-46344: Xi: avoid integer truncation in length check of ProcXIChangeProperty Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8 (From OE-Core rev: dcc597d52a579fca44581ebd81b4a15fa56456fe) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-01-24 10:14:48 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-02-13 07:44:09 +0000
commit: 40bfc5ff44350fc5302ab803f3c82d70495c04a7 (patch)
tree: ac2be32049843e3598506d68b11d1042d512fa4f
parent: e3af3f6915f7f4f2084eb37a47b115c5836f5b63 (diff)
download: poky-40bfc5ff44350fc5302ab803f3c82d70495c04a7.tar.gz
7 files changed, 391 insertions, 1 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
new file mode 100644
index 0000000000..3f6b68fea8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+CVE-2022-4283, ZDI-CAN-19530
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index 8975ade..9bc51fc 100644
+--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
+@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+         }
+         else {
+             free(dst->names->radio_groups);
+            dst->names->radio_groups = NULL;
+         }
+         dst->names->num_rg = src->names->num_rg;
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
new file mode 100644
index 0000000000..a6c97485cd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+CVE-2022-46340, ZDI-CAN 19265
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index 38b8012..bf11789 100644
+--- a/Xext/xtest.c
+++ b/Xext/xtest.c
+@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+ 
+     nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+     for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
+        int evtype = ev->u.u.type & 0x177;
+         /* Swap event */
+-        proc = EventSwapVector[ev->u.u.type & 0177];
+        proc = EventSwapVector[evtype];
+         /* no swapping proc; invalid event type? */
+-        if (!proc || proc == NotImplemented) {
+        if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+             client->errorValue = ev->u.u.type;
+             return BadValue;
+         }
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..0ef6e5fc9f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+This fixes an OOB write:
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+CVE-2022-46341, ZDI-CAN 19381
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index d30f51f..89a5910 100644
+--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         return BadValue;
+     }
+ 
+    /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+     * implement this. Just return an error for all keycodes that
+     * cannot work anyway, same for buttons > 255. */
+    if (stuff->detail > 255)
+        return XIAlreadyGrabbed;
+
+     if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+                                stuff->mask_len * 4) != Success)
+         return BadValue;
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+                                 &param, XI2, &mask);
+             break;
+         case XIGrabtypeKeycode:
+-            /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+-             * implement this. Just return an error for all keycodes that
+-             * cannot work anyway */
+-            if (stuff->detail > 255)
+-                status = XIAlreadyGrabbed;
+-            else
+-                status = GrabKey(client, dev, mod_dev, stuff->detail,
+-                                 &param, XI2, &mask);
+            status = GrabKey(client, dev, mod_dev, stuff->detail,
+                             &param, XI2, &mask);
+             break;
+         case XIGrabtypeEnter:
+         case XIGrabtypeFocusIn:
+@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+         return BadValue;
+     }
+ 
+    /* We don't allow passive grabs for details > 255 anyway */
+    if (stuff->detail > 255) {
+        client->errorValue = stuff->detail;
+        return BadValue;
+    }
+
+     rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+     if (rc != Success)
+         return rc;
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..23fef3f321
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+This fixes a use-after-free bug:
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+  - as the drawable's XvRTVideoNotifyList. This happens only once per
+    drawable, subsequent calls append to this list.
+  - as the client's XvRTVideoNotify. This happens for every client.
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+CVE-2022-46342, ZDI-CAN 19400
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index c520c7d..5f4c174 100644
+--- a/Xext/xvmain.c
+++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+         tpn = pn;
+         while (tpn) {
+             if (tpn->client == client) {
+-                if (!onoff)
+                if (!onoff) {
+                     tpn->client = NULL;
+                    FreeResource(tpn->id, XvRTVideoNotify);
+                }
+                 return Success;
+             }
+             if (!tpn->client)
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..838f7d3726
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+This fixes a use-after-free bug:
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+Fix this by letting the resource system free the old attrs instead.
+CVE-2022-46343, ZDI-CAN 19404
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c23907d..05b9ca3 100644
+--- a/Xext/saver.c
+++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+         pVlist++;
+     }
+     if (pPriv->attr)
+-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
+     pPriv->attr = pAttr;
+     pAttr->resource = FakeClientID(client->index);
+     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..e25afa0d16
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+This fixes an OOB read and the resulting information disclosure.
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+CVE-2022-46344, ZDI-CAN 19405
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c  | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 6ec419e..0cfa6e3 100644
+--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+     REQUEST(xChangeDevicePropertyReq);
+     DeviceIntPtr dev;
+     unsigned long len;
+-    int totalSize;
+    uint64_t totalSize;
+     int rc;
+ 
+     REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+     int rc;
+     DeviceIntPtr dev;
+-    int totalSize;
+    uint64_t totalSize;
+     unsigned long len;
+ 
+     REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index ff1d669..6fdb74a 100644
+--- a/dix/property.c
+++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+     WindowPtr pWin;
+     char format, mode;
+     unsigned long len;
+-    int sizeInBytes, totalSize, err;
+    int sizeInBytes, err;
+    uint64_t totalSize;
+ 
+     REQUEST(xChangePropertyReq);
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index 4f5528f78b..ab18a87a3d 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -8,7 +8,13 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2022-3550.patch \
           file://CVE-2022-3551.patch \
           file://CVE-2022-3553.patch \
-           "
+           file://CVE-2022-4283.patch \
+           file://CVE-2022-46340.patch \
+           file://CVE-2022-46341.patch \
+           file://CVE-2022-46342.patch \
+           file://CVE-2022-46343.patch \
+           file://CVE-2022-46344.patch \
+"
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-01-24 10:14:48 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-02-13 07:44:09 +0000
commit	40bfc5ff44350fc5302ab803f3c82d70495c04a7 (patch)
tree	ac2be32049843e3598506d68b11d1042d512fa4f
parent	e3af3f6915f7f4f2084eb37a47b115c5836f5b63 (diff)
download	poky-40bfc5ff44350fc5302ab803f3c82d70495c04a7.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch new file mode 100644 index 0000000000..3f6b68fea8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
		1	From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Mon, 5 Dec 2022 15:55:54 +1000
		4	Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
		5
		6	Unlike other elements of the keymap, this pointer was freed but not
		7	reset. On a subsequent XkbGetKbdByName request, the server may access
		8	already freed memory.
		9
		10	CVE-2022-4283, ZDI-CAN-19530
		11
		12	This vulnerability was discovered by:
		13	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		14
		15	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		16	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
		17
		18	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
		19	CVE: CVE-2022-4283
		20	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		21	---
		22	xkb/xkbUtils.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
		26	index 8975ade..9bc51fc 100644
		27	--- a/xkb/xkbUtils.c
		28	+++ b/xkb/xkbUtils.c
		29	@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
		30	}
		31	else {
		32	free(dst->names->radio_groups);
		33	+ dst->names->radio_groups = NULL;
		34	}
		35	dst->names->num_rg = src->names->num_rg;
		36
		37	--
		38	2.25.1
		39


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch new file mode 100644 index 0000000000..a6c97485cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
		1	From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Tue, 29 Nov 2022 12:55:45 +1000
		4	Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
		5
		6	XTestSwapFakeInput assumes all events in this request are
		7	sizeof(xEvent) and iterates through these in 32-byte increments.
		8	However, a GenericEvent may be of arbitrary length longer than 32 bytes,
		9	so any GenericEvent in this list would result in subsequent events to be
		10	misparsed.
		11
		12	Additional, the swapped event is written into a stack-allocated struct
		13	xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
		14	swapping the event may thus smash the stack like an avocado on toast.
		15
		16	Catch this case early and return BadValue for any GenericEvent.
		17	Which is what would happen in unswapped setups anyway since XTest
		18	doesn't support GenericEvent.
		19
		20	CVE-2022-46340, ZDI-CAN 19265
		21
		22	This vulnerability was discovered by:
		23	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		24
		25	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		26	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
		27
		28	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
		29	CVE: CVE-2022-46340
		30	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		31	---
		32	Xext/xtest.c \| 5 +++--
		33	1 file changed, 3 insertions(+), 2 deletions(-)
		34
		35	diff --git a/Xext/xtest.c b/Xext/xtest.c
		36	index 38b8012..bf11789 100644
		37	--- a/Xext/xtest.c
		38	+++ b/Xext/xtest.c
		39	@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
		40
		41	nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
		42	for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
		43	+ int evtype = ev->u.u.type & 0x177;
		44	/* Swap event */
		45	- proc = EventSwapVector[ev->u.u.type & 0177];
		46	+ proc = EventSwapVector[evtype];
		47	/* no swapping proc; invalid event type? */
		48	- if (!proc \|\| proc == NotImplemented) {
		49	+ if (!proc \|\| proc == NotImplemented \|\| evtype == GenericEvent) {
		50	client->errorValue = ev->u.u.type;
		51	return BadValue;
		52	}
		53	--
		54	2.25.1
		55


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch new file mode 100644 index 0000000000..0ef6e5fc9f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
		1	From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Tue, 29 Nov 2022 13:55:32 +1000
		4	Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
		5
		6	The XKB protocol effectively prevents us from ever using keycodes above
		7	255. For buttons it's theoretically possible but realistically too niche
		8	to worry about. For all other passive grabs, the detail must be zero
		9	anyway.
		10
		11	This fixes an OOB write:
		12
		13	ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
		14	temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
		15	For matching existing grabs, DeleteDetailFromMask is called with the
		16	stuff->detail value. This function creates a new mask with the one bit
		17	representing stuff->detail cleared.
		18
		19	However, the array size for the new mask is 8 * sizeof(CARD32) bits,
		20	thus any detail above 255 results in an OOB array write.
		21
		22	CVE-2022-46341, ZDI-CAN 19381
		23
		24	This vulnerability was discovered by:
		25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		26
		27	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		28	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
		29
		30	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
		31	CVE: CVE-2022-46341
		32	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		33	---
		34	Xi/xipassivegrab.c \| 22 ++++++++++++++--------
		35	1 file changed, 14 insertions(+), 8 deletions(-)
		36
		37	diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
		38	index d30f51f..89a5910 100644
		39	--- a/Xi/xipassivegrab.c
		40	+++ b/Xi/xipassivegrab.c
		41	@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
		42	return BadValue;
		43	}
		44
		45	+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
		46	+ * implement this. Just return an error for all keycodes that
		47	+ * cannot work anyway, same for buttons > 255. */
		48	+ if (stuff->detail > 255)
		49	+ return XIAlreadyGrabbed;
		50	+
		51	if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
		52	stuff->mask_len * 4) != Success)
		53	return BadValue;
		54	@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
		55	&param, XI2, &mask);
		56	break;
		57	case XIGrabtypeKeycode:
		58	- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
		59	- * implement this. Just return an error for all keycodes that
		60	- * cannot work anyway */
		61	- if (stuff->detail > 255)
		62	- status = XIAlreadyGrabbed;
		63	- else
		64	- status = GrabKey(client, dev, mod_dev, stuff->detail,
		65	- &param, XI2, &mask);
		66	+ status = GrabKey(client, dev, mod_dev, stuff->detail,
		67	+ &param, XI2, &mask);
		68	break;
		69	case XIGrabtypeEnter:
		70	case XIGrabtypeFocusIn:
		71	@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
		72	return BadValue;
		73	}
		74
		75	+ /* We don't allow passive grabs for details > 255 anyway */
		76	+ if (stuff->detail > 255) {
		77	+ client->errorValue = stuff->detail;
		78	+ return BadValue;
		79	+ }
		80	+
		81	rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
		82	if (rc != Success)
		83	return rc;
		84	--
		85	2.25.1
		86


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch new file mode 100644 index 0000000000..23fef3f321 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
		1	From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Wed, 30 Nov 2022 11:20:40 +1000
		4	Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
		5	client
		6
		7	This fixes a use-after-free bug:
		8
		9	When a client first calls XvdiSelectVideoNotify() on a drawable with a
		10	TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
		11	is added twice to the resources:
		12	- as the drawable's XvRTVideoNotifyList. This happens only once per
		13	drawable, subsequent calls append to this list.
		14	- as the client's XvRTVideoNotify. This happens for every client.
		15
		16	The struct keeps the ClientPtr around once it has been added for a
		17	client. The idea, presumably, is that if the client disconnects we can remove
		18	all structs from the drawable's list that match the client (by resetting
		19	the ClientPtr to NULL), but if the drawable is destroyed we can remove
		20	and free the whole list.
		21
		22	However, if the same client then calls XvdiSelectVideoNotify() on the
		23	same drawable with a FALSE onoff argument, only the ClientPtr on the
		24	existing struct was set to NULL. The struct itself remained in the
		25	client's resources.
		26
		27	If the drawable is now destroyed, the resource system invokes
		28	XvdiDestroyVideoNotifyList which frees the whole list for this drawable
		29	- including our struct. This function however does not free the resource
		30	for the client since our ClientPtr is NULL.
		31
		32	Later, when the client is destroyed and the resource system invokes
		33	XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
		34	a struct that has been freed previously. This is generally frowned upon.
		35
		36	Fix this by calling FreeResource() on the second call instead of merely
		37	setting the ClientPtr to NULL. This removes the struct from the client
		38	resources (but not from the list), ensuring that it won't be accessed
		39	again when the client quits.
		40
		41	Note that the assignment tpn->client = NULL; is superfluous since the
		42	XvdiDestroyVideoNotify function will do this anyway. But it's left for
		43	clarity and to match a similar invocation in XvdiSelectPortNotify.
		44
		45	CVE-2022-46342, ZDI-CAN 19400
		46
		47	This vulnerability was discovered by:
		48	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		49
		50	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		51	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
		52
		53	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
		54	CVE: CVE-2022-46342
		55	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		56	---
		57	Xext/xvmain.c \| 4 +++-
		58	1 file changed, 3 insertions(+), 1 deletion(-)
		59
		60	diff --git a/Xext/xvmain.c b/Xext/xvmain.c
		61	index c520c7d..5f4c174 100644
		62	--- a/Xext/xvmain.c
		63	+++ b/Xext/xvmain.c
		64	@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
		65	tpn = pn;
		66	while (tpn) {
		67	if (tpn->client == client) {
		68	- if (!onoff)
		69	+ if (!onoff) {
		70	tpn->client = NULL;
		71	+ FreeResource(tpn->id, XvRTVideoNotify);
		72	+ }
		73	return Success;
		74	}
		75	if (!tpn->client)
		76	--
		77	2.25.1
		78


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch new file mode 100644 index 0000000000..838f7d3726 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
		1	From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Tue, 29 Nov 2022 14:53:07 +1000
		4	Subject: [PATCH] Xext: free the screen saver resource when replacing it
		5
		6	This fixes a use-after-free bug:
		7
		8	When a client first calls ScreenSaverSetAttributes(), a struct
		9	ScreenSaverAttrRec is allocated and added to the client's
		10	resources.
		11
		12	When the same client calls ScreenSaverSetAttributes() again, a new
		13	struct ScreenSaverAttrRec is allocated, replacing the old struct. The
		14	old struct was freed but not removed from the clients resources.
		15
		16	Later, when the client is destroyed the resource system invokes
		17	ScreenSaverFreeAttr and attempts to clean up the already freed struct.
		18
		19	Fix this by letting the resource system free the old attrs instead.
		20
		21	CVE-2022-46343, ZDI-CAN 19404
		22
		23	This vulnerability was discovered by:
		24	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		25
		26	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
		28
		29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
		30	CVE: CVE-2022-46343
		31	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		32	---
		33	Xext/saver.c \| 2 +-
		34	1 file changed, 1 insertion(+), 1 deletion(-)
		35
		36	diff --git a/Xext/saver.c b/Xext/saver.c
		37	index c23907d..05b9ca3 100644
		38	--- a/Xext/saver.c
		39	+++ b/Xext/saver.c
		40	@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
		41	pVlist++;
		42	}
		43	if (pPriv->attr)
		44	- FreeScreenAttr(pPriv->attr);
		45	+ FreeResource(pPriv->attr->resource, AttrType);
		46	pPriv->attr = pAttr;
		47	pAttr->resource = FakeClientID(client->index);
		48	if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
		49	--
		50	2.25.1
		51


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch new file mode 100644 index 0000000000..e25afa0d16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
		1	From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Tue, 29 Nov 2022 13:26:57 +1000
		4	Subject: [PATCH] Xi: avoid integer truncation in length check of
		5	ProcXIChangeProperty
		6
		7	This fixes an OOB read and the resulting information disclosure.
		8
		9	Length calculation for the request was clipped to a 32-bit integer. With
		10	the correct stuff->num_items value the expected request size was
		11	truncated, passing the REQUEST_FIXED_SIZE check.
		12
		13	The server then proceeded with reading at least stuff->num_items bytes
		14	(depending on stuff->format) from the request and stuffing whatever it
		15	finds into the property. In the process it would also allocate at least
		16	stuff->num_items bytes, i.e. 4GB.
		17
		18	The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
		19	so let's fix that too.
		20
		21	CVE-2022-46344, ZDI-CAN 19405
		22
		23	This vulnerability was discovered by:
		24	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		25
		26	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
		28
		29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
		30	CVE: CVE-2022-46344
		31	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		32	---
		33	Xi/xiproperty.c \| 4 ++--
		34	dix/property.c \| 3 ++-
		35	2 files changed, 4 insertions(+), 3 deletions(-)
		36
		37	diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
		38	index 6ec419e..0cfa6e3 100644
		39	--- a/Xi/xiproperty.c
		40	+++ b/Xi/xiproperty.c
		41	@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
		42	REQUEST(xChangeDevicePropertyReq);
		43	DeviceIntPtr dev;
		44	unsigned long len;
		45	- int totalSize;
		46	+ uint64_t totalSize;
		47	int rc;
		48
		49	REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
		50	@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
		51	{
		52	int rc;
		53	DeviceIntPtr dev;
		54	- int totalSize;
		55	+ uint64_t totalSize;
		56	unsigned long len;
		57
		58	REQUEST(xXIChangePropertyReq);
		59	diff --git a/dix/property.c b/dix/property.c
		60	index ff1d669..6fdb74a 100644
		61	--- a/dix/property.c
		62	+++ b/dix/property.c
		63	@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
		64	WindowPtr pWin;
		65	char format, mode;
		66	unsigned long len;
		67	- int sizeInBytes, totalSize, err;
		68	+ int sizeInBytes, err;
		69	+ uint64_t totalSize;
		70
		71	REQUEST(xChangePropertyReq);
		72
		73	--
		74	2.25.1
		75


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index 4f5528f78b..ab18a87a3d 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -8,7 +8,13 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
8	file://CVE-2022-3550.patch \	8	file://CVE-2022-3550.patch \
9	file://CVE-2022-3551.patch \	9	file://CVE-2022-3551.patch \
10	file://CVE-2022-3553.patch \	10	file://CVE-2022-3553.patch \
11	"	11	file://CVE-2022-4283.patch \
		12	file://CVE-2022-46340.patch \
		13	file://CVE-2022-46341.patch \
		14	file://CVE-2022-46342.patch \
		15	file://CVE-2022-46343.patch \
		16	file://CVE-2022-46344.patch \
		17	"
12	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"	18	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
13	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"	19	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
14		20