xserver-xorg: fix CVE-2021-3472

Insufficient checks on the lengths of the XInput extension ChangeFeedbackControl request can lead to out of bounds memory accesses in the X server. References: https://nvd.nist.gov/vuln/detail/CVE-2021-3472 Upstream patches: https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd (From OE-Core rev: 6fec5fea942ce88e33e5cf4c2102d69ce25e7180) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Stefan Ghinea <stefan.ghinea@windriver.com> 2021-04-29 20:15:33 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-02 23:21:42 +0100
commit: cd618cc017efc45483f20e5f3eb702e511295146 (patch)
tree: bbbda6734cd4088854e1caf23c432bf7710c09e7 /meta/recipes-graphics/xorg-xserver/xserver-xorg
parent: c52b46825f22e928fb7c9afd37c890a9d196f33c (diff)
download: poky-cd618cc017efc45483f20e5f3eb702e511295146.tar.gz
1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
new file mode 100644
index 0000000000..5480f71871
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
@@ -0,0 +1,43 @@
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+CVE-2021-3472 / ZDI-CAN-1259
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+CVE: CVE-2021-3472
+Reference to upstream patch:
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9..7a597e4 100644
+--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+         break;
+     case StringFeedbackClass:
+     {
+-        xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+        xStringFeedbackCtl *f;
+ 
+        REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
+                                    sizeof(xStringFeedbackCtl));
+        f = ((xStringFeedbackCtl *) &stuff[1]);
+         if (client->swapped) {
+             if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+                 return BadLength;
+-- 
+2.17.1
author	Stefan Ghinea <stefan.ghinea@windriver.com>	2021-04-29 20:15:33 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-02 23:21:42 +0100
commit	cd618cc017efc45483f20e5f3eb702e511295146 (patch)
tree	bbbda6734cd4088854e1caf23c432bf7710c09e7 /meta/recipes-graphics/xorg-xserver/xserver-xorg
parent	c52b46825f22e928fb7c9afd37c890a9d196f33c (diff)
download	poky-cd618cc017efc45483f20e5f3eb702e511295146.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch new file mode 100644 index 0000000000..5480f71871 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
@@ -0,0 +1,43 @@
	1	From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
	2	From: Matthieu Herrb <matthieu@herrb.eu>
	3	Date: Sun, 21 Mar 2021 18:38:57 +0100
	4	Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
	5
	6	CVE-2021-3472 / ZDI-CAN-1259
	7
	8	This vulnerability was discovered by:
	9	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	10
	11	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
	12
	13	Upstream-Status: Backport
	14	CVE: CVE-2021-3472
	15
	16	Reference to upstream patch:
	17	[https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd]
	18
	19	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
	20	---
	21	Xi/chgfctl.c \| 5 ++++-
	22	1 file changed, 4 insertions(+), 1 deletion(-)
	23
	24	diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
	25	index 1de4da9..7a597e4 100644
	26	--- a/Xi/chgfctl.c
	27	+++ b/Xi/chgfctl.c
	28	@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
	29	break;
	30	case StringFeedbackClass:
	31	{
	32	- xStringFeedbackCtl f = ((xStringFeedbackCtl ) &stuff[1]);
	33	+ xStringFeedbackCtl *f;
	34
	35	+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
	36	+ sizeof(xStringFeedbackCtl));
	37	+ f = ((xStringFeedbackCtl *) &stuff[1]);
	38	if (client->swapped) {
	39	if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
	40	return BadLength;
	41	--
	42	2.17.1
	43