summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2021-09-09 16:55:20 -0700
committerSteve Sakoman <steve@sakoman.com>2021-09-10 05:49:28 -1000
commitee4a4f9053909f820de48a48750bda92170aaf86 (patch)
tree25dadc553502e4a23c05cca57841f9f82325e2b6
parent9dfc6abbb83f8792fbfa1acb9c0fe4ab23872d8f (diff)
downloadopenembedded-core-contrib-ee4a4f9053909f820de48a48750bda92170aaf86.tar.gz
xserver-xorg: Security fix for CVE-2020-14360/-25712
Source: https://gitlab.freedesktop.org/xorg/xserver MR: 108223, Type: Security Fix Disposition: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b and https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9 ChangeID: 496c2a2d80e4f8fff9b0d3148fca70c090cec31e Description: affects < 1.20.10 Fixes CVE-2020-14360 and CVE-2020-25712 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch132
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch102
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb2
3 files changed, 236 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
new file mode 100644
index 0000000000..e9ab42742e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
@@ -0,0 +1,132 @@
+From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 12 Nov 2020 19:15:07 +0100
+Subject: [PATCH] Check SetMap request length carefully.
+
+Avoid out of bounds memory accesses on too short request.
+
+ZDI-CAN 11572 / CVE-2020-14360
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
+CVE: CVE-2020-14360
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
++++ xorg-server-1.20.8/xkb/xkb.c
+@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
+ return (char *) wire;
+ }
+
++#define _add_check_len(new) \
++ if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
++ else len += new
++
++/**
++ * Check the length of the SetMap request
++ */
++static int
++_XkbSetMapCheckLength(xkbSetMapReq *req)
++{
++ size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
++ xkbKeyTypeWireDesc *keytype;
++ xkbSymMapWireDesc *symmap;
++ BOOL preserve;
++ int i, map_count, nSyms;
++
++ if (req_len < len)
++ goto bad;
++ /* types */
++ if (req->present & XkbKeyTypesMask) {
++ keytype = (xkbKeyTypeWireDesc *)(req + 1);
++ for (i = 0; i < req->nTypes; i++) {
++ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
++ if (req->flags & XkbSetMapResizeTypes) {
++ _add_check_len(keytype->nMapEntries
++ * sz_xkbKTSetMapEntryWireDesc);
++ preserve = keytype->preserve;
++ map_count = keytype->nMapEntries;
++ if (preserve) {
++ _add_check_len(map_count * sz_xkbModsWireDesc);
++ }
++ keytype += 1;
++ keytype = (xkbKeyTypeWireDesc *)
++ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
++ if (preserve)
++ keytype = (xkbKeyTypeWireDesc *)
++ ((xkbModsWireDesc *)keytype + map_count);
++ }
++ }
++ }
++ /* syms */
++ if (req->present & XkbKeySymsMask) {
++ symmap = (xkbSymMapWireDesc *)((char *)req + len);
++ for (i = 0; i < req->nKeySyms; i++) {
++ _add_check_len(sz_xkbSymMapWireDesc);
++ nSyms = symmap->nSyms;
++ _add_check_len(nSyms*sizeof(CARD32));
++ symmap += 1;
++ symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
++ }
++ }
++ /* actions */
++ if (req->present & XkbKeyActionsMask) {
++ _add_check_len(req->totalActs * sz_xkbActionWireDesc
++ + XkbPaddedSize(req->nKeyActs));
++ }
++ /* behaviours */
++ if (req->present & XkbKeyBehaviorsMask) {
++ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
++ }
++ /* vmods */
++ if (req->present & XkbVirtualModsMask) {
++ _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
++ }
++ /* explicit */
++ if (req->present & XkbExplicitComponentsMask) {
++ /* two bytes per non-zero explicit componen */
++ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
++ }
++ /* modmap */
++ if (req->present & XkbModifierMapMask) {
++ /* two bytes per non-zero modmap component */
++ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
++ }
++ /* vmodmap */
++ if (req->present & XkbVirtualModMapMask) {
++ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
++ }
++ if (len == req_len)
++ return Success;
++bad:
++ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
++ len, req_len);
++ return BadLength;
++}
++
++
+ /**
+ * Check if the given request can be applied to the given device but don't
+ * actually do anything..
+@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
+ CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
+ CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
+
++ /* first verify the request length carefully */
++ rc = _XkbSetMapCheckLength(stuff);
++ if (rc != Success)
++ return rc;
++
+ tmp = (char *) &stuff[1];
+
+ /* Check if we can to the SetMap on the requested device. If this
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
new file mode 100644
index 0000000000..f39f6b32b1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
@@ -0,0 +1,102 @@
+From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 11 Oct 2020 17:05:09 +0200
+Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap
+ overflows
+
+ZDI-CAN 11389 / CVE-2020-25712
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
+CVE: CVE-2020-25712
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xkb/xkb.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
++++ xorg-server-1.20.8/xkb/xkb.c
+@@ -6625,7 +6625,9 @@ SetDeviceIndicators(char *wire,
+ unsigned changed,
+ int num,
+ int *status_rtrn,
+- ClientPtr client, xkbExtensionDeviceNotify * ev)
++ ClientPtr client,
++ xkbExtensionDeviceNotify * ev,
++ xkbSetDeviceInfoReq * stuff)
+ {
+ xkbDeviceLedsWireDesc *ledWire;
+ int i;
+@@ -6646,6 +6648,11 @@ SetDeviceIndicators(char *wire,
+ xkbIndicatorMapWireDesc *mapWire;
+ XkbSrvLedInfoPtr sli;
+
++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) ledWire;
++ }
++
+ namec = mapc = statec = 0;
+ sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
+ XkbXI_IndicatorMapsMask);
+@@ -6664,6 +6671,10 @@ SetDeviceIndicators(char *wire,
+ memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->namesPresent & bit) {
++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) atomWire;
++ }
+ sli->names[n] = (Atom) *atomWire;
+ if (sli->names[n] == None)
+ ledWire->namesPresent &= ~bit;
+@@ -6681,6 +6692,10 @@ SetDeviceIndicators(char *wire,
+ if (ledWire->mapsPresent) {
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->mapsPresent & bit) {
++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) mapWire;
++ }
+ sli->maps[n].flags = mapWire->flags;
+ sli->maps[n].which_groups = mapWire->whichGroups;
+ sli->maps[n].groups = mapWire->groups;
+@@ -6760,7 +6775,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+ ed.deviceID = dev->id;
+ wire = (char *) &stuff[1];
+ if (stuff->change & XkbXI_ButtonActionsMask) {
+- int nBtns, sz, i;
++ int nBtns, sz, i;
+ XkbAction *acts;
+ DeviceIntPtr kbd;
+
+@@ -6772,7 +6787,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+ return BadAlloc;
+ dev->button->xkb_acts = acts;
+ }
++ if (stuff->firstBtn + stuff->nBtns > nBtns)
++ return BadValue;
+ sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
++ return BadLength;
+ memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
+ wire += sz;
+ ed.reason |= XkbXI_ButtonActionsMask;
+@@ -6793,7 +6812,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+ int status = Success;
+
+ wire = SetDeviceIndicators(wire, dev, stuff->change,
+- stuff->nDeviceLedFBs, &status, client, &ed);
++ stuff->nDeviceLedFBs, &status, client, &ed,
++ stuff);
+ if (status != Success)
+ return status;
+ }
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 2af1b6f307..8c77c3756b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2020-14361.patch \
file://CVE-2020-14362.patch \
file://CVE-2020-14345.patch \
+ file://CVE-2020-14360.patch \
+ file://CVE-2020-25712.patch \
"
SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-19 20:36:54 +0000