diff options
| author |   Ross Burton <ross.burton@arm.com> | 2022-10-24 16:07:45 +0100 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-10-26 12:26:17 +0100 |
| commit | e32401d8bf44afcca88af7e4c5948d2c28e1813f (patch) | |
| tree | 4b7afeb0ec4225300543cdd1eb4abc0c2ccde4fc /meta/recipes-graphics/xorg-xserver | |
| parent | 769576f36aac9652525beec5c7e8a4d26632b844 (diff) | |
| download | openembedded-core-e32401d8bf44afcca88af7e4c5948d2c28e1813f.tar.gz | |
xserver-xorg: backport fixes for CVE-2022-3550 and CVE-2022-3551
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver')
3 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch new file mode 100644 index 0000000000..0e61ec5953 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch @@ -0,0 +1,63 @@ +CVE: CVE-2022-3551 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +2.34.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch new file mode 100644 index 0000000000..6f862e82f9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch @@ -0,0 +1,38 @@ +CVE: CVE-2022-3550 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: [PATCH] xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.34.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb index b9cbc9989e..aba09afec3 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb @@ -2,6 +2,8 @@ require xserver-xorg.inc SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ + file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \ + file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \ " SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587" |