* [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553
@ 2022-10-30 13:38 Minjae Kim
2022-10-31 21:51 ` Steve Sakoman
0 siblings, 1 reply; 2+ messages in thread
From: Minjae Kim @ 2022-10-30 13:38 UTC (permalink / raw)
To: openembedded-core; +Cc: Steve Sakoman
From: Steve Sakoman <steve@sakoman.com>
<CVE-2022-3550>
xkb: proof GetCountedString against request length attacks
pstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
<CVE-2022-3551>
xkb: fix some possible memleaks in XkbGetKbdByName
Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
<CVE-2022-3553>
xquartz: Fix a possible crash when editing the Application
menu due to mutaing immutable arrays
Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
Signed-off-by:Minjae Kim <flowergom@gmail.com>
---
.../xserver-xorg/CVE-2022-3550.patch | 34 +++++++++++
.../xserver-xorg/CVE-2022-3551.patch | 60 +++++++++++++++++++
.../xserver-xorg/CVE-2022-3553.patch | 44 ++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.14.bb | 3 +
4 files changed, 141 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
new file mode 100644
index 0000000000..c1241f6ac5
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,34 @@
+From 27963f7eb6d986f20c88daa40af39834ee9cf9ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 30 Oct 2022 13:02:46 +0000
+Subject: [PATCH] xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 68c59df..c9726bc 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ CARD16 len;
+
+ wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
new file mode 100644
index 0000000000..365b11ea1c
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,60 @@
+From a13cd058d30f30537f7e68b934238fab20f6d55a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 30 Oct 2022 13:09:00 +0000
+Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index c9726bc..072c138 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5908,19 +5908,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
+- return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
+
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
++ return status;
++ }
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
new file mode 100644
index 0000000000..3026225129
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,44 @@
+From d3de2d4ea02c5898ea7af93a68933bb1059b4f0d Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sun, 30 Oct 2022 13:13:41 +0000
+Subject: [PATCH] xquartz: Fix a possible crash when editing the Application
+ menu due to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48
+2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194
+3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+---
+ hw/xquartz/X11Controller.m | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3efda50..4e9a5c9 100644
+--- a/hw/xquartz/X11Controller.m
++++ b/hw/xquartz/X11Controller.m
+@@ -467,9 +467,11 @@ extern char *bundle_id_prefix;
+ self.table_apps = table_apps;
+
+ NSArray * const apps = self.apps;
+- if (apps != nil)
+- [table_apps addObjectsFromArray:apps];
+-
++ if (apps != nil) {
++ for (NSArray <NSString *> * row in apps) {
++ [table_apps addObject:row.mutableCopy];
++ }
++ }
+ columns = [apps_table tableColumns];
+ [[columns objectAtIndex:0] setIdentifier:@"0"];
+ [[columns objectAtIndex:1] setIdentifier:@"1"];
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index d176f390a4..4f5528f78b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-test-xtest-Initialize-array-with-braces.patch \
file://sdksyms-no-build-path.patch \
file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+ file://CVE-2022-3550.patch \
+ file://CVE-2022-3551.patch \
+ file://CVE-2022-3553.patch \
"
SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553
2022-10-30 13:38 [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 Minjae Kim
@ 2022-10-31 21:51 ` Steve Sakoman
0 siblings, 0 replies; 2+ messages in thread
From: Steve Sakoman @ 2022-10-31 21:51 UTC (permalink / raw)
To: Minjae Kim; +Cc: openembedded-core
On Sun, Oct 30, 2022 at 3:39 AM Minjae Kim <flowergom@gmail.com> wrote:
>
> From: Steve Sakoman <steve@sakoman.com>
This seems to be in error since I didn't author this patch ;-)
>
> <CVE-2022-3550>
> xkb: proof GetCountedString against request length attacks
> pstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
>
> <CVE-2022-3551>
> xkb: fix some possible memleaks in XkbGetKbdByName
> Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
>
> <CVE-2022-3553>
> xquartz: Fix a possible crash when editing the Application
> menu due to mutaing immutable arrays
> Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
>
> Signed-off-by:Minjae Kim <flowergom@gmail.com>
> ---
> .../xserver-xorg/CVE-2022-3550.patch | 34 +++++++++++
> .../xserver-xorg/CVE-2022-3551.patch | 60 +++++++++++++++++++
> .../xserver-xorg/CVE-2022-3553.patch | 44 ++++++++++++++
All three of the patches are missing the CVE: and UpstreamStatus: tags
as well as your Signed-off-by:
Please submit a V2 with these issues fixed.
Many thanks for your help with CVEs!
Steve
> .../xorg-xserver/xserver-xorg_1.20.14.bb | 3 +
> 4 files changed, 141 insertions(+)
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
> new file mode 100644
> index 0000000000..c1241f6ac5
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
> @@ -0,0 +1,34 @@
> +From 27963f7eb6d986f20c88daa40af39834ee9cf9ec Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@who-t.net>
> +Date: Sun, 30 Oct 2022 13:02:46 +0000
> +Subject: [PATCH] xkb: proof GetCountedString against request length attacks
> +
> +GetCountedString did a check for the whole string to be within the
> +request buffer but not for the initial 2 bytes that contain the length
> +field. A swapped client could send a malformed request to trigger a
> +swaps() on those bytes, writing into random memory.
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> +---
> + xkb/xkb.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/xkb/xkb.c b/xkb/xkb.c
> +index 68c59df..c9726bc 100644
> +--- a/xkb/xkb.c
> ++++ b/xkb/xkb.c
> +@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
> + CARD16 len;
> +
> + wire = *wire_inout;
> ++
> ++ if (client->req_len <
> ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
> ++ return BadValue;
> ++
> + len = *(CARD16 *) wire;
> + if (client->swapped) {
> + swaps(&len);
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
> new file mode 100644
> index 0000000000..365b11ea1c
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
> @@ -0,0 +1,60 @@
> +From a13cd058d30f30537f7e68b934238fab20f6d55a Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@who-t.net>
> +Date: Sun, 30 Oct 2022 13:09:00 +0000
> +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
> +
> +GetComponentByName returns an allocated string, so let's free that if we
> +fail somewhere.
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> +---
> + xkb/xkb.c | 27 ++++++++++++++++++++-------
> + 1 file changed, 20 insertions(+), 7 deletions(-)
> +
> +diff --git a/xkb/xkb.c b/xkb/xkb.c
> +index c9726bc..072c138 100644
> +--- a/xkb/xkb.c
> ++++ b/xkb/xkb.c
> +@@ -5908,19 +5908,32 @@ ProcXkbGetKbdByName(ClientPtr client)
> + xkb = dev->key->xkbInfo->desc;
> + status = Success;
> + str = (unsigned char *) &stuff[1];
> +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
> +- return BadMatch;
> ++ {
> ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
> ++ if (keymap) {
> ++ free(keymap);
> ++ return BadMatch;
> ++ }
> ++ }
> + names.keycodes = GetComponentSpec(&str, TRUE, &status);
> + names.types = GetComponentSpec(&str, TRUE, &status);
> + names.compat = GetComponentSpec(&str, TRUE, &status);
> + names.symbols = GetComponentSpec(&str, TRUE, &status);
> + names.geometry = GetComponentSpec(&str, TRUE, &status);
> +- if (status != Success)
> +- return status;
> +- len = str - ((unsigned char *) stuff);
> +- if ((XkbPaddedSize(len) / 4) != stuff->length)
> +- return BadLength;
> ++ if (status == Success) {
> ++ len = str - ((unsigned char *) stuff);
> ++ if ((XkbPaddedSize(len) / 4) != stuff->length)
> ++ status = BadLength;
> ++ }
> +
> ++ if (status != Success) {
> ++ free(names.keycodes);
> ++ free(names.types);
> ++ free(names.compat);
> ++ free(names.symbols);
> ++ free(names.geometry);
> ++ return status;
> ++ }
> + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
> + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
> +
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
> new file mode 100644
> index 0000000000..3026225129
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
> @@ -0,0 +1,44 @@
> +From d3de2d4ea02c5898ea7af93a68933bb1059b4f0d Mon Sep 17 00:00:00 2001
> +From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
> +Date: Sun, 30 Oct 2022 13:13:41 +0000
> +Subject: [PATCH] xquartz: Fix a possible crash when editing the Application
> + menu due to mutaing immutable arrays
> +
> +Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
> +
> +Application Specific Backtrace 0:
> +0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242
> +1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48
> +2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194
> +3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
> +4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
> +5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
> +
> +Fixes: https://github.com/XQuartz/XQuartz/issues/267
> +Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
> +---
> + hw/xquartz/X11Controller.m | 8 +++++---
> + 1 file changed, 5 insertions(+), 3 deletions(-)
> +
> +diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
> +index 3efda50..4e9a5c9 100644
> +--- a/hw/xquartz/X11Controller.m
> ++++ b/hw/xquartz/X11Controller.m
> +@@ -467,9 +467,11 @@ extern char *bundle_id_prefix;
> + self.table_apps = table_apps;
> +
> + NSArray * const apps = self.apps;
> +- if (apps != nil)
> +- [table_apps addObjectsFromArray:apps];
> +-
> ++ if (apps != nil) {
> ++ for (NSArray <NSString *> * row in apps) {
> ++ [table_apps addObject:row.mutableCopy];
> ++ }
> ++ }
> + columns = [apps_table tableColumns];
> + [[columns objectAtIndex:0] setIdentifier:@"0"];
> + [[columns objectAtIndex:1] setIdentifier:@"1"];
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
> index d176f390a4..4f5528f78b 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
> @@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
> file://0001-test-xtest-Initialize-array-with-braces.patch \
> file://sdksyms-no-build-path.patch \
> file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
> + file://CVE-2022-3550.patch \
> + file://CVE-2022-3551.patch \
> + file://CVE-2022-3553.patch \
> "
> SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
> SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
> --
> 2.17.1
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-10-31 21:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-30 13:38 [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 Minjae Kim
2022-10-31 21:51 ` Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.