From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 15/19] xorg: Security fix for CVE-2020-14345
Date: Mon, 18 Jan 2021 12:36:23 -1000	[thread overview]
Message-ID: <212ac89db81df64b9a0b428ded422fef9f4c0e61.1611009050.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1611009050.git.steve@sakoman.com>

From: Armin Kuster <akuster@mvista.com>

Source: freedesktop.org
MR: 105894
Type: Security Fix
Disposition: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d
ChangeID: 2c6b7553d8e5bc152258ad1794d95cb7d8b215eb
Description:

CVE-2020-14345 fix

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2020-14345.patch         | 182 ++++++++++++++++++
 .../xorg-xserver/xserver-xorg_1.20.8.bb       |   1 +
 2 files changed, 183 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
new file mode 100644
index 0000000000..fb3a37c474
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
@@ -0,0 +1,182 @@
+From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: [PATCH] Correct bounds checking in XkbSetNames()
+
+CVE-2020-14345 / ZDI 11428
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14345
+Affects < 1.20.9
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
++++ xorg-server-1.20.8/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define	CHK_REQ_KEY_RANGE(err,first,num,r)  \
+ 	CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+ 
++static Bool
++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
++    char *cstuff = (char *)stuff;
++    char *cfrom = (char *)from;
++    char *cto = (char *)to;
++
++    return cfrom < cto &&
++           cfrom >= cstuff &&
++           cfrom < cstuff + ((size_t)client->req_len << 2) &&
++           cto >= cstuff &&
++           cto <= cstuff + ((size_t)client->req_len << 2);
++}
++
+ /***====================================================================***/
+ 
+ int
+@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+             return BadAccess;
+         }
++        if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
++            return BadLength;
+         old = tmp;
+         tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+         if (!tmp) {
+@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+         }
+         width = (CARD8 *) tmp;
+         tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
++        if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
++            return BadLength;
+         type = &xkb->map->types[stuff->firstKTLevel];
+         for (i = 0; i < stuff->nKTLevels; i++, type++) {
+             if (width[i] == 0)
+@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+                                                   type->num_levels, width[i]);
+                 return BadMatch;
+             }
++            if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
++                return BadLength;
+             tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+             if (!tmp) {
+                 client->errorValue = bad;
+@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x08;
+             return BadMatch;
+         }
++        if (!_XkbCheckRequestBounds(client, stuff, tmp,
++                                    tmp + Ones(stuff->indicators)))
++            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+                                    client->swapped, &bad);
+         if (!tmp) {
+@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x09;
+             return BadMatch;
+         }
++        if (!_XkbCheckRequestBounds(client, stuff, tmp,
++                                    tmp + Ones(stuff->virtualMods)))
++            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+                                    (CARD32) stuff->virtualMods,
+                                    client->swapped, &bad);
+@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x0a;
+             return BadMatch;
+         }
++        if (!_XkbCheckRequestBounds(client, stuff, tmp,
++                                    tmp + Ones(stuff->groupNames)))
++            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+                                    (CARD32) stuff->groupNames,
+                                    client->swapped, &bad);
+@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+                              stuff->nKeys);
+             return BadValue;
+         }
++        if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
++            return BadLength;
+         tmp += stuff->nKeys;
+     }
+     if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
++        if (!_XkbCheckRequestBounds(client, stuff, tmp,
++                                    tmp + (stuff->nKeyAliases * 2)))
++            return BadLength;
+         tmp += stuff->nKeyAliases * 2;
+     }
+     if (stuff->which & XkbRGNamesMask) {
+@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+             return BadValue;
+         }
++        if (!_XkbCheckRequestBounds(client, stuff, tmp,
++                                    tmp + stuff->nRadioGroups))
++            return BadLength;
+         tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+         if (!tmp) {
+             client->errorValue = bad;
+@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
+     /* check device-independent stuff */
+     tmp = (CARD32 *) &stuff[1];
+ 
++    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++        return BadLength;
+     if (stuff->which & XkbKeycodesNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
++    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++        return BadLength;
+     if (stuff->which & XkbGeometryNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
++    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++        return BadLength;
+     if (stuff->which & XkbSymbolsNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
++    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++        return BadLength;
+     if (stuff->which & XkbPhysSymbolsNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
++    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++        return BadLength;
+     if (stuff->which & XkbTypesNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
++    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++        return BadLength;
+     if (stuff->which & XkbCompatNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
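Review bot: In ProcXkbSetNames the six added `_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)` calls sit in front of each `if (stuff->which & Xkb...NameMask)` test rather than inside it, so room for one more CARD32 is demanded even when the corresponding atom is not part of the request. Because the helper requires `cfrom < cstuff + ((size_t)client->req_len << 2)`, a request whose payload ends exactly at `tmp` (judging from the visible lines, for example one that sets only the keycodes name) would now be answered with BadLength although nothing further would be read. Moving each check into its branch, i.e. `if (stuff->which & XkbKeycodesNameMask) {` followed directly by `if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) return BadLength;`, keeps the bound on every real read without rejecting well-formed requests; as this is a backport, it is worth checking whether upstream carries a follow-up before diverging from it. The helper would also benefit from a one-line comment such as `/* TRUE iff [from, to) is non-empty and lies within the req_len * 4 bytes starting at stuff */`, since the non-empty requirement is what callers have to account for. ProcXkbSetNames and _XkbSetNamesCheck are only partly visible in the embedded hunks, so the final length comparison they may perform is not shown here.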
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 51d959f86c..2af1b6f307 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://CVE-2020-14346.patch \
            file://CVE-2020-14361.patch \
            file://CVE-2020-14362.patch \
+           file://CVE-2020-14345.patch \
            "
 SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
 SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
-- 
2.17.1

