[oe-core][kirkstone][PATCH 1/1] xserver-xorg: fix CVE-2022-3550, CVE-2022-3551

[oe-core][kirkstone][PATCH 1/1] xserver-xorg: fix CVE-2022-3550, CVE-2022-3551

[Soumya]

A vulnerability classified as critical was found in X.org Server. Affected
by this vulnerability is the function _GetCountedString of the file
xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to
apply a patch to fix this issue. The associated identifier of this
vulnerability is VDB-211051.

A vulnerability, which was classified as problematic, has been found in
X.org Server. Affected by this issue is the function ProcXkbGetKbdByName
of the file xkb/xkb.c. The manipulation leads to memory leak. It is
recommended to apply a patch to fix this issue. The identifier of this
vulnerability is VDB-211052.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3550
https://nvd.nist.gov/vuln/detail/CVE-2022-3551

Upstream patches:
https://gitlab.freedesktop.org/xorg/xserver/commit/11beef0b7f1ed290348e45618e5fa0d2bffcb72e
https://gitlab.freedesktop.org/xorg/xserver/commit/18f91b950e22c2a342a4fbc55e9ddf7534a707d2

Signed-off-by: Soumya <soumya.sambu@windriver.com>
---
 ...possible-memleaks-in-XkbGetKbdByName.patch | 63 +++++++++++++++++++
 ...ntedString-against-request-length-at.patch | 38 +++++++++++
 2 files changed, 101 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
new file mode 100644
index 0000000000..0e61ec5953
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
@@ -0,0 +1,63 @@
+CVE: CVE-2022-3551
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+ 
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
new file mode 100644
index 0000000000..6f862e82f9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
@@ -0,0 +1,38 @@
+CVE: CVE-2022-3550
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: [PATCH] xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+2.34.1
+
-- 
2.25.1

Re: [oe-core][kirkstone][PATCH 1/1] xserver-xorg: fix CVE-2022-3550, CVE-2022-3551

[Steve Sakoman]

On Fri, Nov 25, 2022 at 6:44 AM Soumya <soumya.sambu@windriver.com> wrote:
>
> A vulnerability classified as critical was found in X.org Server. Affected
> by this vulnerability is the function _GetCountedString of the file
> xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to
> apply a patch to fix this issue. The associated identifier of this
> vulnerability is VDB-211051.
>
> A vulnerability, which was classified as problematic, has been found in
> X.org Server. Affected by this issue is the function ProcXkbGetKbdByName
> of the file xkb/xkb.c. The manipulation leads to memory leak. It is
> recommended to apply a patch to fix this issue. The identifier of this
> vulnerability is VDB-211052.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-3550
> https://nvd.nist.gov/vuln/detail/CVE-2022-3551
>
> Upstream patches:
> https://gitlab.freedesktop.org/xorg/xserver/commit/11beef0b7f1ed290348e45618e5fa0d2bffcb72e
> https://gitlab.freedesktop.org/xorg/xserver/commit/18f91b950e22c2a342a4fbc55e9ddf7534a707d2
>
> Signed-off-by: Soumya <soumya.sambu@windriver.com>
> ---
>  ...possible-memleaks-in-XkbGetKbdByName.patch | 63 +++++++++++++++++++
>  ...ntedString-against-request-length-at.patch | 38 +++++++++++
>  2 files changed, 101 insertions(+)
>  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
>  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch

You forgot to add the patches to the recipe!

Steve

>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
> new file mode 100644
> index 0000000000..0e61ec5953
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
> @@ -0,0 +1,63 @@
> +CVE: CVE-2022-3551
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton@arm.com>
> +
> +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@who-t.net>
> +Date: Wed, 13 Jul 2022 11:23:09 +1000
> +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
> +
> +GetComponentByName returns an allocated string, so let's free that if we
> +fail somewhere.
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> +---
> + xkb/xkb.c | 26 ++++++++++++++++++++------
> + 1 file changed, 20 insertions(+), 6 deletions(-)
> +
> +diff --git a/xkb/xkb.c b/xkb/xkb.c
> +index 4692895db..b79a269e3 100644
> +--- a/xkb/xkb.c
> ++++ b/xkb/xkb.c
> +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
> +     xkb = dev->key->xkbInfo->desc;
> +     status = Success;
> +     str = (unsigned char *) &stuff[1];
> +-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
> +-        return BadMatch;
> ++    {
> ++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
> ++        if (keymap) {
> ++            free(keymap);
> ++            return BadMatch;
> ++        }
> ++    }
> +     names.keycodes = GetComponentSpec(&str, TRUE, &status);
> +     names.types = GetComponentSpec(&str, TRUE, &status);
> +     names.compat = GetComponentSpec(&str, TRUE, &status);
> +     names.symbols = GetComponentSpec(&str, TRUE, &status);
> +     names.geometry = GetComponentSpec(&str, TRUE, &status);
> +-    if (status != Success)
> ++    if (status == Success) {
> ++        len = str - ((unsigned char *) stuff);
> ++        if ((XkbPaddedSize(len) / 4) != stuff->length)
> ++            status = BadLength;
> ++    }
> ++
> ++    if (status != Success) {
> ++        free(names.keycodes);
> ++        free(names.types);
> ++        free(names.compat);
> ++        free(names.symbols);
> ++        free(names.geometry);
> +         return status;
> +-    len = str - ((unsigned char *) stuff);
> +-    if ((XkbPaddedSize(len) / 4) != stuff->length)
> +-        return BadLength;
> ++    }
> +
> +     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
> +     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
> new file mode 100644
> index 0000000000..6f862e82f9
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
> @@ -0,0 +1,38 @@
> +CVE: CVE-2022-3550
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton@arm.com>
> +
> +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@who-t.net>
> +Date: Tue, 5 Jul 2022 12:06:20 +1000
> +Subject: [PATCH] xkb: proof GetCountedString against request length attacks
> +
> +GetCountedString did a check for the whole string to be within the
> +request buffer but not for the initial 2 bytes that contain the length
> +field. A swapped client could send a malformed request to trigger a
> +swaps() on those bytes, writing into random memory.
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> +---
> + xkb/xkb.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/xkb/xkb.c b/xkb/xkb.c
> +index f42f59ef3..1841cff26 100644
> +--- a/xkb/xkb.c
> ++++ b/xkb/xkb.c
> +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
> +     CARD16 len;
> +
> +     wire = *wire_inout;
> ++
> ++    if (client->req_len <
> ++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
> ++        return BadValue;
> ++
> +     len = *(CARD16 *) wire;
> +     if (client->swapped) {
> +         swaps(&len);
> +--
> +2.34.1
> +
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173777): https://lists.openembedded.org/g/openembedded-core/message/173777
> Mute This Topic: https://lists.openembedded.org/mt/95257196/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

[oe-core][kirkstone][PATCH 1/1] xserver-xorg: fix CVE-2022-3550, CVE-2022-3551

[Soumya]

A vulnerability classified as critical was found in X.org Server. Affected
by this vulnerability is the function _GetCountedString of the file
xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to
apply a patch to fix this issue. The associated identifier of this
vulnerability is VDB-211051.

A vulnerability, which was classified as problematic, has been found in
X.org Server. Affected by this issue is the function ProcXkbGetKbdByName
of the file xkb/xkb.c. The manipulation leads to memory leak. It is
recommended to apply a patch to fix this issue. The identifier of this
vulnerability is VDB-211052.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3550
https://nvd.nist.gov/vuln/detail/CVE-2022-3551

Upstream patches:
https://gitlab.freedesktop.org/xorg/xserver/commit/11beef0b7f1ed290348e45618e5fa0d2bffcb72e
https://gitlab.freedesktop.org/xorg/xserver/commit/18f91b950e22c2a342a4fbc55e9ddf7534a707d2

Signed-off-by: Soumya <soumya.sambu@windriver.com>
---
 ...possible-memleaks-in-XkbGetKbdByName.patch | 63 +++++++++++++++++++
 ...ntedString-against-request-length-at.patch | 38 +++++++++++
 .../xorg-xserver/xserver-xorg_21.1.4.bb       |  2 +
 3 files changed, 103 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
new file mode 100644
index 0000000000..0e61ec5953
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
@@ -0,0 +1,63 @@
+CVE: CVE-2022-3551
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+ 
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
new file mode 100644
index 0000000000..6f862e82f9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
@@ -0,0 +1,38 @@
+CVE: CVE-2022-3550
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: [PATCH] xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
index b9cbc9989e..7ed2096560 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
@@ -2,6 +2,8 @@ require xserver-xorg.inc
 
 SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+           file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
+           file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
            "
 SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
 
-- 
2.25.1