Patchwork [1/3] xorg: Fix for CVE-2013-6424

login
register
mail settings
Submitter Kang Kai
Date April 1, 2014, 9:09 a.m.
Message ID <812f24b1debb5dcfb8e6b2bdd9ef877d256cd3f8.1396343261.git.kai.kang@windriver.com>
Download mbox | patch
Permalink /patch/69801/
State Accepted
Commit 377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95
Headers show

Comments

Kang Kai - April 1, 2014, 9:09 a.m.
Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org
allows context-dependent attackers to cause a denial of service (crash) via
a negative bottom value.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424

Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../xserver-xorg/xorg-CVE-2013-6424.patch          | 31 ++++++++++++++++++++++
 .../xorg-xserver/xserver-xorg_1.15.0.bb            |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch

Patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch
new file mode 100644
index 0000000..7c61530
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch
@@ -0,0 +1,31 @@ 
+This patch comes from:
+http://lists.x.org/archives/xorg-devel/2013-October/037996.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+diff -Naur xorg-server-1.14.0-orig/exa/exa_render.c xorg-server-1.14.0/exa/exa_render.c
+--- xorg-server-1.14.0-orig/exa/exa_render.c	2014-02-27 14:32:38.000000000 +0800
++++ xorg-server-1.14.0/exa/exa_render.c	2014-02-27 15:46:59.000000000 +0800
+@@ -1141,7 +1141,8 @@
+ 
+         exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+         for (; ntrap; ntrap--, traps++)
+-            (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
++            if (xTrapezoidValid(traps))
++                (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+         exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+ 
+         xRel = bounds.x1 + xSrc - xDst;
+diff -Naur xorg-server-1.14.0-orig/render/picture.h xorg-server-1.14.0/render/picture.h
+--- xorg-server-1.14.0-orig/render/picture.h	2014-02-27 14:32:26.000000000 +0800
++++ xorg-server-1.14.0/render/picture.h	2014-02-27 15:48:13.000000000 +0800
+@@ -211,7 +211,7 @@
+ /* whether 't' is a well defined not obviously empty trapezoid */
+ #define xTrapezoidValid(t)  ((t)->left.p1.y != (t)->left.p2.y && \
+ 			     (t)->right.p1.y != (t)->right.p2.y && \
+-			     (int) ((t)->bottom - (t)->top) > 0)
++			     ((t)->bottom > (t)->top))
+ 
+ /*
+  * Standard NTSC luminance conversions:
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
index a4dda4e..1f9fa04 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
@@ -5,6 +5,7 @@  SRC_URI += "file://crosscompile.patch \
             file://fix_open_max_preprocessor_error.patch \
             file://mips64-compiler.patch \
             file://aarch64.patch \
+            file://xorg-CVE-2013-6424.patch \
            "
 
 SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9"