From patchwork Mon Jan 8 16:14:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 37492 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D6F9C3DA6E for ; Mon, 8 Jan 2024 16:14:48 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.web11.867.1704730483791813476 for ; Mon, 08 Jan 2024 08:14:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=tCNDOblg; spf=softfail (domain: sakoman.com, ip: 209.85.210.174, mailfrom: steve@sakoman.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-6daf9d5f111so771505b3a.0 for ; Mon, 08 Jan 2024 08:14:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1704730483; x=1705335283; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Vf0EYpGm+3PeYGaEo2P7rMXSf6DHbHwjaOvWIn9lfvg=; b=tCNDOblg8hthnMEi4fkmunOuc7Rpd0n+3gFehA+GnbghMuIQU9nQpcIUvCaD9q4pUS bqXvSfynAUrJSDsZJF8mD7i1l4VTnu+Fq+bG1lNDFIES73nBpMOzga1RP+PPUNgWHnuE H87LmjyHi5CYmIN+n6atG9r932lpYguWnW1Ckji0oQUDtGrsa7QoPvdCIJ+z2vK7Imrk AmuTG3DCnTUDy1fj3A1PkXnPzWOhqOjcE/AyUA/GsDJ4rYCMIZRZezEV6J+jCk0sXMYa Tdl+DAvTIalGyCKUkmsuD2P7K8ii+oSZMJ6QZ+A4TLGo+yVg3wlgPcnTWmWJnqMbQDuw XSFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704730483; x=1705335283; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Vf0EYpGm+3PeYGaEo2P7rMXSf6DHbHwjaOvWIn9lfvg=; b=LLZglheMhqIeVSoJ1p+jezamGxy9a0SXDcQ5u5n990JIu39WiY7Qwq+1lhHwqcPweh eM9WjKNm8LeCyaZ+wc1br9PfjsqpqP2JSt/5mXrvxhY8OQMNOn6YHAIGYiKo58L3A8cp v0IC6+jNNLYeRzsEQzJPc98HS1H3uyac5nZCWVJj4SA/IOPJyCIJFEEtWVC2csGcISfJ o3b1d+jQWrzmY3hd1HJc9CBMVw7KeM5kPm9ihORRpjKIWYV/QLBb/+HC1nxMPlI9T9Ac g454cF1JFZAAHHfvwbnjnyX84Z3rS9PkRFmJoVfVtqosiZBm24m3b/l182qdGiz5qzi1 oVeA== X-Gm-Message-State: AOJu0YxWRHi3E8+8RK38IIlJAUzLlSjFwUGAUycI99aAQ+n2rFBx6S2f joiRA/FN8l29zY4MOFXWvhLZhTKpXHhtXwQhc+7p4zKl6hQf7A== X-Google-Smtp-Source: AGHT+IFwBTRF/JwIED9M4MSbJY+KXHZw2Uufsa+yvFCMAzR27ZQ4mIaC6PPy8+DhxNcunO8E1UUVWQ== X-Received: by 2002:a05:6a00:138f:b0:6d9:e7d0:327f with SMTP id t15-20020a056a00138f00b006d9e7d0327fmr4696078pfg.23.1704730482730; Mon, 08 Jan 2024 08:14:42 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id a11-20020aa78e8b000000b006da14f68ac1sm45753pfr.198.2024.01.08.08.14.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 08:14:42 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/6] xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478 Date: Mon, 8 Jan 2024 06:14:27 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 08 Jan 2024 16:14:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/193416 From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd & https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xserver-xorg/CVE-2023-6377.patch | 79 +++++++++++++++++++ .../xserver-xorg/CVE-2023-6478.patch | 63 +++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 2 + 3 files changed, 144 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch new file mode 100644 index 0000000000..0abd5914fa --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch @@ -0,0 +1,79 @@ +From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 28 Nov 2023 15:19:04 +1000 +Subject: [PATCH] Xi: allocate enough XkbActions for our buttons + +button->xkb_acts is supposed to be an array sufficiently large for all +our buttons, not just a single XkbActions struct. Allocating +insufficient memory here means when we memcpy() later in +XkbSetDeviceInfo we write into memory that wasn't ours to begin with, +leading to the usual security ooopsiedaisies. + +CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd] +CVE: CVE-2023-6377 +Signed-off-by: Vijay Anusuri +--- + Xi/exevents.c | 12 ++++++------ + dix/devices.c | 10 ++++++++++ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index dcd4efb3bc..54ea11a938 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + } + + if (from->button->xkb_acts) { +- if (!to->button->xkb_acts) { +- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); +- if (!to->button->xkb_acts) +- FatalError("[Xi] not enough memory for xkb_acts.\n"); +- } ++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); ++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); + memcpy(to->button->xkb_acts, from->button->xkb_acts, +- sizeof(XkbAction)); ++ from->button->numButtons * sizeof(XkbAction)); + } + else { + free(to->button->xkb_acts); +diff --git a/dix/devices.c b/dix/devices.c +index b063128df0..3f3224d626 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) + + if (master->button && master->button->numButtons != maxbuttons) { + int i; ++ int last_num_buttons = master->button->numButtons; ++ + DeviceChangedEvent event = { + .header = ET_Internal, + .type = ET_DeviceChanged, +@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) + }; + + master->button->numButtons = maxbuttons; ++ if (last_num_buttons < maxbuttons) { ++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(&master->button->xkb_acts[last_num_buttons], ++ 0, ++ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); ++ } + + memcpy(&event.buttons.names, master->button->labels, maxbuttons * + sizeof(Atom)); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch new file mode 100644 index 0000000000..6392eae3f8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch @@ -0,0 +1,63 @@ +From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 27 Nov 2023 16:27:49 +1000 +Subject: [PATCH] randr: avoid integer truncation in length check of + ProcRRChange*Property + +Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. +See also xserver@8f454b79 where this same bug was fixed for the core +protocol and XI. + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->nUnits value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->nUnits bytes, i.e. 4GB. + +CVE-2023-6478, ZDI-CAN-22561 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] +CVE: CVE-2023-6478 +Signed-off-by: Vijay Anusuri +--- + randr/rrproperty.c | 2 +- + randr/rrproviderproperty.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index 25469f57b2..c4fef8a1f6 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index b79c17f9bf..90c5a9a933 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 63932b4e79..7738085e11 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb @@ -4,6 +4,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ file://CVE-2023-5367.patch \ file://CVE-2023-5380.patch \ + file://CVE-2023-6377.patch \ + file://CVE-2023-6478.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"