Message ID | 20221030133847.1756435-1-flowergom@gmail.com |
---|---|
State | New, archived |
Headers | show |
Series | [dunfell] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 | expand |
On Sun, Oct 30, 2022 at 3:39 AM Minjae Kim <flowergom@gmail.com> wrote: > > From: Steve Sakoman <steve@sakoman.com> This seems to be in error since I didn't author this patch ;-) > > <CVE-2022-3550> > xkb: proof GetCountedString against request length attacks > pstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] > > <CVE-2022-3551> > xkb: fix some possible memleaks in XkbGetKbdByName > Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2] > > <CVE-2022-3553> > xquartz: Fix a possible crash when editing the Application > menu due to mutaing immutable arrays > Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3] > > Signed-off-by:Minjae Kim <flowergom@gmail.com> > --- > .../xserver-xorg/CVE-2022-3550.patch | 34 +++++++++++ > .../xserver-xorg/CVE-2022-3551.patch | 60 +++++++++++++++++++ > .../xserver-xorg/CVE-2022-3553.patch | 44 ++++++++++++++ All three of the patches are missing the CVE: and UpstreamStatus: tags as well as your Signed-off-by: Please submit a V2 with these issues fixed. Many thanks for your help with CVEs! Steve > .../xorg-xserver/xserver-xorg_1.20.14.bb | 3 + > 4 files changed, 141 insertions(+) > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch > > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch > new file mode 100644 > index 0000000000..c1241f6ac5 > --- /dev/null > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch > @@ -0,0 +1,34 @@ > +From 27963f7eb6d986f20c88daa40af39834ee9cf9ec Mon Sep 17 00:00:00 2001 > +From: Peter Hutterer <peter.hutterer@who-t.net> > +Date: Sun, 30 Oct 2022 13:02:46 +0000 > +Subject: [PATCH] xkb: proof GetCountedString against request length attacks > + > +GetCountedString did a check for the whole string to be within the > +request buffer but not for the initial 2 bytes that contain the length > +field. A swapped client could send a malformed request to trigger a > +swaps() on those bytes, writing into random memory. > + > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> > +--- > + xkb/xkb.c | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/xkb/xkb.c b/xkb/xkb.c > +index 68c59df..c9726bc 100644 > +--- a/xkb/xkb.c > ++++ b/xkb/xkb.c > +@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) > + CARD16 len; > + > + wire = *wire_inout; > ++ > ++ if (client->req_len < > ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) > ++ return BadValue; > ++ > + len = *(CARD16 *) wire; > + if (client->swapped) { > + swaps(&len); > +-- > +2.17.1 > + > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch > new file mode 100644 > index 0000000000..365b11ea1c > --- /dev/null > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch > @@ -0,0 +1,60 @@ > +From a13cd058d30f30537f7e68b934238fab20f6d55a Mon Sep 17 00:00:00 2001 > +From: Peter Hutterer <peter.hutterer@who-t.net> > +Date: Sun, 30 Oct 2022 13:09:00 +0000 > +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName > + > +GetComponentByName returns an allocated string, so let's free that if we > +fail somewhere. > + > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> > +--- > + xkb/xkb.c | 27 ++++++++++++++++++++------- > + 1 file changed, 20 insertions(+), 7 deletions(-) > + > +diff --git a/xkb/xkb.c b/xkb/xkb.c > +index c9726bc..072c138 100644 > +--- a/xkb/xkb.c > ++++ b/xkb/xkb.c > +@@ -5908,19 +5908,32 @@ ProcXkbGetKbdByName(ClientPtr client) > + xkb = dev->key->xkbInfo->desc; > + status = Success; > + str = (unsigned char *) &stuff[1]; > +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ > +- return BadMatch; > ++ { > ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ > ++ if (keymap) { > ++ free(keymap); > ++ return BadMatch; > ++ } > ++ } > + names.keycodes = GetComponentSpec(&str, TRUE, &status); > + names.types = GetComponentSpec(&str, TRUE, &status); > + names.compat = GetComponentSpec(&str, TRUE, &status); > + names.symbols = GetComponentSpec(&str, TRUE, &status); > + names.geometry = GetComponentSpec(&str, TRUE, &status); > +- if (status != Success) > +- return status; > +- len = str - ((unsigned char *) stuff); > +- if ((XkbPaddedSize(len) / 4) != stuff->length) > +- return BadLength; > ++ if (status == Success) { > ++ len = str - ((unsigned char *) stuff); > ++ if ((XkbPaddedSize(len) / 4) != stuff->length) > ++ status = BadLength; > ++ } > + > ++ if (status != Success) { > ++ free(names.keycodes); > ++ free(names.types); > ++ free(names.compat); > ++ free(names.symbols); > ++ free(names.geometry); > ++ return status; > ++ } > + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); > + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); > + > +-- > +2.17.1 > + > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch > new file mode 100644 > index 0000000000..3026225129 > --- /dev/null > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch > @@ -0,0 +1,44 @@ > +From d3de2d4ea02c5898ea7af93a68933bb1059b4f0d Mon Sep 17 00:00:00 2001 > +From: Jeremy Huddleston Sequoia <jeremyhu@apple.com> > +Date: Sun, 30 Oct 2022 13:13:41 +0000 > +Subject: [PATCH] xquartz: Fix a possible crash when editing the Application > + menu due to mutaing immutable arrays > + > +Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object > + > +Application Specific Backtrace 0: > +0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242 > +1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48 > +2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194 > +3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0 > +4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119 > +5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169 > + > +Fixes: https://github.com/XQuartz/XQuartz/issues/267 > +Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> > +--- > + hw/xquartz/X11Controller.m | 8 +++++--- > + 1 file changed, 5 insertions(+), 3 deletions(-) > + > +diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m > +index 3efda50..4e9a5c9 100644 > +--- a/hw/xquartz/X11Controller.m > ++++ b/hw/xquartz/X11Controller.m > +@@ -467,9 +467,11 @@ extern char *bundle_id_prefix; > + self.table_apps = table_apps; > + > + NSArray * const apps = self.apps; > +- if (apps != nil) > +- [table_apps addObjectsFromArray:apps]; > +- > ++ if (apps != nil) { > ++ for (NSArray <NSString *> * row in apps) { > ++ [table_apps addObject:row.mutableCopy]; > ++ } > ++ } > + columns = [apps_table tableColumns]; > + [[columns objectAtIndex:0] setIdentifier:@"0"]; > + [[columns objectAtIndex:1] setIdentifier:@"1"]; > +-- > +2.17.1 > + > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > index d176f390a4..4f5528f78b 100644 > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > @@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat > file://0001-test-xtest-Initialize-array-with-braces.patch \ > file://sdksyms-no-build-path.patch \ > file://0001-drmmode_display.c-add-missing-mi.h-include.patch \ > + file://CVE-2022-3550.patch \ > + file://CVE-2022-3551.patch \ > + file://CVE-2022-3553.patch \ > " > SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" > SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" > -- > 2.17.1 >
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch new file mode 100644 index 0000000000..c1241f6ac5 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch @@ -0,0 +1,34 @@ +From 27963f7eb6d986f20c88daa40af39834ee9cf9ec Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Sun, 30 Oct 2022 13:02:46 +0000 +Subject: [PATCH] xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 68c59df..c9726bc 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.17.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch new file mode 100644 index 0000000000..365b11ea1c --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch @@ -0,0 +1,60 @@ +From a13cd058d30f30537f7e68b934238fab20f6d55a Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Sun, 30 Oct 2022 13:09:00 +0000 +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index c9726bc..072c138 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5908,19 +5908,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) +- return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } + ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); ++ return status; ++ } + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); + +-- +2.17.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch new file mode 100644 index 0000000000..3026225129 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch @@ -0,0 +1,44 @@ +From d3de2d4ea02c5898ea7af93a68933bb1059b4f0d Mon Sep 17 00:00:00 2001 +From: Jeremy Huddleston Sequoia <jeremyhu@apple.com> +Date: Sun, 30 Oct 2022 13:13:41 +0000 +Subject: [PATCH] xquartz: Fix a possible crash when editing the Application + menu due to mutaing immutable arrays + +Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object + +Application Specific Backtrace 0: +0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242 +1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48 +2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194 +3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0 +4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119 +5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169 + +Fixes: https://github.com/XQuartz/XQuartz/issues/267 +Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> +--- + hw/xquartz/X11Controller.m | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m +index 3efda50..4e9a5c9 100644 +--- a/hw/xquartz/X11Controller.m ++++ b/hw/xquartz/X11Controller.m +@@ -467,9 +467,11 @@ extern char *bundle_id_prefix; + self.table_apps = table_apps; + + NSArray * const apps = self.apps; +- if (apps != nil) +- [table_apps addObjectsFromArray:apps]; +- ++ if (apps != nil) { ++ for (NSArray <NSString *> * row in apps) { ++ [table_apps addObject:row.mutableCopy]; ++ } ++ } + columns = [apps_table tableColumns]; + [[columns objectAtIndex:0] setIdentifier:@"0"]; + [[columns objectAtIndex:1] setIdentifier:@"1"]; +-- +2.17.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index d176f390a4..4f5528f78b 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb @@ -5,6 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0001-test-xtest-Initialize-array-with-braces.patch \ file://sdksyms-no-build-path.patch \ file://0001-drmmode_display.c-add-missing-mi.h-include.patch \ + file://CVE-2022-3550.patch \ + file://CVE-2022-3551.patch \ + file://CVE-2022-3553.patch \ " SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
From: Steve Sakoman <steve@sakoman.com> <CVE-2022-3550> xkb: proof GetCountedString against request length attacks pstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] <CVE-2022-3551> xkb: fix some possible memleaks in XkbGetKbdByName Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2] <CVE-2022-3553> xquartz: Fix a possible crash when editing the Application menu due to mutaing immutable arrays Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3] Signed-off-by:Minjae Kim <flowergom@gmail.com> --- .../xserver-xorg/CVE-2022-3550.patch | 34 +++++++++++ .../xserver-xorg/CVE-2022-3551.patch | 60 +++++++++++++++++++ .../xserver-xorg/CVE-2022-3553.patch | 44 ++++++++++++++ .../xorg-xserver/xserver-xorg_1.20.14.bb | 3 + 4 files changed, 141 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch