From patchwork Fri May 6 08:06:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Pawan X-Patchwork-Id: 7681 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1CA6C433EF for ; Fri, 6 May 2022 08:07:25 +0000 (UTC) Received: from IND01-MA1-obe.outbound.protection.outlook.com (IND01-MA1-obe.outbound.protection.outlook.com [40.107.138.54]) by mx.groups.io with SMTP id smtpd.web12.7015.1651824437098371141 for ; Fri, 06 May 2022 01:07:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kpit.com header.s=selector1 header.b=KN7hmbQW; spf=pass (domain: kpit.com, ip: 40.107.138.54, mailfrom: pawan.badganchi@kpit.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GkCyYx0bMdJnLOrz3Q5Jyo7eJcSGtc0rtpgsvLH5vQ6aw/34YfVTyd/wJVdQKMwyzW4AuSjKt5y15fWj+ECBWIuj3KkdywZkH0G0UDz1xs173zsOtdm+A4mrLVv7Ykkuz+7EGKjnALV0wsi6DybRSAaDonEMUd10p5mc0fmLc1OedEQOFFnyhc702k9h5hXBqSWm17r1qAn9Ak+qditv5RJrv/lEc0Clux4yBj+D6HoHaaER6H/HnSLA4rbr3Vxvwq0uUxomqf0+Ej6Y+ImXsPALVH8mUAb3eHvKxI24/zF7BTksZyt/0LWTKeG6rnRWhus8otzFqYLnc3f0RWejzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0avsyv8EmLwP8gSSZhLj90Jc+9oUhhYqI3f8xq03sPk=; b=AwB0crqXKhWm9P/dMhqwgUuV2yvr8iQ+H0oKs4i/G1tbCNfIrkWDY7xK6cWhgXu9zD/KAxho2X2lhk4bm1QEwtNWdjZEp/GAQPheYLdh/gBb8J7bC11/S2BU/DhTRFNFL3myIfXuBudv6uYTosZ07gRl0kwbESZZYE5FreZfTqAnY+EFD6HGLefBKwJWbnH7cTqDD/hpZt2PO6BZ6E1yxRLepADbQUFk26Efcwo1lpfzX428VRRWUg9d98dbS69jpzMIRhcCmrZDUBwuIpcqDxXbipPUJmxnDzDzts/Tf4XchnQZsC9ix79bgkLOsmIAYr4MWPPRi/Hw4aNTQuZAfg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=kpit.com; dmarc=pass action=none header.from=kpit.com; dkim=pass header.d=kpit.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kpit.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0avsyv8EmLwP8gSSZhLj90Jc+9oUhhYqI3f8xq03sPk=; b=KN7hmbQW8kIDpllLu2hzl87naabdkrTgq+2KoE27hQGqI2cq3UlCI4OX3E2u/gzTJNTyxneQo6FdbDwyMrhC3C4+Q6Ge5AyRalq5qndRMlac5hi7phF/ITNeu6JQzvAKTwT5VBghRoJ2vYtaaqPgMJwN+iVnW+VVo7ESKgr54NU= Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=kpit.com; Received: from MA1PR0101MB1462.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00:28::11) by MAXPR01MB2254.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00:54::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.13; Fri, 6 May 2022 08:07:08 +0000 Received: from MA1PR0101MB1462.INDPRD01.PROD.OUTLOOK.COM ([fe80::6c6a:548b:35fa:55e4]) by MA1PR0101MB1462.INDPRD01.PROD.OUTLOOK.COM ([fe80::6c6a:548b:35fa:55e4%4]) with mapi id 15.20.5206.028; Fri, 6 May 2022 08:07:08 +0000 From: pawan To: openembedded-core@lists.openembedded.org, pawan.badganchi@kpit.com Cc: ranjitsinh.rathod@kpit.com, Pawan Badganchi Subject: [meta][dunfell][PATCH] libinput: Add fix for CVE-2022-1215 Date: Fri, 6 May 2022 13:36:52 +0530 Message-Id: <20220506080652.18787-1-pawan.badganchi@kpit.com> X-Mailer: git-send-email 2.17.1 X-ClientProxiedBy: PN3PR01CA0074.INDPRD01.PROD.OUTLOOK.COM (2603:1096:c01:9a::18) To MA1PR0101MB1462.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00:28::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 7ef81540-7fbc-450b-74fd-08da2f376a33 X-MS-TrafficTypeDiagnostic: MAXPR01MB2254:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: QYCJQACGNhTprk0MsfBht9jv3t06SQPisBVXDpGyn9fDfTmSJkdqXUgPWmIKst3tJLBNUtTuS/I2dmkPY7aSGF/Oat/fTjIJ0vjpJPBdFkA7j1eUdUUj3QAZK8yUpNU6cTNJq9DCKxz5o1sQ0PDw7Q7rfpJyFifvdBgfQn/1oL2Wy48ec3fS3jjOV3qGGl6NysK7KrGGZEzE20wUYC1nJo6rdg3Im0YmwThol1D8aJeap/WGpIkFgrviMLVKg8wt81KUr+aduN3Oic2X3L9OYh6wG2p14X25ERFP3bTEXuGISnh186lFWuuJIBm/QL/MsP+JbA0wiRtYq7FfZlk+2xbenf2/6JLxvGAm9ZiH7Xvl3hQ6y6sATxFp7dvJQvMq5peZjDO7bnhk8+vAuifNhpSBItoEASRRAY8NZko8WIBZmn9GO2h/l+Pa/Ldx5xas+AjYY1uKvuINXnkE6rAtMQm7E6bS/MyOp+DBiTJUTbPAncvy/CpOzrpZBSYziYLmKUS40NV3uJANPVQgKPsSozbdNQCe807KVhZNMF3nwV8oC/f+iWmk56QxMMhx0rDNR48fhoGGiAQD4RJ1JRkYhBf3cwdatM2HUtqW/mkldnbUvpbnQB2blfLt44kCMKJD7rzto/Xun9gbi4AYiwkTtQ== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MA1PR0101MB1462.INDPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230001)(4636009)(366004)(508600001)(316002)(36756003)(83380400001)(5660300002)(4326008)(66556008)(66476007)(6666004)(66946007)(2906002)(6486002)(8936002)(966005)(30864003)(8676002)(6512007)(1076003)(107886003)(6506007)(2616005)(186003)(52116002)(66574015)(38100700002)(86362001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 2 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?g//de49EPKtoOR+Ml5oxtPlrD3l5?= =?utf-8?q?dwM0FhZx/RFzXaAQ3vAVAeL8Jrz7bWkassjOWqhie0AHpJA9V/dAdXMJOIfLOGYdf?= =?utf-8?q?bCDTRxRrjPYwAxTqU0aXhDnEhB9PMWls9s5BqHP5pLzXtuvI4rWYWA5wPe7bUcvPq?= =?utf-8?q?THAEMkC46f+rIy3Lc9/N1Q2E3ECsmC/UD33zOKzzp38Qqy1I8Jb1VzN9x6YQAD5ks?= =?utf-8?q?jNrwjukk0+8pB/2hkhbMuJRoVgss+I4+DfwNJkR36G2L5b7wuQ6LiQGQmZN27YPKj?= =?utf-8?q?KtZupSkkXOLXqTWIRW7cqtCQFYlygSD5KicNK3RXrbCMT+fSICK2Og45mOF0muUnB?= =?utf-8?q?IaVf6AN3m8pxcYvdUxhrEVMJX5BJLmMhM94HPjcQTbBxqe+kJ9B658g4v7Y7/42dT?= =?utf-8?q?x1k9clBRNPFBOHzEMXWJxtW6NDUwYQ+FHZDzFAZ3reV3x9QmlMd/0Z4uCbbPw1V+Y?= =?utf-8?q?ATBYz7WjKuVlqbrF7AuOqFEjfSaMNYHxgRgDmh3DmHc+Ws6x+nZflPxypB+Ptkmk5?= =?utf-8?q?KI9xO+JRKBnhENxfxsuUgeP30F0VBnIMeLeogY0b/HPwFT+RO9N1PkA0FyzvnNYij?= =?utf-8?q?2lQZKhaciYUaLo4L4ZE1gioplZzjPMUL0wDDO0+0q6HQEB7kBOH7odrervRP9h+r9?= =?utf-8?q?NINGNL2QOAvnC+TOIVmdbBWV4qINVMHubFPFGHPbgEulPAVbfzYXQfxr87Dy5vN0E?= =?utf-8?q?Rb2X92mLeBljc7wY7LtyYbsQyFdyum8YE1Zycy7JywV6L7oaTa6cFr9IEPtFeiTec?= =?utf-8?q?2ujR+3EiSM66CGvbtqoWy8bESquCVpvfsrSRJimRaOgz1udejAsuk27GcIK8nx8qr?= =?utf-8?q?k8OdeUSR1tndOgaIR7mZskIxHzyBu37UvTftnvChSM6BAjYL2WqkLbPdBHg5/RmPa?= =?utf-8?q?4UQ2EoYnj4oMzAh2ZixJ3mlHvhpNuQh9sxffz2ISOetpx9IFUfJAVpP0dndF+85eH?= =?utf-8?q?rODDir0dFhzsivJd8jOP4mHHqeW/H7zN8xGwtDzInJvpHPwDcEAxTf7IcRu0EjXaK?= =?utf-8?q?WF5wXxmYdcc+FYMMXvh+5xalPTZhgel03YXbTz+EAIso07GQJwzuZJ+8+5H47/Hob?= =?utf-8?q?VLnO3fiJL9YPEIntM1vhPHEFjIOphDEYas322agLZ1a+M/+LqMw/sQKlDmhICQ8IO?= =?utf-8?q?yf3lZWpz5Qt5RmCLaeyvEHS7nBAdG5J5h21in27IXsBlbzqN/3DU7qjPg0T3XT1iR?= =?utf-8?q?jboDdbt3h690o3iPTRAGVyzuUFwIuoF+oZqUSSf+cggl7vMgwh60UnOWZlgz2TM0V?= =?utf-8?q?Ln1Zkh4NZPJHGfn4lsWziVAY6UEPlku926eYDsuNBJLmOYinU5EhBBTUP7U29FFBb?= =?utf-8?q?qnmrjzdk6sXPo7sxhrdr3E9jhwm2tuhbG8fpKym4kaFXIE2XYFmhr4VY4t8S76doF?= =?utf-8?q?8u/hCuIv4V3U64qyLwJP1UfjNSGSvmhcgunsqmeAMyphBuL/69hkyXTDF0kI6a1yy?= =?utf-8?q?1y6LBR/o0F7E1mWFO+naT4NU0zSRSRXrZrGxSEa7vAVX+uhXsIJtfJlSJ0t+U0IMf?= =?utf-8?q?VD75s/FjADbTPQRCNFG5Yhp24F1UjN6LNPQGGEl0QaMxiIfTr4D7lvL67md+LBkpK?= =?utf-8?q?Aop+kKy3FYZl/XMXpplSsfvZpWVRe/Fpj18v4+CnzmzLtLzeRsBVfqQPbIsQKd5tY?= =?utf-8?q?LwlN10vsRnUvFjWVuxEk4GhPYAiQ7wLLocYi5leGRvg64N4oAvVkJGanC61q0FNXA?= =?utf-8?q?UHX+dDbceRIYDKgs/?= X-MS-Exchange-AntiSpam-MessageData-1: SHuxw+aiFAcKhA== X-OriginatorOrg: kpit.com X-MS-Exchange-CrossTenant-Network-Message-Id: 7ef81540-7fbc-450b-74fd-08da2f376a33 X-MS-Exchange-CrossTenant-AuthSource: MA1PR0101MB1462.INDPRD01.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 08:07:08.2028 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3539451e-b46e-4a26-a242-ff61502855c7 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: x+va+63yTlD66wf1qHeA/A4wrf/JjX1mGOjh2kxngLwUNsiUOCGBT3F7x9XvB2lz3PYt47bga0CimtYEcp6J+g== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MAXPR01MB2254 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 May 2022 08:07:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165333 From: Pawan Badganchi Add below patch to fix CVE-2022-1215 CVE-2022-1215.patch Link: https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28 Signed-off-by: Pawan Badganchi --- .../wayland/libinput/CVE-2022-1215.patch | 361 ++++++++++++++++++ .../wayland/libinput_1.15.2.bb | 1 + 2 files changed, 362 insertions(+) create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch new file mode 100644 index 0000000000..5f8f7a9894 --- /dev/null +++ b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch @@ -0,0 +1,361 @@ +From 2a8b8fde90d63d48ce09ddae44142674bbca1c28 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 30 Mar 2022 09:25:22 +1000 +Subject: [PATCH] evdev: strip the device name of format directives +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes a format string vulnerabilty. + +evdev_log_message() composes a format string consisting of a fixed +prefix (including the rendered device name) and the passed-in format +buffer. This format string is then passed with the arguments to the +actual log handler, which usually and eventually ends up being printf. + +If the device name contains a printf-style format directive, these ended +up in the format string and thus get interpreted correctly, e.g. for a +device "Foo%sBar" the log message vs printf invocation ends up being: + evdev_log_message(device, "some message %s", "some argument"); + printf("event9 - Foo%sBar: some message %s", "some argument"); + +This can enable an attacker to execute malicious code with the +privileges of the process using libinput. + +To exploit this, an attacker needs to be able to create a kernel device +with a malicious name, e.g. through /dev/uinput or a Bluetooth device. + +To fix this, convert any potential format directives in the device name +by duplicating percentages. + +Pre-rendering the device to avoid the issue altogether would be nicer +but the current log level hooks do not easily allow for this. The device +name is the only user-controlled part of the format string. + +A second potential issue is the sysname of the device which is also +sanitized. + +This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from +Assured AB, and independently by Lukas Lamster. + +Fixes #752 + +Signed-off-by: Peter Hutterer +(cherry picked from commit a423d7d3269dc32a87384f79e29bb5ac021c83d1) + +CVE: CVE-2022-1215 +Upstream Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28] +Signed-off-by: Pawan Badganchi + +--- + meson.build | 1 + + src/evdev.c | 31 +++++++++++------ + src/evdev.h | 6 ++-- + src/util-strings.h | 30 ++++++++++++++++ + test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++ + test/litest.h | 1 + + test/test-utils.c | 26 ++++++++++++++ + 7 files changed, 139 insertions(+), 12 deletions(-) + create mode 100644 test/litest-device-format-string.c + +diff --git a/meson.build b/meson.build +index 90f528e6..1f6159e7 100644 +--- a/meson.build ++++ b/meson.build +@@ -787,6 +787,7 @@ + 'test/litest-device-dell-canvas-totem-touch.c', + 'test/litest-device-elantech-touchpad.c', + 'test/litest-device-elan-tablet.c', ++ 'test/litest-device-format-string.c', + 'test/litest-device-generic-singletouch.c', + 'test/litest-device-gpio-keys.c', + 'test/litest-device-huion-pentablet.c', +diff --git a/src/evdev.c b/src/evdev.c +index 6d81f58f..d1c35c07 100644 +--- a/src/evdev.c ++++ b/src/evdev.c +@@ -2356,19 +2356,19 @@ evdev_device_create(struct libinput_seat *seat, + struct libinput *libinput = seat->libinput; + struct evdev_device *device = NULL; + int rc; +- int fd; ++ int fd = -1; + int unhandled_device = 0; + const char *devnode = udev_device_get_devnode(udev_device); +- const char *sysname = udev_device_get_sysname(udev_device); ++ char *sysname = str_sanitize(udev_device_get_sysname(udev_device)); + + if (!devnode) { + log_info(libinput, "%s: no device node associated\n", sysname); +- return NULL; ++ goto err; + } + + if (udev_device_should_be_ignored(udev_device)) { + log_debug(libinput, "%s: device is ignored\n", sysname); +- return NULL; ++ goto err; + } + + /* Use non-blocking mode so that we can loop on read on +@@ -2382,13 +2382,15 @@ evdev_device_create(struct libinput_seat *seat, + sysname, + devnode, + strerror(-fd)); +- return NULL; ++ goto err; + } + + if (!evdev_device_have_same_syspath(udev_device, fd)) + goto err; + + device = zalloc(sizeof *device); ++ device->sysname = sysname; ++ sysname = NULL; + + libinput_device_init(&device->base, seat); + libinput_seat_ref(seat); +@@ -2411,6 +2413,9 @@ evdev_device_create(struct libinput_seat *seat, + device->dispatch = NULL; + device->fd = fd; + device->devname = libevdev_get_name(device->evdev); ++ /* the log_prefix_name is used as part of a printf format string and ++ * must not contain % directives, see evdev_log_msg */ ++ device->log_prefix_name = str_sanitize(device->devname); + device->scroll.threshold = 5.0; /* Default may be overridden */ + device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */ + device->scroll.direction = 0; +@@ -2238,9 +2238,14 @@ + return device; + + err: +- close_restricted(libinput, fd); +- if (device) +- evdev_device_destroy(device); ++ if (fd >= 0) { ++ close_restricted(libinput, fd); ++ if (device) { ++ unhandled_device = device->seat_caps == 0; ++ evdev_device_destroy(device); ++ } ++ } ++ free(sysname); + + return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL; + } + +@@ -2469,7 +2478,7 @@ evdev_device_get_output(struct evdev_device *device) + const char * + evdev_device_get_sysname(struct evdev_device *device) + { +- return udev_device_get_sysname(device->udev_device); ++ return device->sysname; + } + + const char * +@@ -3066,6 +3075,8 @@ evdev_device_destroy(struct evdev_device *device) + if (device->base.group) + libinput_device_group_unref(device->base.group); + ++ free(device->log_prefix_name); ++ free(device->sysname); + free(device->output_name); + filter_destroy(device->pointer.filter); + libinput_timer_destroy(&device->scroll.timer); +diff --git a/src/evdev.h b/src/evdev.h +index c7d130f8..980c5943 100644 +--- a/src/evdev.h ++++ b/src/evdev.h +@@ -169,6 +169,8 @@ struct evdev_device { + struct udev_device *udev_device; + char *output_name; + const char *devname; ++ char *log_prefix_name; ++ char *sysname; + bool was_removed; + int fd; + enum evdev_device_seat_capability seat_caps; +@@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device, + sizeof(buf), + "%-7s - %s%s%s", + evdev_device_get_sysname(device), +- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "", ++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "", + (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "", + format); + +@@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device, + sizeof(buf), + "%-7s - %s%s%s", + evdev_device_get_sysname(device), +- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "", ++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "", + (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "", + format); + +diff --git a/src/util-strings.h b/src/util-strings.h +index 2a15fab3..d5a84146 100644 +--- a/src/util-strings.h ++++ b/src/util-strings.h +@@ -42,6 +42,7 @@ + #ifdef HAVE_XLOCALE_H + #include + #endif ++#include "util-macros.h" + + #define streq(s1, s2) (strcmp((s1), (s2)) == 0) + #define strneq(s1, s2, n) (strncmp((s1), (s2), (n)) == 0) +@@ -312,3 +313,31 @@ + free(result); + return -1; + } ++ ++/** ++ * Return a copy of str with all % converted to %% to make the string ++ * acceptable as printf format. ++ */ ++static inline char * ++str_sanitize(const char *str) ++{ ++ if (!str) ++ return NULL; ++ ++ if (!strchr(str, '%')) ++ return strdup(str); ++ ++ size_t slen = min(strlen(str), 512); ++ char *sanitized = zalloc(2 * slen + 1); ++ const char *src = str; ++ char *dst = sanitized; ++ ++ for (size_t i = 0; i < slen; i++) { ++ if (*src == '%') ++ *dst++ = '%'; ++ *dst++ = *src++; ++ } ++ *dst = '\0'; ++ ++ return sanitized; ++} +diff --git a/test/litest-device-format-string.c b/test/litest-device-format-string.c +new file mode 100644 +index 00000000..aed15db4 +--- /dev/null ++++ b/test/litest-device-format-string.c +@@ -0,0 +1,56 @@ ++ ++/* ++ * Copyright © 2013 Red Hat, Inc. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++ ++#include "config.h" ++ ++#include "litest.h" ++#include "litest-int.h" ++ ++static struct input_id input_id = { ++ .bustype = 0x3, ++ .vendor = 0x0123, ++ .product = 0x0456, ++}; ++ ++static int events[] = { ++ EV_KEY, BTN_LEFT, ++ EV_KEY, BTN_RIGHT, ++ EV_KEY, BTN_MIDDLE, ++ EV_REL, REL_X, ++ EV_REL, REL_Y, ++ EV_REL, REL_WHEEL, ++ EV_REL, REL_WHEEL_HI_RES, ++ -1 , -1, ++}; ++ ++TEST_DEVICE("mouse-format-string", ++ .type = LITEST_MOUSE_FORMAT_STRING, ++ .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL, ++ .interface = NULL, ++ ++ .name = "Evil %s %d %x Mouse %p %", ++ .id = &input_id, ++ .absinfo = NULL, ++ .events = events, ++) +diff --git a/test/litest.h b/test/litest.h +index 4982e516..1b1daa90 100644 +--- a/test/litest.h ++++ b/test/litest.h +@@ -303,6 +303,7 @@ + LITEST_ALPS_3FG, + LITEST_ELAN_TABLET, + LITEST_ABSINFO_OVERRIDE, ++ LITEST_MOUSE_FORMAT_STRING, + }; + + #define LITEST_DEVICELESS -2 +diff --git a/test/test-utils.c b/test/test-utils.c +index 989adecd..e80754be 100644 +--- a/test/test-utils.c ++++ b/test/test-utils.c +@@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test) + } + END_TEST + ++START_TEST(strsanitize_test) ++{ ++ struct strsanitize_test { ++ const char *string; ++ const char *expected; ++ } tests[] = { ++ { "foobar", "foobar" }, ++ { "", "" }, ++ { "%", "%%" }, ++ { "%%%%", "%%%%%%%%" }, ++ { "x %s", "x %%s" }, ++ { "x %", "x %%" }, ++ { "%sx", "%%sx" }, ++ { "%s%s", "%%s%%s" }, ++ { NULL, NULL }, ++ }; ++ ++ for (struct strsanitize_test *t = tests; t->string; t++) { ++ char *sanitized = str_sanitize(t->string); ++ ck_assert_str_eq(sanitized, t->expected); ++ free(sanitized); ++ } ++} ++END_TEST ++ + START_TEST(list_test_insert) + { + struct list_test { +@@ -1138,6 +1138,7 @@ + tcase_add_test(tc, strsplit_test); + tcase_add_test(tc, kvsplit_double_test); + tcase_add_test(tc, strjoin_test); ++ tcase_add_test(tc, strsanitize_test); + tcase_add_test(tc, time_conversion); + + tcase_add_test(tc, list_test_insert); + +-- +GitLab + diff --git a/meta/recipes-graphics/wayland/libinput_1.15.2.bb b/meta/recipes-graphics/wayland/libinput_1.15.2.bb index 810532774e..d7927d132a 100644 --- a/meta/recipes-graphics/wayland/libinput_1.15.2.bb +++ b/meta/recipes-graphics/wayland/libinput_1.15.2.bb @@ -14,6 +14,7 @@ DEPENDS = "libevdev udev mtdev" SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \ file://determinism.patch \ + file://CVE-2022-1215.patch \ " SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643" SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747"