Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server')
8 files changed, 417 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff
new file mode 100644
index 000000000..8c0e3b546
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff
@@ -0,0 +1,14 @@
+diff -Nur xorg-server-1.12.1.orig/dix/window.c xorg-server-1.12.1/dix/window.c
+--- xorg-server-1.12.1.orig/dix/window.c 2012-03-29 21:57:25.000000000 -0500
++++ xorg-server-1.12.1/dix/window.c 2012-04-13 22:01:24.456073603 -0500
+@@ -145,8 +145,8 @@
+ 
+ Bool bgNoneRoot = FALSE;
+ 
+-static unsigned char _back_lsb[4] = { 0x88, 0x22, 0x44, 0x11 };
+-static unsigned char _back_msb[4] = { 0x11, 0x44, 0x22, 0x88 };
++static unsigned char _back_lsb[4] = { 0x00, 0x00, 0x00, 0x00 };
++static unsigned char _back_msb[4] = { 0x00, 0x00, 0x00, 0x00 };
+ 
+ static Bool WindowParentHasDeviceCursor(WindowPtr pWin,
+ DeviceIntPtr pDev, CursorPtr pCurs);
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff
new file mode 100644
index 000000000..3d38e6fdf
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff
@@ -0,0 +1,12 @@
+--- ./hw/xfree86/os-support/shared/posix_tty.c.orig 2012-05-17 12:09:03.000000000 -0500
++++ ./hw/xfree86/os-support/shared/posix_tty.c 2013-04-18 17:50:29.790140871 -0500
+@@ -421,7 +421,8 @@
+ {
+ fd_set fds;
+ struct timeval timeout;
+- char c[4];
++ /* this needs to be big enough to flush an evdev event. */
++ char c[256];
+ 
+ DebugF("FlushingSerial\n");
+ if (tcflush(fd, TCIFLUSH) == 0)
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff
new file mode 100644
index 000000000..14c31782f
--- /dev/null
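Review bot: The new x11.startwithblackscreen.diff carries no header saying what it changes or why, whereas the six CVE patches in this commit embed the upstream commit message above their hunks. A one-line preamble before the `diff -Nur` line, such as `# Zero the _back_lsb/_back_msb byte patterns in dix/window.c so the root window presumably starts black instead of with the default pattern`, would make the purpose of the four 0x00 constants visible without reading the filename. The same gap exists in xorg-server.CVE-2013-1940.diff, which is also missing a provenance line.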
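Review bot: Enlarging `c` to 256 bytes only changes behaviour if the `read()` later in this function is sized by `sizeof(c)` rather than a literal 4; that call is outside the hunk, so confirm it before relying on this patch to drain a whole evdev event. The function whose locals are shown here starts before the hunk and ends after it. Unlike the other CVE patches in the set this one has no From/Subject header, so a line such as `# CVE-2013-1940: enlarge the flush buffer in posix_tty.c so a complete evdev event is drained` above the first `---` line would record where it comes from.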
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff 
@@ -0,0 +1,73 @@
+From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib at gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+ 
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+ 
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff
new file mode 100644
index 000000000..00ed28ac3
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff
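Review bot: `old_closure` is declared uninitialised and only assigned after the `goto bail` at the top of the second hunk (which appears to be the failed `new_closure` allocation), so that error path runs with it unset; the path never reads it, but initialising at the declaration, `ITclosurePtr old_closure = c;`, removes the dependence on statement order and lets each of the three `c = old_closure;` resets be understood without checking what precedes it. The separate `old_closure = c;` line in the second hunk could then be dropped. The rest of doImageText, including the `bail:` label that reads `c` after the reset, is outside the hunks shown.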
@@ -0,0 +1,40 @@
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+ 
+ eventP = (xEvent *) &stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
++ if (eventP->u.u.type == GenericEvent) {
++ client->errorValue = eventP->u.u.type;
++ return BadValue;
++ }
++
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
++ /* no swapping proc; invalid event type? */
++ if (proc == NotImplemented) {
++ client->errorValue = eventP->u.u.type;
+ return BadValue;
++ }
+ (*proc) (eventP, &eventT);
+ *eventP = eventT;
+ }
+--
+cgit v0.10.2
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff
new file mode 100644
index 000000000..edddc8d66
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff
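Review bot: The loop still uses the client-supplied `stuff->num_events` as the bound for walking `eventP`, and nothing in the hunk ties that count to the request length; SProcXSendExtensionEvent begins before the hunk, so confirm that a length check covering `num_events * sizeof(xEvent)` precedes this loop. The reason for rejecting GenericEvent lives only in the commit message, and a reader of sendexev.c alone will not see why one event type is singled out before the table lookup; a comment on the new check keeps the rationale with the code: `/* GenericEvent is variable-length; the swap procs below are handed a fixed xEvent, so refuse it before indexing EventSwapVector */`.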
@@ -0,0 +1,36 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+ 
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
new file mode 100644
index 000000000..9caf31247
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
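Review bot: The designated initialiser `xEvent eventT = { .u.u.type = 0 };` zero-fills the entire struct, but someone reading sendexev.c will see a temporary that a swap proc is about to overwrite and may later "simplify" it back to an uninitialised declaration; the reason belongs next to the line, not only in the commit message. Add above it `/* zero-fill: some swap procs leave part of the 32-byte event untouched, so stale stack bytes must not be copied back to the client */`. SProcXSendExtensionEvent continues past the hunk, where `eventT` is filled and copied.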
@@ -0,0 +1,31 @@
+From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 8b371b6..176c7a0 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
+ prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+ auth_proto = (char *) prefix + sz_xConnClientPrefix;
+ auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+- if ((prefix->majorVersion != X_PROTOCOL) ||
++
++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++ pad_to_int32(prefix->nbytesAuthProto) +
++ pad_to_int32(prefix->nbytesAuthString))
++ reason = "Bad length";
++ else if ((prefix->majorVersion != X_PROTOCOL) ||
+ (prefix->minorVersion != X_PROTOCOL_REVISION))
+ reason = "Protocol version mismatch";
+ else
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff
new file mode 100644
index 000000000..b88ba950e
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff
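Review bot: The new length check runs after `auth_proto` and `auth_string` have already been derived from the client-supplied `prefix->nbytesAuthProto`, which is only safe because neither pointer is dereferenced before `reason` is presumably acted on further down; that ordering constraint is invisible in the code and deserves a comment above the `if`, e.g. `/* validate the total length before any byte of the auth strings is read: both pointers above come from client-supplied counts */`. The part of ProcEstablishConnection that consumes `reason` and the auth data is outside the hunk, so confirm nothing between this check and that point touches `auth_proto` or `auth_string`. Reading `prefix->majorVersion` and the two counts is fine here since `prefix` itself lies within the fixed-size part the earlier code must already have validated — worth confirming as the function starts before the hunk.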
@@ -0,0 +1,95 @@
+From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 11:43:05 -0500
+Subject: xfixes: unvalidated lengths (CVE-2017-12183)
+
+v2: Use before swap (Jeremy Huddleston Sequoia)
+
+v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index c1ab3be..dc447ed 100644
+--- a/xfixes/cursor.c
++++ b/xfixes/cursor.c
+@@ -281,6 +281,7 @@ int _X_COLD
+ SProcXFixesSelectCursorInput(ClientPtr client)
+ {
+ REQUEST(xXFixesSelectCursorInputReq);
++ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
+ 
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
+ REQUEST(xXFixesSetCursorNameReq);
+ Atom atom;
+ 
+- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
++ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
+ VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
+ tchar = (char *) &stuff[1];
+ atom = MakeAtom(tchar, stuff->nbytes, TRUE);
+@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+ int i;
+ CARD16 *in_devices = (CARD16 *) &stuff[1];
+ 
++ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+diff --git a/xfixes/region.c b/xfixes/region.c
+index e773701..7c0a7d2 100644
+--- a/xfixes/region.c
++++ b/xfixes/region.c
+@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
+ RegionPtr pSource, pDestination;
+ 
+ REQUEST(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ 
+ VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
+ VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
+@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
+ REQUEST(xXFixesCopyRegionReq);
+ 
+ swaps(&stuff->length);
+- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ swapl(&stuff->source);
+ swapl(&stuff->destination);
+ return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
+diff --git a/xfixes/saveset.c b/xfixes/saveset.c
+index 2043153..fd9c7a1 100644
+--- a/xfixes/saveset.c
++++ b/xfixes/saveset.c
+@@ -62,6 +62,7 @@ int _X_COLD
+ SProcXFixesChangeSaveSet(ClientPtr client)
+ {
+ REQUEST(xXFixesChangeSaveSetReq);
++ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
+ 
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
+index 77efd64..248bf02 100644
+--- a/xfixes/xfixes.c
++++ b/xfixes/xfixes.c
+@@ -160,6 +160,7 @@ static _X_COLD int
+ SProcXFixesQueryVersion(ClientPtr client)
+ {
+ REQUEST(xXFixesQueryVersionReq);
++ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
+ 
+ swaps(&stuff->length);
+ swapl(&stuff->majorVersion);
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff
new file mode 100644
index 000000000..6e37be485
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff
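Review bot: `REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes)` in ProcXFixesSetCursorName is only a correct bound if `stuff->nbytes` is already in host byte order, i.e. if the swapped-client entry point byte-swapped it before dispatching here; SProcXFixesSetCursorName is not touched by this patch, so confirm it does. The `REQUEST_SIZE_MATCH`/`REQUEST_AT_LEAST_SIZE` checks added to the four SProc functions are placed before `swaps(&stuff->length)`, which is right provided those macros compare against `client->req_len` (already host order) rather than the still-swapped `stuff->length`; a one-line comment in SProcXFixesCreatePointerBarrier, where the ordering is least obvious, would stop a later reader from "fixing" it: `/* req_len is host order; validate before reading any stuff-> field */`. In SProcXFixesCopyRegion the check already sits after the swap, so the mixed placement across the patch is another reason to document it.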
@@ -0,0 +1,116 @@
+From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Thu, 27 Jul 2017 10:08:32 -0700
+Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723)
+
+Generating strings for XKB data used a single shared static buffer,
+which offered several opportunities for errors. Use a ring of
+resizable buffers instead, to avoid problems when strings end up
+longer than anticipated.
+
+Reviewed-by: Michal Srb <msrb@suse.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index ead2b1a..d2a2567 100644
+--- a/xkb/xkbtext.c
++++ b/xkb/xkbtext.c
+@@ -47,23 +47,27 @@
+ 
+ /***====================================================================***/
+ 
+-#define BUFFER_SIZE 512
+-
+static char textBuffer[BUFFER_SIZE];
+static int tbNext = 0;
++#define NUM_BUFFER 8
++static struct textBuffer {
++ int size;
++ char *buffer;
++} textBuffer[NUM_BUFFER];
++static int textBufferIndex;
+ 
+ static char *
+ tbGetBuffer(unsigned size)
+ {
+- char *rtrn;
++ struct textBuffer *tb;
+ 
+- if (size >= BUFFER_SIZE)
+- return NULL;
+- if ((BUFFER_SIZE - tbNext) <= size)
+- tbNext = 0;
+- rtrn = &textBuffer[tbNext];
+- tbNext += size;
+- return rtrn;
++ tb = &textBuffer[textBufferIndex];
++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER;
++
++ if (size > tb->size) {
++ free(tb->buffer);
++ tb->buffer = xnfalloc(size);
++ tb->size = size;
++ }
++ return tb->buffer;
+ }
+ 
+ /***====================================================================***/
+@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format)
+ int len;
+ 
+ len = strlen(atmstr) + 1;
+- if (len > BUFFER_SIZE)
+- len = BUFFER_SIZE - 2;
+ rtrn = tbGetBuffer(len);
+ strlcpy(rtrn, atmstr, len);
+ }
+@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+ len = strlen(tmp) + 1;
+ if (format == XkbCFile)
+ len += 4;
+- if (len >= BUFFER_SIZE)
+- len = BUFFER_SIZE - 1;
+ rtrn = tbGetBuffer(len);
+ if (format == XkbCFile) {
+ strcpy(rtrn, "vmod_");
+@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+ return rtrn;
+ }
+ 
++#define VMOD_BUFFER_SIZE 512
++
+ char *
+ XkbVModMaskText(XkbDescPtr xkb,
+ unsigned modMask, unsigned mask, unsigned format)
+@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+ register int i, bit;
+ int len;
+ char *mm, *rtrn;
+- char *str, buf[BUFFER_SIZE];
++ char *str, buf[VMOD_BUFFER_SIZE];
+ 
+ if ((modMask == 0) && (mask == 0)) {
+ rtrn = tbGetBuffer(5);
+@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+ if (format == XkbCFile)
+ len += 4;
+- if ((str - (buf + len)) <= BUFFER_SIZE) {
++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = 0;
+ if (str)
+ len += strlen(str) + (mm == NULL ? 0 : 1);
+- if (len >= BUFFER_SIZE)
+- len = BUFFER_SIZE - 1;
+ rtrn = tbGetBuffer(len + 1);
+ rtrn[0] = '\0';
+ 
+--
+cgit v0.10.2
+
+
|
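Review bot: As shown here, the `static char textBuffer[BUFFER_SIZE];` and `static int tbNext = 0;` lines of the first xkbtext.c hunk carry no `-` marker even though the hunk counts (`-47,23 +47,27`) only add up if both are removals; if the committed .diff really lacks the markers rather than the page having lost them, `patch` will reject that hunk, so the file should be checked byte-for-byte before it ships. In tbGetBuffer, `if (size > tb->size)` compares the `unsigned size` parameter with the `int size` member, which `-Wsign-compare` flags; declaring the member `unsigned size;` keeps the two consistent. The ring also has an unstated contract — a result from the Xkb*Text functions stays valid only until NUM_BUFFER further tbGetBuffer calls, after which the slot is reused or reallocated — which belongs next to the constant: `/* a returned string lives until NUM_BUFFER more tbGetBuffer calls; callers that hold more must copy */`. `xnfalloc` looks like the no-fail variant that aborts instead of returning NULL, which is why no caller in these hunks checks the result; saying so in the same comment would keep a future maintainer from adding pointless NULL checks or, worse, assuming the old `return NULL` path still exists.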