Hello community,
here is the log from the commit of package xorg-x11-server for openSUSE:Factory
checked in at 2020-12-03 18:41:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
and /work/SRC/openSUSE:Factory/.xorg-x11-server.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server"
Thu Dec 3 18:41:42 2020 rev:388 rq:852408 version:1.20.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes
2020-10-07 14:16:38.337397530 +0200
+++
/work/SRC/openSUSE:Factory/.xorg-x11-server.new.5913/xorg-x11-server.changes
2020-12-03 18:43:05.690186707 +0100
@@ -1,0 +2,14 @@
+Tue Dec 1 16:39:02 UTC 2020 - Stefan Dirsch <[email protected]>
+
+- U_Check-SetMap-request-length-carefully.patch
+ * XkbSetMap Out-Of-Bounds Access: Insufficient checks on the
+ lengths of the XkbSetMap request can lead to out of bounds
+ memory accesses in the X server. (ZDI-CAN 11572,
+ CVE-2020-14360, bsc#1174908)
+- U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch
+ * XkbSetDeviceInfo Heap-based Buffer Overflow: Insufficient
+ checks on input of the XkbSetDeviceInfo request can lead to a
+ buffer overflow on the head in the X server. (ZDI-CAN 11389,
+ CVE-2020-25712, bsc#1177596)
+
+-------------------------------------------------------------------
New:
----
U_Check-SetMap-request-length-carefully.patch
U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.bUxg1M/_old 2020-12-03 18:43:07.130188609 +0100
+++ /var/tmp/diff_new_pack.bUxg1M/_new 2020-12-03 18:43:07.134188614 +0100
@@ -258,6 +258,9 @@
Patch1803: U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch
Patch1804: U_Revert-linux-Make-platform-device-probe-less-fragile.patch
+Patch1901: U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch
+Patch1902: U_Check-SetMap-request-length-carefully.patch
+
%description
This package contains the X.Org Server.
@@ -412,6 +415,8 @@
%patch1802 -p1
%patch1803 -p1
%patch1804 -p1
+%patch1901 -p1
+%patch1902 -p1
%build
%define _lto_cflags %{nil}
++++++ U_Check-SetMap-request-length-carefully.patch ++++++
From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <[email protected]>
Date: Thu, 12 Nov 2020 19:15:07 +0100
Subject: [PATCH] Check SetMap request length carefully.
Avoid out of bounds memory accesses on too short request.
ZDI-CAN 11572 / CVE-2020-14360
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <[email protected]>
---
xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
Index: xserver-1.20.9/xkb/xkb.c
===================================================================
--- xserver-1.20.9.orig/xkb/xkb.c
+++ xserver-1.20.9/xkb/xkb.c
@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
return (char *) wire;
}
+#define _add_check_len(new) \
+ if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
+ else len += new
+
+/**
+ * Check the length of the SetMap request
+ */
+static int
+_XkbSetMapCheckLength(xkbSetMapReq *req)
+{
+ size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
+ xkbKeyTypeWireDesc *keytype;
+ xkbSymMapWireDesc *symmap;
+ BOOL preserve;
+ int i, map_count, nSyms;
+
+ if (req_len < len)
+ goto bad;
+ /* types */
+ if (req->present & XkbKeyTypesMask) {
+ keytype = (xkbKeyTypeWireDesc *)(req + 1);
+ for (i = 0; i < req->nTypes; i++) {
+ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
+ if (req->flags & XkbSetMapResizeTypes) {
+ _add_check_len(keytype->nMapEntries
+ * sz_xkbKTSetMapEntryWireDesc);
+ preserve = keytype->preserve;
+ map_count = keytype->nMapEntries;
+ if (preserve) {
+ _add_check_len(map_count * sz_xkbModsWireDesc);
+ }
+ keytype += 1;
+ keytype = (xkbKeyTypeWireDesc *)
+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
+ if (preserve)
+ keytype = (xkbKeyTypeWireDesc *)
+ ((xkbModsWireDesc *)keytype + map_count);
+ }
+ }
+ }
+ /* syms */
+ if (req->present & XkbKeySymsMask) {
+ symmap = (xkbSymMapWireDesc *)((char *)req + len);
+ for (i = 0; i < req->nKeySyms; i++) {
+ _add_check_len(sz_xkbSymMapWireDesc);
+ nSyms = symmap->nSyms;
+ _add_check_len(nSyms*sizeof(CARD32));
+ symmap += 1;
+ symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
+ }
+ }
+ /* actions */
+ if (req->present & XkbKeyActionsMask) {
+ _add_check_len(req->totalActs * sz_xkbActionWireDesc
+ + XkbPaddedSize(req->nKeyActs));
+ }
+ /* behaviours */
+ if (req->present & XkbKeyBehaviorsMask) {
+ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
+ }
+ /* vmods */
+ if (req->present & XkbVirtualModsMask) {
+ _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
+ }
+ /* explicit */
+ if (req->present & XkbExplicitComponentsMask) {
+ /* two bytes per non-zero explicit componen */
+ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
+ }
+ /* modmap */
+ if (req->present & XkbModifierMapMask) {
+ /* two bytes per non-zero modmap component */
+ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
+ }
+ /* vmodmap */
+ if (req->present & XkbVirtualModMapMask) {
+ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
+ }
+ if (len == req_len)
+ return Success;
+bad:
+ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
+ len, req_len);
+ return BadLength;
+}
+
+
/**
* Check if the given request can be applied to the given device but don't
* actually do anything..
@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
+ /* first verify the request length carefully */
+ rc = _XkbSetMapCheckLength(stuff);
+ if (rc != Success)
+ return rc;
+
tmp = (char *) &stuff[1];
/* Check if we can to the SetMap on the requested device. If this
++++++ U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch ++++++
From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <[email protected]>
Date: Sun, 11 Oct 2020 17:05:09 +0200
Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap
overflows
ZDI-CAN 11389 / CVE-2020-25712
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <[email protected]>
---
xkb/xkb.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
Index: xserver-1.20.9/xkb/xkb.c
===================================================================
--- xserver-1.20.9.orig/xkb/xkb.c
+++ xserver-1.20.9/xkb/xkb.c
@@ -6533,7 +6533,9 @@ SetDeviceIndicators(char *wire,
unsigned changed,
int num,
int *status_rtrn,
- ClientPtr client, xkbExtensionDeviceNotify * ev)
+ ClientPtr client,
+ xkbExtensionDeviceNotify * ev,
+ xkbSetDeviceInfoReq * stuff)
{
xkbDeviceLedsWireDesc *ledWire;
int i;
@@ -6554,6 +6556,11 @@ SetDeviceIndicators(char *wire,
xkbIndicatorMapWireDesc *mapWire;
XkbSrvLedInfoPtr sli;
+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
+ *status_rtrn = BadLength;
+ return (char *) ledWire;
+ }
+
namec = mapc = statec = 0;
sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
XkbXI_IndicatorMapsMask);
@@ -6572,6 +6579,10 @@ SetDeviceIndicators(char *wire,
memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
if (ledWire->namesPresent & bit) {
+ if (!_XkbCheckRequestBounds(client, stuff, atomWire,
atomWire + 1)) {
+ *status_rtrn = BadLength;
+ return (char *) atomWire;
+ }
sli->names[n] = (Atom) *atomWire;
if (sli->names[n] == None)
ledWire->namesPresent &= ~bit;
@@ -6589,6 +6600,10 @@ SetDeviceIndicators(char *wire,
if (ledWire->mapsPresent) {
for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
if (ledWire->mapsPresent & bit) {
+ if (!_XkbCheckRequestBounds(client, stuff, mapWire,
mapWire + 1)) {
+ *status_rtrn = BadLength;
+ return (char *) mapWire;
+ }
sli->maps[n].flags = mapWire->flags;
sli->maps[n].which_groups = mapWire->whichGroups;
sli->maps[n].groups = mapWire->groups;
@@ -6668,7 +6683,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
ed.deviceID = dev->id;
wire = (char *) &stuff[1];
if (stuff->change & XkbXI_ButtonActionsMask) {
- int nBtns, sz, i;
+ int nBtns, sz, i;
XkbAction *acts;
DeviceIntPtr kbd;
@@ -6680,7 +6695,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
return BadAlloc;
dev->button->xkb_acts = acts;
}
+ if (stuff->firstBtn + stuff->nBtns > nBtns)
+ return BadValue;
sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+ return BadLength;
memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
wire += sz;
ed.reason |= XkbXI_ButtonActionsMask;
@@ -6701,7 +6720,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
int status = Success;
wire = SetDeviceIndicators(wire, dev, stuff->change,
- stuff->nDeviceLedFBs, &status, client, &ed);
+ stuff->nDeviceLedFBs, &status, client, &ed,
+ stuff);
if (status != Success)
return status;
}
_______________________________________________
openSUSE Commits mailing list -- [email protected]
To unsubscribe, email [email protected]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives:
https://lists.opensuse.org/archives/list/[email protected]
