[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: Re: [OE-core][kirkstone][PATCH] xorg-x11-server: fix multiple xorg-x11-server bugs.
From: "vkumbhar" <vkumbhar () mvista ! com>
Date: 2023-01-31 8:27:08
Message-ID: CAPun1rFYkE-+9Nie8kVpogtmGDiKa5SkOfNY57Mh7LpL9pW3uA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Thanks for the information. Okay, will modify the patch accordingly.
-Thanks,
Vivek
On Mon, Jan 30, 2023 at 11:17 PM Steve Sakoman <steve@sakoman.com> wrote:
> On Wed, Jan 25, 2023 at 1:55 AM vkumbhar <vkumbhar@mvista.com> wrote:
> >
> > From: Vivek Kumbhar <vkumbhar@mvista.com>
> >
> > Fixed Below CVE:
> > CVE-2022-4283
> > CVE-2022-46340
> > CVE-2022-46341
> > CVE-2022-46342
> > CVE-2022-46343
> > CVE-2022-46344
> >
> > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > ---
> > .../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++
> > .../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++
> > .../xserver-xorg/CVE-2022-46341.patch | 86 +++++++++++++++++++
> > .../xserver-xorg/CVE-2022-46342.patch | 78 +++++++++++++++++
> > .../xserver-xorg/CVE-2022-46343.patch | 51 +++++++++++
> > .../xserver-xorg/CVE-2022-46344.patch | 75 ++++++++++++++++
> > .../xorg-xserver/xserver-xorg_21.1.4.bb | 6 ++
>
> We've done a version bump to 21.1.6 in kirkstone, so you'll need to
> rework this patch (if it is still necessary)
>
> Thanks!
>
> Steve
>
> > 7 files changed, 390 insertions(+)
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> >
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> > new file mode 100644
> > index 0000000000..ce642843ab
> > --- /dev/null
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> > @@ -0,0 +1,39 @@
> > +From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer <peter.hutterer@who-t.net>
> > +Date: Mon, 5 Dec 2022 15:55:54 +1000
> > +Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after
> freeing it
> > +
> > +Unlike other elements of the keymap, this pointer was freed but not
> > +reset. On a subsequent XkbGetKbdByName request, the server may access
> > +already freed memory.
> > +
> > +CVE-2022-4283, ZDI-CAN-19530
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> > +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c
> ]
> > +CVE: CVE-2022-4283
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + xkb/xkbUtils.c | 1 +
> > + 1 file changed, 1 insertion(+)
> > +
> > +diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
> > +index dd089c204..3f5791a18 100644
> > +--- a/xkb/xkbUtils.c
> > ++++ b/xkb/xkbUtils.c
> > +@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
> > + }
> > + else {
> > + free(dst->names->radio_groups);
> > ++ dst->names->radio_groups = NULL;
> > + }
> > + dst->names->num_rg = src->names->num_rg;
> > +
> > +--
> > +2.30.2
> > +
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> > new file mode 100644
> > index 0000000000..9bdcdfa76e
> > --- /dev/null
> > +++
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> > @@ -0,0 +1,55 @@
> > +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer <peter.hutterer@who-t.net>
> > +Date: Tue, 29 Nov 2022 12:55:45 +1000
> > +Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
> > +
> > +XTestSwapFakeInput assumes all events in this request are
> > +sizeof(xEvent) and iterates through these in 32-byte increments.
> > +However, a GenericEvent may be of arbitrary length longer than 32 bytes,
> > +so any GenericEvent in this list would result in subsequent events to be
> > +misparsed.
> > +
> > +Additional, the swapped event is written into a stack-allocated struct
> > +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
> > +swapping the event may thus smash the stack like an avocado on toast.
> > +
> > +Catch this case early and return BadValue for any GenericEvent.
> > +Which is what would happen in unswapped setups anyway since XTest
> > +doesn't support GenericEvent.
> > +
> > +CVE-2022-46340, ZDI-CAN 19265
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> > +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63
> ]
> > +CVE: CVE-2022-46340
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + Xext/xtest.c | 5 +++--
> > + 1 file changed, 3 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/Xext/xtest.c b/Xext/xtest.c
> > +index bf27eb590..2985a4ce6 100644
> > +--- a/Xext/xtest.c
> > ++++ b/Xext/xtest.c
> > +@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
> > +
> > + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
> > + for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
> > ++ int evtype = ev->u.u.type & 0x177;
> > + /* Swap event */
> > +- proc = EventSwapVector[ev->u.u.type & 0177];
> > ++ proc = EventSwapVector[evtype];
> > + /* no swapping proc; invalid event type? */
> > +- if (!proc || proc == NotImplemented) {
> > ++ if (!proc || proc == NotImplemented || evtype == GenericEvent)
> {
> > + client->errorValue = ev->u.u.type;
> > + return BadValue;
> > + }
> > +--
> > +2.30.2
> > +
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> > new file mode 100644
> > index 0000000000..669792a5e7
> > --- /dev/null
> > +++
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> > @@ -0,0 +1,86 @@
> > +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer <peter.hutterer@who-t.net>
> > +Date: Tue, 29 Nov 2022 13:55:32 +1000
> > +Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
> > +
> > +The XKB protocol effectively prevents us from ever using keycodes above
> > +255. For buttons it's theoretically possible but realistically too niche
> > +to worry about. For all other passive grabs, the detail must be zero
> > +anyway.
> > +
> > +This fixes an OOB write:
> > +
> > +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
> > +temporary grab struct which contains tempGrab->detail.exact =
> stuff->detail.
> > +For matching existing grabs, DeleteDetailFromMask is called with the
> > +stuff->detail value. This function creates a new mask with the one bit
> > +representing stuff->detail cleared.
> > +
> > +However, the array size for the new mask is 8 * sizeof(CARD32) bits,
> > +thus any detail above 255 results in an OOB array write.
> > +
> > +CVE-2022-46341, ZDI-CAN 19381
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> > +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b
> ]
> > +CVE: CVE-2022-46341
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + Xi/xipassivegrab.c | 22 ++++++++++++++--------
> > + 1 file changed, 14 insertions(+), 8 deletions(-)
> > +
> > +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
> > +index 2769fb7c9..c9ac2f855 100644
> > +--- a/Xi/xipassivegrab.c
> > ++++ b/Xi/xipassivegrab.c
> > +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> > + return BadValue;
> > + }
> > +
> > ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
> > ++ * implement this. Just return an error for all keycodes that
> > ++ * cannot work anyway, same for buttons > 255. */
> > ++ if (stuff->detail > 255)
> > ++ return XIAlreadyGrabbed;
> > ++
> > + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
> > + stuff->mask_len * 4) != Success)
> > + return BadValue;
> > +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> > + ¶m, XI2, &mask);
> > + break;
> > + case XIGrabtypeKeycode:
> > +- /* XI2 allows 32-bit keycodes but thanks to XKB we can
> never
> > +- * implement this. Just return an error for all keycodes
> that
> > +- * cannot work anyway */
> > +- if (stuff->detail > 255)
> > +- status = XIAlreadyGrabbed;
> > +- else
> > +- status = GrabKey(client, dev, mod_dev, stuff->detail,
> > +- ¶m, XI2, &mask);
> > ++ status = GrabKey(client, dev, mod_dev, stuff->detail,
> > ++ ¶m, XI2, &mask);
> > + break;
> > + case XIGrabtypeEnter:
> > + case XIGrabtypeFocusIn:
> > +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
> > + return BadValue;
> > + }
> > +
> > ++ /* We don't allow passive grabs for details > 255 anyway */
> > ++ if (stuff->detail > 255) {
> > ++ client->errorValue = stuff->detail;
> > ++ return BadValue;
> > ++ }
> > ++
> > + rc = dixLookupWindow(&win, stuff->grab_window, client,
> DixSetAttrAccess);
> > + if (rc != Success)
> > + return rc;
> > +--
> > +2.30.2
> > +
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> > new file mode 100644
> > index 0000000000..6c17b105a0
> > --- /dev/null
> > +++
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> > @@ -0,0 +1,78 @@
> > +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer <peter.hutterer@who-t.net>
> > +Date: Wed, 30 Nov 2022 11:20:40 +1000
> > +Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from
> the same
> > + client
> > +
> > +This fixes a use-after-free bug:
> > +
> > +When a client first calls XvdiSelectVideoNotify() on a drawable with a
> > +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
> > +is added twice to the resources:
> > + - as the drawable's XvRTVideoNotifyList. This happens only once per
> > + drawable, subsequent calls append to this list.
> > + - as the client's XvRTVideoNotify. This happens for every client.
> > +
> > +The struct keeps the ClientPtr around once it has been added for a
> > +client. The idea, presumably, is that if the client disconnects we can
> remove
> > +all structs from the drawable's list that match the client (by resetting
> > +the ClientPtr to NULL), but if the drawable is destroyed we can remove
> > +and free the whole list.
> > +
> > +However, if the same client then calls XvdiSelectVideoNotify() on the
> > +same drawable with a FALSE onoff argument, only the ClientPtr on the
> > +existing struct was set to NULL. The struct itself remained in the
> > +client's resources.
> > +
> > +If the drawable is now destroyed, the resource system invokes
> > +XvdiDestroyVideoNotifyList which frees the whole list for this drawable
> > +- including our struct. This function however does not free the resource
> > +for the client since our ClientPtr is NULL.
> > +
> > +Later, when the client is destroyed and the resource system invokes
> > +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
> > +a struct that has been freed previously. This is generally frowned upon.
> > +
> > +Fix this by calling FreeResource() on the second call instead of merely
> > +setting the ClientPtr to NULL. This removes the struct from the client
> > +resources (but not from the list), ensuring that it won't be accessed
> > +again when the client quits.
> > +
> > +Note that the assignment tpn->client = NULL; is superfluous since the
> > +XvdiDestroyVideoNotify function will do this anyway. But it's left for
> > +clarity and to match a similar invocation in XvdiSelectPortNotify.
> > +
> > +CVE-2022-46342, ZDI-CAN 19400
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> > +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b
> ]
> > +CVE: CVE-2022-46342
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + Xext/xvmain.c | 4 +++-
> > + 1 file changed, 3 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/Xext/xvmain.c b/Xext/xvmain.c
> > +index f62747193..2a08f8744 100644
> > +--- a/Xext/xvmain.c
> > ++++ b/Xext/xvmain.c
> > +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client,
> DrawablePtr pDraw, BOOL onoff)
> > + tpn = pn;
> > + while (tpn) {
> > + if (tpn->client == client) {
> > +- if (!onoff)
> > ++ if (!onoff) {
> > + tpn->client = NULL;
> > ++ FreeResource(tpn->id, XvRTVideoNotify);
> > ++ }
> > + return Success;
> > + }
> > + if (!tpn->client)
> > +--
> > +2.30.2
> > +
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> > new file mode 100644
> > index 0000000000..11507c3247
> > --- /dev/null
> > +++
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> > @@ -0,0 +1,51 @@
> > +From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer <peter.hutterer@who-t.net>
> > +Date: Tue, 29 Nov 2022 14:53:07 +1000
> > +Subject: [PATCH] Xext: free the screen saver resource when replacing it
> > +
> > +This fixes a use-after-free bug:
> > +
> > +When a client first calls ScreenSaverSetAttributes(), a struct
> > +ScreenSaverAttrRec is allocated and added to the client's
> > +resources.
> > +
> > +When the same client calls ScreenSaverSetAttributes() again, a new
> > +struct ScreenSaverAttrRec is allocated, replacing the old struct. The
> > +old struct was freed but not removed from the clients resources.
> > +
> > +Later, when the client is destroyed the resource system invokes
> > +ScreenSaverFreeAttr and attempts to clean up the already freed struct.
> > +
> > +Fix this by letting the resource system free the old attrs instead.
> > +
> > +CVE-2022-46343, ZDI-CAN 19404
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> > +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900
> ]
> > +CVE: CVE-2022-46343
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + Xext/saver.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/Xext/saver.c b/Xext/saver.c
> > +index f813ba08d..fd6153c31 100644
> > +--- a/Xext/saver.c
> > ++++ b/Xext/saver.c
> > +@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
> > + pVlist++;
> > + }
> > + if (pPriv->attr)
> > +- FreeScreenAttr(pPriv->attr);
> > ++ FreeResource(pPriv->attr->resource, AttrType);
> > + pPriv->attr = pAttr;
> > + pAttr->resource = FakeClientID(client->index);
> > + if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
> > +--
> > +2.30.2
> > +
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> > new file mode 100644
> > index 0000000000..92f65569ef
> > --- /dev/null
> > +++
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> > @@ -0,0 +1,75 @@
> > +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer <peter.hutterer@who-t.net>
> > +Date: Tue, 29 Nov 2022 13:26:57 +1000
> > +Subject: [PATCH] Xi: avoid integer truncation in length check of
> > + ProcXIChangeProperty
> > +
> > +This fixes an OOB read and the resulting information disclosure.
> > +
> > +Length calculation for the request was clipped to a 32-bit integer. With
> > +the correct stuff->num_items value the expected request size was
> > +truncated, passing the REQUEST_FIXED_SIZE check.
> > +
> > +The server then proceeded with reading at least stuff->num_items bytes
> > +(depending on stuff->format) from the request and stuffing whatever it
> > +finds into the property. In the process it would also allocate at least
> > +stuff->num_items bytes, i.e. 4GB.
> > +
> > +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
> > +so let's fix that too.
> > +
> > +CVE-2022-46344, ZDI-CAN 19405
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
> > +Acked-by: Olivier Fourdan <ofourdan@redhat.com>
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8
> ]
> > +CVE: CVE-2022-46344
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + Xi/xiproperty.c | 4 ++--
> > + dix/property.c | 3 ++-
> > + 2 files changed, 4 insertions(+), 3 deletions(-)
> > +
> > +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
> > +index 68c362c62..066ba21fb 100644
> > +--- a/Xi/xiproperty.c
> > ++++ b/Xi/xiproperty.c
> > +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
> > + REQUEST(xChangeDevicePropertyReq);
> > + DeviceIntPtr dev;
> > + unsigned long len;
> > +- int totalSize;
> > ++ uint64_t totalSize;
> > + int rc;
> > +
> > + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
> > +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
> > + {
> > + int rc;
> > + DeviceIntPtr dev;
> > +- int totalSize;
> > ++ uint64_t totalSize;
> > + unsigned long len;
> > +
> > + REQUEST(xXIChangePropertyReq);
> > +diff --git a/dix/property.c b/dix/property.c
> > +index 94ef5a0ec..acce94b2c 100644
> > +--- a/dix/property.c
> > ++++ b/dix/property.c
> > +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
> > + WindowPtr pWin;
> > + char format, mode;
> > + unsigned long len;
> > +- int sizeInBytes, totalSize, err;
> > ++ int sizeInBytes, err;
> > ++ uint64_t totalSize;
> > +
> > + REQUEST(xChangePropertyReq);
> > +
> > +--
> > +2.30.2
> > +
> > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> > index aba09afec3..744bd3e2aa 100644
> > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> > @@ -4,6 +4,12 @@ SRC_URI +=
> "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
> > file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
> >
> file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
> >
> file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
> > + file://CVE-2022-4283.patch \
> > + file://CVE-2022-46340.patch \
> > + file://CVE-2022-46341.patch \
> > + file://CVE-2022-46342.patch \
> > + file://CVE-2022-46343.patch \
> > + file://CVE-2022-46344.patch \
> > "
> > SRC_URI[sha256sum] =
> "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
> >
> > --
> > 2.30.2
> >
> >
> >
> >
>
[Attachment #5 (text/html)]
<div dir="ltr"><div>Thanks for the information. Okay, will modify the patch \
accordingly.<br></div><div><br></div><div>-Thanks,</div><div>Vivek</div></div><br><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 30, 2023 at 11:17 \
PM Steve Sakoman <<a href="mailto:steve@sakoman.com">steve@sakoman.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Jan 25, 2023 \
at 1:55 AM vkumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>> wrote:<br> ><br>
> From: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> ><br>
> Fixed Below CVE:<br>
> CVE-2022-4283<br>
> CVE-2022-46340<br>
> CVE-2022-46341<br>
> CVE-2022-46342<br>
> CVE-2022-46343<br>
> CVE-2022-46344<br>
><br>
> Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > ---<br>
> .../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++<br>
> .../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++<br>
> .../xserver-xorg/CVE-2022-46341.patch | 86 \
+++++++++++++++++++<br> > .../xserver-xorg/CVE-2022-46342.patch | \
78 +++++++++++++++++<br> > .../xserver-xorg/CVE-2022-46343.patch | \
51 +++++++++++<br> > .../xserver-xorg/CVE-2022-46344.patch | 75 \
++++++++++++++++<br> > .../xorg-xserver/<a href="http://xserver-xorg_21.1.4.bb" \
rel="noreferrer" target="_blank">xserver-xorg_21.1.4.bb</a> | 6 ++<br> \
<br> We've done a version bump to 21.1.6 in kirkstone, so you'll need to<br>
rework this patch (if it is still necessary)<br>
<br>
Thanks!<br>
<br>
Steve<br>
<br>
> 7 files changed, 390 insertions(+)<br>
> create mode 100644 \
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch<br> > create \
mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch<br> \
> create mode 100644 \
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch<br> > \
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch<br>
> create mode 100644 \
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch<br> > \
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch<br>
><br>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch \
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch<br> > new \
file mode 100644<br> > index 0000000000..ce642843ab<br>
> --- /dev/null<br>
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch<br>
> @@ -0,0 +1,39 @@<br>
> +From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001<br>
> +From: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Date: Mon, 5 Dec 2022 \
15:55:54 +1000<br> > +Subject: [PATCH] xkb: reset the radio_groups pointer to NULL \
after freeing it<br> > +<br>
> +Unlike other elements of the keymap, this pointer was freed but not<br>
> +reset. On a subsequent XkbGetKbdByName request, the server may access<br>
> +already freed memory.<br>
> +<br>
> +CVE-2022-4283, ZDI-CAN-19530<br>
> +<br>
> +This vulnerability was discovered by:<br>
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br>
> +<br>
> +Signed-off-by: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Acked-by: Olivier Fourdan \
<<a href="mailto:ofourdan@redhat.com" \
target="_blank">ofourdan@redhat.com</a>><br> > +<br>
> +Upstream-Status: Backport [<a \
href="https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c" \
rel="noreferrer" target="_blank">https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c</a>]<br>
> +CVE: CVE-2022-4283<br>
> +Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > +---<br>
> + xkb/xkbUtils.c | 1 +<br>
> + 1 file changed, 1 insertion(+)<br>
> +<br>
> +diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c<br>
> +index dd089c204..3f5791a18 100644<br>
> +--- a/xkb/xkbUtils.c<br>
> ++++ b/xkb/xkbUtils.c<br>
> +@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)<br>
> + }<br>
> + else {<br>
> + free(dst->names->radio_groups);<br>
> ++ dst->names->radio_groups = NULL;<br>
> + }<br>
> + dst->names->num_rg = src->names->num_rg;<br>
> +<br>
> +--<br>
> +2.30.2<br>
> +<br>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch \
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch<br> > new \
file mode 100644<br> > index 0000000000..9bdcdfa76e<br>
> --- /dev/null<br>
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch<br>
> @@ -0,0 +1,55 @@<br>
> +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001<br>
> +From: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Date: Tue, 29 Nov 2022 \
12:55:45 +1000<br> > +Subject: [PATCH] Xtest: disallow GenericEvents in \
XTestSwapFakeInput<br> > +<br>
> +XTestSwapFakeInput assumes all events in this request are<br>
> +sizeof(xEvent) and iterates through these in 32-byte increments.<br>
> +However, a GenericEvent may be of arbitrary length longer than 32 bytes,<br>
> +so any GenericEvent in this list would result in subsequent events to be<br>
> +misparsed.<br>
> +<br>
> +Additional, the swapped event is written into a stack-allocated struct<br>
> +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,<br>
> +swapping the event may thus smash the stack like an avocado on toast.<br>
> +<br>
> +Catch this case early and return BadValue for any GenericEvent.<br>
> +Which is what would happen in unswapped setups anyway since XTest<br>
> +doesn't support GenericEvent.<br>
> +<br>
> +CVE-2022-46340, ZDI-CAN 19265<br>
> +<br>
> +This vulnerability was discovered by:<br>
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br>
> +<br>
> +Signed-off-by: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Acked-by: Olivier Fourdan \
<<a href="mailto:ofourdan@redhat.com" \
target="_blank">ofourdan@redhat.com</a>><br> > +<br>
> +Upstream-Status: Backport [<a \
href="https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63" \
rel="noreferrer" target="_blank">https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63</a>]<br>
> +CVE: CVE-2022-46340<br>
> +Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > +---<br>
> + Xext/xtest.c | 5 +++--<br>
> + 1 file changed, 3 insertions(+), 2 deletions(-)<br>
> +<br>
> +diff --git a/Xext/xtest.c b/Xext/xtest.c<br>
> +index bf27eb590..2985a4ce6 100644<br>
> +--- a/Xext/xtest.c<br>
> ++++ b/Xext/xtest.c<br>
> +@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)<br>
> +<br>
> + nev = ((req->length << 2) - sizeof(xReq)) / \
sizeof(xEvent);<br> > + for (ev = (xEvent *) &req[1]; --nev >= 0; \
ev++) {<br> > ++ int evtype = ev->u.u.type & 0x177;<br>
> + /* Swap event */<br>
> +- proc = EventSwapVector[ev->u.u.type & 0177];<br>
> ++ proc = EventSwapVector[evtype];<br>
> + /* no swapping proc; invalid event type? */<br>
> +- if (!proc || proc == NotImplemented) {<br>
> ++ if (!proc || proc == NotImplemented || evtype == GenericEvent) \
{<br> > + client->errorValue = ev->u.u.type;<br>
> + return BadValue;<br>
> + }<br>
> +--<br>
> +2.30.2<br>
> +<br>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch \
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch<br> > new \
file mode 100644<br> > index 0000000000..669792a5e7<br>
> --- /dev/null<br>
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch<br>
> @@ -0,0 +1,86 @@<br>
> +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001<br>
> +From: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Date: Tue, 29 Nov 2022 \
13:55:32 +1000<br> > +Subject: [PATCH] Xi: disallow passive grabs with a detail \
> 255<br> > +<br>
> +The XKB protocol effectively prevents us from ever using keycodes above<br>
> +255. For buttons it's theoretically possible but realistically too \
niche<br> > +to worry about. For all other passive grabs, the detail must be \
zero<br> > +anyway.<br>
> +<br>
> +This fixes an OOB write:<br>
> +<br>
> +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a<br>
> +temporary grab struct which contains tempGrab->detail.exact = \
stuff->detail.<br> > +For matching existing grabs, DeleteDetailFromMask is \
called with the<br> > +stuff->detail value. This function creates a new mask \
with the one bit<br> > +representing stuff->detail cleared.<br>
> +<br>
> +However, the array size for the new mask is 8 * sizeof(CARD32) bits,<br>
> +thus any detail above 255 results in an OOB array write.<br>
> +<br>
> +CVE-2022-46341, ZDI-CAN 19381<br>
> +<br>
> +This vulnerability was discovered by:<br>
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br>
> +<br>
> +Signed-off-by: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Acked-by: Olivier Fourdan \
<<a href="mailto:ofourdan@redhat.com" \
target="_blank">ofourdan@redhat.com</a>><br> > +<br>
> +Upstream-Status: Backport [<a \
href="https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b" \
rel="noreferrer" target="_blank">https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b</a>]<br>
> +CVE: CVE-2022-46341<br>
> +Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > +---<br>
> + Xi/xipassivegrab.c | 22 ++++++++++++++--------<br>
> + 1 file changed, 14 insertions(+), 8 deletions(-)<br>
> +<br>
> +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c<br>
> +index 2769fb7c9..c9ac2f855 100644<br>
> +--- a/Xi/xipassivegrab.c<br>
> ++++ b/Xi/xipassivegrab.c<br>
> +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)<br>
> + return BadValue;<br>
> + }<br>
> +<br>
> ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never<br>
> ++ * implement this. Just return an error for all keycodes that<br>
> ++ * cannot work anyway, same for buttons > 255. */<br>
> ++ if (stuff->detail > 255)<br>
> ++ return XIAlreadyGrabbed;<br>
> ++<br>
> + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],<br>
> + stuff->mask_len * 4) != \
Success)<br> > + return BadValue;<br>
> +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)<br>
> + &param, XI2, \
&mask);<br> > + break;<br>
> + case XIGrabtypeKeycode:<br>
> +- /* XI2 allows 32-bit keycodes but thanks to XKB we can \
never<br> > +- * implement this. Just return an error for all \
keycodes that<br> > +- * cannot work anyway */<br>
> +- if (stuff->detail > 255)<br>
> +- status = XIAlreadyGrabbed;<br>
> +- else<br>
> +- status = GrabKey(client, dev, mod_dev, \
stuff->detail,<br> > +- \
&param, XI2, &mask);<br> > ++ status = GrabKey(client, \
dev, mod_dev, stuff->detail,<br> > ++ \
&param, XI2, &mask);<br> > + break;<br>
> + case XIGrabtypeEnter:<br>
> + case XIGrabtypeFocusIn:<br>
> +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)<br>
> + return BadValue;<br>
> + }<br>
> +<br>
> ++ /* We don't allow passive grabs for details > 255 anyway */<br>
> ++ if (stuff->detail > 255) {<br>
> ++ client->errorValue = stuff->detail;<br>
> ++ return BadValue;<br>
> ++ }<br>
> ++<br>
> + rc = dixLookupWindow(&win, stuff->grab_window, client, \
DixSetAttrAccess);<br> > + if (rc != Success)<br>
> + return rc;<br>
> +--<br>
> +2.30.2<br>
> +<br>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch \
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch<br> > new \
file mode 100644<br> > index 0000000000..6c17b105a0<br>
> --- /dev/null<br>
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch<br>
> @@ -0,0 +1,78 @@<br>
> +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001<br>
> +From: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Date: Wed, 30 Nov 2022 \
11:20:40 +1000<br> > +Subject: [PATCH] Xext: free the XvRTVideoNotify when turning \
off from the same<br> > + client<br>
> +<br>
> +This fixes a use-after-free bug:<br>
> +<br>
> +When a client first calls XvdiSelectVideoNotify() on a drawable with a<br>
> +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct<br>
> +is added twice to the resources:<br>
> + - as the drawable's XvRTVideoNotifyList. This happens only once per<br>
> + drawable, subsequent calls append to this list.<br>
> + - as the client's XvRTVideoNotify. This happens for every client.<br>
> +<br>
> +The struct keeps the ClientPtr around once it has been added for a<br>
> +client. The idea, presumably, is that if the client disconnects we can \
remove<br> > +all structs from the drawable's list that match the client (by \
resetting<br> > +the ClientPtr to NULL), but if the drawable is destroyed we can \
remove<br> > +and free the whole list.<br>
> +<br>
> +However, if the same client then calls XvdiSelectVideoNotify() on the<br>
> +same drawable with a FALSE onoff argument, only the ClientPtr on the<br>
> +existing struct was set to NULL. The struct itself remained in the<br>
> +client's resources.<br>
> +<br>
> +If the drawable is now destroyed, the resource system invokes<br>
> +XvdiDestroyVideoNotifyList which frees the whole list for this drawable<br>
> +- including our struct. This function however does not free the resource<br>
> +for the client since our ClientPtr is NULL.<br>
> +<br>
> +Later, when the client is destroyed and the resource system invokes<br>
> +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On<br>
> +a struct that has been freed previously. This is generally frowned upon.<br>
> +<br>
> +Fix this by calling FreeResource() on the second call instead of merely<br>
> +setting the ClientPtr to NULL. This removes the struct from the client<br>
> +resources (but not from the list), ensuring that it won't be accessed<br>
> +again when the client quits.<br>
> +<br>
> +Note that the assignment tpn->client = NULL; is superfluous since the<br>
> +XvdiDestroyVideoNotify function will do this anyway. But it's left for<br>
> +clarity and to match a similar invocation in XvdiSelectPortNotify.<br>
> +<br>
> +CVE-2022-46342, ZDI-CAN 19400<br>
> +<br>
> +This vulnerability was discovered by:<br>
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br>
> +<br>
> +Signed-off-by: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Acked-by: Olivier Fourdan \
<<a href="mailto:ofourdan@redhat.com" \
target="_blank">ofourdan@redhat.com</a>><br> > +<br>
> +Upstream-Status: Backport [<a \
href="https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b" \
rel="noreferrer" target="_blank">https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b</a>]<br>
> +CVE: CVE-2022-46342<br>
> +Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > +---<br>
> + Xext/xvmain.c | 4 +++-<br>
> + 1 file changed, 3 insertions(+), 1 deletion(-)<br>
> +<br>
> +diff --git a/Xext/xvmain.c b/Xext/xvmain.c<br>
> +index f62747193..2a08f8744 100644<br>
> +--- a/Xext/xvmain.c<br>
> ++++ b/Xext/xvmain.c<br>
> +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, \
BOOL onoff)<br> > + tpn = pn;<br>
> + while (tpn) {<br>
> + if (tpn->client == client) {<br>
> +- if (!onoff)<br>
> ++ if (!onoff) {<br>
> + tpn->client = NULL;<br>
> ++ FreeResource(tpn->id, XvRTVideoNotify);<br>
> ++ }<br>
> + return Success;<br>
> + }<br>
> + if (!tpn->client)<br>
> +--<br>
> +2.30.2<br>
> +<br>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch \
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch<br> > new \
file mode 100644<br> > index 0000000000..11507c3247<br>
> --- /dev/null<br>
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch<br>
> @@ -0,0 +1,51 @@<br>
> +From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001<br>
> +From: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Date: Tue, 29 Nov 2022 \
14:53:07 +1000<br> > +Subject: [PATCH] Xext: free the screen saver resource when \
replacing it<br> > +<br>
> +This fixes a use-after-free bug:<br>
> +<br>
> +When a client first calls ScreenSaverSetAttributes(), a struct<br>
> +ScreenSaverAttrRec is allocated and added to the client's<br>
> +resources.<br>
> +<br>
> +When the same client calls ScreenSaverSetAttributes() again, a new<br>
> +struct ScreenSaverAttrRec is allocated, replacing the old struct. The<br>
> +old struct was freed but not removed from the clients resources.<br>
> +<br>
> +Later, when the client is destroyed the resource system invokes<br>
> +ScreenSaverFreeAttr and attempts to clean up the already freed struct.<br>
> +<br>
> +Fix this by letting the resource system free the old attrs instead.<br>
> +<br>
> +CVE-2022-46343, ZDI-CAN 19404<br>
> +<br>
> +This vulnerability was discovered by:<br>
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br>
> +<br>
> +Signed-off-by: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Acked-by: Olivier Fourdan \
<<a href="mailto:ofourdan@redhat.com" \
target="_blank">ofourdan@redhat.com</a>><br> > +<br>
> +Upstream-Status: Backport [<a \
href="https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900" \
rel="noreferrer" target="_blank">https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900</a>]<br>
> +CVE: CVE-2022-46343<br>
> +Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > +---<br>
> + Xext/saver.c | 2 +-<br>
> + 1 file changed, 1 insertion(+), 1 deletion(-)<br>
> +<br>
> +diff --git a/Xext/saver.c b/Xext/saver.c<br>
> +index f813ba08d..fd6153c31 100644<br>
> +--- a/Xext/saver.c<br>
> ++++ b/Xext/saver.c<br>
> +@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)<br>
> + pVlist++;<br>
> + }<br>
> + if (pPriv->attr)<br>
> +- FreeScreenAttr(pPriv->attr);<br>
> ++ FreeResource(pPriv->attr->resource, AttrType);<br>
> + pPriv->attr = pAttr;<br>
> + pAttr->resource = FakeClientID(client->index);<br>
> + if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))<br>
> +--<br>
> +2.30.2<br>
> +<br>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch \
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch<br> > new \
file mode 100644<br> > index 0000000000..92f65569ef<br>
> --- /dev/null<br>
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch<br>
> @@ -0,0 +1,75 @@<br>
> +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001<br>
> +From: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Date: Tue, 29 Nov 2022 \
13:26:57 +1000<br> > +Subject: [PATCH] Xi: avoid integer truncation in length \
check of<br> > + ProcXIChangeProperty<br>
> +<br>
> +This fixes an OOB read and the resulting information disclosure.<br>
> +<br>
> +Length calculation for the request was clipped to a 32-bit integer. With<br>
> +the correct stuff->num_items value the expected request size was<br>
> +truncated, passing the REQUEST_FIXED_SIZE check.<br>
> +<br>
> +The server then proceeded with reading at least stuff->num_items bytes<br>
> +(depending on stuff->format) from the request and stuffing whatever it<br>
> +finds into the property. In the process it would also allocate at least<br>
> +stuff->num_items bytes, i.e. 4GB.<br>
> +<br>
> +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,<br>
> +so let's fix that too.<br>
> +<br>
> +CVE-2022-46344, ZDI-CAN 19405<br>
> +<br>
> +This vulnerability was discovered by:<br>
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br>
> +<br>
> +Signed-off-by: Peter Hutterer <<a href="mailto:peter.hutterer@who-t.net" \
target="_blank">peter.hutterer@who-t.net</a>><br> > +Acked-by: Olivier Fourdan \
<<a href="mailto:ofourdan@redhat.com" \
target="_blank">ofourdan@redhat.com</a>><br> > +<br>
> +Upstream-Status: Backport [<a \
href="https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8" \
rel="noreferrer" target="_blank">https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8</a>]<br>
> +CVE: CVE-2022-46344<br>
> +Signed-off-by: Vivek Kumbhar <<a href="mailto:vkumbhar@mvista.com" \
target="_blank">vkumbhar@mvista.com</a>><br> > +---<br>
> + Xi/xiproperty.c | 4 ++--<br>
> + dix/property.c | 3 ++-<br>
> + 2 files changed, 4 insertions(+), 3 deletions(-)<br>
> +<br>
> +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c<br>
> +index 68c362c62..066ba21fb 100644<br>
> +--- a/Xi/xiproperty.c<br>
> ++++ b/Xi/xiproperty.c<br>
> +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)<br>
> + REQUEST(xChangeDevicePropertyReq);<br>
> + DeviceIntPtr dev;<br>
> + unsigned long len;<br>
> +- int totalSize;<br>
> ++ uint64_t totalSize;<br>
> + int rc;<br>
> +<br>
> + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);<br>
> +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)<br>
> + {<br>
> + int rc;<br>
> + DeviceIntPtr dev;<br>
> +- int totalSize;<br>
> ++ uint64_t totalSize;<br>
> + unsigned long len;<br>
> +<br>
> + REQUEST(xXIChangePropertyReq);<br>
> +diff --git a/dix/property.c b/dix/property.c<br>
> +index 94ef5a0ec..acce94b2c 100644<br>
> +--- a/dix/property.c<br>
> ++++ b/dix/property.c<br>
> +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)<br>
> + WindowPtr pWin;<br>
> + char format, mode;<br>
> + unsigned long len;<br>
> +- int sizeInBytes, totalSize, err;<br>
> ++ int sizeInBytes, err;<br>
> ++ uint64_t totalSize;<br>
> +<br>
> + REQUEST(xChangePropertyReq);<br>
> +<br>
> +--<br>
> +2.30.2<br>
> +<br>
> diff --git a/meta/recipes-graphics/xorg-xserver/<a \
href="http://xserver-xorg_21.1.4.bb" rel="noreferrer" \
target="_blank">xserver-xorg_21.1.4.bb</a> b/meta/recipes-graphics/xorg-xserver/<a \
href="http://xserver-xorg_21.1.4.bb" rel="noreferrer" \
target="_blank">xserver-xorg_21.1.4.bb</a><br> > index aba09afec3..744bd3e2aa \
100644<br> > --- a/meta/recipes-graphics/xorg-xserver/<a \
href="http://xserver-xorg_21.1.4.bb" rel="noreferrer" \
target="_blank">xserver-xorg_21.1.4.bb</a><br> > +++ \
b/meta/recipes-graphics/xorg-xserver/<a href="http://xserver-xorg_21.1.4.bb" \
rel="noreferrer" target="_blank">xserver-xorg_21.1.4.bb</a><br> > @@ -4,6 +4,12 @@ \
SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat<br>
> file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
\<br> > \
file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \<br> > \
file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \<br> > + \
file://CVE-2022-4283.patch \<br> > + file://CVE-2022-46340.patch \
\<br> > + file://CVE-2022-46341.patch \<br>
> + file://CVE-2022-46342.patch \<br>
> + file://CVE-2022-46343.patch \<br>
> + file://CVE-2022-46344.patch \<br>
> "<br>
> SRC_URI[sha256sum] = \
"5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"<br> \
><br> > --<br>
> 2.30.2<br>
><br>
><br>
> <br>
><br>
</blockquote></div>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#176510): https://lists.openembedded.org/g/openembedded-core/message/176510
Mute This Topic: https://lists.openembedded.org/mt/96518750/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic