Compare commits
No commits in common. "c8-beta" and "c10s" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/xwayland-21.1.3.tar.xz
|
||||
/xwayland-*.tar.xz
|
||||
|
||||
@ -1 +0,0 @@
|
||||
ae980a7deeb7cad9f3cd253f3b1ddca5bb26aafa SOURCES/xwayland-21.1.3.tar.xz
|
||||
57
0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
Normal file
57
0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From 26120df7aae6b5bf8086fb4d871d3b1a07ddacdb Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 10 Oct 2024 10:37:28 +0200
|
||||
Subject: [PATCH xserver] xkb: Fix buffer overflow in _XkbSetCompatMap()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
|
||||
buffer.
|
||||
|
||||
However, It didn't update its size properly. It updated `num_si` only,
|
||||
without updating `size_si`.
|
||||
|
||||
This may lead to local privilege escalation if the server is run as root
|
||||
or remote code execution (e.g. x11 over ssh).
|
||||
|
||||
CVE-2024-9632, ZDI-CAN-24756
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
(cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735>
|
||||
---
|
||||
xkb/xkb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index 8d52e25df..8b63e34b5 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||
XkbSymInterpretPtr sym;
|
||||
unsigned int skipped = 0;
|
||||
|
||||
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
|
||||
- compat->num_si = req->firstSI + req->nSI;
|
||||
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||
- compat->num_si,
|
||||
+ compat->size_si,
|
||||
sizeof(XkbSymInterpretRec));
|
||||
if (!compat->sym_interpret) {
|
||||
- compat->num_si = 0;
|
||||
+ compat->num_si = compat->size_si = 0;
|
||||
return BadAlloc;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.47.0
|
||||
|
||||
3
README.md
Normal file
3
README.md
Normal file
@ -0,0 +1,3 @@
|
||||
# xorg-x11-server-Xwayland
|
||||
|
||||
The xorg-x11-server-Xwayland package
|
||||
@ -1,77 +0,0 @@
|
||||
From 19e9f199950aaa4b9b7696936d1b067475da999c Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
||||
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
|
||||
|
||||
button->xkb_acts is supposed to be an array sufficiently large for all
|
||||
our buttons, not just a single XkbActions struct. Allocating
|
||||
insufficient memory here means when we memcpy() later in
|
||||
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
||||
leading to the usual security ooopsiedaisies.
|
||||
|
||||
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
|
||||
---
|
||||
Xi/exevents.c | 12 ++++++------
|
||||
dix/devices.c | 10 ++++++++++
|
||||
2 files changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||
index dcd4efb3b..54ea11a93 100644
|
||||
--- a/Xi/exevents.c
|
||||
+++ b/Xi/exevents.c
|
||||
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||
}
|
||||
|
||||
if (from->button->xkb_acts) {
|
||||
- if (!to->button->xkb_acts) {
|
||||
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
||||
- if (!to->button->xkb_acts)
|
||||
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
||||
- }
|
||||
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
||||
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
||||
+ maxbuttons,
|
||||
+ sizeof(XkbAction));
|
||||
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
||||
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
||||
- sizeof(XkbAction));
|
||||
+ from->button->numButtons * sizeof(XkbAction));
|
||||
}
|
||||
else {
|
||||
free(to->button->xkb_acts);
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index 7150734a5..20fef1692 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||
|
||||
if (master->button && master->button->numButtons != maxbuttons) {
|
||||
int i;
|
||||
+ int last_num_buttons = master->button->numButtons;
|
||||
+
|
||||
DeviceChangedEvent event = {
|
||||
.header = ET_Internal,
|
||||
.type = ET_DeviceChanged,
|
||||
@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||
};
|
||||
|
||||
master->button->numButtons = maxbuttons;
|
||||
+ if (last_num_buttons < maxbuttons) {
|
||||
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
||||
+ maxbuttons,
|
||||
+ sizeof(XkbAction));
|
||||
+ memset(&master->button->xkb_acts[last_num_buttons],
|
||||
+ 0,
|
||||
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
||||
+ }
|
||||
|
||||
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
||||
sizeof(Atom));
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,36 +0,0 @@
|
||||
From 8660dd164882ce5fc1f274427e2ff3dc020d6273 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Wed, 25 Jan 2023 11:41:40 +1000
|
||||
Subject: [PATCH xserver] Xi: fix potential use-after-free in
|
||||
DeepCopyPointerClasses
|
||||
|
||||
CVE-2023-0494, ZDI-CAN-19596
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
|
||||
---
|
||||
Xi/exevents.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||
index 217baa956..dcd4efb3b 100644
|
||||
--- a/Xi/exevents.c
|
||||
+++ b/Xi/exevents.c
|
||||
@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
||||
sizeof(XkbAction));
|
||||
}
|
||||
- else
|
||||
+ else {
|
||||
free(to->button->xkb_acts);
|
||||
+ to->button->xkb_acts = NULL;
|
||||
+ }
|
||||
|
||||
memcpy(to->button->labels, from->button->labels,
|
||||
from->button->numButtons * sizeof(Atom));
|
||||
--
|
||||
2.39.1
|
||||
|
||||
@ -1,81 +0,0 @@
|
||||
From 1e8478455458e998dd366d2cd23d2aeab2bdeee5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 3 Oct 2023 11:53:05 +1000
|
||||
Subject: [PATCH xserver] Xi/randr: fix handling of PropModeAppend/Prepend
|
||||
|
||||
The handling of appending/prepending properties was incorrect, with at
|
||||
least two bugs: the property length was set to the length of the new
|
||||
part only, i.e. appending or prepending N elements to a property with P
|
||||
existing elements always resulted in the property having N elements
|
||||
instead of N + P.
|
||||
|
||||
Second, when pre-pending a value to a property, the offset for the old
|
||||
values was incorrect, leaving the new property with potentially
|
||||
uninitalized values and/or resulting in OOB memory writes.
|
||||
For example, prepending a 3 element value to a 5 element property would
|
||||
result in this 8 value array:
|
||||
[N, N, N, ?, ?, P, P, P ] P, P
|
||||
^OOB write
|
||||
|
||||
The XI2 code is a copy/paste of the RandR code, so the bug exists in
|
||||
both.
|
||||
|
||||
CVE-2023-5367, ZDI-CAN-22153
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a)
|
||||
---
|
||||
Xi/xiproperty.c | 4 ++--
|
||||
randr/rrproperty.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
||||
index 066ba21fba..d315f04d0e 100644
|
||||
--- a/Xi/xiproperty.c
|
||||
+++ b/Xi/xiproperty.c
|
||||
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||
XIDestroyDeviceProperty(prop);
|
||||
return BadAlloc;
|
||||
}
|
||||
- new_value.size = len;
|
||||
+ new_value.size = total_len;
|
||||
new_value.type = type;
|
||||
new_value.format = format;
|
||||
|
||||
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||
case PropModePrepend:
|
||||
new_data = new_value.data;
|
||||
old_data = (void *) (((char *) new_value.data) +
|
||||
- (prop_value->size * size_in_bytes));
|
||||
+ (len * size_in_bytes));
|
||||
break;
|
||||
}
|
||||
if (new_data)
|
||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||
index c2fb9585c6..25469f57b2 100644
|
||||
--- a/randr/rrproperty.c
|
||||
+++ b/randr/rrproperty.c
|
||||
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||
RRDestroyOutputProperty(prop);
|
||||
return BadAlloc;
|
||||
}
|
||||
- new_value.size = len;
|
||||
+ new_value.size = total_len;
|
||||
new_value.type = type;
|
||||
new_value.format = format;
|
||||
|
||||
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||
case PropModePrepend:
|
||||
new_data = new_value.data;
|
||||
old_data = (void *) (((char *) new_value.data) +
|
||||
- (prop_value->size * size_in_bytes));
|
||||
+ (len * size_in_bytes));
|
||||
break;
|
||||
}
|
||||
if (new_data)
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -1,51 +0,0 @@
|
||||
From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 29 Nov 2022 12:55:45 +1000
|
||||
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in
|
||||
XTestSwapFakeInput
|
||||
|
||||
XTestSwapFakeInput assumes all events in this request are
|
||||
sizeof(xEvent) and iterates through these in 32-byte increments.
|
||||
However, a GenericEvent may be of arbitrary length longer than 32 bytes,
|
||||
so any GenericEvent in this list would result in subsequent events to be
|
||||
misparsed.
|
||||
|
||||
Additional, the swapped event is written into a stack-allocated struct
|
||||
xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
|
||||
swapping the event may thus smash the stack like an avocado on toast.
|
||||
|
||||
Catch this case early and return BadValue for any GenericEvent.
|
||||
Which is what would happen in unswapped setups anyway since XTest
|
||||
doesn't support GenericEvent.
|
||||
|
||||
CVE-2022-46340, ZDI-CAN 19265
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
---
|
||||
Xext/xtest.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Xext/xtest.c b/Xext/xtest.c
|
||||
index bf27eb590b..2985a4ce6e 100644
|
||||
--- a/Xext/xtest.c
|
||||
+++ b/Xext/xtest.c
|
||||
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
|
||||
|
||||
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
|
||||
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
|
||||
+ int evtype = ev->u.u.type & 0x177;
|
||||
/* Swap event */
|
||||
- proc = EventSwapVector[ev->u.u.type & 0177];
|
||||
+ proc = EventSwapVector[evtype];
|
||||
/* no swapping proc; invalid event type? */
|
||||
- if (!proc || proc == NotImplemented) {
|
||||
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
|
||||
client->errorValue = ev->u.u.type;
|
||||
return BadValue;
|
||||
}
|
||||
--
|
||||
2.38.1
|
||||
@ -1,42 +0,0 @@
|
||||
From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 13 Mar 2023 11:08:47 +0100
|
||||
Subject: [PATCH xserver] composite: Fix use-after-free of the COW
|
||||
|
||||
ZDI-CAN-19866/CVE-2023-1393
|
||||
|
||||
If a client explicitly destroys the compositor overlay window (aka COW),
|
||||
we would leave a dangling pointer to that window in the CompScreen
|
||||
structure, which will trigger a use-after-free later.
|
||||
|
||||
Make sure to clear the CompScreen pointer to the COW when the latter gets
|
||||
destroyed explicitly by the client.
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
---
|
||||
composite/compwindow.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/composite/compwindow.c b/composite/compwindow.c
|
||||
index 4e2494b86..b30da589e 100644
|
||||
--- a/composite/compwindow.c
|
||||
+++ b/composite/compwindow.c
|
||||
@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
|
||||
ret = (*pScreen->DestroyWindow) (pWin);
|
||||
cs->DestroyWindow = pScreen->DestroyWindow;
|
||||
pScreen->DestroyWindow = compDestroyWindow;
|
||||
+
|
||||
+ /* Did we just destroy the overlay window? */
|
||||
+ if (pWin == cs->pOverlayWin)
|
||||
+ cs->pOverlayWin = NULL;
|
||||
+
|
||||
/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
|
||||
return ret;
|
||||
}
|
||||
--
|
||||
2.40.0
|
||||
|
||||
@ -1,54 +0,0 @@
|
||||
From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 14 Dec 2023 11:29:49 +1000
|
||||
Subject: [PATCH xserver 1/9] dix: allocate enough space for logical button
|
||||
maps
|
||||
|
||||
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
|
||||
each logical button currently down. Since buttons can be arbitrarily mapped
|
||||
to anything up to 255 make sure we have enough bits for the maximum mapping.
|
||||
|
||||
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3)
|
||||
---
|
||||
Xi/xiquerypointer.c | 3 +--
|
||||
dix/enterleave.c | 5 +++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
|
||||
index 5b77b1a44..2b05ac5f3 100644
|
||||
--- a/Xi/xiquerypointer.c
|
||||
+++ b/Xi/xiquerypointer.c
|
||||
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
|
||||
if (pDev->button) {
|
||||
int i;
|
||||
|
||||
- rep.buttons_len =
|
||||
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
|
||||
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
|
||||
rep.length += rep.buttons_len;
|
||||
buttons = calloc(rep.buttons_len, 4);
|
||||
if (!buttons)
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 867ec7436..ded8679d7 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
|
||||
|
||||
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
|
||||
|
||||
- /* XI 2 event */
|
||||
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
|
||||
+ /* XI 2 event contains the logical button map - maps are CARD8
|
||||
+ * so we need 256 bits for the possibly maximum mapping */
|
||||
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
|
||||
btlen = bytes_to_int32(btlen);
|
||||
len = sizeof(xXIFocusInEvent) + btlen * 4;
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,105 +0,0 @@
|
||||
From b98fc07d3442a289c6bef82df50dd0a2d01de71a Mon Sep 17 00:00:00 2001
|
||||
From: Adam Jackson <ajax@redhat.com>
|
||||
Date: Thu, 2 Feb 2023 12:26:27 -0500
|
||||
Subject: [PATCH xserver] present: Send a PresentConfigureNotify event for
|
||||
destroyed windows
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This enables fixing a deadlock case on the client side, where the client
|
||||
ends up blocked waiting for a Present event that will never come because
|
||||
the window was destroyed. The new PresentWindowDestroyed flag allows the
|
||||
client to avoid blocking indefinitely.
|
||||
|
||||
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
||||
See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116
|
||||
See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685
|
||||
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
||||
(cherry picked from commit 462b06033e66a32308d940eb5fc47f5e4c914dc0)
|
||||
---
|
||||
present/present_event.c | 5 +++--
|
||||
present/present_priv.h | 7 ++++++-
|
||||
present/present_screen.c | 11 ++++++++++-
|
||||
3 files changed, 19 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/present/present_event.c b/present/present_event.c
|
||||
index 435b26b70..849732dc8 100644
|
||||
--- a/present/present_event.c
|
||||
+++ b/present/present_event.c
|
||||
@@ -102,7 +102,8 @@ present_event_swap(xGenericEvent *from, xGenericEvent *to)
|
||||
}
|
||||
|
||||
void
|
||||
-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling)
|
||||
+present_send_config_notify(WindowPtr window, int x, int y, int w, int h,
|
||||
+ int bw, WindowPtr sibling, CARD32 flags)
|
||||
{
|
||||
present_window_priv_ptr window_priv = present_window_priv(window);
|
||||
|
||||
@@ -122,7 +123,7 @@ present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw,
|
||||
.off_y = 0,
|
||||
.pixmap_width = w,
|
||||
.pixmap_height = h,
|
||||
- .pixmap_flags = 0
|
||||
+ .pixmap_flags = flags
|
||||
};
|
||||
present_event_ptr event;
|
||||
|
||||
diff --git a/present/present_priv.h b/present/present_priv.h
|
||||
index 6ebd009a2..4ad729864 100644
|
||||
--- a/present/present_priv.h
|
||||
+++ b/present/present_priv.h
|
||||
@@ -43,6 +43,11 @@
|
||||
#define DebugPresent(x)
|
||||
#endif
|
||||
|
||||
+/* XXX this belongs in presentproto */
|
||||
+#ifndef PresentWindowDestroyed
|
||||
+#define PresentWindowDestroyed (1 << 0)
|
||||
+#endif
|
||||
+
|
||||
extern int present_request;
|
||||
|
||||
extern DevPrivateKeyRec present_screen_private_key;
|
||||
@@ -307,7 +312,7 @@ void
|
||||
present_free_events(WindowPtr window);
|
||||
|
||||
void
|
||||
-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling);
|
||||
+present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling, CARD32 flags);
|
||||
|
||||
void
|
||||
present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc);
|
||||
diff --git a/present/present_screen.c b/present/present_screen.c
|
||||
index 15684eda4..2c29aafd2 100644
|
||||
--- a/present/present_screen.c
|
||||
+++ b/present/present_screen.c
|
||||
@@ -93,6 +93,15 @@ present_destroy_window(WindowPtr window)
|
||||
present_screen_priv_ptr screen_priv = present_screen_priv(screen);
|
||||
present_window_priv_ptr window_priv = present_window_priv(window);
|
||||
|
||||
+ present_send_config_notify(window,
|
||||
+ window->drawable.x,
|
||||
+ window->drawable.y,
|
||||
+ window->drawable.width,
|
||||
+ window->drawable.height,
|
||||
+ window->borderWidth,
|
||||
+ window->nextSib,
|
||||
+ PresentWindowDestroyed);
|
||||
+
|
||||
if (window_priv) {
|
||||
present_clear_window_notifies(window);
|
||||
present_free_events(window);
|
||||
@@ -123,7 +132,7 @@ present_config_notify(WindowPtr window,
|
||||
ScreenPtr screen = window->drawable.pScreen;
|
||||
present_screen_priv_ptr screen_priv = present_screen_priv(screen);
|
||||
|
||||
- present_send_config_notify(window, x, y, w, h, bw, sibling);
|
||||
+ present_send_config_notify(window, x, y, w, h, bw, sibling, 0);
|
||||
|
||||
unwrap(screen_priv, screen, ConfigNotify);
|
||||
if (screen->ConfigNotify)
|
||||
--
|
||||
2.40.0
|
||||
|
||||
@ -1,61 +0,0 @@
|
||||
From aaf854fb25541380cc38a221c15f0e8372f48872 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
||||
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
|
||||
ProcRRChange*Property
|
||||
|
||||
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
||||
See also xserver@8f454b79 where this same bug was fixed for the core
|
||||
protocol and XI.
|
||||
|
||||
This fixes an OOB read and the resulting information disclosure.
|
||||
|
||||
Length calculation for the request was clipped to a 32-bit integer. With
|
||||
the correct stuff->nUnits value the expected request size was
|
||||
truncated, passing the REQUEST_FIXED_SIZE check.
|
||||
|
||||
The server then proceeded with reading at least stuff->num_items bytes
|
||||
(depending on stuff->format) from the request and stuffing whatever it
|
||||
finds into the property. In the process it would also allocate at least
|
||||
stuff->nUnits bytes, i.e. 4GB.
|
||||
|
||||
CVE-2023-6478, ZDI-CAN-22561
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
|
||||
---
|
||||
randr/rrproperty.c | 2 +-
|
||||
randr/rrproviderproperty.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||
index 25469f57b..c4fef8a1f 100644
|
||||
--- a/randr/rrproperty.c
|
||||
+++ b/randr/rrproperty.c
|
||||
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
int sizeInBytes;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int err;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
||||
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||
index b79c17f9b..90c5a9a93 100644
|
||||
--- a/randr/rrproviderproperty.c
|
||||
+++ b/randr/rrproviderproperty.c
|
||||
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
int sizeInBytes;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int err;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,35 +0,0 @@
|
||||
From a8644465d98beb08759546711b77bb617861c67f Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:00 +0200
|
||||
Subject: [PATCH xserver 1/4] record: Fix out of bounds access in
|
||||
SwapCreateRegister()
|
||||
|
||||
ZDI-CAN-14952, CVE-2021-4011
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
|
||||
---
|
||||
record/record.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/record/record.c b/record/record.c
|
||||
index be154525d..e123867a7 100644
|
||||
--- a/record/record.c
|
||||
+++ b/record/record.c
|
||||
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
||||
swapl(pClientID);
|
||||
}
|
||||
if (stuff->nRanges >
|
||||
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
- - stuff->nClients)
|
||||
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
||||
return BadLength;
|
||||
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
||||
return Success;
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,59 +0,0 @@
|
||||
From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Wed, 13 Jul 2022 11:23:09 +1000
|
||||
Subject: [PATCH xserver] xkb: fix some possible memleaks in XkbGetKbdByName
|
||||
|
||||
GetComponentByName returns an allocated string, so let's free that if we
|
||||
fail somewhere.
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
xkb/xkb.c | 26 ++++++++++++++++++++------
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index 4692895db..b79a269e3 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
|
||||
xkb = dev->key->xkbInfo->desc;
|
||||
status = Success;
|
||||
str = (unsigned char *) &stuff[1];
|
||||
- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
|
||||
- return BadMatch;
|
||||
+ {
|
||||
+ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
|
||||
+ if (keymap) {
|
||||
+ free(keymap);
|
||||
+ return BadMatch;
|
||||
+ }
|
||||
+ }
|
||||
names.keycodes = GetComponentSpec(&str, TRUE, &status);
|
||||
names.types = GetComponentSpec(&str, TRUE, &status);
|
||||
names.compat = GetComponentSpec(&str, TRUE, &status);
|
||||
names.symbols = GetComponentSpec(&str, TRUE, &status);
|
||||
names.geometry = GetComponentSpec(&str, TRUE, &status);
|
||||
- if (status != Success)
|
||||
+ if (status == Success) {
|
||||
+ len = str - ((unsigned char *) stuff);
|
||||
+ if ((XkbPaddedSize(len) / 4) != stuff->length)
|
||||
+ status = BadLength;
|
||||
+ }
|
||||
+
|
||||
+ if (status != Success) {
|
||||
+ free(names.keycodes);
|
||||
+ free(names.types);
|
||||
+ free(names.compat);
|
||||
+ free(names.symbols);
|
||||
+ free(names.geometry);
|
||||
return status;
|
||||
- len = str - ((unsigned char *) stuff);
|
||||
- if ((XkbPaddedSize(len) / 4) != stuff->length)
|
||||
- return BadLength;
|
||||
+ }
|
||||
|
||||
CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
|
||||
CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,35 +0,0 @@
|
||||
From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 5 Jul 2022 12:06:20 +1000
|
||||
Subject: [PATCH xserver] xkb: proof GetCountedString against request length
|
||||
attacks
|
||||
|
||||
GetCountedString did a check for the whole string to be within the
|
||||
request buffer but not for the initial 2 bytes that contain the length
|
||||
field. A swapped client could send a malformed request to trigger a
|
||||
swaps() on those bytes, writing into random memory.
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
xkb/xkb.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index f42f59ef3..1841cff26 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
|
||||
CARD16 len;
|
||||
|
||||
wire = *wire_inout;
|
||||
+
|
||||
+ if (client->req_len <
|
||||
+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
|
||||
+ return BadValue;
|
||||
+
|
||||
len = *(CARD16 *) wire;
|
||||
if (client->swapped) {
|
||||
swaps(&len);
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,77 +0,0 @@
|
||||
From c9b379ec5a1a34692af06056925bd0fc5f809713 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 5 Jul 2022 12:40:47 +1000
|
||||
Subject: [PATCH xserver 1/3] xkb: switch to array index loops to moving
|
||||
pointers
|
||||
|
||||
Most similar loops here use a pointer that advances with each loop
|
||||
iteration, let's do the same here for consistency.
|
||||
|
||||
No functional changes.
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
(cherry picked from commit f1070c01d616c5f21f939d5ebc533738779451ac)
|
||||
---
|
||||
xkb/xkb.c | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index d056c698c..684394d77 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -5372,16 +5372,16 @@ _CheckSetSections(XkbGeometryPtr geom,
|
||||
row->left = rWire->left;
|
||||
row->vertical = rWire->vertical;
|
||||
kWire = (xkbKeyWireDesc *) &rWire[1];
|
||||
- for (k = 0; k < rWire->nKeys; k++) {
|
||||
+ for (k = 0; k < rWire->nKeys; k++, kWire++) {
|
||||
XkbKeyPtr key;
|
||||
|
||||
key = XkbAddGeomKey(row);
|
||||
if (!key)
|
||||
return BadAlloc;
|
||||
- memcpy(key->name.name, kWire[k].name, XkbKeyNameLength);
|
||||
- key->gap = kWire[k].gap;
|
||||
- key->shape_ndx = kWire[k].shapeNdx;
|
||||
- key->color_ndx = kWire[k].colorNdx;
|
||||
+ memcpy(key->name.name, kWire->name, XkbKeyNameLength);
|
||||
+ key->gap = kWire->gap;
|
||||
+ key->shape_ndx = kWire->shapeNdx;
|
||||
+ key->color_ndx = kWire->colorNdx;
|
||||
if (key->shape_ndx >= geom->num_shapes) {
|
||||
client->errorValue = _XkbErrCode3(0x10, key->shape_ndx,
|
||||
geom->num_shapes);
|
||||
@@ -5393,7 +5393,7 @@ _CheckSetSections(XkbGeometryPtr geom,
|
||||
return BadMatch;
|
||||
}
|
||||
}
|
||||
- rWire = (xkbRowWireDesc *) &kWire[rWire->nKeys];
|
||||
+ rWire = (xkbRowWireDesc *)kWire;
|
||||
}
|
||||
wire = (char *) rWire;
|
||||
if (sWire->nDoodads > 0) {
|
||||
@@ -5458,16 +5458,16 @@ _CheckSetShapes(XkbGeometryPtr geom,
|
||||
return BadAlloc;
|
||||
ol->corner_radius = olWire->cornerRadius;
|
||||
ptWire = (xkbPointWireDesc *) &olWire[1];
|
||||
- for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) {
|
||||
- pt->x = ptWire[p].x;
|
||||
- pt->y = ptWire[p].y;
|
||||
+ for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) {
|
||||
+ pt->x = ptWire->x;
|
||||
+ pt->y = ptWire->y;
|
||||
if (client->swapped) {
|
||||
swaps(&pt->x);
|
||||
swaps(&pt->y);
|
||||
}
|
||||
}
|
||||
ol->num_points = olWire->nPoints;
|
||||
- olWire = (xkbOutlineWireDesc *) (&ptWire[olWire->nPoints]);
|
||||
+ olWire = (xkbOutlineWireDesc *)ptWire;
|
||||
}
|
||||
if (shapeWire->primaryNdx != XkbNoShape)
|
||||
shape->primary = &shape->outlines[shapeWire->primaryNdx];
|
||||
--
|
||||
2.36.1
|
||||
|
||||
@ -1,43 +0,0 @@
|
||||
From 0a7ed9ff7ea20f7b958a2ad9f9bd045080a3ad9a Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 15 Nov 2021 16:02:34 +0100
|
||||
Subject: [PATCH xserver 1/4] xwayland/eglstream: Demote EGLstream device
|
||||
warning
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If no EGLstream capable device is found at startup, Xwayland's EGLstream
|
||||
backend will log an error message "glamor: No eglstream capable devices
|
||||
found".
|
||||
|
||||
However, considering that the vast majority of drivers do not implement
|
||||
EGLstream, the lack of EGLstream capable device is more of the norm than
|
||||
the exception.
|
||||
|
||||
Change the error message to a log verbose message.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Simon Ser <contact@emersion.fr>
|
||||
Reviewed-by: Jonas Ã…dahl <jadahl@gmail.com>
|
||||
(cherry picked from commit 96c82befa2c3f3dc3534743c67cc003c2106e9b0)
|
||||
---
|
||||
hw/xwayland/xwayland-glamor-eglstream.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/xwayland/xwayland-glamor-eglstream.c b/hw/xwayland/xwayland-glamor-eglstream.c
|
||||
index 8d18caaf5..93d192d58 100644
|
||||
--- a/hw/xwayland/xwayland-glamor-eglstream.c
|
||||
+++ b/hw/xwayland/xwayland-glamor-eglstream.c
|
||||
@@ -1144,7 +1144,7 @@ xwl_eglstream_get_device(struct xwl_screen *xwl_screen)
|
||||
free(devices);
|
||||
out:
|
||||
if (!device)
|
||||
- ErrorF("glamor: No eglstream capable devices found\n");
|
||||
+ LogMessageVerb(X_INFO, 3, "glamor: No eglstream capable devices found\n");
|
||||
return device;
|
||||
}
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From c5ff57676698f19ed3a1402aef58a15552e32d27 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 29 Nov 2022 13:24:00 +1000
|
||||
Subject: [PATCH xserver 2/7] Xi: return an error from XI property changes if
|
||||
verification failed
|
||||
|
||||
Both ProcXChangeDeviceProperty and ProcXIChangeProperty checked the
|
||||
property for validity but didn't actually return the potential error.
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
---
|
||||
Xi/xiproperty.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
||||
index a36f7d61df..68c362c628 100644
|
||||
--- a/Xi/xiproperty.c
|
||||
+++ b/Xi/xiproperty.c
|
||||
@@ -902,6 +902,8 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
||||
|
||||
rc = check_change_property(client, stuff->property, stuff->type,
|
||||
stuff->format, stuff->mode, stuff->nUnits);
|
||||
+ if (rc != Success)
|
||||
+ return rc;
|
||||
|
||||
len = stuff->nUnits;
|
||||
if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq))))
|
||||
@@ -1141,6 +1143,9 @@ ProcXIChangeProperty(ClientPtr client)
|
||||
|
||||
rc = check_change_property(client, stuff->property, stuff->type,
|
||||
stuff->format, stuff->mode, stuff->num_items);
|
||||
+ if (rc != Success)
|
||||
+ return rc;
|
||||
+
|
||||
len = stuff->num_items;
|
||||
if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq)))
|
||||
return BadLength;
|
||||
--
|
||||
2.38.1
|
||||
@ -1,86 +0,0 @@
|
||||
From 9105be1c51d6973dc8d7806108349bc152029ec5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 18 Dec 2023 14:27:50 +1000
|
||||
Subject: [PATCH xserver 2/9] dix: Allocate sufficient xEvents for our
|
||||
DeviceStateNotify
|
||||
|
||||
If a device has both a button class and a key class and numButtons is
|
||||
zero, we can get an OOB write due to event under-allocation.
|
||||
|
||||
This function seems to assume a device has either keys or buttons, not
|
||||
both. It has two virtually identical code paths, both of which assume
|
||||
they're applying to the first event in the sequence.
|
||||
|
||||
A device with both a key and button class triggered a logic bug - only
|
||||
one xEvent was allocated but the deviceStateNotify pointer was pushed on
|
||||
once per type. So effectively this logic code:
|
||||
|
||||
int count = 1;
|
||||
if (button && nbuttons > 32) count++;
|
||||
if (key && nbuttons > 0) count++;
|
||||
if (key && nkeys > 32) count++; // this is basically always true
|
||||
// count is at 2 for our keys + zero button device
|
||||
|
||||
ev = alloc(count * sizeof(xEvent));
|
||||
FixDeviceStateNotify(ev);
|
||||
if (button)
|
||||
FixDeviceStateNotify(ev++);
|
||||
if (key)
|
||||
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
|
||||
|
||||
If the device has more than 3 valuators, the OOB is pushed back - we're
|
||||
off by one so it will happen when the last deviceValuator event is
|
||||
written instead.
|
||||
|
||||
Fix this by allocating the maximum number of events we may allocate.
|
||||
Note that the current behavior is not protocol-correct anyway, this
|
||||
patch fixes only the allocation issue.
|
||||
|
||||
Note that this issue does not trigger if the device has at least one
|
||||
button. While the server does not prevent a button class with zero
|
||||
buttons, it is very unlikely.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
(cherry picked from commit ece23be888a93b741aa1209d1dbf64636109d6a5)
|
||||
---
|
||||
dix/enterleave.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index ded8679d7..17964b00a 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -675,7 +675,8 @@ static void
|
||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
{
|
||||
int evcount = 1;
|
||||
- deviceStateNotify *ev, *sev;
|
||||
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
||||
+ deviceStateNotify *ev;
|
||||
deviceKeyStateNotify *kev;
|
||||
deviceButtonStateNotify *bev;
|
||||
|
||||
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
}
|
||||
}
|
||||
|
||||
- sev = ev = xallocarray(evcount, sizeof(xEvent));
|
||||
+ ev = sev;
|
||||
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
||||
|
||||
if (b != NULL) {
|
||||
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
|
||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
||||
DeviceStateNotifyMask, NullGrab);
|
||||
- free(sev);
|
||||
}
|
||||
|
||||
void
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
From 3eb5445f6f7fa9f86de87adc768105d42bdbcf74 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:01 +0200
|
||||
Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in
|
||||
*ProcXFixesCreatePointerBarrier()
|
||||
|
||||
ZDI-CAN-14950, CVE-2021-4009
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
|
||||
---
|
||||
xfixes/cursor.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
|
||||
index 60580b88f..c5d4554b2 100644
|
||||
--- a/xfixes/cursor.c
|
||||
+++ b/xfixes/cursor.c
|
||||
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesCreatePointerBarrierReq);
|
||||
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
LEGAL_NEW_RESOURCE(stuff->barrier, client);
|
||||
|
||||
return XICreatePointerBarrier(client, stuff);
|
||||
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
|
||||
swaps(&stuff->length);
|
||||
swaps(&stuff->num_devices);
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
|
||||
swapl(&stuff->barrier);
|
||||
swapl(&stuff->window);
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,180 +0,0 @@
|
||||
From 45a0af83129eb7dc244c5118360afc1972a686c7 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 5 Jul 2022 09:50:41 +1000
|
||||
Subject: [PATCH xserver 2/3] xkb: swap XkbSetDeviceInfo and
|
||||
XkbSetDeviceInfoCheck
|
||||
|
||||
XKB often uses a FooCheck and Foo function pair, the former is supposed
|
||||
to check all values in the request and error out on BadLength,
|
||||
BadValue, etc. The latter is then called once we're confident the values
|
||||
are good (they may still fail on an individual device, but that's a
|
||||
different topic).
|
||||
|
||||
In the case of XkbSetDeviceInfo, those functions were incorrectly
|
||||
named, with XkbSetDeviceInfo ending up as the checker function and
|
||||
XkbSetDeviceInfoCheck as the setter function. As a result, the setter
|
||||
function was called before the checker function, accessing request
|
||||
data and modifying device state before we ensured that the data is
|
||||
valid.
|
||||
|
||||
In particular, the setter function relied on values being already
|
||||
byte-swapped. This in turn could lead to potential OOB memory access.
|
||||
|
||||
Fix this by correctly naming the functions and moving the length checks
|
||||
over to the checker function. These were added in 87c64fc5b0 to the
|
||||
wrong function, probably due to the incorrect naming.
|
||||
|
||||
Fixes ZDI-CAN 16070, CVE-2022-2320.
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc)
|
||||
---
|
||||
xkb/xkb.c | 46 +++++++++++++++++++++++++---------------------
|
||||
1 file changed, 25 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index 684394d77..36464a770 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -6554,7 +6554,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
|
||||
static char *
|
||||
CheckSetDeviceIndicators(char *wire,
|
||||
DeviceIntPtr dev,
|
||||
- int num, int *status_rtrn, ClientPtr client)
|
||||
+ int num, int *status_rtrn, ClientPtr client,
|
||||
+ xkbSetDeviceInfoReq * stuff)
|
||||
{
|
||||
xkbDeviceLedsWireDesc *ledWire;
|
||||
int i;
|
||||
@@ -6562,6 +6563,11 @@ CheckSetDeviceIndicators(char *wire,
|
||||
|
||||
ledWire = (xkbDeviceLedsWireDesc *) wire;
|
||||
for (i = 0; i < num; i++) {
|
||||
+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
|
||||
+ *status_rtrn = BadLength;
|
||||
+ return (char *) ledWire;
|
||||
+ }
|
||||
+
|
||||
if (client->swapped) {
|
||||
swaps(&ledWire->ledClass);
|
||||
swaps(&ledWire->ledID);
|
||||
@@ -6589,6 +6595,11 @@ CheckSetDeviceIndicators(char *wire,
|
||||
atomWire = (CARD32 *) &ledWire[1];
|
||||
if (nNames > 0) {
|
||||
for (n = 0; n < nNames; n++) {
|
||||
+ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
|
||||
+ *status_rtrn = BadLength;
|
||||
+ return (char *) atomWire;
|
||||
+ }
|
||||
+
|
||||
if (client->swapped) {
|
||||
swapl(atomWire);
|
||||
}
|
||||
@@ -6600,6 +6611,10 @@ CheckSetDeviceIndicators(char *wire,
|
||||
mapWire = (xkbIndicatorMapWireDesc *) atomWire;
|
||||
if (nMaps > 0) {
|
||||
for (n = 0; n < nMaps; n++) {
|
||||
+ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
|
||||
+ *status_rtrn = BadLength;
|
||||
+ return (char *) mapWire;
|
||||
+ }
|
||||
if (client->swapped) {
|
||||
swaps(&mapWire->virtualMods);
|
||||
swapl(&mapWire->ctrls);
|
||||
@@ -6651,11 +6666,6 @@ SetDeviceIndicators(char *wire,
|
||||
xkbIndicatorMapWireDesc *mapWire;
|
||||
XkbSrvLedInfoPtr sli;
|
||||
|
||||
- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
|
||||
- *status_rtrn = BadLength;
|
||||
- return (char *) ledWire;
|
||||
- }
|
||||
-
|
||||
namec = mapc = statec = 0;
|
||||
sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
|
||||
XkbXI_IndicatorMapsMask);
|
||||
@@ -6674,10 +6684,6 @@ SetDeviceIndicators(char *wire,
|
||||
memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
|
||||
for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
|
||||
if (ledWire->namesPresent & bit) {
|
||||
- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
|
||||
- *status_rtrn = BadLength;
|
||||
- return (char *) atomWire;
|
||||
- }
|
||||
sli->names[n] = (Atom) *atomWire;
|
||||
if (sli->names[n] == None)
|
||||
ledWire->namesPresent &= ~bit;
|
||||
@@ -6695,10 +6701,6 @@ SetDeviceIndicators(char *wire,
|
||||
if (ledWire->mapsPresent) {
|
||||
for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
|
||||
if (ledWire->mapsPresent & bit) {
|
||||
- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
|
||||
- *status_rtrn = BadLength;
|
||||
- return (char *) mapWire;
|
||||
- }
|
||||
sli->maps[n].flags = mapWire->flags;
|
||||
sli->maps[n].which_groups = mapWire->whichGroups;
|
||||
sli->maps[n].groups = mapWire->groups;
|
||||
@@ -6734,13 +6736,17 @@ SetDeviceIndicators(char *wire,
|
||||
}
|
||||
|
||||
static int
|
||||
-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
|
||||
+_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
|
||||
xkbSetDeviceInfoReq * stuff)
|
||||
{
|
||||
char *wire;
|
||||
|
||||
wire = (char *) &stuff[1];
|
||||
if (stuff->change & XkbXI_ButtonActionsMask) {
|
||||
+ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
|
||||
+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
|
||||
+ return BadLength;
|
||||
+
|
||||
if (!dev->button) {
|
||||
client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
|
||||
return XkbKeyboardErrorCode;
|
||||
@@ -6751,13 +6757,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
|
||||
dev->button->numButtons);
|
||||
return BadMatch;
|
||||
}
|
||||
- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc));
|
||||
+ wire += sz;
|
||||
}
|
||||
if (stuff->change & XkbXI_IndicatorsMask) {
|
||||
int status = Success;
|
||||
|
||||
wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs,
|
||||
- &status, client);
|
||||
+ &status, client, stuff);
|
||||
if (status != Success)
|
||||
return status;
|
||||
}
|
||||
@@ -6768,8 +6774,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
|
||||
}
|
||||
|
||||
static int
|
||||
-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
|
||||
- xkbSetDeviceInfoReq * stuff)
|
||||
+_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
|
||||
+ xkbSetDeviceInfoReq * stuff)
|
||||
{
|
||||
char *wire;
|
||||
xkbExtensionDeviceNotify ed;
|
||||
@@ -6793,8 +6799,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
|
||||
if (stuff->firstBtn + stuff->nBtns > nBtns)
|
||||
return BadValue;
|
||||
sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
|
||||
- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
|
||||
- return BadLength;
|
||||
memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
|
||||
wire += sz;
|
||||
ed.reason |= XkbXI_ButtonActionsMask;
|
||||
--
|
||||
2.36.1
|
||||
|
||||
@ -1,88 +0,0 @@
|
||||
From a515f4f4336efb8a2adf9a3ac141129708297d80 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 29 Nov 2021 11:45:35 +0100
|
||||
Subject: [PATCH xserver 2/4] xwayland/glamor: Change errors to verbose
|
||||
messages
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
On a normal startup sequence, the Xwayland glamor backend would log
|
||||
an error whenever a required Wayland protocol is missing.
|
||||
|
||||
Those are not really errors though, more informational messages along
|
||||
the glamor backend selection process.
|
||||
|
||||
Demote those errors to verbose messages to reduce the verbosity of
|
||||
Xwayland at startup by default.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Jonas Ã…dahl <jadahl@gmail.com>
|
||||
(cherry picked from commit 30d0d4a19be61dd7b61f5ced992cb299e6a38068)
|
||||
---
|
||||
hw/xwayland/xwayland-glamor-eglstream.c | 6 ++++--
|
||||
hw/xwayland/xwayland-glamor-gbm.c | 2 +-
|
||||
hw/xwayland/xwayland-glamor.c | 6 ++++--
|
||||
3 files changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/xwayland/xwayland-glamor-eglstream.c b/hw/xwayland/xwayland-glamor-eglstream.c
|
||||
index 93d192d58..5a20b452f 100644
|
||||
--- a/hw/xwayland/xwayland-glamor-eglstream.c
|
||||
+++ b/hw/xwayland/xwayland-glamor-eglstream.c
|
||||
@@ -753,12 +753,14 @@ xwl_glamor_eglstream_has_wl_interfaces(struct xwl_screen *xwl_screen)
|
||||
xwl_eglstream_get(xwl_screen);
|
||||
|
||||
if (xwl_eglstream->display == NULL) {
|
||||
- ErrorF("glamor: 'wl_eglstream_display' not supported\n");
|
||||
+ LogMessageVerb(X_INFO, 3,
|
||||
+ "glamor: 'wl_eglstream_display' not supported\n");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (xwl_eglstream->controller == NULL) {
|
||||
- ErrorF("glamor: 'wl_eglstream_controller' not supported\n");
|
||||
+ LogMessageVerb(X_INFO, 3,
|
||||
+ "glamor: 'wl_eglstream_controller' not supported\n");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
diff --git a/hw/xwayland/xwayland-glamor-gbm.c b/hw/xwayland/xwayland-glamor-gbm.c
|
||||
index 466a1b052..e06b6f54b 100644
|
||||
--- a/hw/xwayland/xwayland-glamor-gbm.c
|
||||
+++ b/hw/xwayland/xwayland-glamor-gbm.c
|
||||
@@ -835,7 +835,7 @@ xwl_glamor_gbm_has_wl_interfaces(struct xwl_screen *xwl_screen)
|
||||
struct xwl_gbm_private *xwl_gbm = xwl_gbm_get(xwl_screen);
|
||||
|
||||
if (xwl_gbm->drm == NULL) {
|
||||
- ErrorF("glamor: 'wl_drm' not supported\n");
|
||||
+ LogMessageVerb(X_INFO, 3, "glamor: 'wl_drm' not supported\n");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
diff --git a/hw/xwayland/xwayland-glamor.c b/hw/xwayland/xwayland-glamor.c
|
||||
index deb398f91..541d5e923 100644
|
||||
--- a/hw/xwayland/xwayland-glamor.c
|
||||
+++ b/hw/xwayland/xwayland-glamor.c
|
||||
@@ -412,7 +412,8 @@ xwl_glamor_select_gbm_backend(struct xwl_screen *xwl_screen)
|
||||
return TRUE;
|
||||
}
|
||||
else
|
||||
- ErrorF("Missing Wayland requirements for glamor GBM backend\n");
|
||||
+ LogMessageVerb(X_INFO, 3,
|
||||
+ "Missing Wayland requirements for glamor GBM backend\n");
|
||||
#endif
|
||||
|
||||
return FALSE;
|
||||
@@ -428,7 +429,8 @@ xwl_glamor_select_eglstream_backend(struct xwl_screen *xwl_screen)
|
||||
return TRUE;
|
||||
}
|
||||
else
|
||||
- ErrorF("Missing Wayland requirements for glamor EGLStream backend\n");
|
||||
+ LogMessageVerb(X_INFO, 3,
|
||||
+ "Missing Wayland requirements for glamor EGLStream backend\n");
|
||||
#endif
|
||||
|
||||
return FALSE;
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,34 +0,0 @@
|
||||
From fe0c050276c09f43cc1ae80b4553db42398ca84c Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:02 +0200
|
||||
Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in
|
||||
SProcScreenSaverSuspend()
|
||||
|
||||
ZDI-CAN-14951, CVE-2021-4010
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
|
||||
---
|
||||
Xext/saver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xext/saver.c b/Xext/saver.c
|
||||
index 1d7e3cadf..f813ba08d 100644
|
||||
--- a/Xext/saver.c
|
||||
+++ b/Xext/saver.c
|
||||
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
|
||||
REQUEST(xScreenSaverSuspendReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
- swapl(&stuff->suspend);
|
||||
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
|
||||
+ swapl(&stuff->suspend);
|
||||
return ProcScreenSaverSuspend(client);
|
||||
}
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,70 +0,0 @@
|
||||
From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 29 Nov 2022 13:26:57 +1000
|
||||
Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of
|
||||
ProcXIChangeProperty
|
||||
|
||||
This fixes an OOB read and the resulting information disclosure.
|
||||
|
||||
Length calculation for the request was clipped to a 32-bit integer. With
|
||||
the correct stuff->num_items value the expected request size was
|
||||
truncated, passing the REQUEST_FIXED_SIZE check.
|
||||
|
||||
The server then proceeded with reading at least stuff->num_items bytes
|
||||
(depending on stuff->format) from the request and stuffing whatever it
|
||||
finds into the property. In the process it would also allocate at least
|
||||
stuff->num_items bytes, i.e. 4GB.
|
||||
|
||||
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
|
||||
so let's fix that too.
|
||||
|
||||
CVE-2022-46344, ZDI-CAN 19405
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
---
|
||||
Xi/xiproperty.c | 4 ++--
|
||||
dix/property.c | 3 ++-
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
||||
index 68c362c628..066ba21fba 100644
|
||||
--- a/Xi/xiproperty.c
|
||||
+++ b/Xi/xiproperty.c
|
||||
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
||||
REQUEST(xChangeDevicePropertyReq);
|
||||
DeviceIntPtr dev;
|
||||
unsigned long len;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int rc;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
|
||||
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
|
||||
{
|
||||
int rc;
|
||||
DeviceIntPtr dev;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
unsigned long len;
|
||||
|
||||
REQUEST(xXIChangePropertyReq);
|
||||
diff --git a/dix/property.c b/dix/property.c
|
||||
index 94ef5a0ec0..acce94b2c6 100644
|
||||
--- a/dix/property.c
|
||||
+++ b/dix/property.c
|
||||
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
|
||||
WindowPtr pWin;
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
- int sizeInBytes, totalSize, err;
|
||||
+ int sizeInBytes, err;
|
||||
+ uint64_t totalSize;
|
||||
|
||||
REQUEST(xChangePropertyReq);
|
||||
|
||||
--
|
||||
2.38.1
|
||||
@ -1,219 +0,0 @@
|
||||
From ee5377d94ea587f584adbc9ab8372b3842cfa149 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 18 Dec 2023 12:26:20 +1000
|
||||
Subject: [PATCH xserver 3/9] dix: fix DeviceStateNotify event calculation
|
||||
|
||||
The previous code only made sense if one considers buttons and keys to
|
||||
be mutually exclusive on a device. That is not necessarily true, causing
|
||||
a number of issues.
|
||||
|
||||
This function allocates and fills in the number of xEvents we need to
|
||||
send the device state down the wire. This is split across multiple
|
||||
32-byte devices including one deviceStateNotify event and optional
|
||||
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
|
||||
deviceValuator events.
|
||||
|
||||
The previous behavior would instead compose a sequence
|
||||
of [state, buttonstate, state, keystate, valuator...]. This is not
|
||||
protocol correct, and on top of that made the code extremely convoluted.
|
||||
|
||||
Fix this by streamlining: add both button and key into the deviceStateNotify
|
||||
and then append the key state and button state, followed by the
|
||||
valuators. Finally, the deviceValuator events contain up to 6 valuators
|
||||
per event but we only ever sent through 3 at a time. Let's double that
|
||||
troughput.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
(cherry picked from commit 219c54b8a3337456ce5270ded6a67bcde53553d5)
|
||||
---
|
||||
dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
|
||||
1 file changed, 52 insertions(+), 69 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 17964b00a..7b7ba1098 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
|
||||
ev->type = DeviceValuator;
|
||||
ev->deviceid = dev->id;
|
||||
- ev->num_valuators = nval < 3 ? nval : 3;
|
||||
+ ev->num_valuators = nval < 6 ? nval : 6;
|
||||
ev->first_valuator = first;
|
||||
switch (ev->num_valuators) {
|
||||
+ case 6:
|
||||
+ ev->valuator2 = v->axisVal[first + 5];
|
||||
+ case 5:
|
||||
+ ev->valuator2 = v->axisVal[first + 4];
|
||||
+ case 4:
|
||||
+ ev->valuator2 = v->axisVal[first + 3];
|
||||
case 3:
|
||||
ev->valuator2 = v->axisVal[first + 2];
|
||||
case 2:
|
||||
@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
ev->valuator0 = v->axisVal[first];
|
||||
break;
|
||||
}
|
||||
- first += ev->num_valuators;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
||||
ev->num_buttons = b->numButtons;
|
||||
memcpy((char *) ev->buttons, (char *) b->down, 4);
|
||||
}
|
||||
- else if (k) {
|
||||
+ if (k) {
|
||||
ev->classes_reported |= (1 << KeyClass);
|
||||
ev->num_keys = k->xkbInfo->desc->max_key_code -
|
||||
k->xkbInfo->desc->min_key_code;
|
||||
@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
+/**
|
||||
+ * The device state notify event is split across multiple 32-byte events.
|
||||
+ * The first one contains the first 32 button state bits, the first 32
|
||||
+ * key state bits, and the first 3 valuator values.
|
||||
+ *
|
||||
+ * If a device has more than that, the server sends out:
|
||||
+ * - one deviceButtonStateNotify for buttons 32 and above
|
||||
+ * - one deviceKeyStateNotify for keys 32 and above
|
||||
+ * - one deviceValuator event per 6 valuators above valuator 4
|
||||
+ *
|
||||
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
|
||||
+ */
|
||||
static void
|
||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
{
|
||||
+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
|
||||
+ * and one deviceValuator for each 6 valuators */
|
||||
+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
|
||||
int evcount = 1;
|
||||
- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
||||
- deviceStateNotify *ev;
|
||||
- deviceKeyStateNotify *kev;
|
||||
- deviceButtonStateNotify *bev;
|
||||
+ deviceStateNotify *ev = sev;
|
||||
|
||||
KeyClassPtr k;
|
||||
ButtonClassPtr b;
|
||||
@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
|
||||
if ((b = dev->button) != NULL) {
|
||||
nbuttons = b->numButtons;
|
||||
- if (nbuttons > 32)
|
||||
+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
|
||||
evcount++;
|
||||
}
|
||||
if ((k = dev->key) != NULL) {
|
||||
nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
|
||||
- if (nkeys > 32)
|
||||
+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
|
||||
evcount++;
|
||||
- if (nbuttons > 0) {
|
||||
- evcount++;
|
||||
- }
|
||||
}
|
||||
if ((v = dev->valuator) != NULL) {
|
||||
nval = v->numAxes;
|
||||
-
|
||||
- if (nval > 3)
|
||||
- evcount++;
|
||||
- if (nval > 6) {
|
||||
- if (!(k && b))
|
||||
- evcount++;
|
||||
- if (nval > 9)
|
||||
- evcount += ((nval - 7) / 3);
|
||||
- }
|
||||
+ /* first three are encoded in deviceStateNotify, then
|
||||
+ * it's 6 per deviceValuator event */
|
||||
+ evcount += ((nval - 3) + 6)/6;
|
||||
}
|
||||
|
||||
- ev = sev;
|
||||
- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
||||
-
|
||||
- if (b != NULL) {
|
||||
- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nbuttons > 32) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- bev = (deviceButtonStateNotify *) ev++;
|
||||
- bev->type = DeviceButtonStateNotify;
|
||||
- bev->deviceid = dev->id;
|
||||
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
||||
- DOWN_LENGTH - 4);
|
||||
- }
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
|
||||
+
|
||||
+ FixDeviceStateNotify(dev, ev, k, b, v, first);
|
||||
+
|
||||
+ if (b != NULL && nbuttons > 32) {
|
||||
+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
|
||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
+ bev->type = DeviceButtonStateNotify;
|
||||
+ bev->deviceid = dev->id;
|
||||
+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
||||
+ DOWN_LENGTH - 4);
|
||||
}
|
||||
|
||||
- if (k != NULL) {
|
||||
- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nkeys > 32) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- kev = (deviceKeyStateNotify *) ev++;
|
||||
- kev->type = DeviceKeyStateNotify;
|
||||
- kev->deviceid = dev->id;
|
||||
- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
||||
- }
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ if (k != NULL && nkeys > 32) {
|
||||
+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
|
||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
+ kev->type = DeviceKeyStateNotify;
|
||||
+ kev->deviceid = dev->id;
|
||||
+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
||||
}
|
||||
|
||||
+ first = 3;
|
||||
+ nval -= 3;
|
||||
while (nval > 0) {
|
||||
- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ ev->deviceid |= MORE_EVENTS;
|
||||
+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
|
||||
+ first += 6;
|
||||
+ nval -= 6;
|
||||
}
|
||||
|
||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,183 +0,0 @@
|
||||
From bd134231e282d9eb126b6fdaa40bb383180fa72b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 5 Jul 2022 11:11:06 +1000
|
||||
Subject: [PATCH xserver 3/3] xkb: add request length validation for
|
||||
XkbSetGeometry
|
||||
| < | ||||