import xorg-x11-server-1.20.11-5.el8

CentOS Sources 2022-03-29 11:57:30 -04:00 committed by Stepan Oksanichenko
parent 626f97ae4b
commit c7aba470a3
7 changed files with 399 additions and 1 deletions


@ -0,0 +1,43 @@
From 94b4a3d45451d29e9539ea234ce8b5e9ed58546c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=C5=82a=C5=BCej=20Szczygie=C5=82?= <spaz16@wp.pl>
Date: Thu, 13 Jan 2022 00:47:27 +0100
Subject: [PATCH xserver] present: Check for NULL to prevent crash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1275
Signed-off-by: Błażej Szczygieł <spaz16@wp.pl>
Tested-by: Aaron Plattner <aplattner@nvidia.com>
(cherry picked from commit 22d5818851967408bb7c903cb345b7ca8766094c)
---
present/present_scmd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/present/present_scmd.c b/present/present_scmd.c
index 3c68e690b..11391adbb 100644
--- a/present/present_scmd.c
+++ b/present/present_scmd.c
@@ -168,6 +168,9 @@ present_scmd_get_crtc(present_screen_priv_ptr screen_priv, WindowPtr window)
if (!screen_priv->info)
return NULL;
+ if (!screen_priv->info->get_crtc)
+ return NULL;
+
return (*screen_priv->info->get_crtc)(window);
}
@@ -206,6 +209,9 @@ present_flush(WindowPtr window)
if (!screen_priv->info)
return;
+ if (!screen_priv->info->flush)
+ return;
+
(*screen_priv->info->flush) (window);
}
--
2.34.1
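Review bot: The two added guards in present_scmd_get_crtc() and present_flush() cover only the `get_crtc` and `flush` hooks, so any other optional hook in `screen_priv->info` that is called through the pointer elsewhere in present_scmd.c would still crash the server when a driver leaves it unset. Those call sites are outside this patch and should be checked against the same rule. A short comment above each guard would record why it exists, for example `/* the driver's present info may leave this hook NULL */`. Both function bodies begin outside the hunks, so whether `screen_priv` itself is validated earlier is not visible here.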


@ -0,0 +1,35 @@
From acc50e6097d51fec0c6c34d84c35018a50c52d5a Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:00 +0200
Subject: [PATCH xserver 1/4] record: Fix out of bounds access in
SwapCreateRegister()
ZDI-CAN-14952, CVE-2021-4011
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
---
record/record.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/record/record.c b/record/record.c
index 05d751ac2..a8aec23bd 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
swapl(pClientID);
}
if (stuff->nRanges >
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- - stuff->nClients)
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
return Success;
--
2.33.1
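Review bot: The corrected bound in SwapCreateRegister() mixes units without saying so: `client->req_len` counts 4-byte words while `stuff->nRanges` counts xRecordRange structures, which is the confusion this fix removes. A comment above the check, such as `/* req_len is in 4-byte units; each range takes bytes_to_int32(sz_xRecordRange) of them */`, would keep a later edit from reintroducing it. The subtraction of `stuff->nClients` is safe only if `nClients` was already bounded by the request length earlier in the function; that part lies outside the hunk, and the arithmetic appears to be unsigned and would wrap otherwise, so it is worth confirming.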


@ -0,0 +1,167 @@
From dafe5f6358edd557d89bb63265d6df2e1249f106 Mon Sep 17 00:00:00 2001
From: Jocelyn Falempe <jfalempe@redhat.com>
Date: Thu, 18 Nov 2021 14:45:42 +0100
Subject: [PATCH] xf86/logind: fix call systemd_logind_vtenter after receiving
drm device resume
logind send the resume event for input devices and drm device,
in any order. if we call vt_enter before logind resume the drm device,
it leads to a driver error, because logind has not done the
DRM_IOCTL_SET_MASTER on it.
Keep the old workaround to make sure we call systemd_logind_vtenter at
least once if there are no platform device
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: Fix drm_drop_master before vt_reldisp
When switching to VT, the ioctl DRM_DROP_MASTER must be done before
the ioctl VT_RELDISP. Otherwise the kernel can't change the modesetting
reliably, and this leads to the console not showing up in some cases, like
after unplugging a docking station with a DP or HDMI monitor.
Before doing the VT_RELDISP, send a dbus message to logind, to
pause the drm device, so logind will do the ioctl DRM_DROP_MASTER.
With this patch, it changes the order logind will send the resume
event, and drm will be sent last instead of first.
so there is a also fix to call systemd_logind_vtenter() at the right time.
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: Fix compilation error when built without logind/platform bus
This was introduced by commit 8eb1396d
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1269
Fixes: da9d012a9 - xf86/logind: Fix drm_drop_master before vt_reldisp
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: fix missing call to vtenter if the platform device is not paused
If there is one platform device, which is not paused nor resumed,
systemd_logind_vtenter() will never get called.
This break suspend/resume, and switching to VT on system with Nvidia
proprietary driver.
This is a regression introduced by f5bd039633fa83
So now call systemd_logind_vtenter() if there are no paused
platform devices.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1271
Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
---
hw/xfree86/common/xf86Events.c | 4 ++
hw/xfree86/os-support/linux/systemd-logind.c | 41 +++++++++++++++++---
include/systemd-logind.h | 2 +
3 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
index 8a800bd8f..b683d233b 100644
--- a/hw/xfree86/common/xf86Events.c
+++ b/hw/xfree86/common/xf86Events.c
@@ -393,6 +393,10 @@ xf86VTLeave(void)
for (i = 0; i < xf86NumGPUScreens; i++)
xf86GPUScreens[i]->LeaveVT(xf86GPUScreens[i]);
+ if (systemd_logind_controls_session()) {
+ systemd_logind_drop_master();
+ }
+
if (!xf86VTSwitchAway())
goto switch_failed;
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
index 13784d15c..bd7a341f0 100644
--- a/hw/xfree86/os-support/linux/systemd-logind.c
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
@@ -302,6 +302,37 @@ cleanup:
dbus_error_free(&error);
}
+/*
+ * Send a message to logind, to pause the drm device
+ * and ensure the drm_drop_master is done before
+ * VT_RELDISP when switching VT
+ */
+void systemd_logind_drop_master(void)
+{
+ int i;
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ if (xf86_platform_devices[i].flags & XF86_PDEV_SERVER_FD) {
+ dbus_int32_t major, minor;
+ struct systemd_logind_info *info = &logind_info;
+
+ xf86_platform_devices[i].flags |= XF86_PDEV_PAUSED;
+ major = xf86_platform_odev_attributes(i)->major;
+ minor = xf86_platform_odev_attributes(i)->minor;
+ systemd_logind_ack_pause(info, minor, major);
+ }
+ }
+}
+
+static Bool are_platform_devices_resumed(void) {
+ int i;
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ if (xf86_platform_devices[i].flags & XF86_PDEV_PAUSED) {
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
static DBusHandlerResult
message_filter(DBusConnection * connection, DBusMessage * message, void *data)
{
@@ -417,14 +448,14 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
/* info->vt_active gets set by systemd_logind_vtenter() */
info->active = TRUE;
- if (pdev)
+ if (pdev) {
pdev->flags &= ~XF86_PDEV_PAUSED;
- else
+ } else
systemd_logind_set_input_fd_for_all_devs(major, minor, fd,
info->vt_active);
-
- /* Always call vtenter(), in case there are only legacy video devs */
- systemd_logind_vtenter();
+ /* Call vtenter if all platform devices are resumed, or if there are no platform device */
+ if (are_platform_devices_resumed())
+ systemd_logind_vtenter();
}
return DBUS_HANDLER_RESULT_HANDLED;
}
diff --git a/include/systemd-logind.h b/include/systemd-logind.h
index a4067d097..5c04d0130 100644
--- a/include/systemd-logind.h
+++ b/include/systemd-logind.h
@@ -33,6 +33,7 @@ int systemd_logind_take_fd(int major, int minor, const char *path, Bool *paus);
void systemd_logind_release_fd(int major, int minor, int fd);
int systemd_logind_controls_session(void);
void systemd_logind_vtenter(void);
+void systemd_logind_drop_master(void);
#else
#define systemd_logind_init()
#define systemd_logind_fini()
@@ -40,6 +41,7 @@ void systemd_logind_vtenter(void);
#define systemd_logind_release_fd(major, minor, fd) close(fd)
#define systemd_logind_controls_session() 0
#define systemd_logind_vtenter()
+#define systemd_logind_drop_master()
#endif
#endif
--
2.33.1
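Review bot: systemd_logind_drop_master() sets `XF86_PDEV_PAUSED` on every server-fd platform device before calling systemd_logind_ack_pause() and has no way to learn whether the message reached logind, while the changed message_filter() now calls systemd_logind_vtenter() only when are_platform_devices_resumed() finds no paused device. If logind never sends a resume for one of those devices, the flag stays set and the VT enter appears never to happen, so the failure path should either clear the flag or at least be logged; how systemd_logind_ack_pause() reports errors is outside the hunk. The call also passes `minor, major`, the opposite of the `major, minor` order used by the prototypes in systemd-logind.h, so if that order is what the helper expects a comment such as `/* ack_pause takes minor before major */` would stop it being "corrected" later.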


@ -0,0 +1,44 @@
From 6bb8aeb30a2686facc48733016caade97ece10ad Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:01 +0200
Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in
*ProcXFixesCreatePointerBarrier()
ZDI-CAN-14950, CVE-2021-4009
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
---
xfixes/cursor.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index d4b68f3af..5f531a89a 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
{
REQUEST(xXFixesCreatePointerBarrierReq);
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
LEGAL_NEW_RESOURCE(stuff->barrier, client);
return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
swaps(&stuff->length);
swaps(&stuff->num_devices);
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
swapl(&stuff->barrier);
swapl(&stuff->window);
--
2.33.1
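Review bot: Both handlers now repeat the expression `pad_to_int32(stuff->num_devices * sizeof(CARD16))` with no comment saying that the fixed request is followed by `num_devices` 16-bit device ids, which is the fact the old length check got wrong. A one-line comment above each REQUEST_FIXED_SIZE, `/* the fixed request is followed by num_devices CARD16 device ids */`, would document it. In SProcXFixesCreatePointerBarrier() the `swaps(&stuff->num_devices)` runs before this check; whether a minimum-size check precedes the swap is outside the hunk and should be confirmed.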


@ -0,0 +1,34 @@
From 67425fcab50ef24a5617e109897f38876dd81277 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:02 +0200
Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in
SProcScreenSaverSuspend()
ZDI-CAN-14951, CVE-2021-4010
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
---
Xext/saver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/saver.c b/Xext/saver.c
index c27a66c80..c23907dbb 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
REQUEST(xScreenSaverSuspendReq);
swaps(&stuff->length);
- swapl(&stuff->suspend);
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+ swapl(&stuff->suspend);
return ProcScreenSaverSuspend(client);
}
--
2.33.1
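Review bot: The reordering in SProcScreenSaverSuspend() carries no comment, so the reason `swapl(&stuff->suspend)` must follow REQUEST_SIZE_MATCH is easy to lose in a later cleanup. Adding `/* check the length before byte-swapping any field past the request header */` above the REQUEST_SIZE_MATCH line would record it. `swaps(&stuff->length)` still runs first; that is presumably fine because the length sits in the fixed request header, but the struct layout is not shown here.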


@ -0,0 +1,53 @@
From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:03 +0200
Subject: [PATCH xserver 4/4] render: Fix out of bounds access in
SProcRenderCompositeGlyphs()
ZDI-CAN-14192, CVE-2021-4008
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
---
render/render.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/render/render.c b/render/render.c
index c376090ca..456f156d4 100644
--- a/render/render.c
+++ b/render/render.c
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
i = elt->len;
if (i == 0xff) {
+ if (buffer + 4 > end) {
+ return BadLength;
+ }
swapl((int *) buffer);
buffer += 4;
}
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
buffer += i;
break;
case 2:
+ if (buffer + i * 2 > end) {
+ return BadLength;
+ }
while (i--) {
swaps((short *) buffer);
buffer += 2;
}
break;
case 4:
+ if (buffer + i * 4 > end) {
+ return BadLength;
+ }
while (i--) {
swapl((int *) buffer);
buffer += 4;
--
2.33.1
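Review bot: The three added checks in SProcRenderCompositeGlyphs() form a pointer that may lie beyond the request before comparing it, e.g. `buffer + i * 4 > end`; comparing lengths instead keeps the arithmetic inside the buffer: `if (end - buffer < i * 4) return BadLength;`, and likewise `< 4` and `< i * 2` for the other two. This assumes `buffer <= end` holds at those points, which depends on the loop condition outside the hunk. The `case 1` path at `buffer += i;` gets no check, which looks acceptable only because nothing is read or swapped there; a short comment saying so would help the next reader.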


@ -46,7 +46,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.20.11
Release: 2%{?gitdate:.%{gitdate}}%{?dist}
Release: 5%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@ -108,6 +108,17 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch
Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch
Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch
Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
Patch205: 0001-present-Check-for-NULL-to-prevent-crash.patch
# CVE-2021-4011
Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
# CVE-2021-4009
Patch10010: 0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
# CVE-2021-4010
Patch10011: 0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
# CVE-2021-4008
Patch10012: 0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
BuildRequires: systemtap-sdt-devel
BuildRequires: git
@ -534,6 +545,17 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog
* Fri Jan 28 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-5
- Fix crash with NVIDIA proprietary driver with Present (#2046329)
* Thu Jan 6 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-4
- CVE fix for: CVE-2021-4008 (#2030162), CVE-2021-4009 (#2030172),
CVE-2021-4010 (#2030175), CVE-2021-4011 (#2030181)
* Mon Nov 29 2021 Jocelyn Falempe <jfalempe@redhat.com> - 1.20.11-3
- xf86/logind Fix drm_drop_master before vt_reldis
Resolves: #1771863
* Wed Jun 9 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-2
- Remove Xwayland from the xserver builds
Resolves: #1956838