import xorg-x11-server-1.20.11-5.el8

2022-05-10 03:11:01 -04:00 · 2022-05-10 03:11:01 -04:00 · e830a9c2cc
parent 894e155f08
commit e830a9c2cc
7 changed files with 399 additions and 1 deletions
--- a/SOURCES/0001-present-Check-for-NULL-to-prevent-crash.patch
+++ b/SOURCES/0001-present-Check-for-NULL-to-prevent-crash.patch
@ -0,0 +1,43 @@
+From 94b4a3d45451d29e9539ea234ce8b5e9ed58546c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?B=C5=82a=C5=BCej=20Szczygie=C5=82?= <spaz16@wp.pl>
+Date: Thu, 13 Jan 2022 00:47:27 +0100
+Subject: [PATCH xserver] present: Check for NULL to prevent crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1275
+Signed-off-by: Błażej Szczygieł <spaz16@wp.pl>
+Tested-by: Aaron Plattner <aplattner@nvidia.com>
+(cherry picked from commit 22d5818851967408bb7c903cb345b7ca8766094c)
+---
+ present/present_scmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/present/present_scmd.c b/present/present_scmd.c
+index 3c68e690b..11391adbb 100644
+--- a/present/present_scmd.c
+++ b/present/present_scmd.c
+@@ -168,6 +168,9 @@ present_scmd_get_crtc(present_screen_priv_ptr screen_priv, WindowPtr window)
+     if (!screen_priv->info)
+         return NULL;
+ 
+    if (!screen_priv->info->get_crtc)
+        return NULL;
+
+     return (*screen_priv->info->get_crtc)(window);
+ }
+ 
+@@ -206,6 +209,9 @@ present_flush(WindowPtr window)
+     if (!screen_priv->info)
+         return;
+ 
+    if (!screen_priv->info->flush)
+        return;
+
+     (*screen_priv->info->flush) (window);
+ }
+ 
+-- 
+2.34.1
+
--- a/SOURCES/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
+++ b/SOURCES/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
@ -0,0 +1,35 @@
+From acc50e6097d51fec0c6c34d84c35018a50c52d5a Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:00 +0200
+Subject: [PATCH xserver 1/4] record: Fix out of bounds access in
+ SwapCreateRegister()
+
+ZDI-CAN-14952, CVE-2021-4011
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
+---
+ record/record.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index 05d751ac2..a8aec23bd 100644
+--- a/record/record.c
+++ b/record/record.c
+@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+         swapl(pClientID);
+     }
+     if (stuff->nRanges >
+-        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+-        - stuff->nClients)
+        (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
+         return BadLength;
+     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+     return Success;
+-- 
+2.33.1
+
--- a/SOURCES/0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
+++ b/SOURCES/0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
@ -0,0 +1,167 @@
+From dafe5f6358edd557d89bb63265d6df2e1249f106 Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe <jfalempe@redhat.com>
+Date: Thu, 18 Nov 2021 14:45:42 +0100
+Subject: [PATCH] xf86/logind: fix call systemd_logind_vtenter after receiving
+ drm device resume
+
+logind send the resume event for input devices and drm device,
+in any order. if we call vt_enter before logind resume the drm device,
+it leads to a driver error, because logind has not done the
+DRM_IOCTL_SET_MASTER on it.
+
+Keep the old workaround to make sure we call systemd_logind_vtenter at
+least once if there are no platform device
+
+Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+
+xf86/logind: Fix drm_drop_master before vt_reldisp
+
+When switching to VT, the ioctl DRM_DROP_MASTER must be done before
+the ioctl VT_RELDISP. Otherwise the kernel can't change the modesetting
+reliably, and this leads to the console not showing up in some cases, like
+after unplugging a docking station with a DP or HDMI monitor.
+
+Before doing the VT_RELDISP, send a dbus message to logind, to
+pause the drm device, so logind will do the ioctl DRM_DROP_MASTER.
+
+With this patch, it changes the order logind will send the resume
+event, and drm will be sent last instead of first.
+so there is a also fix to call systemd_logind_vtenter() at the right time.
+
+Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+
+xf86/logind: Fix compilation error when built without logind/platform bus
+
+This was introduced by commit 8eb1396d
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1269
+Fixes: da9d012a9 - xf86/logind: Fix drm_drop_master before vt_reldisp
+
+Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+
+xf86/logind: fix missing call to vtenter if the platform device is not paused
+
+If there is one platform device, which is not paused nor resumed,
+systemd_logind_vtenter() will never get called.
+This break suspend/resume, and switching to VT on system with Nvidia
+proprietary driver.
+This is a regression introduced by f5bd039633fa83
+
+So now call systemd_logind_vtenter() if there are no paused
+platform devices.
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1271
+Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
+
+Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
+Tested-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+---
+ hw/xfree86/common/xf86Events.c               |  4 ++
+ hw/xfree86/os-support/linux/systemd-logind.c | 41 +++++++++++++++++---
+ include/systemd-logind.h                     |  2 +
+ 3 files changed, 42 insertions(+), 5 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
+index 8a800bd8f..b683d233b 100644
+--- a/hw/xfree86/common/xf86Events.c
+++ b/hw/xfree86/common/xf86Events.c
+@@ -393,6 +393,10 @@ xf86VTLeave(void)
+     for (i = 0; i < xf86NumGPUScreens; i++)
+         xf86GPUScreens[i]->LeaveVT(xf86GPUScreens[i]);
+ 
+    if (systemd_logind_controls_session()) {
+        systemd_logind_drop_master();
+    }
+
+     if (!xf86VTSwitchAway())
+         goto switch_failed;
+ 
+diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
+index 13784d15c..bd7a341f0 100644
+--- a/hw/xfree86/os-support/linux/systemd-logind.c
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
+@@ -302,6 +302,37 @@ cleanup:
+     dbus_error_free(&error);
+ }
+ 
+/*
+ * Send a message to logind, to pause the drm device
+ * and ensure the drm_drop_master is done before
+ * VT_RELDISP when switching VT
+ */
+void systemd_logind_drop_master(void)
+{
+    int i;
+    for (i = 0; i < xf86_num_platform_devices; i++) {
+        if (xf86_platform_devices[i].flags & XF86_PDEV_SERVER_FD) {
+            dbus_int32_t major, minor;
+            struct systemd_logind_info *info = &logind_info;
+
+            xf86_platform_devices[i].flags |= XF86_PDEV_PAUSED;
+            major = xf86_platform_odev_attributes(i)->major;
+            minor = xf86_platform_odev_attributes(i)->minor;
+            systemd_logind_ack_pause(info, minor, major);
+        }
+    }
+}
+
+static Bool are_platform_devices_resumed(void) {
+    int i;
+    for (i = 0; i < xf86_num_platform_devices; i++) {
+        if (xf86_platform_devices[i].flags & XF86_PDEV_PAUSED) {
+            return FALSE;
+        }
+    }
+    return TRUE;
+}
+
+ static DBusHandlerResult
+ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
+ {
+@@ -417,14 +448,14 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
+         /* info->vt_active gets set by systemd_logind_vtenter() */
+         info->active = TRUE;
+ 
+-        if (pdev)
+        if (pdev) {
+             pdev->flags &= ~XF86_PDEV_PAUSED;
+-        else
+        } else
+             systemd_logind_set_input_fd_for_all_devs(major, minor, fd,
+                                                      info->vt_active);
+-
+-        /* Always call vtenter(), in case there are only legacy video devs */
+-        systemd_logind_vtenter();
+        /* Call vtenter if all platform devices are resumed, or if there are no platform device */
+        if (are_platform_devices_resumed())
+            systemd_logind_vtenter();
+     }
+     return DBUS_HANDLER_RESULT_HANDLED;
+ }
+diff --git a/include/systemd-logind.h b/include/systemd-logind.h
+index a4067d097..5c04d0130 100644
+--- a/include/systemd-logind.h
+++ b/include/systemd-logind.h
+@@ -33,6 +33,7 @@ int systemd_logind_take_fd(int major, int minor, const char *path, Bool *paus);
+ void systemd_logind_release_fd(int major, int minor, int fd);
+ int systemd_logind_controls_session(void);
+ void systemd_logind_vtenter(void);
+void systemd_logind_drop_master(void);
+ #else
+ #define systemd_logind_init()
+ #define systemd_logind_fini()
+@@ -40,6 +41,7 @@ void systemd_logind_vtenter(void);
+ #define systemd_logind_release_fd(major, minor, fd) close(fd)
+ #define systemd_logind_controls_session() 0
+ #define systemd_logind_vtenter()
+#define systemd_logind_drop_master()
+ #endif
+ 
+ #endif
+-- 
+2.33.1
+
--- a/SOURCES/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
+++ b/SOURCES/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
@ -0,0 +1,44 @@
+From 6bb8aeb30a2686facc48733016caade97ece10ad Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:01 +0200
+Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in
+ *ProcXFixesCreatePointerBarrier()
+
+ZDI-CAN-14950, CVE-2021-4009
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
+---
+ xfixes/cursor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index d4b68f3af..5f531a89a 100644
+--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
+@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
+ {
+     REQUEST(xXFixesCreatePointerBarrierReq);
+ 
+-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+     LEGAL_NEW_RESOURCE(stuff->barrier, client);
+ 
+     return XICreatePointerBarrier(client, stuff);
+@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->num_devices);
+-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+ 
+     swapl(&stuff->barrier);
+     swapl(&stuff->window);
+-- 
+2.33.1
+
--- a/SOURCES/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
+++ b/SOURCES/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
@ -0,0 +1,34 @@
+From 67425fcab50ef24a5617e109897f38876dd81277 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:02 +0200
+Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in
+ SProcScreenSaverSuspend()
+
+ZDI-CAN-14951, CVE-2021-4010
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c27a66c80..c23907dbb 100644
+--- a/Xext/saver.c
+++ b/Xext/saver.c
+@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
+     REQUEST(xScreenSaverSuspendReq);
+ 
+     swaps(&stuff->length);
+-    swapl(&stuff->suspend);
+     REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+    swapl(&stuff->suspend);
+     return ProcScreenSaverSuspend(client);
+ }
+ 
+-- 
+2.33.1
+
--- a/SOURCES/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
+++ b/SOURCES/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
@ -0,0 +1,53 @@
+From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:03 +0200
+Subject: [PATCH xserver 4/4] render: Fix out of bounds access in
+ SProcRenderCompositeGlyphs()
+
+ZDI-CAN-14192, CVE-2021-4008
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
+---
+ render/render.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/render/render.c b/render/render.c
+index c376090ca..456f156d4 100644
+--- a/render/render.c
+++ b/render/render.c
+@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+ 
+         i = elt->len;
+         if (i == 0xff) {
+            if (buffer + 4 > end) {
+                return BadLength;
+            }
+             swapl((int *) buffer);
+             buffer += 4;
+         }
+@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+                 buffer += i;
+                 break;
+             case 2:
+                if (buffer + i * 2 > end) {
+                    return BadLength;
+                }
+                 while (i--) {
+                     swaps((short *) buffer);
+                     buffer += 2;
+                 }
+                 break;
+             case 4:
+                if (buffer + i * 4 > end) {
+                    return BadLength;
+                }
+                 while (i--) {
+                     swapl((int *) buffer);
+                     buffer += 4;
+-- 
+2.33.1
+
--- a/SPECS/xorg-x11-server.spec
+++ b/SPECS/xorg-x11-server.spec
@ -46,7 +46,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.20.11
-Release:   2%{?gitdate:.%{gitdate}}%{?dist}
+Release:   5%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -108,6 +108,17 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
 Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch
 Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch
 Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch
+Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
+Patch205: 0001-present-Check-for-NULL-to-prevent-crash.patch
+
+# CVE-2021-4011
+Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
+# CVE-2021-4009
+Patch10010: 0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
+# CVE-2021-4010
+Patch10011: 0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
+# CVE-2021-4008
+Patch10012: 0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch

 BuildRequires: systemtap-sdt-devel
 BuildRequires: git
@ -534,6 +545,17 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete


 %changelog
+* Fri Jan 28 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-5
+- Fix crash with NVIDIA proprietary driver with Present (#2046329)
+
+* Thu Jan  6 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-4
+- CVE fix for: CVE-2021-4008 (#2030162), CVE-2021-4009 (#2030172),
+  CVE-2021-4010 (#2030175), CVE-2021-4011 (#2030181)
+
+* Mon Nov  29 2021 Jocelyn Falempe <jfalempe@redhat.com> - 1.20.11-3
+- xf86/logind Fix drm_drop_master before vt_reldis
+  Resolves: #1771863
+
 * Wed Jun  9 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-2
 - Remove Xwayland from the xserver builds
  Resolves: #1956838