- U_0001-Correct-bounds-checking-in-XkbSetNames.patch

* Correct bounds checking in XkbSetNames() [CVE-2020-14345 / ZDI 11428, boo#1174635] - U_0002-Fix-XIChangeHierarchy-integer-underflow.patch * Fix XIChangeHierarchy() integer underflow [CVE-2020-14346 / ZDI-CAN-11429, boo#1174638] - U_0003-Fix-XkbSelectEvents-integer-underflow.patch * Fix XkbSelectEvents() integer underflow [CVE-2020-14361 / ZDI-CAN 11573, boo#1174910] - U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch * Fix XRecordRegisterClients() Integer underflow [CVE-2020-14362 / ZDI-CAN-11574, boo#1174913] OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=773
2020-08-25 16:11:08 +00:00 · 2020-08-25 16:11:08 +00:00 · fec607fe57
commit fec607fe57
parent d7e8d0e628
6 changed files with 325 additions and 0 deletions
--- a/U_0001-Correct-bounds-checking-in-XkbSetNames.patch
+++ b/U_0001-Correct-bounds-checking-in-XkbSetNames.patch
@ -0,0 +1,175 @@
+From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: [PATCH 1/4] Correct bounds checking in XkbSetNames()
+
+CVE-2020-14345 / ZDI 11428
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+Index: xserver-1.20.8+0/xkb/xkb.c
+===================================================================
+--- xserver-1.20.8+0.orig/xkb/xkb.c
+++ xserver-1.20.8+0/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define	CHK_REQ_KEY_RANGE(err,first,num,r)  \
+ 	CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+ 
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+    char *cstuff = (char *)stuff;
+    char *cfrom = (char *)from;
+    char *cto = (char *)to;
+
+    return cfrom < cto &&
+           cfrom >= cstuff &&
+           cfrom < cstuff + ((size_t)client->req_len << 2) &&
+           cto >= cstuff &&
+           cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
+ /***====================================================================***/
+ 
+ int
+@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+             return BadAccess;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
+            return BadLength;
+         old = tmp;
+         tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+         if (!tmp) {
+@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+         }
+         width = (CARD8 *) tmp;
+         tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
+        if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
+            return BadLength;
+         type = &xkb->map->types[stuff->firstKTLevel];
+         for (i = 0; i < stuff->nKTLevels; i++, type++) {
+             if (width[i] == 0)
+@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+                                                   type->num_levels, width[i]);
+                 return BadMatch;
+             }
+            if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
+                return BadLength;
+             tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+             if (!tmp) {
+                 client->errorValue = bad;
+@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x08;
+             return BadMatch;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + Ones(stuff->indicators)))
+            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+                                    client->swapped, &bad);
+         if (!tmp) {
+@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x09;
+             return BadMatch;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + Ones(stuff->virtualMods)))
+            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+                                    (CARD32) stuff->virtualMods,
+                                    client->swapped, &bad);
+@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = 0x0a;
+             return BadMatch;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + Ones(stuff->groupNames)))
+            return BadLength;
+         tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+                                    (CARD32) stuff->groupNames,
+                                    client->swapped, &bad);
+@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+                              stuff->nKeys);
+             return BadValue;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
+            return BadLength;
+         tmp += stuff->nKeys;
+     }
+     if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + (stuff->nKeyAliases * 2)))
+            return BadLength;
+         tmp += stuff->nKeyAliases * 2;
+     }
+     if (stuff->which & XkbRGNamesMask) {
+@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
+             client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+             return BadValue;
+         }
+        if (!_XkbCheckRequestBounds(client, stuff, tmp,
+                                    tmp + stuff->nRadioGroups))
+            return BadLength;
+         tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+         if (!tmp) {
+             client->errorValue = bad;
+@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
+     /* check device-independent stuff */
+     tmp = (CARD32 *) &stuff[1];
+ 
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbKeycodesNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbGeometryNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbSymbolsNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbPhysSymbolsNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbTypesNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
+@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
+             return BadAtom;
+         }
+     }
+    if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+        return BadLength;
+     if (stuff->which & XkbCompatNameMask) {
+         tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+         if (!tmp) {
--- a/U_0002-Fix-XIChangeHierarchy-integer-underflow.patch
+++ b/U_0002-Fix-XIChangeHierarchy-integer-underflow.patch
@ -0,0 +1,31 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH 2/4] Fix XIChangeHierarchy() integer underflow
+
+CVE-2020-14346 / ZDI-CAN-11429
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd91258..504defe56 100644
+--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+    len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+-- 
+2.16.4
+
--- a/U_0003-Fix-XkbSelectEvents-integer-underflow.patch
+++ b/U_0003-Fix-XkbSelectEvents-integer-underflow.patch
@ -0,0 +1,31 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH 3/4] Fix XkbSelectEvents() integer underflow
+
+CVE-2020-14361 ZDI-CAN 11573
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff4..50cabb90e 100644
+--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+         register unsigned bit, ndx, maskLeft, dataLeft, size;
+ 
+         from.c8 = (CARD8 *) &stuff[1];
+-        dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+        dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+         maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+         for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+             if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+-- 
+2.16.4
+
--- a/U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch
+++ b/U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch
@ -0,0 +1,62 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH 4/4] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+Index: xserver-1.20.8+0/record/record.c
+===================================================================
+--- xserver-1.20.8+0.orig/record/record.c
+++ xserver-1.20.8+0/record/record.c
+@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client
+ }                               /* SProcRecordQueryVersion */
+ 
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+     int i;
+     XID *pClientID;
+@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClient
+     swapl(&stuff->nRanges);
+     pClientID = (XID *) &stuff[1];
+     if (stuff->nClients >
+-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+         return BadLength;
+     for (i = 0; i < stuff->nClients; i++, pClientID++) {
+         swapl(pClientID);
+     }
+     if (stuff->nRanges >
+-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+         - stuff->nClients)
+         return BadLength;
+     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr clien
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+         return status;
+     return ProcRecordCreateContext(client);
+ }                               /* SProcRecordCreateContext */
+@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr cli
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+         return status;
+     return ProcRecordRegisterClients(client);
+ }                               /* SProcRecordRegisterClients */
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Aug 25 15:46:49 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
+
+- U_0001-Correct-bounds-checking-in-XkbSetNames.patch
+  * Correct bounds checking in XkbSetNames() 
+    [CVE-2020-14345 / ZDI 11428, boo#1174635]
+- U_0002-Fix-XIChangeHierarchy-integer-underflow.patch
+  * Fix XIChangeHierarchy() integer underflow
+    [CVE-2020-14346 / ZDI-CAN-11429, boo#1174638]
+- U_0003-Fix-XkbSelectEvents-integer-underflow.patch
+  * Fix XkbSelectEvents() integer underflow
+    [CVE-2020-14361 / ZDI-CAN 11573, boo#1174910]
+- U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch
+  * Fix XRecordRegisterClients() Integer underflow
+    [CVE-2020-14362 / ZDI-CAN-11574, boo#1174913]
+
 -------------------------------------------------------------------
 Fri Jul 31 19:54:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>

--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -250,6 +250,11 @@ Patch1505:      U_xwayland-Allow-passing-a-fd.patch

 Patch1600:      U_glamor_egl-Reject-OpenGL-2.1-early-on.patch

+Patch1701:      U_0001-Correct-bounds-checking-in-XkbSetNames.patch
+Patch1702:      U_0002-Fix-XIChangeHierarchy-integer-underflow.patch
+Patch1703:      U_0003-Fix-XkbSelectEvents-integer-underflow.patch
+Patch1704:      U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch
+
 Patch1174633:   U_FixForZDI-11426.patch

 %description
@ -401,6 +406,11 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1505 -p1
 %patch1600 -p1

+%patch1701 -p1
+%patch1702 -p1
+%patch1703 -p1
+%patch1704 -p1
+
 %patch1174633 -p1

 %build