forked from pool/xorg-x11-server
- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
* Out-of-bounds memory write in XKB button actions (CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) - U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch * Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, bsc#1217766) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=862
This commit is contained in:
parent
f2b0c39e9f
commit
d3adf84eb2
@ -0,0 +1,75 @@
|
|||||||
|
From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
||||||
|
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
|
||||||
|
|
||||||
|
button->xkb_acts is supposed to be an array sufficiently large for all
|
||||||
|
our buttons, not just a single XkbActions struct. Allocating
|
||||||
|
insufficient memory here means when we memcpy() later in
|
||||||
|
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
||||||
|
leading to the usual security ooopsiedaisies.
|
||||||
|
|
||||||
|
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
||||||
|
|
||||||
|
This vulnerability was discovered by:
|
||||||
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||||
|
---
|
||||||
|
Xi/exevents.c | 8 ++++++--
|
||||||
|
dix/devices.c | 11 +++++++++++
|
||||||
|
2 files changed, 17 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||||
|
index dcd4efb3bc..f24de9eec4 100644
|
||||||
|
--- a/Xi/exevents.c
|
||||||
|
+++ b/Xi/exevents.c
|
||||||
|
@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||||
|
|
||||||
|
if (from->button->xkb_acts) {
|
||||||
|
if (!to->button->xkb_acts) {
|
||||||
|
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
||||||
|
+ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction));
|
||||||
|
if (!to->button->xkb_acts)
|
||||||
|
FatalError("[Xi] not enough memory for xkb_acts.\n");
|
||||||
|
+ } else {
|
||||||
|
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
||||||
|
+ from->button->numButtons,
|
||||||
|
+ sizeof(XkbAction));
|
||||||
|
}
|
||||||
|
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
||||||
|
- sizeof(XkbAction));
|
||||||
|
+ from->button->numButtons * sizeof(XkbAction));
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
free(to->button->xkb_acts);
|
||||||
|
diff --git a/dix/devices.c b/dix/devices.c
|
||||||
|
index 7150734a58..deb3010206 100644
|
||||||
|
--- a/dix/devices.c
|
||||||
|
+++ b/dix/devices.c
|
||||||
|
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||||
|
|
||||||
|
if (master->button && master->button->numButtons != maxbuttons) {
|
||||||
|
int i;
|
||||||
|
+ int last_num_buttons = master->button->numButtons;
|
||||||
|
+
|
||||||
|
DeviceChangedEvent event = {
|
||||||
|
.header = ET_Internal,
|
||||||
|
.type = ET_DeviceChanged,
|
||||||
|
@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||||
|
};
|
||||||
|
|
||||||
|
master->button->numButtons = maxbuttons;
|
||||||
|
+ if (last_num_buttons < maxbuttons) {
|
||||||
|
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
||||||
|
+ maxbuttons,
|
||||||
|
+ sizeof(XkbAction));
|
||||||
|
+ memset(&master->button->xkb_acts[last_num_buttons],
|
||||||
|
+ 0,
|
||||||
|
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
|
||||||
|
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
||||||
|
sizeof(Atom));
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -0,0 +1,59 @@
|
|||||||
|
From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
||||||
|
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
|
||||||
|
ProcRRChange*Property
|
||||||
|
|
||||||
|
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
||||||
|
See also xserver@8f454b79 where this same bug was fixed for the core
|
||||||
|
protocol and XI.
|
||||||
|
|
||||||
|
This fixes an OOB read and the resulting information disclosure.
|
||||||
|
|
||||||
|
Length calculation for the request was clipped to a 32-bit integer. With
|
||||||
|
the correct stuff->nUnits value the expected request size was
|
||||||
|
truncated, passing the REQUEST_FIXED_SIZE check.
|
||||||
|
|
||||||
|
The server then proceeded with reading at least stuff->num_items bytes
|
||||||
|
(depending on stuff->format) from the request and stuffing whatever it
|
||||||
|
finds into the property. In the process it would also allocate at least
|
||||||
|
stuff->nUnits bytes, i.e. 4GB.
|
||||||
|
|
||||||
|
CVE-2023-XXXXX, ZDI-CAN-22561
|
||||||
|
|
||||||
|
This vulnerability was discovered by:
|
||||||
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||||
|
---
|
||||||
|
randr/rrproperty.c | 2 +-
|
||||||
|
randr/rrproviderproperty.c | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||||
|
index 25469f57b2..c4fef8a1f6 100644
|
||||||
|
--- a/randr/rrproperty.c
|
||||||
|
+++ b/randr/rrproperty.c
|
||||||
|
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
||||||
|
char format, mode;
|
||||||
|
unsigned long len;
|
||||||
|
int sizeInBytes;
|
||||||
|
- int totalSize;
|
||||||
|
+ uint64_t totalSize;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
||||||
|
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||||
|
index b79c17f9bf..90c5a9a933 100644
|
||||||
|
--- a/randr/rrproviderproperty.c
|
||||||
|
+++ b/randr/rrproviderproperty.c
|
||||||
|
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
||||||
|
char format, mode;
|
||||||
|
unsigned long len;
|
||||||
|
int sizeInBytes;
|
||||||
|
- int totalSize;
|
||||||
|
+ uint64_t totalSize;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 4 18:49:47 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
|
||||||
|
* Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
|
||||||
|
ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
|
||||||
|
- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
|
||||||
|
* Out-of-bounds memory read in RRChangeOutputProperty and
|
||||||
|
RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
|
||||||
|
bsc#1217766)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 25 11:05:06 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
|
Wed Oct 25 11:05:06 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
@ -243,6 +243,9 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
|
|||||||
|
|
||||||
Patch1960: u_sync-pci-ids-with-Mesa.patch
|
Patch1960: u_sync-pci-ids-with-Mesa.patch
|
||||||
|
|
||||||
|
Patch1217765: U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
|
||||||
|
Patch1217766: U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the X.Org Server.
|
This package contains the X.Org Server.
|
||||||
|
|
||||||
@ -401,6 +404,9 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
|||||||
%patch1940 -p1
|
%patch1940 -p1
|
||||||
%patch1960 -p1
|
%patch1960 -p1
|
||||||
|
|
||||||
|
%patch1217765 -p1
|
||||||
|
%patch1217766 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# We have some -z now related errors during X default startup (boo#1197994):
|
# We have some -z now related errors during X default startup (boo#1197994):
|
||||||
# - when loading modesetting: gbm_bo_get_plane_count
|
# - when loading modesetting: gbm_bo_get_plane_count
|
||||||
|
Loading…
Reference in New Issue
Block a user