forked from pool/xorg-x11-server
Accepting request 508731 from X11:XOrg
- U_Xi-Do-not-try-to-swap-GenericEvent.patch, U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, U_dix-Disallow-GenericEvent-in-SendEvent-request.patch * Fix security issues in event handling. (bnc#1035283, CVE-2017-10971, CVE-2017-10972) OBS-URL: https://build.opensuse.org/request/show/508731 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=344
This commit is contained in:
commit
dd50176346
44
U_Xi-Do-not-try-to-swap-GenericEvent.patch
Normal file
44
U_Xi-Do-not-try-to-swap-GenericEvent.patch
Normal file
@ -0,0 +1,44 @@
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
Subject: Xi: Do not try to swap GenericEvent.
|
||||
Git-commit: ba336b24052122b136486961c82deac76bbde455
|
||||
Patch-mainline: Upstream
|
||||
References: bnc#1035283 CVE-2017-10971
|
||||
|
||||
The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
|
||||
it is assuming that the event has fixed size and gives the swapping function
|
||||
xEvent-sized buffer.
|
||||
|
||||
A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
|
||||
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xi/sendexev.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
|
||||
index 5e63bfcca..5c2e0fc56 100644
|
||||
--- a/Xi/sendexev.c
|
||||
+++ b/Xi/sendexev.c
|
||||
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
|
||||
|
||||
eventP = (xEvent *) &stuff[1];
|
||||
for (i = 0; i < stuff->num_events; i++, eventP++) {
|
||||
+ if (eventP->u.u.type == GenericEvent) {
|
||||
+ client->errorValue = eventP->u.u.type;
|
||||
+ return BadValue;
|
||||
+ }
|
||||
+
|
||||
proc = EventSwapVector[eventP->u.u.type & 0177];
|
||||
- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
|
||||
+ /* no swapping proc; invalid event type? */
|
||||
+ if (proc == NotImplemented) {
|
||||
+ client->errorValue = eventP->u.u.type;
|
||||
return BadValue;
|
||||
+ }
|
||||
(*proc) (eventP, &eventT);
|
||||
*eventP = eventT;
|
||||
}
|
||||
--
|
||||
2.12.0
|
||||
|
49
U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
Normal file
49
U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
Normal file
@ -0,0 +1,49 @@
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
Subject: Xi: Verify all events in ProcXSendExtensionEvent.
|
||||
Git-commit: 8caed4df36b1f802b4992edcfd282cbeeec35d9d
|
||||
Patch-mainline: Upstream
|
||||
References: bnc#1035283 CVE-2017-10971
|
||||
|
||||
The requirement is that events have type in range
|
||||
EXTENSION_EVENT_BASE..lastEvent, but it was tested
|
||||
only for first event of all.
|
||||
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xi/sendexev.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
|
||||
index 1cf118ab6..5e63bfcca 100644
|
||||
--- a/Xi/sendexev.c
|
||||
+++ b/Xi/sendexev.c
|
||||
@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
|
||||
int
|
||||
ProcXSendExtensionEvent(ClientPtr client)
|
||||
{
|
||||
- int ret;
|
||||
+ int ret, i;
|
||||
DeviceIntPtr dev;
|
||||
xEvent *first;
|
||||
XEventClass *list;
|
||||
@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
|
||||
/* The client's event type must be one defined by an extension. */
|
||||
|
||||
first = ((xEvent *) &stuff[1]);
|
||||
- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
|
||||
- (first->u.u.type < lastEvent))) {
|
||||
- client->errorValue = first->u.u.type;
|
||||
- return BadValue;
|
||||
+ for (i = 0; i < stuff->num_events; i++) {
|
||||
+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
|
||||
+ (first[i].u.u.type < lastEvent))) {
|
||||
+ client->errorValue = first[i].u.u.type;
|
||||
+ return BadValue;
|
||||
+ }
|
||||
}
|
||||
|
||||
list = (XEventClass *) (first + stuff->num_events);
|
||||
--
|
||||
2.12.0
|
||||
|
38
U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
Normal file
38
U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
Normal file
@ -0,0 +1,38 @@
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
|
||||
Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced
|
||||
Patch-mainline: Upstream
|
||||
References: bnc#1035283 CVE-2017-10972
|
||||
|
||||
Make sure that the xEvent eventT is initialized with zeros, the same way as
|
||||
in SProcSendEvent.
|
||||
|
||||
Some event swapping functions do not overwrite all 32 bytes of xEvent
|
||||
structure, for example XSecurityAuthorizationRevoked. Two cooperating
|
||||
clients, one swapped and the other not, can send
|
||||
XSecurityAuthorizationRevoked event to each other to retrieve old stack data
|
||||
from X server. This can be potentialy misused to go around ASLR or
|
||||
stack-protector.
|
||||
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xi/sendexev.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
|
||||
index 11d82029f..1cf118ab6 100644
|
||||
--- a/Xi/sendexev.c
|
||||
+++ b/Xi/sendexev.c
|
||||
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
|
||||
{
|
||||
CARD32 *p;
|
||||
int i;
|
||||
- xEvent eventT;
|
||||
+ xEvent eventT = { .u.u.type = 0 };
|
||||
xEvent *eventP;
|
||||
EventSwapPtr proc;
|
||||
|
||||
--
|
||||
2.12.0
|
||||
|
70
U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
Normal file
70
U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
Normal file
@ -0,0 +1,70 @@
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
Subject: dix: Disallow GenericEvent in SendEvent request.
|
||||
Git-commit: 215f894965df5fb0bb45b107d84524e700d2073c
|
||||
Patch-mainline: Upstream
|
||||
References: bnc#1035283 CVE-2017-10971
|
||||
|
||||
The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
|
||||
no less. Both ProcSendEvent and SProcSendEvent verify that the received data
|
||||
exactly match the request size. However nothing stops the client from passing
|
||||
in event with xEvent::type = GenericEvent and any value of
|
||||
xGenericEvent::length.
|
||||
|
||||
In the case of ProcSendEvent, the event will be eventually passed to
|
||||
WriteEventsToClient which will see that it is Generic event and copy the
|
||||
arbitrary length from the receive buffer (and possibly past it) and send it to
|
||||
the other client. This allows clients to copy unitialized heap memory out of X
|
||||
server or to crash it.
|
||||
|
||||
In case of SProcSendEvent, it will attempt to swap the incoming event by
|
||||
calling a swapping function from the EventSwapVector array. The swapped event
|
||||
is written to target buffer, which in this case is local xEvent variable. The
|
||||
xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
|
||||
expect that the target buffer has size matching the size of the source
|
||||
GenericEvent. This allows clients to cause stack buffer overflows.
|
||||
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
dix/events.c | 6 ++++++
|
||||
dix/swapreq.c | 7 +++++++
|
||||
2 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/dix/events.c b/dix/events.c
|
||||
index cc26ba5db..3faad53a8 100644
|
||||
--- a/dix/events.c
|
||||
+++ b/dix/events.c
|
||||
@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
|
||||
client->errorValue = stuff->event.u.u.type;
|
||||
return BadValue;
|
||||
}
|
||||
+ /* Generic events can have variable size, but SendEvent request holds
|
||||
+ exactly 32B of event data. */
|
||||
+ if (stuff->event.u.u.type == GenericEvent) {
|
||||
+ client->errorValue = stuff->event.u.u.type;
|
||||
+ return BadValue;
|
||||
+ }
|
||||
if (stuff->event.u.u.type == ClientMessage &&
|
||||
stuff->event.u.u.detail != 8 &&
|
||||
stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
|
||||
diff --git a/dix/swapreq.c b/dix/swapreq.c
|
||||
index 719e9b81c..67850593b 100644
|
||||
--- a/dix/swapreq.c
|
||||
+++ b/dix/swapreq.c
|
||||
@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
|
||||
swapl(&stuff->destination);
|
||||
swapl(&stuff->eventMask);
|
||||
|
||||
+ /* Generic events can have variable size, but SendEvent request holds
|
||||
+ exactly 32B of event data. */
|
||||
+ if (stuff->event.u.u.type == GenericEvent) {
|
||||
+ client->errorValue = stuff->event.u.u.type;
|
||||
+ return BadValue;
|
||||
+ }
|
||||
+
|
||||
/* Swap event */
|
||||
proc = EventSwapVector[stuff->event.u.u.type & 0177];
|
||||
if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
|
||||
--
|
||||
2.12.0
|
||||
|
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 7 09:13:23 UTC 2017 - msrb@suse.com
|
||||
|
||||
- U_Xi-Do-not-try-to-swap-GenericEvent.patch,
|
||||
U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch,
|
||||
U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch,
|
||||
U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
|
||||
* Fix security issues in event handling. (bnc#1035283,
|
||||
CVE-2017-10971, CVE-2017-10972)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 4 15:45:45 UTC 2017 - sndirsch@suse.com
|
||||
|
||||
- enable Xwayland also for s390x (bsc#1047173)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Jun 10 11:52:40 UTC 2017 - sndirsch@suse.com
|
||||
|
||||
|
@ -16,13 +16,11 @@
|
||||
#
|
||||
|
||||
|
||||
%ifarch s390 s390x
|
||||
%define have_wayland 0
|
||||
%else
|
||||
%define pci_ids_dir %{_sysconfdir}/X11/xorg_pci_ids
|
||||
%if 0%{?suse_version} >= 1330 || 0%{?build_xwayland}
|
||||
%define have_wayland 1
|
||||
%endif
|
||||
%else
|
||||
%define have_wayland 0
|
||||
%endif
|
||||
|
||||
%define build_suid_wrapper 0
|
||||
@ -204,6 +202,11 @@ Patch208: u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch
|
||||
Patch209: u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch
|
||||
Patch210: u_os-connections-Check-for-stale-FDs.patch
|
||||
|
||||
Patch211: U_Xi-Do-not-try-to-swap-GenericEvent.patch
|
||||
Patch212: U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
|
||||
Patch213: U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
|
||||
Patch214: U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
|
||||
|
||||
Patch1000: n_xserver-optimus-autoconfig-hack.patch
|
||||
|
||||
Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch
|
||||
@ -335,6 +338,11 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
||||
### not applicable anymore
|
||||
#%patch210 -p1
|
||||
|
||||
%patch211 -p1
|
||||
%patch212 -p1
|
||||
%patch213 -p1
|
||||
%patch214 -p1
|
||||
|
||||
### disabled for now
|
||||
#%patch1000 -p1
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user