From e340c7bb2807c3ae37bea108927a9d4f296bd2477657ac99265393158ee1bf1b Mon Sep 17 00:00:00 2001 From: Stefan Dirsch Date: Tue, 4 Jul 2017 15:48:00 +0000 Subject: [PATCH 1/3] - enable Xwayland also for s390x (bsc#1047173) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=667 --- xorg-x11-server.changes | 5 +++++ xorg-x11-server.spec | 6 ++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index 58cb679..afdeebc 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Jul 4 15:45:45 UTC 2017 - sndirsch@suse.com + +- enable Xwayland also for s390x (bsc#1047173) + ------------------------------------------------------------------- Sat Jun 10 11:52:40 UTC 2017 - sndirsch@suse.com diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 9c253e1..608c81a 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,13 +16,11 @@ # -%ifarch s390 s390x -%define have_wayland 0 -%else %define pci_ids_dir %{_sysconfdir}/X11/xorg_pci_ids %if 0%{?suse_version} >= 1330 || 0%{?build_xwayland} %define have_wayland 1 -%endif +%else +%define have_wayland 0 %endif %define build_suid_wrapper 0 From 56414dbfb13bc11354116b76c67f052f148ce0a587f8d7b120ab22cac9996093 Mon Sep 17 00:00:00 2001 From: Michal Srb Date: Fri, 7 Jul 2017 09:24:38 +0000 Subject: [PATCH 2/3] Accepting request 508727 from home:michalsrb:branches:X11:XOrg - u_Xi-Do-not-try-to-swap-GenericEvent.patch, u_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, u_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, u_dix-Disallow-GenericEvent-in-SendEvent-request.patch * Fix security issues in event handling. (bnc#1035283, CVE-2017-10971, CVE-2017-10972) OBS-URL: https://build.opensuse.org/request/show/508727 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=668 --- U_Xi-Do-not-try-to-swap-GenericEvent.patch | 44 ++++++++++++ ...ll-events-in-ProcXSendExtensionEvent.patch | 49 +++++++++++++ ...t-buffer-in-SProcXSendExtensionEvent.patch | 38 ++++++++++ ...ow-GenericEvent-in-SendEvent-request.patch | 70 +++++++++++++++++++ xorg-x11-server.changes | 10 +++ xorg-x11-server.spec | 10 +++ 6 files changed, 221 insertions(+) create mode 100644 U_Xi-Do-not-try-to-swap-GenericEvent.patch create mode 100644 U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch create mode 100644 U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch create mode 100644 U_dix-Disallow-GenericEvent-in-SendEvent-request.patch diff --git a/U_Xi-Do-not-try-to-swap-GenericEvent.patch b/U_Xi-Do-not-try-to-swap-GenericEvent.patch new file mode 100644 index 0000000..4ce620d --- /dev/null +++ b/U_Xi-Do-not-try-to-swap-GenericEvent.patch @@ -0,0 +1,44 @@ +Author: Michal Srb +Subject: Xi: Do not try to swap GenericEvent. +Git-commit: ba336b24052122b136486961c82deac76bbde455 +Patch-mainline: Upstream +References: bnc#1035283 CVE-2017-10971 + +The SProcXSendExtensionEvent must not attempt to swap GenericEvent because +it is assuming that the event has fixed size and gives the swapping function +xEvent-sized buffer. + +A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +--- + Xi/sendexev.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 5e63bfcca..5c2e0fc56 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +-- +2.12.0 + diff --git a/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch b/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch new file mode 100644 index 0000000..8596f71 --- /dev/null +++ b/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch @@ -0,0 +1,49 @@ +Author: Michal Srb +Subject: Xi: Verify all events in ProcXSendExtensionEvent. +Git-commit: 8caed4df36b1f802b4992edcfd282cbeeec35d9d +Patch-mainline: Upstream +References: bnc#1035283 CVE-2017-10971 + +The requirement is that events have type in range +EXTENSION_EVENT_BASE..lastEvent, but it was tested +only for first event of all. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +--- + Xi/sendexev.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 1cf118ab6..5e63bfcca 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) + int + ProcXSendExtensionEvent(ClientPtr client) + { +- int ret; ++ int ret, i; + DeviceIntPtr dev; + xEvent *first; + XEventClass *list; +@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); +- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && +- (first->u.u.type < lastEvent))) { +- client->errorValue = first->u.u.type; +- return BadValue; ++ for (i = 0; i < stuff->num_events; i++) { ++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && ++ (first[i].u.u.type < lastEvent))) { ++ client->errorValue = first[i].u.u.type; ++ return BadValue; ++ } + } + + list = (XEventClass *) (first + stuff->num_events); +-- +2.12.0 + diff --git a/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch b/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch new file mode 100644 index 0000000..9e1f2b4 --- /dev/null +++ b/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch @@ -0,0 +1,38 @@ +Author: Michal Srb +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. +Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced +Patch-mainline: Upstream +References: bnc#1035283 CVE-2017-10972 + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +--- + Xi/sendexev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d82029f..1cf118ab6 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +2.12.0 + diff --git a/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch b/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch new file mode 100644 index 0000000..29aae42 --- /dev/null +++ b/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch @@ -0,0 +1,70 @@ +Author: Michal Srb +Subject: dix: Disallow GenericEvent in SendEvent request. +Git-commit: 215f894965df5fb0bb45b107d84524e700d2073c +Patch-mainline: Upstream +References: bnc#1035283 CVE-2017-10971 + +The SendEvent request holds xEvent which is exactly 32 bytes long, no more, +no less. Both ProcSendEvent and SProcSendEvent verify that the received data +exactly match the request size. However nothing stops the client from passing +in event with xEvent::type = GenericEvent and any value of +xGenericEvent::length. + +In the case of ProcSendEvent, the event will be eventually passed to +WriteEventsToClient which will see that it is Generic event and copy the +arbitrary length from the receive buffer (and possibly past it) and send it to +the other client. This allows clients to copy unitialized heap memory out of X +server or to crash it. + +In case of SProcSendEvent, it will attempt to swap the incoming event by +calling a swapping function from the EventSwapVector array. The swapped event +is written to target buffer, which in this case is local xEvent variable. The +xEvent variable is 32 bytes long, but the swapping functions for GenericEvents +expect that the target buffer has size matching the size of the source +GenericEvent. This allows clients to cause stack buffer overflows. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +--- + dix/events.c | 6 ++++++ + dix/swapreq.c | 7 +++++++ + 2 files changed, 13 insertions(+) + +diff --git a/dix/events.c b/dix/events.c +index cc26ba5db..3faad53a8 100644 +--- a/dix/events.c ++++ b/dix/events.c +@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) + client->errorValue = stuff->event.u.u.type; + return BadValue; + } ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } + if (stuff->event.u.u.type == ClientMessage && + stuff->event.u.u.detail != 8 && + stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { +diff --git a/dix/swapreq.c b/dix/swapreq.c +index 719e9b81c..67850593b 100644 +--- a/dix/swapreq.c ++++ b/dix/swapreq.c +@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) + swapl(&stuff->destination); + swapl(&stuff->eventMask); + ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } ++ + /* Swap event */ + proc = EventSwapVector[stuff->event.u.u.type & 0177]; + if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ +-- +2.12.0 + diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index afdeebc..6d7d049 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Jul 7 09:13:23 UTC 2017 - msrb@suse.com + +- u_Xi-Do-not-try-to-swap-GenericEvent.patch, + u_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, + u_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, + u_dix-Disallow-GenericEvent-in-SendEvent-request.patch + * Fix security issues in event handling. (bnc#1035283, + CVE-2017-10971, CVE-2017-10972) + ------------------------------------------------------------------- Tue Jul 4 15:45:45 UTC 2017 - sndirsch@suse.com diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 608c81a..771811f 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -202,6 +202,11 @@ Patch208: u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch Patch209: u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch Patch210: u_os-connections-Check-for-stale-FDs.patch +Patch211: U_Xi-Do-not-try-to-swap-GenericEvent.patch +Patch212: U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch +Patch213: U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch +Patch214: U_dix-Disallow-GenericEvent-in-SendEvent-request.patch + Patch1000: n_xserver-optimus-autoconfig-hack.patch Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch @@ -333,6 +338,11 @@ sh %{SOURCE92} --verify . %{SOURCE91} ### not applicable anymore #%patch210 -p1 +%patch211 -p1 +%patch212 -p1 +%patch213 -p1 +%patch214 -p1 + ### disabled for now #%patch1000 -p1 From 3a5e098c7e5f26b724e88e6eb544545b828186bb5e983fd49a6d370fe2cc479b Mon Sep 17 00:00:00 2001 From: Michal Srb Date: Fri, 7 Jul 2017 09:31:30 +0000 Subject: [PATCH 3/3] Fix patch names in changelog. OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=669 --- xorg-x11-server.changes | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index 6d7d049..d873308 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,10 +1,10 @@ ------------------------------------------------------------------- Fri Jul 7 09:13:23 UTC 2017 - msrb@suse.com -- u_Xi-Do-not-try-to-swap-GenericEvent.patch, - u_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, - u_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, - u_dix-Disallow-GenericEvent-in-SendEvent-request.patch +- U_Xi-Do-not-try-to-swap-GenericEvent.patch, + U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, + U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, + U_dix-Disallow-GenericEvent-in-SendEvent-request.patch * Fix security issues in event handling. (bnc#1035283, CVE-2017-10971, CVE-2017-10972)