wok-current diff xorg-server/stuff/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch @ rev 25634
Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Sun Jan 14 08:12:37 2024 +0000 (7 months ago) |
parents | |
children |
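--- /dev/null
+++ b/xorg-server/stuff/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch
@@ -0,0 +1,178 @@
+From dd8caf39e9e15d8f302e54045dd08d8ebf1025dc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 09:50:41 +1000
+Subject: [PATCH] xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
+
+XKB often uses a FooCheck and Foo function pair, the former is supposed
+to check all values in the request and error out on BadLength,
+BadValue, etc. The latter is then called once we're confident the values
+are good (they may still fail on an individual device, but that's a
+different topic).
+
+In the case of XkbSetDeviceInfo, those functions were incorrectly
+named, with XkbSetDeviceInfo ending up as the checker function and
+XkbSetDeviceInfoCheck as the setter function. As a result, the setter
+function was called before the checker function, accessing request
+data and modifying device state before we ensured that the data is
+valid.
+
+In particular, the setter function relied on values being already
+byte-swapped. This in turn could lead to potential OOB memory access.
+
+Fix this by correctly naming the functions and moving the length checks
+over to the checker function. These were added in 87c64fc5b0 to the
+wrong function, probably due to the incorrect naming.
+
+Fixes ZDI-CAN 16070, CVE-2022-2320.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 46 +++++++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 21 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 64e52611e..34b2c290b 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
+ static char *
+ CheckSetDeviceIndicators(char *wire,
+ DeviceIntPtr dev,
+- int num, int *status_rtrn, ClientPtr client)
++ int num, int *status_rtrn, ClientPtr client,
++ xkbSetDeviceInfoReq * stuff)
+ {
+ xkbDeviceLedsWireDesc *ledWire;
+ int i;
+@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire,
+
+ ledWire = (xkbDeviceLedsWireDesc *) wire;
+ for (i = 0; i < num; i++) {
++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) ledWire;
++ }
++
+ if (client->swapped) {
+ swaps(&ledWire->ledClass);
+ swaps(&ledWire->ledID);
+@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire,
+ atomWire = (CARD32 *) &ledWire[1];
+ if (nNames > 0) {
+ for (n = 0; n < nNames; n++) {
++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) atomWire;
++ }
++
+ if (client->swapped) {
+ swapl(atomWire);
+ }
+@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire,
+ mapWire = (xkbIndicatorMapWireDesc *) atomWire;
+ if (nMaps > 0) {
+ for (n = 0; n < nMaps; n++) {
++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) mapWire;
++ }
+ if (client->swapped) {
+ swaps(&mapWire->virtualMods);
+ swapl(&mapWire->ctrls);
+@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire,
+ xkbIndicatorMapWireDesc *mapWire;
+ XkbSrvLedInfoPtr sli;
+
+- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
+- *status_rtrn = BadLength;
+- return (char *) ledWire;
+- }
+-
+ namec = mapc = statec = 0;
+ sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
+ XkbXI_IndicatorMapsMask);
+@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire,
+ memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->namesPresent & bit) {
+- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
+- *status_rtrn = BadLength;
+- return (char *) atomWire;
+- }
+ sli->names[n] = (Atom) *atomWire;
+ if (sli->names[n] == None)
+ ledWire->namesPresent &= ~bit;
+@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire,
+ if (ledWire->mapsPresent) {
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->mapsPresent & bit) {
+- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
+- *status_rtrn = BadLength;
+- return (char *) mapWire;
+- }
+ sli->maps[n].flags = mapWire->flags;
+ sli->maps[n].which_groups = mapWire->whichGroups;
+ sli->maps[n].groups = mapWire->groups;
+@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire,
+ }
+
+ static int
+-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
++_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+ xkbSetDeviceInfoReq * stuff)
+ {
+ char *wire;
+
+ wire = (char *) &stuff[1];
+ if (stuff->change & XkbXI_ButtonActionsMask) {
++ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
++ return BadLength;
++
+ if (!dev->button) {
+ client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
+ return XkbKeyboardErrorCode;
+@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+ dev->button->numButtons);
+ return BadMatch;
+ }
+- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc));
++ wire += sz;
+ }
+ if (stuff->change & XkbXI_IndicatorsMask) {
+ int status = Success;
+
+ wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs,
+- &status, client);
++ &status, client, stuff);
+ if (status != Success)
+ return status;
+ }
+@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+ }
+
+ static int
+-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+- xkbSetDeviceInfoReq * stuff)
++_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
++ xkbSetDeviceInfoReq * stuff)
+ {
+ char *wire;
+ xkbExtensionDeviceNotify ed;
+@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+ if (stuff->firstBtn + stuff->nBtns > nBtns)
+ return BadValue;
+ sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+- return BadLength;
+ memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
+ wire += sz;
+ ed.reason |= XkbXI_ButtonActionsMask;
+--
+GitLab
+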
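Review bot: After the rename, `SetDeviceIndicators` and `_XkbSetDeviceInfo` contain no `_XkbCheckRequestBounds` calls of their own, and nothing in the patched code records that they are only safe once `_XkbSetDeviceInfoCheck` has validated, and byte-swapped in place, the same request. A short comment above the setter would pin that precondition down, e.g. `/* Caller must have run _XkbSetDeviceInfoCheck() on this request: lengths are not re-checked and the wire data is assumed already byte-swapped. */`. The bodies of both functions continue outside the hunks shown, so the call order in the request dispatcher cannot be confirmed from this page. Separately, this commit only adds the file under `xorg-server/stuff/`; whether the package receipt applies it, and whether the sibling patches that the `0002-` prefix implies are also shipped, is not visible here and should be checked so the CVE-2022-2320 fix actually reaches the built server.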