Message ID | 20221125164436.923171-1-soumya.sambu@windriver.com |
---|---|
State | New, archived |
Series | [kirkstone,1/1] xserver-xorg: fix CVE-2022-3550, CVE-2022-3551 |
On Fri, Nov 25, 2022 at 6:44 AM Soumya <soumya.sambu@windriver.com> wrote:
>
> A vulnerability classified as critical was found in X.org Server. Affected
> by this vulnerability is the function _GetCountedString of the file
> xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to
> apply a patch to fix this issue. The associated identifier of this
> vulnerability is VDB-211051.
>
> A vulnerability, which was classified as problematic, has been found in
> X.org Server. Affected by this issue is the function ProcXkbGetKbdByName
> of the file xkb/xkb.c. The manipulation leads to memory leak. It is
> recommended to apply a patch to fix this issue. The identifier of this
> vulnerability is VDB-211052.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-3550
> https://nvd.nist.gov/vuln/detail/CVE-2022-3551
>
> Upstream patches:
> https://gitlab.freedesktop.org/xorg/xserver/commit/11beef0b7f1ed290348e45618e5fa0d2bffcb72e
> https://gitlab.freedesktop.org/xorg/xserver/commit/18f91b950e22c2a342a4fbc55e9ddf7534a707d2
>
> Signed-off-by: Soumya <soumya.sambu@windriver.com>
> ---
> ...possible-memleaks-in-XkbGetKbdByName.patch | 63 +++++++++++++++++++
> ...ntedString-against-request-length-at.patch | 38 +++++++++++
> 2 files changed, 101 insertions(+)
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch

You forgot to add the patches to the recipe!

Steve

>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch > new file mode 100644 > index 0000000000..0e61ec5953 > --- /dev/null 
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch 
> @@ -0,0 +1,63 @@ > +CVE: CVE-2022-3551 > +Upstream-Status: Backport > +Signed-off-by: Ross Burton <ross.burton@arm.com> > + > +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 > +From: Peter Hutterer <peter.hutterer@who-t.net> > +Date: Wed, 13 Jul 2022 11:23:09 +1000 > +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName > + > +GetComponentByName returns an allocated string, so let's free that if we > +fail somewhere. > + > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> > +--- > + xkb/xkb.c | 26 ++++++++++++++++++++------ > + 1 file changed, 20 insertions(+), 6 deletions(-) > + > +diff --git a/xkb/xkb.c b/xkb/xkb.c > +index 4692895db..b79a269e3 100644 > +--- a/xkb/xkb.c > ++++ b/xkb/xkb.c > +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) > + xkb = dev->key->xkbInfo->desc; > + status = Success; > + str = (unsigned char *) &stuff[1]; > +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ > +- return BadMatch; > ++ { > ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ > ++ if (keymap) { > ++ free(keymap); > ++ return BadMatch; > ++ } > ++ } > + names.keycodes = GetComponentSpec(&str, TRUE, &status); > + names.types = GetComponentSpec(&str, TRUE, &status); > + names.compat = GetComponentSpec(&str, TRUE, &status); > + names.symbols = GetComponentSpec(&str, TRUE, &status); > + names.geometry = GetComponentSpec(&str, TRUE, &status); > +- if (status != Success) > ++ if (status == Success) { > ++ len = str - ((unsigned char *) stuff); > ++ if ((XkbPaddedSize(len) / 4) != stuff->length) > ++ status = BadLength; > ++ } > ++ > ++ if (status != Success) { > ++ free(names.keycodes); > ++ free(names.types); > ++ free(names.compat); > ++ free(names.symbols); > ++ free(names.geometry); > + return status; > +- len = str - ((unsigned char *) stuff); > +- if ((XkbPaddedSize(len) / 4) != stuff->length) > +- return BadLength; > ++ } > + > + CHK_MASK_LEGAL(0x01, 
stuff->want, XkbGBN_AllComponentsMask); > + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); > +-- > +2.34.1 > + > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch > new file mode 100644 > index 0000000000..6f862e82f9 > --- /dev/null > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch 
> @@ -0,0 +1,38 @@ > +CVE: CVE-2022-3550 > +Upstream-Status: Backport > +Signed-off-by: Ross Burton <ross.burton@arm.com> > + > +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 > +From: Peter Hutterer <peter.hutterer@who-t.net> > +Date: Tue, 5 Jul 2022 12:06:20 +1000 > +Subject: [PATCH] xkb: proof GetCountedString against request length attacks > + > +GetCountedString did a check for the whole string to be within the > +request buffer but not for the initial 2 bytes that contain the length > +field. A swapped client could send a malformed request to trigger a > +swaps() on those bytes, writing into random memory. > + > +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> > +--- > + xkb/xkb.c | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/xkb/xkb.c b/xkb/xkb.c > +index f42f59ef3..1841cff26 100644 > +--- a/xkb/xkb.c > ++++ b/xkb/xkb.c > +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) > + CARD16 len; > + > + wire = *wire_inout; > ++ > ++ if (client->req_len < > ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) > ++ return BadValue; > ++ > + len = *(CARD16 *) wire; > + if (client->swapped) { > + swaps(&len); > +-- > +2.34.1 > + > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#173777): https://lists.openembedded.org/g/openembedded-core/message/173777 > Mute This Topic: https://lists.openembedded.org/mt/95257196/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch new file mode 100644 index 0000000000..0e61ec5953 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch 
@@ -0,0 +1,63 @@ +CVE: CVE-2022-3551 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +2.34.1 + 
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch new file mode 100644 index 0000000000..6f862e82f9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch @@ -0,0 +1,38 @@ +CVE: CVE-2022-3550 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: [PATCH] xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.34.1 +
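Review bot: The names.* strings may still leak after the new cleanup block in the ProcXkbGetKbdByName hunk of 0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch. The context lines that follow the added `if (status != Success) { ... return status; }` call `CHK_MASK_LEGAL(0x01, stuff->want, ...)` and `CHK_MASK_LEGAL(0x02, stuff->need, ...)`; if those macros return on an illegal mask, names.keycodes, names.types, names.compat, names.symbols and names.geometry are not freed on that path. The code should stay as upstream has it for a backport, but it is worth checking whether a later upstream commit covers that path and pulling it in as well. Two smaller points: the embedded commit message refers to GetComponentByName while the code calls GetComponentSpec, and this file is only created here (`new file mode 100644`) while the diffstat shows no recipe change, so the fix does not reach the build until the patch is listed in the recipe.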
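Review bot: Application order matters for the _GetCountedString hunk (`@@ -5137,6 +5137,11 @@`) in 0001-xkb-proof-GetCountedString-against-request-length-at.patch: it is dated 5 Jul 2022 and inserts five lines into xkb/xkb.c above the ProcXkbGetKbdByName hunk (`@@ -5935,18 +5935,32 @@`) of the patch dated 13 Jul 2022, so when both files are added to the recipe this one should be listed first to apply without offsets. The new check returns BadValue for what is a request-length violation, while the length check in the other patch sets `status = BadLength`; that matches the upstream commit and should not be changed in a backport, but it is worth knowing when reading client-side errors. In the patch header, `Upstream-Status: Backport` carries no upstream commit reference; the cover text already lists the commit URL, and placing it in brackets after Backport keeps the provenance with the file.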
A vulnerability classified as critical was found in X.org Server. Affected by this vulnerability is the function _GetCountedString of the file xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211051.

A vulnerability, which was classified as problematic, has been found in X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211052.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3550
https://nvd.nist.gov/vuln/detail/CVE-2022-3551

Upstream patches:
https://gitlab.freedesktop.org/xorg/xserver/commit/11beef0b7f1ed290348e45618e5fa0d2bffcb72e
https://gitlab.freedesktop.org/xorg/xserver/commit/18f91b950e22c2a342a4fbc55e9ddf7534a707d2

Signed-off-by: Soumya <soumya.sambu@windriver.com>
---
 ...possible-memleaks-in-XkbGetKbdByName.patch | 63 +++++++++++++++++++
 ...ntedString-against-request-length-at.patch | 38 +++++++++++
 2 files changed, 101 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch