new file mode 100644
@@ -0,0 +1,71 @@
+From d55a6f1f849e38d2ca41c6d6683b773981f7e6c0 Mon Sep 17 00:00:00 2001
+From: baldurk <baldurk@baldurk.org>
+Date: Fri, 19 May 2023 09:57:03 +0100
+Subject: [PATCH] Verify array sizes when serialising for strings
+
+* We also limit the array size to 1GB for 32-bit. The 4GB/1GB limit is far
+ larger than reasonable for strings but can be handled the same way regardless.
+
+CVE: CVE-2023-33863 CVE-2023-33864 CVE-2023-33865
+Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ renderdoc/serialise/serialiser.h | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/renderdoc/serialise/serialiser.h b/renderdoc/serialise/serialiser.h
+index 9393876ba..de42e54b4 100644
+--- a/renderdoc/serialise/serialiser.h
++++ b/renderdoc/serialise/serialiser.h
+@@ -721,7 +721,7 @@ public:
+ arr.ReserveChildren((size_t)size);
+
+ if(IsReading())
+- el.resize((int)size);
++ el.resize((size_t)size);
+
+ if(m_LazyThreshold > 0 && size > m_LazyThreshold)
+ {
+@@ -756,7 +756,7 @@ public:
+ else
+ {
+ if(IsReading())
+- el.resize((int)size);
++ el.resize((size_t)size);
+
+ for(size_t i = 0; i < (size_t)size; i++)
+ SerialiseDispatch<Serialiser, U>::Do(*this, el[i]);
+@@ -1271,7 +1271,8 @@ public:
+ if(IsReading())
+ {
+ m_Read->Read(len);
+- el.resize((int)len);
++ VerifyArraySize(len);
++ el.resize((size_t)len);
+ if(len > 0)
+ m_Read->Read(&el[0], len);
+ }
+@@ -1386,13 +1387,20 @@ private:
+ }
+ };
+
+- void VerifyArraySize(uint64_t &count)
++ template <typename intSize>
++ void VerifyArraySize(intSize &count)
+ {
+ uint64_t size = m_Read->GetSize();
+
+- // for streaming, just take 4GB as a 'semi reasonable' upper limit for array sizes
++// for streaming, just take 4GB as a 'semi reasonable' upper limit for array sizes
++// use 1GB on 32-bit to avoid overflows
++#if ENABLED(RDOC_X64)
+ if(m_DataStreaming)
+ size = 0xFFFFFFFFU;
++#else
++ if(m_DataStreaming)
++ size = 0x3FFFFFFFU;
++#endif
+
+ if(count > size)
+ {
new file mode 100644
@@ -0,0 +1,72 @@
+From f451eb1d46c9cf71376e41ac95ed236d58eba817 Mon Sep 17 00:00:00 2001
+From: baldurk <baldurk@baldurk.org>
+Date: Fri, 19 May 2023 09:58:49 +0100
+Subject: [PATCH] Don't call ReadLargeBuffer for socket reads
+
+* In ReadLargeBuffer we read directly into an external buffer with ReadExternal,
+ but for sockets when reading externally we want to read ahead of the current
+ spot (non-blocking) as much as possible to batch small reads together. Rather
+ than making ReadExternal handle or detect reads to external buffers, we
+ instead avoid ReadLargeBuffer as it is an optimisation for direct I/O to avoid
+ unnecessary memcpy's and is not relevant for sockets.
+
+CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865
+Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ renderdoc/serialise/streamio.cpp | 11 ++++++++++-
+ renderdoc/serialise/streamio.h | 4 +++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/serialise/streamio.cpp b/renderdoc/serialise/streamio.cpp
+index d8863b537..24294f62b 100644
+--- a/renderdoc/serialise/streamio.cpp
++++ b/renderdoc/serialise/streamio.cpp
+@@ -267,7 +267,7 @@ bool StreamReader::Reserve(uint64_t numBytes)
+
+ bool StreamReader::ReadLargeBuffer(void *buffer, uint64_t length)
+ {
+- RDCASSERT(m_Sock || m_File || m_Decompressor);
++ RDCASSERT(m_File || m_Decompressor);
+
+ byte *dest = (byte *)buffer;
+
+@@ -384,6 +384,9 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t length)
+ // first get the required data blocking (this will sleep the thread until it comes in).
+ byte *readDest = (byte *)buffer;
+
++ // we expect to be reading into our window buffer
++ RDCASSERT(readDest >= m_BufferBase && readDest <= m_BufferBase + m_BufferSize);
++
+ success = m_Sock->RecvDataBlocking(readDest, (uint32_t)length);
+
+ if(success)
+@@ -393,6 +396,12 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t length)
+
+ uint32_t bufSize = uint32_t(m_BufferSize - m_InputSize);
+
++ if(m_InputSize > m_BufferSize)
++ {
++ bufSize = 0;
++ RDCERR("Invalid read in ReadFromExternal!");
++ }
++
+ // now read more, as much as possible, to try and batch future reads
+ success = m_Sock->RecvDataNonBlocking(readDest, bufSize);
+
+diff --git a/renderdoc/serialise/streamio.h b/renderdoc/serialise/streamio.h
+index a069f6321..2bf719b7b 100644
+--- a/renderdoc/serialise/streamio.h
++++ b/renderdoc/serialise/streamio.h
+@@ -170,7 +170,9 @@ public:
+ // and larger by just skating over the limit each time, but that's fine because the main
+ // case we want to catch is a window that's only a few MB and then suddenly we read 100s of
+ // MB.
+- if(numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes)
++ // We don't do this on sockets since we want to opportunistically read more into the window
++ // to batch lots of small reads together.
++ if(m_Sock == NULL && numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes)
+ {
+ success = ReadLargeBuffer(data, numBytes);
+ alreadyread = true;
new file mode 100644
@@ -0,0 +1,160 @@
+From 79ecca7aeb1766f26b25e6c4f45fc0057197c8ab Mon Sep 17 00:00:00 2001
+From: baldurk <baldurk@baldurk.org>
+Date: Fri, 19 May 2023 10:28:58 +0100
+Subject: [PATCH] Sanitise strings printed when received from target
+ control/remote server
+
+* Given socket corruption or network errors these strings could contain
+ unprintable characters so we sanitise them reasonably. This also ameliorates a
+ potential security concern with arbitrary strings being written to a log, but
+ these connections are still considered trusted and users should not be
+ exposing RenderDoc ports to the internet.
+
+CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865
+Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/1f72a09e3b4fd8ba45be4b0db4889444ef5179e2]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ renderdoc/common/common.cpp | 11 +++++++++++
+ renderdoc/core/remote_server.cpp | 2 +-
+ renderdoc/core/target_control.cpp | 25 ++++++++++++++-----------
+ renderdoc/strings/string_utils.cpp | 12 ++++++++++++
+ renderdoc/strings/string_utils.h | 5 +++++
+ 5 files changed, 43 insertions(+), 12 deletions(-)
+
+diff --git a/renderdoc/common/common.cpp b/renderdoc/common/common.cpp
+index 120e6edd2..efe6254bd 100644
+--- a/renderdoc/common/common.cpp
++++ b/renderdoc/common/common.cpp
+@@ -448,6 +448,17 @@ void rdclog_direct(time_t utcTime, uint32_t pid, LogType type, const char *proje
+ va_end(args2);
+ }
+
++ // normalise newlines
++ {
++ char *nl = base;
++ while(*nl)
++ {
++ if(*nl == '\r')
++ *nl = '\n';
++ nl++;
++ }
++ }
++
+ // likely path - string contains no newlines
+ char *nl = strchr(base, '\n');
+ if(nl == NULL)
+diff --git a/renderdoc/core/remote_server.cpp b/renderdoc/core/remote_server.cpp
+index 525a4c4e7..085f4f733 100644
+--- a/renderdoc/core/remote_server.cpp
++++ b/renderdoc/core/remote_server.cpp
+@@ -439,7 +439,7 @@ static void ActiveRemoteClientThread(ClientThread *threadData,
+
+ reader.EndChunk();
+
+- RDCLOG("Taking ownership of '%s'.", path.c_str());
++ RDCLOG("Taking ownership of capture.");
+
+ tempFiles.push_back(path);
+ }
+diff --git a/renderdoc/core/target_control.cpp b/renderdoc/core/target_control.cpp
+index 121e3ad18..198955f80 100644
+--- a/renderdoc/core/target_control.cpp
++++ b/renderdoc/core/target_control.cpp
+@@ -31,6 +31,7 @@
+ #include "os/os_specific.h"
+ #include "replay/replay_driver.h"
+ #include "serialise/serialiser.h"
++#include "strings/string_utils.h"
+
+ static const uint32_t TargetControlProtocolVersion = 6;
+
+@@ -443,6 +444,8 @@ void RenderDoc::TargetControlServerThread(Network::Socket *sock)
+
+ ser.EndChunk();
+
++ strip_nonbasic(newClient);
++
+ if(newClient.empty() || !IsProtocolVersionSupported(version))
+ {
+ RDCLOG("Invalid/Unsupported handshake '%s' / %d", newClient.c_str(), version);
+@@ -564,12 +567,23 @@ public:
+
+ m_Version = 0;
+
++ if(type == ePacket_Handshake)
+ {
+ READ_DATA_SCOPE();
+ SERIALISE_ELEMENT(m_Version);
+ SERIALISE_ELEMENT(m_Target);
+ SERIALISE_ELEMENT(m_PID);
+ }
++ else if(type == ePacket_Busy)
++ {
++ READ_DATA_SCOPE();
++ SERIALISE_ELEMENT(m_Version);
++ SERIALISE_ELEMENT(m_Target);
++ SERIALISE_ELEMENT(m_BusyClient);
++ }
++
++ strip_nonbasic(m_Target);
++ strip_nonbasic(m_BusyClient);
+
+ reader.EndChunk();
+
+@@ -704,17 +718,6 @@ public:
+ reader.EndChunk();
+ return msg;
+ }
+- else if(type == ePacket_Busy)
+- {
+- READ_DATA_SCOPE();
+- SERIALISE_ELEMENT(msg.busy.clientName).Named("Client Name"_lit);
+-
+- SAFE_DELETE(m_Socket);
+-
+- RDCLOG("Got busy signal: '%s", msg.busy.clientName.c_str());
+- msg.type = TargetControlMessageType::Busy;
+- return msg;
+- }
+ else if(type == ePacket_NewChild)
+ {
+ msg.type = TargetControlMessageType::NewChild;
+diff --git a/renderdoc/strings/string_utils.cpp b/renderdoc/strings/string_utils.cpp
+index 5d8f40844..019a83c3a 100644
+--- a/renderdoc/strings/string_utils.cpp
++++ b/renderdoc/strings/string_utils.cpp
+@@ -141,6 +141,18 @@ rdcstr strip_extension(const rdcstr &path)
+ return path.substr(0, offs);
+ }
+
++rdcstr strip_nonbasic(rdcstr &str)
++{
++ for(char &c : str)
++ {
++ if((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '.' ||
++ c == ' ')
++ continue;
++
++ c = '_';
++ }
++}
++
+ void split(const rdcstr &in, rdcarray<rdcstr> &out, const char sep)
+ {
+ if(in.empty())
+diff --git a/renderdoc/strings/string_utils.h b/renderdoc/strings/string_utils.h
+index 5164fe676..7c05a30f8 100644
+--- a/renderdoc/strings/string_utils.h
++++ b/renderdoc/strings/string_utils.h
+@@ -37,5 +37,10 @@ rdcstr get_basename(const rdcstr &path);
+ rdcstr get_dirname(const rdcstr &path);
+ rdcstr strip_extension(const rdcstr &path);
+
++// remove everything but alphanumeric ' ' and '.'
++// It replaces everything else with _
++// for logging strings where they might contain garbage characters
++rdcstr strip_nonbasic(rdcstr &str);
++
+ void split(const rdcstr &in, rdcarray<rdcstr> &out, const char sep);
+ void merge(const rdcarray<rdcstr> &in, rdcstr &out, const char sep);
new file mode 100644
@@ -0,0 +1,28 @@
+From a3ddb69c93a39901c2659a165a119f001cf8b1f4 Mon Sep 17 00:00:00 2001
+From: baldurk <baldurk@baldurk.org>
+Date: Fri, 19 May 2023 10:47:12 +0100
+Subject: [PATCH] Don't open symlinks when opening logfile
+
+CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865
+Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/203fc8382a79d53d2035613d9425d966b1d4958e]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ renderdoc/os/posix/posix_stringio.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/os/posix/posix_stringio.cpp b/renderdoc/os/posix/posix_stringio.cpp
+index 59701e532..6f4389773 100644
+--- a/renderdoc/os/posix/posix_stringio.cpp
++++ b/renderdoc/os/posix/posix_stringio.cpp
+@@ -499,8 +499,8 @@ rdcstr logfile_readall(uint64_t offset, const rdcstr &filename)
+
+ LogFileHandle *logfile_open(const rdcstr &filename)
+ {
+- int fd =
+- open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++ int fd = open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT | O_NOFOLLOW,
++ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+
+ if(fd < 0)
+ {
new file mode 100644
@@ -0,0 +1,40 @@
+From 3be494014166fbccd1b951aeeb26534d44ceab37 Mon Sep 17 00:00:00 2001
+From: baldurk <baldurk@baldurk.org>
+Date: Fri, 19 May 2023 10:58:29 +0100
+Subject: [PATCH] Fix incorrect return type
+
+CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865
+Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/771aa8e769b72e6a36b31d6e2116db9952dcbe9b]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ renderdoc/strings/string_utils.cpp | 2 +-
+ renderdoc/strings/string_utils.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/strings/string_utils.cpp b/renderdoc/strings/string_utils.cpp
+index 019a83c3a..7c42ede4e 100644
+--- a/renderdoc/strings/string_utils.cpp
++++ b/renderdoc/strings/string_utils.cpp
+@@ -141,7 +141,7 @@ rdcstr strip_extension(const rdcstr &path)
+ return path.substr(0, offs);
+ }
+
+-rdcstr strip_nonbasic(rdcstr &str)
++void strip_nonbasic(rdcstr &str)
+ {
+ for(char &c : str)
+ {
+diff --git a/renderdoc/strings/string_utils.h b/renderdoc/strings/string_utils.h
+index 7c05a30f8..58c6b4f9c 100644
+--- a/renderdoc/strings/string_utils.h
++++ b/renderdoc/strings/string_utils.h
+@@ -40,7 +40,7 @@ rdcstr strip_extension(const rdcstr &path);
+ // remove everything but alphanumeric ' ' and '.'
+ // It replaces everything else with _
+ // for logging strings where they might contain garbage characters
+-rdcstr strip_nonbasic(rdcstr &str);
++void strip_nonbasic(rdcstr &str);
+
+ void split(const rdcstr &in, rdcarray<rdcstr> &out, const char sep);
+ void merge(const rdcarray<rdcstr> &in, rdcstr &out, const char sep);
@@ -5,10 +5,14 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=5486c0df458c74c85828e0cdbffd499e"
SRCREV = "cc05b288b6d1660ab04c6cf01173f1bb62e6f5dd"
-SRC_URI = " \
- git://github.com/baldurk/${BPN}.git;protocol=https;branch=v1.x \
- file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \
-"
+SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=https;branch=v1.x \
+ file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \
+ file://CVE-2023-33863-33864-33865-1.patch \
+ file://CVE-2023-33863-33864-33865-2.patch \
+ file://CVE-2023-33863-33864-33865-3.patch \
+ file://CVE-2023-33863-33864-33865-4.patch \
+ file://CVE-2023-33863-33864-33865-5.patch \
+ "
S = "${WORKDIR}/git"
DEPENDS += "virtual/libx11 virtual/libgl libxcb xcb-util-keysyms vim-native"
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-33863 https://nvd.nist.gov/vuln/detail/CVE-2023-33864 https://nvd.nist.gov/vuln/detail/CVE-2023-33865 Take the patches mentioned from the original researcher's report[1] [1]: https://www.qualys.com/2023/06/06/renderdoc/renderdoc.txt (summary section) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../CVE-2023-33863-33864-33865-1.patch | 71 ++++++++ .../CVE-2023-33863-33864-33865-2.patch | 72 ++++++++ .../CVE-2023-33863-33864-33865-3.patch | 160 ++++++++++++++++++ .../CVE-2023-33863-33864-33865-4.patch | 28 +++ .../CVE-2023-33863-33864-33865-5.patch | 40 +++++ .../renderdoc/renderdoc_1.13.bb | 12 +- 6 files changed, 379 insertions(+), 4 deletions(-) create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-1.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-2.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-3.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-4.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-5.patch