Projects
openEuler:Mainline
xorg-x11-server
Sign Up
Log In
Username
Password
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 2
View file
_service:tar_scm:xorg-x11-server.spec
Changed
@@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 6 +Release: 18 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -30,7 +30,7 @@ # for requires generation in drivers Source30: xserver-sdk-abi-requires.release -Source31: xserver-sdk-abi-requires.git +Source31: xserver-sdk-abi-requires-git # maintainer convenience script Source40: driver-abi-rebuild.sh @@ -76,13 +76,34 @@ Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch - + +Patch0100: 0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch +Patch0101: 0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch + Patch0029: xorg-s11-server-CVE-2018-20839.patch Patch6000: backport-CVE-2021-4008.patch Patch6001: backport-CVE-2021-4009.patch Patch6002: backport-CVE-2021-4010.patch Patch6003: backport-CVE-2021-4011.patch Patch6004: backport-rename-bool-to-boolean.patch +Patch6005: backport-0001-CVE-2022-2319.patch +Patch6006: backport-0002-CVE-2022-2319.patch +Patch6007: backport-CVE-2022-2320.patch +Patch6008: backport-CVE-2022-3551.patch +%ifarch sw_64 +Patch6009: xorg-server-1.20.11-sw.patch +%endif +Patch6010: backport-CVE-2022-3553.patch +Patch6011: backport-0001-CVE-2022-46340.patch +Patch6012: backport-0002-CVE-2022-46340.patch +Patch6013: backport-CVE-2022-46341.patch +Patch6014: backport-CVE-2022-46342.patch +Patch6015: backport-CVE-2022-46343.patch +Patch6016: backport-Xi-return-an-error-from-XI-property-changes-if-verification-failed.patch +Patch6017: backport-CVE-2022-46344.patch +Patch6018: backport-CVE-2022-4283.patch +Patch6019: backport-CVE-2023-0494.patch +Patch6020: backport-CVE-2023-1393.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -100,7 +121,7 @@ BuildRequires: mesa-libGL-devel >= 9.2 libpciaccess-devel >= 0.13.1 BuildRequires: wayland-devel wayland-protocols-devel egl-wayland-devel -%ifarch aarch64 %{arm} x86_64 +%ifarch aarch64 %{arm} x86_64 sw_64 BuildRequires: libunwind-devel %endif @@ -253,14 +274,14 @@ export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1" export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1" -%ifnarch %{ix86} x86_64 +%ifnarch %{ix86} x86_64 sw_64 %global no_int10 --disable-vbe --disable-int10-module %endif %global xservers --enable-xvfb --enable-xnest %{kdrive} --enable-xorg %global default_font_path "catalogue:/etc/X11/fontpath.d,built-ins" %global kdrive --enable-kdrive --enable-xephyr --disable-xfake --disable-xfbdev -%global bodhi_flags --with-vendor-name="openEuler Project" +%global bodhi_flags --with-vendor-name="%{_vendor} Project" %global dri_flags --enable-dri --enable-dri2 --enable-dri3 --enable-suid-wrapper --enable-glamor autoreconf -ivf || exit 1 @@ -334,7 +355,7 @@ { %delete_la -%ifnarch %{ix86} x86_64 +%ifnarch %{ix86} x86_64 sw_64 rm -f %{buildroot}/%{_libdir}/xorg/modules/lib{int10,vbe}.so %endif } @@ -385,7 +406,6 @@ %files Xnest %{_bindir}/Xnest -%{_mandir}/man1/Xnest.1* %files Xdmx %{_bindir}/Xdmx @@ -404,11 +424,9 @@ %files Xvfb %{_bindir}/Xvfb %{_bindir}/xvfb-run -%{_mandir}/man1/Xvfb.1* %files Xephyr %{_bindir}/Xephyr -%{_mandir}/man1/Xephyr.1* %files source %{xserver_source_dir} @@ -426,6 +444,49 @@ %{_mandir}/man*/* %changelog +* Wed Apr 12 2023 liweiganga <liweiganga@uniontech.com> -1.20.11-18 +- fix CVE-2023-1393 + +* Mon Mar 20 2023 liweiganga <liweiganga@uniontech.com> -1.20.11-17 +- feat: all man files is provided by help package + +* Fri Feb 17 2023 liweiganga <liweiganga@uniontech.com> -1.20.11-16 +- fix CVE-2023-0494 + +* Tue Jan 10 2023 zhouwenpei <zhouwenpei1@h-partners.com> -1.20.11-15 +- add missing patches + +* Thu Dec 22 2022 wanglin <wangl29@chinatelecom.cn> - 1.20.11-14 +- Fix openEuler hard code problem +- use -git instead of .git as the filename, to avoid .git ignore +- Fix changelog date + +* Wed Dec 21 2022 zhouwenpei <zhouwenpei1@h-partners.com> -1.20.11-13 +- fix CVE-2022-4283,CVE-2022-46340,CVE-2022-46341,CVE-2022-46342,CVE-2022-46343,CVE-2022-46344 + +* Fri Nov 18 2022 wangkerong <wangkerong@h-partners.com> -1.20.11-12 +- fix CVE-2022-3551,CVE-2022-3553 + +* Wed Oct 26 2022 wuzx<wuzx1226@qq.com> - 1.20.11-11 +- Add sw64 architecture + +* Mon Oct 24 2022 qz_cx <wangqingzheng@kylinos.cn> - 1.20.11-10 +- Type:CVE +- ID:NA +- SUG:NA +- DESC: fix CVE-2022-3551 + +* Wed Aug 03 2022 wangkerong<wangkerong@h-partners.com> - 1.20.11-9 +- fix CVE-2022-2319,CVE-2022-2320 + +* Fri Jul 22 2022 baiguo<baiguo@kylinos.cn> - 1.20.11-8 +- xkb: switch to array index loops to moving pointers +- fix CVE-2022-2319 + +* Fri Jul 22 2022 ouyangminxiang<ouyangminxiang@kylinsec.com.cn> - 1.20.11-7 +- Fix the crash in shadowUpdatePacked because of memcpy acts randomly with overlapping areas. +- Fix the problem of black screen after entering the login interface + * Fri Jun 24 2022 wangkerong<wangkerong@h-partners.com> - 1.20.11-6 - disable Xwayland provide by xorg-x11-server-Xwayland - delete the same files of common and help @@ -519,7 +580,7 @@ - SUG:NA - DESC:update version to 1.20.6 -* Thu Jan 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.20.1-12 +* Fri Jan 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.20.1-12 - Type:bugfix - ID:NA - SUG:NA
View file
_service:tar_scm:0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch
Added
@@ -0,0 +1,26 @@ +From de7b67924425b3aa540c19c8431ff0d7c5892608 Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Tue, 24 May 2022 09:49:36 +0800 +Subject: PATCH Fix the crash in shadowUpdatePacked because of memcpy acts + randomly with overlapping areas. + +Signed-off-by: tangjie02 <tangjie02@kylinsec.com.cn> +--- + miext/shadow/shpacked.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/miext/shadow/shpacked.c b/miext/shadow/shpacked.c +index 5220854..8b16a98 100644 +--- a/miext/shadow/shpacked.c ++++ b/miext/shadow/shpacked.c +@@ -98,7 +98,7 @@ shadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) + i = width; + width -= i; + scr += i; +- memcpy(win, sha, i * sizeof(FbBits)); ++ memmove(win, sha, i * sizeof(FbBits)); + sha += i; + } + shaLine += shaStride; +-- +2.33.0
View file
_service:tar_scm:0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch
Added
@@ -0,0 +1,24 @@ +diff --git a/present/present_scmd.c b/present/present_scmd.c +index da836ea6b..239055bc1 100644 +--- a/present/present_scmd.c ++++ b/present/present_scmd.c +@@ -158,6 +158,9 @@ present_scmd_get_crtc(present_screen_priv_ptr screen_priv, WindowPtr window) + if (!screen_priv->info) + return NULL; + ++ if (!screen_priv->info->get_crtc) ++ return NULL; ++ + return (*screen_priv->info->get_crtc)(window); + } + +@@ -196,6 +199,9 @@ present_flush(WindowPtr window) + if (!screen_priv->info) + return; + ++ if (!screen_priv->info->flush) ++ return; ++ + (*screen_priv->info->flush) (window); + } +
View file
_service:tar_scm:backport-0001-CVE-2022-2319.patch
Added
@@ -0,0 +1,74 @@ +From 7b6db1b9ac7493163cb76898ac593dafc76988f6 Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Fri, 22 Jul 2022 11:04:30 +0800 +Subject: PATCH xkb: switch to array index loops to moving pointers Most + similar loops here use a pointer that advances with each loop iteration, + let's do the same here for consistency. + +No functional changes. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> +--- + xkb/xkb.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 68c59df..8b6aea8 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5369,16 +5369,16 @@ _CheckSetSections(XkbGeometryPtr geom, + row->left = rWire->left; + row->vertical = rWire->vertical; + kWire = (xkbKeyWireDesc *) &rWire1; +- for (k = 0; k < rWire->nKeys; k++) { ++ for (k = 0; k < rWire->nKeys; k++, kWire++) { + XkbKeyPtr key; + + key = XkbAddGeomKey(row); + if (!key) + return BadAlloc; +- memcpy(key->name.name, kWirek.name, XkbKeyNameLength); +- key->gap = kWirek.gap; +- key->shape_ndx = kWirek.shapeNdx; +- key->color_ndx = kWirek.colorNdx; ++ memcpy(key->name.name, kWire->name, XkbKeyNameLength); ++ key->gap = kWire->gap; ++ key->shape_ndx = kWire->shapeNdx; ++ key->color_ndx = kWire->colorNdx; + if (key->shape_ndx >= geom->num_shapes) { + client->errorValue = _XkbErrCode3(0x10, key->shape_ndx, + geom->num_shapes); +@@ -5390,7 +5390,7 @@ _CheckSetSections(XkbGeometryPtr geom, + return BadMatch; + } + } +- rWire = (xkbRowWireDesc *) &kWirerWire->nKeys; ++ rWire = (xkbRowWireDesc *)kWire; + } + wire = (char *) rWire; + if (sWire->nDoodads > 0) { +@@ -5455,16 +5455,16 @@ _CheckSetShapes(XkbGeometryPtr geom, + return BadAlloc; + ol->corner_radius = olWire->cornerRadius; + ptWire = (xkbPointWireDesc *) &olWire1; +- for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) { +- pt->x = ptWirep.x; +- pt->y = ptWirep.y; ++ for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) { ++ pt->x = ptWire->x; ++ pt->y = ptWire->y; + if (client->swapped) { + swaps(&pt->x); + swaps(&pt->y); + } + } + ol->num_points = olWire->nPoints; +- olWire = (xkbOutlineWireDesc *) (&ptWireolWire->nPoints); ++ olWire = (xkbOutlineWireDesc *)ptWire; + } + if (shapeWire->primaryNdx != XkbNoShape) + shape->primary = &shape->outlinesshapeWire->primaryNdx; +-- +2.33.0 +
View file
_service:tar_scm:backport-0001-CVE-2022-46340.patch
Added
@@ -0,0 +1,50 @@ +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 12:55:45 +1000 +Subject: PATCH Xtest: disallow GenericEvents in XTestSwapFakeInput + +XTestSwapFakeInput assumes all events in this request are +sizeof(xEvent) and iterates through these in 32-byte increments. +However, a GenericEvent may be of arbitrary length longer than 32 bytes, +so any GenericEvent in this list would result in subsequent events to be +misparsed. + +Additional, the swapped event is written into a stack-allocated struct +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, +swapping the event may thus smash the stack like an avocado on toast. + +Catch this case early and return BadValue for any GenericEvent. +Which is what would happen in unswapped setups anyway since XTest +doesn't support GenericEvent. + +CVE-2022-46340, ZDI-CAN 19265 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xext/xtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Xext/xtest.c b/Xext/xtest.c +index bf27eb590..2985a4ce6 100644 +--- a/Xext/xtest.c ++++ b/Xext/xtest.c +@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) + + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); + for (ev = (xEvent *) &req1; --nev >= 0; ev++) { ++ int evtype = ev->u.u.type & 0x177; + /* Swap event */ +- proc = EventSwapVectorev->u.u.type & 0177; ++ proc = EventSwapVectorevtype; + /* no swapping proc; invalid event type? */ +- if (!proc || proc == NotImplemented) { ++ if (!proc || proc == NotImplemented || evtype == GenericEvent) { + client->errorValue = ev->u.u.type; + return BadValue; + } +-- +GitLab
View file
_service:tar_scm:backport-0002-CVE-2022-2319.patch
Added
@@ -0,0 +1,182 @@ +From 6907b6ea2b4ce949cb07271f5b678d5966d9df42 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 5 Jul 2022 11:11:06 +1000 +Subject: PATCH xkb: add request length validation for XkbSetGeometry + +No validation of the various fields on that report were done, so a +malicious client could send a short request that claims it had N +sections, or rows, or keys, and the server would process the request for +N sections, running out of bounds of the actual request data. + +Fix this by adding size checks to ensure our data is valid. + +ZDI-CAN 16062, CVE-2022-2319. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Conflict:NA +Reference:https://github.com/freedesktop/xorg-xserver/commit/6907b6ea2b4ce949cb07271f5b678d5966d9df42 +--- + xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 38 insertions(+), 5 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 34b2c290be..4692895dbd 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5156,7 +5156,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + } + + static Status +-_CheckSetDoodad(char **wire_inout, ++_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req, + XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) + { + char *wire; +@@ -5167,6 +5167,9 @@ _CheckSetDoodad(char **wire_inout, + Status status; + + dWire = (xkbDoodadWireDesc *) (*wire_inout); ++ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1)) ++ return BadLength; ++ + any = dWire->any; + wire = (char *) &dWire1; + if (client->swapped) { +@@ -5269,7 +5272,7 @@ _CheckSetDoodad(char **wire_inout, + } + + static Status +-_CheckSetOverlay(char **wire_inout, ++_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req, + XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) + { + register int r; +@@ -5280,6 +5283,9 @@ _CheckSetOverlay(char **wire_inout, + + wire = *wire_inout; + olWire = (xkbOverlayWireDesc *) wire; ++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1)) ++ return BadLength; ++ + if (client->swapped) { + swapl(&olWire->name); + } +@@ -5291,6 +5297,9 @@ _CheckSetOverlay(char **wire_inout, + xkbOverlayKeyWireDesc *kWire; + XkbOverlayRowPtr row; + ++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1)) ++ return BadLength; ++ + if (rWire->rowUnder > section->num_rows) { + client->errorValue = _XkbErrCode4(0x20, r, section->num_rows, + rWire->rowUnder); +@@ -5299,6 +5308,9 @@ _CheckSetOverlay(char **wire_inout, + row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys); + kWire = (xkbOverlayKeyWireDesc *) &rWire1; + for (k = 0; k < rWire->nKeys; k++, kWire++) { ++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1)) ++ return BadLength; ++ + if (XkbAddGeomOverlayKey(ol, row, + (char *) kWire->over, + (char *) kWire->under) == NULL) { +@@ -5332,6 +5344,9 @@ _CheckSetSections(XkbGeometryPtr geom, + register int r; + xkbRowWireDesc *rWire; + ++ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1)) ++ return BadLength; ++ + if (client->swapped) { + swapl(&sWire->name); + swaps(&sWire->top); +@@ -5357,6 +5372,9 @@ _CheckSetSections(XkbGeometryPtr geom, + XkbRowPtr row; + xkbKeyWireDesc *kWire; + ++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1)) ++ return BadLength; ++ + if (client->swapped) { + swaps(&rWire->top); + swaps(&rWire->left); +@@ -5371,6 +5389,9 @@ _CheckSetSections(XkbGeometryPtr geom, + for (k = 0; k < rWire->nKeys; k++, kWire++) { + XkbKeyPtr key; + ++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1)) ++ return BadLength; ++ + key = XkbAddGeomKey(row); + if (!key) + return BadAlloc; +@@ -5396,7 +5417,7 @@ _CheckSetSections(XkbGeometryPtr geom, + register int d; + + for (d = 0; d < sWire->nDoodads; d++) { +- status = _CheckSetDoodad(&wire, geom, section, client); ++ status = _CheckSetDoodad(&wire, req, geom, section, client); + if (status != Success) + return status; + } +@@ -5405,7 +5426,7 @@ _CheckSetSections(XkbGeometryPtr geom, + register int o; + + for (o = 0; o < sWire->nOverlays; o++) { +- status = _CheckSetOverlay(&wire, geom, section, client); ++ status = _CheckSetOverlay(&wire, req, geom, section, client); + if (status != Success) + return status; + } +@@ -5439,6 +5460,9 @@ _CheckSetShapes(XkbGeometryPtr geom, + xkbOutlineWireDesc *olWire; + XkbOutlinePtr ol; + ++ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1)) ++ return BadLength; ++ + shape = + XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines); + if (!shape) +@@ -5449,12 +5473,18 @@ _CheckSetShapes(XkbGeometryPtr geom, + XkbPointPtr pt; + xkbPointWireDesc *ptWire; + ++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1)) ++ return BadLength; ++ + ol = XkbAddGeomOutline(shape, olWire->nPoints); + if (!ol) + return BadAlloc; + ol->corner_radius = olWire->cornerRadius; + ptWire = (xkbPointWireDesc *) &olWire1; + for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) { ++ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1)) ++ return BadLength; ++ + pt->x = ptWire->x; + pt->y = ptWire->y; + if (client->swapped) { +@@ -5560,12 +5590,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + return status; + + for (i = 0; i < req->nDoodads; i++) { +- status = _CheckSetDoodad(&wire, geom, NULL, client); ++ status = _CheckSetDoodad(&wire, req, geom, NULL, client); + if (status != Success) + return status; + } + + for (i = 0; i < req->nKeyAliases; i++) { ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) ++ return BadLength; ++ + if (XkbAddGeomKeyAlias(geom, &wireXkbKeyNameLength, wire) == NULL) + return BadAlloc; + wire += 2 * XkbKeyNameLength; +
View file
_service:tar_scm:backport-0002-CVE-2022-46340.patch
Added
@@ -0,0 +1,34 @@ +From bb1711b7fba42f2a0c7d1c09beee241a1b2bcc30 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 19 Dec 2022 10:06:45 +1000 +Subject: PATCH Xext: fix invalid event type mask in XTestSwapFakeInput + +In commit b320ca0 the mask was inadvertently changed from octal 0177 to +hexadecimal 0x177. + +Fixes commit b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 + Xtest: disallow GenericEvents in XTestSwapFakeInput + +Found by Stuart Cassoff + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + Xext/xtest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xext/xtest.c b/Xext/xtest.c +index 2985a4ce6..dde5c4cf9 100644 +--- a/Xext/xtest.c ++++ b/Xext/xtest.c +@@ -502,7 +502,7 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) + + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); + for (ev = (xEvent *) &req1; --nev >= 0; ev++) { +- int evtype = ev->u.u.type & 0x177; ++ int evtype = ev->u.u.type & 0177; + /* Swap event */ + proc = EventSwapVectorevtype; + /* no swapping proc; invalid event type? */ +-- +GitLab +
View file
_service:tar_scm:backport-CVE-2022-2320.patch
Added
@@ -0,0 +1,179 @@ +From dd8caf39e9e15d8f302e54045dd08d8ebf1025dc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 5 Jul 2022 09:50:41 +1000 +Subject: PATCH xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck + +XKB often uses a FooCheck and Foo function pair, the former is supposed +to check all values in the request and error out on BadLength, +BadValue, etc. The latter is then called once we're confident the values +are good (they may still fail on an individual device, but that's a +different topic). + +In the case of XkbSetDeviceInfo, those functions were incorrectly +named, with XkbSetDeviceInfo ending up as the checker function and +XkbSetDeviceInfoCheck as the setter function. As a result, the setter +function was called before the checker function, accessing request +data and modifying device state before we ensured that the data is +valid. + +In particular, the setter function relied on values being already +byte-swapped. This in turn could lead to potential OOB memory access. + +Fix this by correctly naming the functions and moving the length checks +over to the checker function. These were added in 87c64fc5b0 to the +wrong function, probably due to the incorrect naming. + +Fixes ZDI-CAN 16070, CVE-2022-2320. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132 + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Conflict:NA +Reference:https://github.com/freedesktop/xorg-xserver/commit/dd8caf39e9e15d8f302e54045dd08d8ebf1025dc +--- + xkb/xkb.c | 46 +++++++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 64e52611ee..34b2c290be 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client) + static char * + CheckSetDeviceIndicators(char *wire, + DeviceIntPtr dev, +- int num, int *status_rtrn, ClientPtr client) ++ int num, int *status_rtrn, ClientPtr client, ++ xkbSetDeviceInfoReq * stuff) + { + xkbDeviceLedsWireDesc *ledWire; + int i; +@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire, + + ledWire = (xkbDeviceLedsWireDesc *) wire; + for (i = 0; i < num; i++) { ++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) ledWire; ++ } ++ + if (client->swapped) { + swaps(&ledWire->ledClass); + swaps(&ledWire->ledID); +@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire, + atomWire = (CARD32 *) &ledWire1; + if (nNames > 0) { + for (n = 0; n < nNames; n++) { ++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) atomWire; ++ } ++ + if (client->swapped) { + swapl(atomWire); + } +@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire, + mapWire = (xkbIndicatorMapWireDesc *) atomWire; + if (nMaps > 0) { + for (n = 0; n < nMaps; n++) { ++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) mapWire; ++ } + if (client->swapped) { + swaps(&mapWire->virtualMods); + swapl(&mapWire->ctrls); +@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire, + xkbIndicatorMapWireDesc *mapWire; + XkbSrvLedInfoPtr sli; + +- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { +- *status_rtrn = BadLength; +- return (char *) ledWire; +- } +- + namec = mapc = statec = 0; + sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID, + XkbXI_IndicatorMapsMask); +@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire, + memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom)); + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->namesPresent & bit) { +- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { +- *status_rtrn = BadLength; +- return (char *) atomWire; +- } + sli->namesn = (Atom) *atomWire; + if (sli->namesn == None) + ledWire->namesPresent &= ~bit; +@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire, + if (ledWire->mapsPresent) { + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->mapsPresent & bit) { +- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { +- *status_rtrn = BadLength; +- return (char *) mapWire; +- } + sli->mapsn.flags = mapWire->flags; + sli->mapsn.which_groups = mapWire->whichGroups; + sli->mapsn.groups = mapWire->groups; +@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire, + } + + static int +-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, ++_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + xkbSetDeviceInfoReq * stuff) + { + char *wire; + + wire = (char *) &stuff1; + if (stuff->change & XkbXI_ButtonActionsMask) { ++ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); ++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) ++ return BadLength; ++ + if (!dev->button) { + client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass); + return XkbKeyboardErrorCode; +@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, + dev->button->numButtons); + return BadMatch; + } +- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc)); ++ wire += sz; + } + if (stuff->change & XkbXI_IndicatorsMask) { + int status = Success; + + wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs, +- &status, client); ++ &status, client, stuff); + if (status != Success) + return status; + } +@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, + } + + static int +-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, +- xkbSetDeviceInfoReq * stuff) ++_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, ++ xkbSetDeviceInfoReq * stuff) + { + char *wire; + xkbExtensionDeviceNotify ed; +@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + if (stuff->firstBtn + stuff->nBtns > nBtns) + return BadValue; + sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); +- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) +- return BadLength; + memcpy((char *) &actsstuff->firstBtn, (char *) wire, sz); + wire += sz; + ed.reason |= XkbXI_ButtonActionsMask; +
View file
_service:tar_scm:backport-CVE-2022-3551.patch
Added
@@ -0,0 +1,62 @@ +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Conflict:NA +Reference:https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2 +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff1; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +cgit v1.2.1 +
View file
_service:tar_scm:backport-CVE-2022-3553.patch
Added
@@ -0,0 +1,46 @@ +From dfd057996b26420309c324ec844a5ba6dd07eda3 Mon Sep 17 00:00:00 2001 +From: Jeremy Huddleston Sequoia <jeremyhu@apple.com> +Date: Sat, 2 Jul 2022 14:17:18 -0700 +Subject: xquartz: Fix a possible crash when editing the Application menu due + to mutaing immutable arrays + +Crashing on exception: -__NSCFArray replaceObjectAtIndex:withObject:: mutating method sent to immutable object + +Application Specific Backtrace 0: +0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242 +1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48 +2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194 +3 CoreFoundation 0x00007ff80d382a25 -__NSCFArray removeObjectAtIndex:.cold.1 + 0 +4 CoreFoundation 0x00007ff80d2e6c0b -__NSCFArray replaceObjectAtIndex:withObject: + 119 +5 X11.bin 0x00000001003180f9 -X11Controller tableView:setObjectValue:forTableColumn:row: + 169 + +Fixes: https://github.com/XQuartz/XQuartz/issues/267 +Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> + +Conflict:NA +Reference:https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3 +--- + hw/xquartz/X11Controller.m | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m +index 3b55bb6a5..e9a939312 100644 +--- a/hw/xquartz/X11Controller.m ++++ b/hw/xquartz/X11Controller.m +@@ -469,8 +469,11 @@ extern char *bundle_id_prefix; + self.table_apps = table_apps; + + NSArray * const apps = self.apps; +- if (apps != nil) +- table_apps addObjectsFromArray:apps; ++ if (apps != nil) { ++ for (NSArray <NSString *> * row in apps) { ++ table_apps addObject:row.mutableCopy; ++ } ++ } + + columns = apps_table tableColumns; + columns objectAtIndex:0 setIdentifier:@"0"; +-- +cgit v1.2.1 +
View file
_service:tar_scm:backport-CVE-2022-4283.patch
Added
@@ -0,0 +1,34 @@ +From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Mon, 5 Dec 2022 15:55:54 +1000 +Subject: PATCH xkb: reset the radio_groups pointer to NULL after freeing it + +Unlike other elements of the keymap, this pointer was freed but not +reset. On a subsequent XkbGetKbdByName request, the server may access +already freed memory. + +CVE-2022-4283, ZDI-CAN-19530 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + xkb/xkbUtils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c +index dd089c204..3f5791a18 100644 +--- a/xkb/xkbUtils.c ++++ b/xkb/xkbUtils.c +@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst) + } + else { + free(dst->names->radio_groups); ++ dst->names->radio_groups = NULL; + } + dst->names->num_rg = src->names->num_rg; + +-- +GitLab
View file
_service:tar_scm:backport-CVE-2022-46341.patch
Added
@@ -0,0 +1,81 @@ +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 13:55:32 +1000 +Subject: PATCH Xi: disallow passive grabs with a detail > 255 + +The XKB protocol effectively prevents us from ever using keycodes above +255. For buttons it's theoretically possible but realistically too niche +to worry about. For all other passive grabs, the detail must be zero +anyway. + +This fixes an OOB write: + +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a +temporary grab struct which contains tempGrab->detail.exact = stuff->detail. +For matching existing grabs, DeleteDetailFromMask is called with the +stuff->detail value. This function creates a new mask with the one bit +representing stuff->detail cleared. + +However, the array size for the new mask is 8 * sizeof(CARD32) bits, +thus any detail above 255 results in an OOB array write. + +CVE-2022-46341, ZDI-CAN 19381 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xi/xipassivegrab.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index 2769fb7c9..c9ac2f855 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) + return BadValue; + } + ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never ++ * implement this. Just return an error for all keycodes that ++ * cannot work anyway, same for buttons > 255. */ ++ if (stuff->detail > 255) ++ return XIAlreadyGrabbed; ++ + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff1, + stuff->mask_len * 4) != Success) + return BadValue; +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) + ¶m, XI2, &mask); + break; + case XIGrabtypeKeycode: +- /* XI2 allows 32-bit keycodes but thanks to XKB we can never +- * implement this. Just return an error for all keycodes that +- * cannot work anyway */ +- if (stuff->detail > 255) +- status = XIAlreadyGrabbed; +- else +- status = GrabKey(client, dev, mod_dev, stuff->detail, +- ¶m, XI2, &mask); ++ status = GrabKey(client, dev, mod_dev, stuff->detail, ++ ¶m, XI2, &mask); + break; + case XIGrabtypeEnter: + case XIGrabtypeFocusIn: +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) + return BadValue; + } + ++ /* We don't allow passive grabs for details > 255 anyway */ ++ if (stuff->detail > 255) { ++ client->errorValue = stuff->detail; ++ return BadValue; ++ } ++ + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); + if (rc != Success) + return rc; +-- +GitLab
View file
_service:tar_scm:backport-CVE-2022-46342.patch
Added
@@ -0,0 +1,73 @@ +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 30 Nov 2022 11:20:40 +1000 +Subject: PATCH Xext: free the XvRTVideoNotify when turning off from the same + client + +This fixes a use-after-free bug: + +When a client first calls XvdiSelectVideoNotify() on a drawable with a +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct +is added twice to the resources: + - as the drawable's XvRTVideoNotifyList. This happens only once per + drawable, subsequent calls append to this list. + - as the client's XvRTVideoNotify. This happens for every client. + +The struct keeps the ClientPtr around once it has been added for a +client. The idea, presumably, is that if the client disconnects we can remove +all structs from the drawable's list that match the client (by resetting +the ClientPtr to NULL), but if the drawable is destroyed we can remove +and free the whole list. + +However, if the same client then calls XvdiSelectVideoNotify() on the +same drawable with a FALSE onoff argument, only the ClientPtr on the +existing struct was set to NULL. The struct itself remained in the +client's resources. + +If the drawable is now destroyed, the resource system invokes +XvdiDestroyVideoNotifyList which frees the whole list for this drawable +- including our struct. This function however does not free the resource +for the client since our ClientPtr is NULL. + +Later, when the client is destroyed and the resource system invokes +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On +a struct that has been freed previously. This is generally frowned upon. + +Fix this by calling FreeResource() on the second call instead of merely +setting the ClientPtr to NULL. This removes the struct from the client +resources (but not from the list), ensuring that it won't be accessed +again when the client quits. + +Note that the assignment tpn->client = NULL; is superfluous since the +XvdiDestroyVideoNotify function will do this anyway. But it's left for +clarity and to match a similar invocation in XvdiSelectPortNotify. + +CVE-2022-46342, ZDI-CAN 19400 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xext/xvmain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xext/xvmain.c b/Xext/xvmain.c +index f62747193..2a08f8744 100644 +--- a/Xext/xvmain.c ++++ b/Xext/xvmain.c +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff) + tpn = pn; + while (tpn) { + if (tpn->client == client) { +- if (!onoff) ++ if (!onoff) { + tpn->client = NULL; ++ FreeResource(tpn->id, XvRTVideoNotify); ++ } + return Success; + } + if (!tpn->client) +-- +GitLab
View file
_service:tar_scm:backport-CVE-2022-46343.patch
Added
@@ -0,0 +1,46 @@ +From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 14:53:07 +1000 +Subject: PATCH Xext: free the screen saver resource when replacing it + +This fixes a use-after-free bug: + +When a client first calls ScreenSaverSetAttributes(), a struct +ScreenSaverAttrRec is allocated and added to the client's +resources. + +When the same client calls ScreenSaverSetAttributes() again, a new +struct ScreenSaverAttrRec is allocated, replacing the old struct. The +old struct was freed but not removed from the clients resources. + +Later, when the client is destroyed the resource system invokes +ScreenSaverFreeAttr and attempts to clean up the already freed struct. + +Fix this by letting the resource system free the old attrs instead. + +CVE-2022-46343, ZDI-CAN 19404 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xext/saver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xext/saver.c b/Xext/saver.c +index f813ba08d..fd6153c31 100644 +--- a/Xext/saver.c ++++ b/Xext/saver.c +@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client) + pVlist++; + } + if (pPriv->attr) +- FreeScreenAttr(pPriv->attr); ++ FreeResource(pPriv->attr->resource, AttrType); + pPriv->attr = pAttr; + pAttr->resource = FakeClientID(client->index); + if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) +-- +GitLab
View file
_service:tar_scm:backport-CVE-2022-46344.patch
Added
@@ -0,0 +1,70 @@ +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 13:26:57 +1000 +Subject: PATCH Xi: avoid integer truncation in length check of + ProcXIChangeProperty + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->num_items value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->num_items bytes, i.e. 4GB. + +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, +so let's fix that too. + +CVE-2022-46344, ZDI-CAN 19405 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xi/xiproperty.c | 4 ++-- + dix/property.c | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 68c362c62..066ba21fb 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) + REQUEST(xChangeDevicePropertyReq); + DeviceIntPtr dev; + unsigned long len; +- int totalSize; ++ uint64_t totalSize; + int rc; + + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client) + { + int rc; + DeviceIntPtr dev; +- int totalSize; ++ uint64_t totalSize; + unsigned long len; + + REQUEST(xXIChangePropertyReq); +diff --git a/dix/property.c b/dix/property.c +index 94ef5a0ec..acce94b2c 100644 +--- a/dix/property.c ++++ b/dix/property.c +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) + WindowPtr pWin; + char format, mode; + unsigned long len; +- int sizeInBytes, totalSize, err; ++ int sizeInBytes, err; ++ uint64_t totalSize; + + REQUEST(xChangePropertyReq); + +-- +GitLab
View file
_service:tar_scm:backport-CVE-2023-0494.patch
Added
@@ -0,0 +1,28 @@ +From 4005f77c03f67f1527519969b047c599cba32e36 Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Fri, 17 Feb 2023 16:34:39 +0800 +Subject: PATCH fix CVE-2023-0494 + +--- + Xi/exevents.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 659816a..0cb8d78 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -575,8 +575,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + memcpy(to->button->xkb_acts, from->button->xkb_acts, + sizeof(XkbAction)); + } +- else ++ else { + free(to->button->xkb_acts); ++ to->button->xkb_acts = NULL; ++ } + + memcpy(to->button->labels, from->button->labels, + from->button->numButtons * sizeof(Atom)); +-- +2.20.1 +
View file
_service:tar_scm:backport-CVE-2023-1393.patch
Added
@@ -0,0 +1,42 @@ +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 13 Mar 2023 11:08:47 +0100 +Subject: PATCH xserver composite: Fix use-after-free of the COW + +ZDI-CAN-19866/CVE-2023-1393 + +If a client explicitly destroys the compositor overlay window (aka COW), +we would leave a dangling pointer to that window in the CompScreen +structure, which will trigger a use-after-free later. + +Make sure to clear the CompScreen pointer to the COW when the latter gets +destroyed explicitly by the client. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Reviewed-by: Adam Jackson <ajax@redhat.com> +--- + composite/compwindow.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/composite/compwindow.c b/composite/compwindow.c +index 4e2494b86..b30da589e 100644 +--- a/composite/compwindow.c ++++ b/composite/compwindow.c +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) + ret = (*pScreen->DestroyWindow) (pWin); + cs->DestroyWindow = pScreen->DestroyWindow; + pScreen->DestroyWindow = compDestroyWindow; ++ ++ /* Did we just destroy the overlay window? */ ++ if (pWin == cs->pOverlayWin) ++ cs->pOverlayWin = NULL; ++ + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ + return ret; + } +-- +2.40.0 +
View file
_service:tar_scm:backport-Xi-return-an-error-from-XI-property-changes-if-verification-failed.patch
Added
@@ -0,0 +1,41 @@ +From b8a84cb0f2807b07ab70ca9915fcdee21301b8ca Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 13:24:00 +1000 +Subject: PATCH Xi: return an error from XI property changes if verification + failed + +Both ProcXChangeDeviceProperty and ProcXIChangeProperty checked the +property for validity but didn't actually return the potential error. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xi/xiproperty.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index a36f7d61d..68c362c62 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -902,6 +902,8 @@ ProcXChangeDeviceProperty(ClientPtr client) + + rc = check_change_property(client, stuff->property, stuff->type, + stuff->format, stuff->mode, stuff->nUnits); ++ if (rc != Success) ++ return rc; + + len = stuff->nUnits; + if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq)))) +@@ -1141,6 +1143,9 @@ ProcXIChangeProperty(ClientPtr client) + + rc = check_change_property(client, stuff->property, stuff->type, + stuff->format, stuff->mode, stuff->num_items); ++ if (rc != Success) ++ return rc; ++ + len = stuff->num_items; + if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq))) + return BadLength; +-- +GitLab +
View file
_service:tar_scm:xorg-server-1.20.11-sw.patch
Added
@@ -0,0 +1,673 @@ +From c99b7ba27942230458a127e9925d073ac75466af Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Fri, 26 Aug 2022 11:09:12 +0000 +Subject: PATCH sw + +--- + configure | 24 +++ + configure.ac | 9 + + hw/xfree86/common/compiler.h | 24 ++- + hw/xfree86/dri/dri.c | 2 +- + hw/xfree86/dri/sarea.h | 2 +- + hw/xfree86/os-support/bsd/Makefile.am | 6 + + hw/xfree86/os-support/bsd/Makefile.in | 24 ++- + hw/xfree86/os-support/bsd/sw_64_video.c | 234 ++++++++++++++++++++++++ + hw/xfree86/os-support/linux/lnx_video.c | 4 +- + hw/xfree86/os-support/meson.build | 2 + + hw/xfree86/os-support/misc/SlowBcopy.c | 4 +- + include/do-not-use-config.h.in | 3 + + include/xorg-config.h.in | 3 + + include/xorg-config.h.meson.in | 3 + + xkb/xkbInit.c | 2 +- + 15 files changed, 322 insertions(+), 24 deletions(-) + create mode 100644 hw/xfree86/os-support/bsd/sw_64_video.c + +diff --git a/configure b/configure +index 7e53cbd..009e48a 100755 +--- a/configure ++++ b/configure +@@ -1055,6 +1055,8 @@ I386_VIDEO_FALSE + I386_VIDEO_TRUE + ARM_VIDEO_FALSE + ARM_VIDEO_TRUE ++SW_64_VIDEO_FALSE ++SW_64_VIDEO_TRUE + ALPHA_VIDEO_FALSE + ALPHA_VIDEO_TRUE + GLX_ARCH_DEFINES +@@ -23208,6 +23210,16 @@ DEFAULT_INT10="x86emu" + + + case $host_cpu in ++ sw_64*) ++ SW_64_VIDEO=yes ++ case $host_os in ++ *freebsd*) SYS_LIBS=-lio ;; ++ *netbsd*) ++$as_echo "#define USE_SW_64_PIO 1" >>confdefs.h ++ ;; ++ esac ++ GLX_ARCH_DEFINES="-D__GLX_ALIGN64 -mieee" ++ ;; + alpha*) + ALPHA_VIDEO=yes + case $host_os in +@@ -23289,6 +23301,14 @@ else + ALPHA_VIDEO_FALSE= + fi + ++ if test "x$SW_64_VIDEO" = xyes; then ++ SW_64_VIDEO_TRUE= ++ SW_64_VIDEO_FALSE='#' ++else ++ SW_64_VIDEO_TRUE='#' ++ SW_64_VIDEO_FALSE= ++fi ++ + if test "x$ARM_VIDEO" = xyes; then + ARM_VIDEO_TRUE= + ARM_VIDEO_FALSE='#' +@@ -32898,6 +32918,10 @@ if test -z "${BSD_KQUEUE_APM_TRUE}" && test -z "${BSD_KQUEUE_APM_FALSE}"; then + as_fn_error $? "conditional \"BSD_KQUEUE_APM\" was never defined. + Usually this means the macro was only invoked conditionally." "$LINENO" 5 + fi ++if test -z "${SW_64_VIDEO_TRUE}" && test -z "${SW_64_VIDEO_FALSE}"; then ++ as_fn_error $? "conditional \"SW_64_VIDEO\" was never defined. ++Usually this means the macro was only invoked conditionally." "$LINENO" 5 ++fi + if test -z "${ALPHA_VIDEO_TRUE}" && test -z "${ALPHA_VIDEO_FALSE}"; then + as_fn_error $? "conditional \"ALPHA_VIDEO\" was never defined. + Usually this means the macro was only invoked conditionally." "$LINENO" 5 +diff --git a/configure.ac b/configure.ac +index 7ba6d05..3a8b759 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -258,6 +258,14 @@ DEFAULT_INT10="x86emu" + dnl Override defaults as needed for specific platforms: + + case $host_cpu in ++ sw_64*) ++ SW_64_VIDEO=yes ++ case $host_os in ++ *freebsd*) SYS_LIBS=-lio ;; ++ *netbsd*) AC_DEFINE(USE_SW_64_PIO, 1, NetBSD PIO sw_64 IO) ;; ++ esac ++ GLX_ARCH_DEFINES="-D__GLX_ALIGN64 -mieee" ++ ;; + alpha*) + ALPHA_VIDEO=yes + case $host_os in +@@ -319,6 +327,7 @@ AC_SUBST(GLX_ARCH_DEFINES) + + dnl BSD *_video.c selection + AM_CONDITIONAL(ALPHA_VIDEO, test "x$ALPHA_VIDEO" = xyes) ++AM_CONDITIONAL(SW_64_VIDEO, test "x$SW_64_VIDEO" = xyes) + AM_CONDITIONAL(ARM_VIDEO, test "x$ARM_VIDEO" = xyes) + AM_CONDITIONAL(I386_VIDEO, test "x$I386_VIDEO" = xyes) + AM_CONDITIONAL(PPC_VIDEO, test "x$PPC_VIDEO" = xyes) +diff --git a/hw/xfree86/common/compiler.h b/hw/xfree86/common/compiler.h +index 2b2008b..c416d65 100644 +--- a/hw/xfree86/common/compiler.h ++++ b/hw/xfree86/common/compiler.h +@@ -99,6 +99,7 @@ + #if !defined(__arm__) + #if !defined(__sparc__) && !defined(__arm32__) && !defined(__nds32__) \ + && !(defined(__alpha__) && defined(__linux__)) \ ++ && !(defined(__sw_64__) && defined(__linux__)) \ + && !(defined(__ia64__) && defined(__linux__)) \ + && !(defined(__mips64) && defined(__linux__)) \ + +@@ -109,7 +110,7 @@ extern _X_EXPORT unsigned int inb(unsigned short); + extern _X_EXPORT unsigned int inw(unsigned short); + extern _X_EXPORT unsigned int inl(unsigned short); + +-#else /* __sparc__, __arm32__, __alpha__, __nds32__ */ ++#else /* __sparc__, __arm32__, __alpha__, __sw_64__, __nds32__ */ + extern _X_EXPORT void outb(unsigned long, unsigned char); + extern _X_EXPORT void outw(unsigned long, unsigned short); + extern _X_EXPORT void outl(unsigned long, unsigned int); +@@ -129,7 +130,7 @@ extern _X_EXPORT void xf86WriteMmio16Le (void *, unsigned long, unsigned int); + extern _X_EXPORT void xf86WriteMmio32Be (void *, unsigned long, unsigned int); + extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); + #endif /* _SUNPRO_C */ +-#endif /* __sparc__, __arm32__, __alpha__, __nds32__ */ ++#endif /* __sparc__, __arm32__, __alpha__, __sw_64__, __nds32__ */ + #endif /* __arm__ */ + + #endif /* NO_INLINE || DO_PROTOTYPES */ +@@ -149,6 +150,11 @@ extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); + #define mem_barrier() __asm__ __volatile__ ("lock; addl $0,0(%%esp)" : : : "memory") + #endif + ++#elif defined __sw_64__ ++ ++#define mem_barrier() __asm__ __volatile__ ("memb" : : : "memory") ++#define write_mem_barrier() __asm__ __volatile__ ("memb" : : : "memory") ++ + #elif defined __alpha__ + + #define mem_barrier() __asm__ __volatile__ ("mb" : : : "memory") +@@ -213,7 +219,7 @@ extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); + #endif + + #ifdef __GNUC__ +-#if defined(__alpha__) ++#if defined(__alpha__) || defined(__sw_64__) + + #ifdef __linux__ + /* for Linux on Alpha, we use the LIBC _inx/_outx routines */ +@@ -955,7 +961,7 @@ inl(unsigned PORT_SIZE port) + #define MMIO_IS_BE + #endif + +-#ifdef __alpha__ ++#if defined __alpha__ || defined __sw_64__ + static inline int + xf86ReadMmio8(void *Base, unsigned long Offset) + { +@@ -1068,7 +1074,7 @@ extern _X_EXPORT void xf86SlowBCopyToBus(unsigned char *, unsigned char *, int); + xf86WriteMmio32(base, offset, (CARD32)(val)) + #endif + +-#else /* !__alpha__ && !__powerpc__ && !__sparc__ */ ++#else /* !__alpha__ && !__sw_64__ && !__powerpc__ && !__sparc__ */ + + #define MMIO_IN8(base, offset) \ + *(volatile CARD8 *)(((CARD8*)(base)) + (offset)) +@@ -1083,19 +1089,19 @@ extern _X_EXPORT void xf86SlowBCopyToBus(unsigned char *, unsigned char *, int); + #define MMIO_OUT32(base, offset, val) \ + *(volatile CARD32 *)(void *)(((CARD8*)(base)) + (offset)) = (val) + +-#endif /* __alpha__ */ ++#endif /* __alpha__, __sw_64__ */ + + /* + * With Intel, the version in os-support/misc/SlowBcopy.s is used. + * This avoids port I/O during the copy (which causes problems with + * some hardware). + */ +-#ifdef __alpha__ ++#if defined __alpha__ || defined __sw_64__ + #define slowbcopy_tobus(src,dst,count) xf86SlowBCopyToBus(src,dst,count) + #define slowbcopy_frombus(src,dst,count) xf86SlowBCopyFromBus(src,dst,count) +-#else /* __alpha__ */ ++#else /* __alpha__, __sw_64__ */ + #define slowbcopy_tobus(src,dst,count) xf86SlowBcopy(src,dst,count) + #define slowbcopy_frombus(src,dst,count) xf86SlowBcopy(src,dst,count) +-#endif /* __alpha__ */ ++#endif /* __alpha__, __sw_64__ */ +
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/xorg-x11-server.git</param> - <param name="revision">9987d8b518b198999e0aa626d07a3c049cdfdd35</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
View file
_service:tar_scm:xserver-sdk-abi-requires-git
Added
@@ -0,0 +1,14 @@ +#!/bin/sh +# +# The X server provides capabilities of the form: +# +# Provides: xserver-abi(ansic-0) = 4 +# +# for an ABI version of 0.4. The major number is encoded into the name so +# that major number changes force upgrades. If we didn't, then +# +# Requires: xserver-abi(ansic) >= 0.4 +# +# would also match 1.0, which is wrong since major numbers mean an ABI break. + +echo "xserver-abi($1-@MAJOR@) >= @MINOR@"
View file
_service:tar_scm:xserver-sdk-abi-requires.git
Deleted
@@ -1,14 +0,0 @@ -#!/bin/sh -# -# The X server provides capabilities of the form: -# -# Provides: xserver-abi(ansic-0) = 4 -# -# for an ABI version of 0.4. The major number is encoded into the name so -# that major number changes force upgrades. If we didn't, then -# -# Requires: xserver-abi(ansic) >= 0.4 -# -# would also match 1.0, which is wrong since major numbers mean an ABI break. - -echo "xserver-abi($1-@MAJOR@) >= @MINOR@"
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2