[Midnightbsd-cvs] mports [24079] trunk/x11-servers/xorg-server/files: add security patches

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Sun Sep 2 17:39:15 EDT 2018


Revision: 24079
          http://svnweb.midnightbsd.org/mports/?rev=24079
Author:   laffer1
Date:     2018-09-02 17:39:14 -0400 (Sun, 02 Sep 2018)
Log Message:
-----------
add security patches

Added Paths:
-----------
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-10971
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-10972
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-12176
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-12177
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-12178
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-12179
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-12183
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218x
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218y
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-13721
    trunk/x11-servers/xorg-server/files/patch-CVE-2017-13723

Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-10971
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-10971	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-10971	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,163 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: dix: Disallow GenericEvent in SendEvent request.
+
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+
+Signed-off-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ dix/events.c  | 6 ++++++
+ dix/swapreq.c | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- dix/events.c
++++ dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+         client->errorValue = stuff->event.u.u.type;
+         return BadValue;
+     }
++    /* Generic events can have variable size, but SendEvent request holds
++       exactly 32B of event data. */
++    if (stuff->event.u.u.type == GenericEvent) {
++        client->errorValue = stuff->event.u.u.type;
++        return BadValue;
++    }
+     if (stuff->event.u.u.type == ClientMessage &&
+         stuff->event.u.u.detail != 8 &&
+         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- dix/swapreq.c
++++ dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+     swapl(&stuff->destination);
+     swapl(&stuff->eventMask);
+ 
++    /* Generic events can have variable size, but SendEvent request holds
++       exactly 32B of event data. */
++    if (stuff->event.u.u.type == GenericEvent) {
++        client->errorValue = stuff->event.u.u.type;
++        return BadValue;
++    }
++
+     /* Swap event */
+     proc = EventSwapVector[stuff->event.u.u.type & 0177];
+     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
+-- 
+cgit v1.1
+
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: Xi: Verify all events in ProcXSendExtensionEvent.
+
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+
+Signed-off-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ Xi/sendexev.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+-    int ret;
++    int ret, i;
+     DeviceIntPtr dev;
+     xEvent *first;
+     XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+     /* The client's event type must be one defined by an extension. */
+ 
+     first = ((xEvent *) &stuff[1]);
+-    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+-          (first->u.u.type < lastEvent))) {
+-        client->errorValue = first->u.u.type;
+-        return BadValue;
++    for (i = 0; i < stuff->num_events; i++) {
++        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
++            (first[i].u.u.type < lastEvent))) {
++            client->errorValue = first[i].u.u.type;
++            return BadValue;
++        }
+     }
+ 
+     list = (XEventClass *) (first + stuff->num_events);
+-- 
+cgit v1.1
+
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ Xi/sendexev.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+ 
+     eventP = (xEvent *) &stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
++        if (eventP->u.u.type == GenericEvent) {
++            client->errorValue = eventP->u.u.type;
++            return BadValue;
++        }
++
+         proc = EventSwapVector[eventP->u.u.type & 0177];
+-        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
++        /* no swapping proc; invalid event type? */
++        if (proc == NotImplemented) {
++            client->errorValue = eventP->u.u.type;
+             return BadValue;
++        }
+         (*proc) (eventP, &eventT);
+         *eventP = eventT;
+     }
+-- 
+cgit v1.1
+
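Review bot: The swap-vector lookup in the last Xi/sendexev.c hunk, `proc = EventSwapVector[eventP->u.u.type & 0177];`, is still followed only by `if (proc == NotImplemented)` before `(*proc) (eventP, &eventT);`, whereas the dix/swapreq.c hunk in this same patch file guards with `if (!proc || proc == NotImplemented)`. Whether EventSwapVector can hold a NULL slot at request time is not visible from here; if it can, the call dereferences NULL, and if it cannot, aligning the two sites is still cheaper than re-deriving that at each one. Suggested line: `if (!proc || proc == NotImplemented) {`. The loop added to ProcXSendExtensionEvent reads `first[i]` for every `stuff->num_events`, which presumably relies on a length check earlier in that function; both SProcXSendExtensionEvent and ProcXSendExtensionEvent start and end outside the hunks shown.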


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-10971
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-10972
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-10972	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-10972	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,38 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ Xi/sendexev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+     CARD32 *p;
+     int i;
+-    xEvent eventT;
++    xEvent eventT = { .u.u.type = 0 };
+     xEvent *eventP;
+     EventSwapPtr proc;
+ 
+-- 
+cgit v1.1
+
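Review bot: `xEvent eventT = { .u.u.type = 0 };` relies on partial-initializer semantics to zero the other 31 bytes of the union, which is the property the fix actually depends on, yet the line reads as if only `type` mattered. Since the point is to keep stale stack bytes from reaching another client, an explicit `memset(&eventT, 0, sizeof eventT);` at the top of the function, with a one-line comment saying the swapping functions may not write every byte, would state the contract directly rather than through C's rules for unnamed remaining members. SProcXSendExtensionEvent's body continues outside the hunk.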


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-10972
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12176
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-12176	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-12176	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,31 @@
+From 95f605b42d8bbb6bea2834a1abfc205981c5b803 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 0da431b..0fdfe11 100644
+--- dix/dispatch.c
++++ dix/dispatch.c
+@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
+     prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+     auth_proto = (char *) prefix + sz_xConnClientPrefix;
+     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+-    if ((prefix->majorVersion != X_PROTOCOL) ||
++
++    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++	pad_to_int32(prefix->nbytesAuthProto) +
++	pad_to_int32(prefix->nbytesAuthString))
++        reason = "Bad length";
++    else if ((prefix->majorVersion != X_PROTOCOL) ||
+         (prefix->minorVersion != X_PROTOCOL_REVISION))
+         reason = "Protocol version mismatch";
+     else
+-- 
+cgit v0.10.2
+
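Review bot: The new length comparison starting at `if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +` reads `prefix->nbytesAuthProto` and `prefix->nbytesAuthString` through a pointer derived from `stuff` before anything in the hunk shows the request is at least `sz_xReq + sz_xConnClientPrefix` bytes long; that guarantee presumably comes from the connection-setup read path outside this hunk, and a short comment saying so would spare the next reader the search. The two continuation lines of the condition are indented with tabs while the surrounding lines use spaces, so they render misaligned against the rest of the function. ProcEstablishConnection's body continues on both sides of the hunk.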


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12176
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12177
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-12177	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-12177	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,41 @@
+From cc41e5b581d287c56f8d7113a97a4882dcfdd696 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Fri, 9 Jan 2015 10:09:14 -0500
+Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
+ (CVE-2017-12177)
+
+v2: Protect against integer overflow (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 23f7e16..f31766f 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
+     XdbeScreenVisualInfo *pScrVisInfo;
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
++    if (stuff->n > UINT32_MAX / sizeof(CARD32))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
+ 
+     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+         return BadAlloc;
+@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
+ 
+     swapl(&stuff->n);
+     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+-        return BadAlloc;
++        return BadLength;
+     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+ 
+     if (stuff->n != 0) {
+-- 
+cgit v0.10.2
+
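Review bot: In the SProcDbeSwapBuffers hunk the overflow guard divides by `sizeof(DbeSwapInfoRec)` while the `REQUEST_FIXED_SIZE` line immediately after multiplies by `sizeof(xDbeSwapInfo)`; the guard is only sufficient as long as the in-memory record is at least as large as the wire struct, which is presumably true but is a relationship the code never states. Using the same type in both places, `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo))`, makes the bound match the size it protects. The ProcDbeGetVisualInfo hunk already does this consistently with `sizeof(CARD32)` on both lines. Both function bodies continue outside the hunks.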


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12177
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12178
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-12178	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-12178	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,29 @@
+From 6c15122163a2d2615db7e998e8d436815a08dec6 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Wed, 24 Dec 2014 16:22:18 -0500
+Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
+ (CVE-2017-12178)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index f2b7785..7286eff 100644
+--- Xi/xichangehierarchy.c
++++ Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+-- 
+cgit v0.10.2
+
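Review bot: `len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);` now subtracts the right header, but as a size_t expression it still wraps to a very large value if the request is shorter than that header; that case has to be excluded by a `REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq)` earlier in ProcXIChangeHierarchy, which is outside the hunk and cannot be confirmed here. A comment on the line, `/* REQUEST_AT_LEAST_SIZE above rules out underflow here */`, would tie the two together for the next reader. The function's body continues outside the hunk, including the `while (stuff->num_changes--)` loop that consumes `len`.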


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12178
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12179
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-12179	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-12179	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,52 @@
+From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Fri, 9 Jan 2015 10:04:41 -0500
+Subject: Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer
+
+[jcristau: originally this patch fixed the same issue as commit
+ 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
+ addition of these checks]
+
+This addresses CVE-2017-12179
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
+
+
+--- Xi/xibarriers.c.orig	2016-07-15 18:17:45.000000000 +0200
++++ Xi/xibarriers.c	2017-10-13 18:26:09.226006000 +0200
+@@ -830,10 +830,15 @@
+     REQUEST(xXIBarrierReleasePointerReq);
+     int i;
+ 
+-    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+-
+     swaps(&stuff->length);
++    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++
+     swapl(&stuff->num_barriers);
++    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
++    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+     for (i = 0; i < stuff->num_barriers; i++, info++) {
+         swaps(&info->deviceid);
+         swapl(&info->barrier);
+@@ -854,6 +859,10 @@
+ 
+     REQUEST(xXIBarrierReleasePointerReq);
+     REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
+ 
+     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+     for (i = 0; i < stuff->num_barriers; i++, info++) {
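Review bot: Both hunk headers, `@@ -830,10 +830,15 @@` and `@@ -854,6 +859,10 @@`, carry no function context, and the file header is a timestamped `.orig` pair instead of the `diff --git` form used by the other patches in this commit, so these hunks are anchored purely by line number and will fuzz or mis-apply silently on a different xorg-server revision. The two `REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, ...)` lines run well past 80 columns, and the second hunk leaves two consecutive blank lines after the new check. Regenerating the file with `git format-patch` from the cherry-picked commit named in the message would address all three at once. Both (S)ProcXIBarrierReleasePointer bodies continue outside the hunks.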


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12179
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12183
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-12183	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-12183	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,95 @@
+From 61502107a30d64f991784648c3228ebc6694a032 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Fri, 9 Jan 2015 11:43:05 -0500
+Subject: xfixes: unvalidated lengths (CVE-2017-12183)
+
+v2: Use before swap (Jeremy Huddleston Sequoia)
+
+v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index f009a78..6e84d71 100644
+--- xfixes/cursor.c
++++ xfixes/cursor.c
+@@ -281,6 +281,7 @@ int
+ SProcXFixesSelectCursorInput(ClientPtr client)
+ {
+     REQUEST(xXFixesSelectCursorInputReq);
++    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
+     REQUEST(xXFixesSetCursorNameReq);
+     Atom atom;
+ 
+-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
++    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
+     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
+     tchar = (char *) &stuff[1];
+     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
+@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+     int i;
+     CARD16 *in_devices = (CARD16 *) &stuff[1];
+ 
++    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
++
+     swaps(&stuff->length);
+     swaps(&stuff->num_devices);
+     REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+diff --git a/xfixes/region.c b/xfixes/region.c
+index dd74d7f..f300d2b 100644
+--- xfixes/region.c
++++ xfixes/region.c
+@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
+     RegionPtr pSource, pDestination;
+ 
+     REQUEST(xXFixesCopyRegionReq);
++    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ 
+     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
+     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
+@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
+     REQUEST(xXFixesCopyRegionReq);
+ 
+     swaps(&stuff->length);
+-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
++    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+     swapl(&stuff->source);
+     swapl(&stuff->destination);
+     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
+diff --git a/xfixes/saveset.c b/xfixes/saveset.c
+index eb3f658..aa365cf 100644
+--- xfixes/saveset.c
++++ xfixes/saveset.c
+@@ -62,6 +62,7 @@ int
+ SProcXFixesChangeSaveSet(ClientPtr client)
+ {
+     REQUEST(xXFixesChangeSaveSetReq);
++    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
+index 8d1bd4c..8b45c53 100644
+--- xfixes/xfixes.c
++++ xfixes/xfixes.c
+@@ -160,6 +160,7 @@ static int
+ SProcXFixesQueryVersion(ClientPtr client)
+ {
+     REQUEST(xXFixesQueryVersionReq);
++    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->majorVersion);
+-- 
+cgit v0.10.2
+
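Review bot: In the SProcXFixesCreatePointerBarrier hunk, `CARD16 *in_devices = (CARD16 *) &stuff[1];` is still initialized in the declarations above the newly added `REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);`, so the pointer is formed before the request has been checked to contain even its fixed header. It is an address computation rather than a read, so it is harmless, but moving the assignment below the two size checks would make the validate-then-use order visible at a glance. The remaining hunks place their size check ahead of the first field access, which is the pattern worth keeping uniform. SProcXFixesCreatePointerBarrier's body continues outside the hunk.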


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-12183
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218x
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218x	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218x	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,601 @@
+From d264da92f7f8129b8aad4f0114a6467fc38fc896 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Sun, 21 Dec 2014 01:10:03 -0500
+Subject: hw/xfree86: unvalidated lengths
+
+This addresses:
+CVE-2017-12180 in XFree86-VidModeExtension
+CVE-2017-12181 in XFree86-DGA
+CVE-2017-12182 in XFree86-DRI
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
+
+diff --git a/Xext/vidmode.c b/Xext/vidmode.c
+index ea3ad13..76055c8 100644
+--- Xext/vidmode.c
++++ Xext/vidmode.c
+@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeAddModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
+            stuff->after_vsyncend, stuff->after_vtotal,
+            (unsigned long) stuff->after_flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeDeleteModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+            (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+-    }
+     if (len != stuff->privsize) {
+         DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
+                "len = %d, length = %d\n",
+@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeModModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
+            stuff->vtotal, (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeValidateModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
++        len = client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+            (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+-        len = client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client)
+     DEBUG_P("XF86VidModeSwitchToMode");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+            (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client)
+     VidModePtr pVidMode;
+ 
+     REQUEST(xXF86VidModeSetGammaRampReq);
++    REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
+ 
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
+index c689dcb..039f38d 100644
+--- hw/xfree86/common/xf86DGA.c
++++ hw/xfree86/common/xf86DGA.c
+@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
+     char *deviceName;
+     int nameSize;
+ 
++    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
+ {
+     REQUEST(xXDGACloseFramebufferReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+-
+     DGACloseFramebuffer(stuff->screen);
+ 
+     return Success;
+@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
+     xXDGAModeInfo info;
+     XDGAModePtr mode;
+ 
++    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.number = 0;
+@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
+     ClientPtr owner;
+     int size;
+ 
++    REQUEST_SIZE_MATCH(xXDGASetModeReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+     owner = DGA_GETCLIENT(stuff->screen);
+ 
+-    REQUEST_SIZE_MATCH(xXDGASetModeReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.offset = 0;
+@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
+ {
+     REQUEST(xXDGASetViewportReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+-
+     DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
+ 
+     return Success;
+@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
+ 
+     REQUEST(xXDGAInstallColormapReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+-
+     rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
+                                  client, DixInstallAccess);
+     if (rc != Success)
+@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
+ {
+     REQUEST(xXDGASelectInputReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+-
+     if (DGA_GETCLIENT(stuff->screen) == client)
+         DGASelectInput(stuff->screen, client, stuff->mask);
+ 
+@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
+ {
+     REQUEST(xXDGAFillRectangleReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+-
+     if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
+                                stuff->width, stuff->height, stuff->color))
+         return BadMatch;
+@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
+ {
+     REQUEST(xXDGACopyAreaReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+-
+     if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
+                                stuff->width, stuff->height, stuff->dstx,
+                                stuff->dsty))
+@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
+ {
+     REQUEST(xXDGACopyTransparentAreaReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+-
+     if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
+                                     stuff->width, stuff->height, stuff->dstx,
+                                     stuff->dsty, stuff->key))
+@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
+     REQUEST(xXDGAGetViewportStatusReq);
+     xXDGAGetViewportStatusReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
+     REQUEST(xXDGASyncReq);
+     xXDGASyncReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXDGASyncReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGASyncReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
+     xXDGAChangePixmapModeReply rep;
+     int x, y;
+ 
++    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
+     REQUEST(xXDGACreateColormapReq);
+     int result;
+ 
++    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+-
+     if (!stuff->mode)
+         return BadValue;
+ 
+@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
+     int num, offset, flags;
+     char *name;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
+ 
+     REQUEST(xXF86DGADirectVideoReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+-    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+ 
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
+     REQUEST(xXF86DGAGetViewPortSizeReq);
+     xXF86DGAGetViewPortSizeReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
+ {
+     REQUEST(xXF86DGASetViewPortReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+-
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
+     REQUEST(xXF86DGAGetVidPageReq);
+     xXF86DGAGetVidPageReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
+ {
+     REQUEST(xXF86DGASetVidPageReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+-
+     /* silently fail */
+ 
+     return Success;
+@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
+ 
+     REQUEST(xXF86DGAInstallColormapReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+-
+     if (!DGAActive(stuff->screen))
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
+     REQUEST(xXF86DGAQueryDirectVideoReq);
+     xXF86DGAQueryDirectVideoReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
+     REQUEST(xXF86DGAViewPortChangedReq);
+     xXF86DGAViewPortChangedReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+-
+     if (!DGAActive(stuff->screen))
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
+index 68f8b7e..65f368e 100644
+--- hw/xfree86/dri/xf86dri.c
++++ hw/xfree86/dri/xf86dri.c
+@@ -570,6 +570,7 @@ static int
+ SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
+ {
+     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
++    REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
+     swaps(&stuff->length);
+     swapl(&stuff->screen);
+     return ProcXF86DRIQueryDirectRenderingCapable(client);
+-- 
+cgit v0.10.2
+


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218x
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218y
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218y	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218y	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,139 @@
+From c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd at opentext.com>
+Date: Fri, 9 Jan 2015 09:57:23 -0500
+Subject: Unvalidated lengths
+
+v2: Add overflow check and remove unnecessary check (Julien Cristau)
+
+This addresses:
+CVE-2017-12184 in XINERAMA
+CVE-2017-12185 in MIT-SCREEN-SAVER
+CVE-2017-12186 in X-Resource
+CVE-2017-12187 in RENDER
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Nathan Kidd <nkidd at opentext.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
+
+diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
+index 209df29..844ea49 100644
+--- Xext/panoramiX.c
++++ Xext/panoramiX.c
+@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
+     xPanoramiXGetScreenSizeReply rep;
+     int rc;
+ 
++    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+     if (stuff->screen >= PanoramiXNumScreens)
+         return BadMatch;
+ 
+-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+     if (rc != Success)
+         return rc;
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 750b8b9..45ac4d2 100644
+--- Xext/saver.c
++++ Xext/saver.c
+@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
+         PanoramiXRes *draw;
+         int rc, i;
+ 
++        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
++
+         rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+                                       XRC_DRAWABLE, client, DixWriteAccess);
+         if (rc != Success)
+diff --git a/Xext/xres.c b/Xext/xres.c
+index ae779df..bc54133 100644
+--- Xext/xres.c
++++ Xext/xres.c
+@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
+     ConstructResourceBytesCtx    ctx;
+ 
+     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++    if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
++        return BadLength;
+     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+                        stuff->numSpecs * sizeof(ctx.specs[0]));
+ 
+@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
+     int c;
+     xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
+ 
+-    swapl(&stuff->numSpecs);
+     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++    swapl(&stuff->numSpecs);
+     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+                        stuff->numSpecs * sizeof(specs[0]));
+ 
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index 8a35b7b..4d412b8 100644
+--- Xext/xvdisp.c
++++ Xext/xvdisp.c
+@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
+ {
+     REQUEST(xvShmPutImageReq);
+     PanoramiXRes *draw, *gc, *port;
+-    Bool send_event = stuff->send_event;
++    Bool send_event;
+     Bool isRoot;
+     int result, i, x, y;
+ 
+     REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ 
++    send_event = stuff->send_event;
++
+     result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+                                       XRC_DRAWABLE, client, DixWriteAccess);
+     if (result != Success)
+diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
+index 1f1022e..63caec9 100644
+--- hw/dmx/dmxpict.c
++++ hw/dmx/dmxpict.c
+@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
+         filter = (char *) (stuff + 1);
+         params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
+         nparams = ((XFixed *) stuff + client->req_len) - params;
++        if (nparams < 0)
++            return BadLength;
+ 
+         XRenderSetPictureFilter(dmxScreen->beDisplay,
+                                 pPictPriv->pict, filter, params, nparams);
+diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
+index d8b2593..95f6e10 100644
+--- pseudoramiX/pseudoramiX.c
++++ pseudoramiX/pseudoramiX.c
+@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
+ 
+     TRACE;
+ 
++    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+     if (stuff->screen >= pseudoramiXNumScreens)
+       return BadMatch;
+ 
+-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+     if (rc != Success)
+         return rc;
+diff --git a/render/render.c b/render/render.c
+index bfacaa0..3a41e33 100644
+--- render/render.c
++++ render/render.c
+@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
+     name = (char *) (stuff + 1);
+     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
+     nparams = ((xFixed *) stuff + client->req_len) - params;
++    if (nparams < 0)
++	return BadLength;
++
+     result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
+     return result;
+ }
+-- 
+cgit v0.10.2
+
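Review bot: The overflow guard added before REQUEST_FIXED_SIZE in ProcXResQueryResourceBytes (`if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0])) return BadLength;`) is not mirrored in SProcXResQueryResourceBytes, where after the reordered swapl the same product `stuff->numSpecs * sizeof(specs[0])` is still handed to REQUEST_FIXED_SIZE unguarded. Whether that can misbehave depends on the macro's own arithmetic and on the width of size_t, both outside this hunk, but repeating the check right after the swapl keeps the swapped and unswapped paths equivalent. In ProcRenderSetPictureFilter the new `return BadLength;` is indented with a tab while the surrounding lines use spaces. Both enclosing functions continue outside the hunk.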


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-1218y
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-13721
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-13721	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-13721	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,26 @@
+From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Fri, 28 Jul 2017 16:27:10 +0200
+Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+
+Otherwise it can belong to a non-existing client and abort X server with
+FatalError "client not in use", or overwrite existing segment of another
+existing client.
+
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index 91ea90b..2f9a788 100644
+--- Xext/shm.c
++++ Xext/shm.c
+@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
+     };
+ 
+     REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
++    LEGAL_NEW_RESOURCE(stuff->shmseg, client);
+     if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
+         client->errorValue = stuff->readOnly;
+         return BadValue;
+-- 
+cgit v0.10.2
+


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-13721
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-CVE-2017-13723
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2017-13723	                        (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2017-13723	2018-09-02 21:39:14 UTC (rev 24079)
@@ -0,0 +1,115 @@
+From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp at keithp.com>
+Date: Thu, 27 Jul 2017 10:08:32 -0700
+Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723)
+
+Generating strings for XKB data used a single shared static buffer,
+which offered several opportunities for errors. Use a ring of
+resizable buffers instead, to avoid problems when strings end up
+longer than anticipated.
+
+Reviewed-by: Michal Srb <msrb at suse.com>
+Signed-off-by: Keith Packard <keithp at keithp.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index ead2b1a..d2a2567 100644
+--- xkb/xkbtext.c
++++ xkb/xkbtext.c
+@@ -47,23 +47,27 @@
+ 
+ /***====================================================================***/
+ 
+-#define	BUFFER_SIZE	512
+-
+-static char textBuffer[BUFFER_SIZE];
+-static int tbNext = 0;
++#define NUM_BUFFER      8
++static struct textBuffer {
++    int size;
++    char *buffer;
++} textBuffer[NUM_BUFFER];
++static int textBufferIndex;
+ 
+ static char *
+ tbGetBuffer(unsigned size)
+ {
+-    char *rtrn;
++    struct textBuffer *tb;
+ 
+-    if (size >= BUFFER_SIZE)
+-        return NULL;
+-    if ((BUFFER_SIZE - tbNext) <= size)
+-        tbNext = 0;
+-    rtrn = &textBuffer[tbNext];
+-    tbNext += size;
+-    return rtrn;
++    tb = &textBuffer[textBufferIndex];
++    textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER;
++
++    if (size > tb->size) {
++        free(tb->buffer);
++        tb->buffer = xnfalloc(size);
++        tb->size = size;
++    }
++    return tb->buffer;
+ }
+ 
+ /***====================================================================***/
+@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format)
+         int len;
+ 
+         len = strlen(atmstr) + 1;
+-        if (len > BUFFER_SIZE)
+-            len = BUFFER_SIZE - 2;
+         rtrn = tbGetBuffer(len);
+         strlcpy(rtrn, atmstr, len);
+     }
+@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+     len = strlen(tmp) + 1;
+     if (format == XkbCFile)
+         len += 4;
+-    if (len >= BUFFER_SIZE)
+-        len = BUFFER_SIZE - 1;
+     rtrn = tbGetBuffer(len);
+     if (format == XkbCFile) {
+         strcpy(rtrn, "vmod_");
+@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+     return rtrn;
+ }
+ 
++#define VMOD_BUFFER_SIZE        512
++
+ char *
+ XkbVModMaskText(XkbDescPtr xkb,
+                 unsigned modMask, unsigned mask, unsigned format)
+@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+     register int i, bit;
+     int len;
+     char *mm, *rtrn;
+-    char *str, buf[BUFFER_SIZE];
++    char *str, buf[VMOD_BUFFER_SIZE];
+ 
+     if ((modMask == 0) && (mask == 0)) {
+         rtrn = tbGetBuffer(5);
+@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= BUFFER_SIZE) {
++                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+                     if (str != buf) {
+                         if (format == XkbCFile)
+                             *str++ = '|';
+@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb,
+         len = 0;
+     if (str)
+         len += strlen(str) + (mm == NULL ? 0 : 1);
+-    if (len >= BUFFER_SIZE)
+-        len = BUFFER_SIZE - 1;
+     rtrn = tbGetBuffer(len + 1);
+     rtrn[0] = '\0';
+ 
+-- 
+cgit v0.10.2
+
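Review bot: The bound check kept on the renamed line in XkbVModMaskText, `if ((str - (buf + len)) <= VMOD_BUFFER_SIZE)`, does not appear to bound the write: for `str` inside `buf` the left side equals `(str - buf) - len`, which is at most the buffer size whatever `len` is, so a long run of vmod names can still run past the 512-byte stack buffer; the intended form is probably `if ((str - buf) + len <= VMOD_BUFFER_SIZE)`. This is pre-existing and the commit only renames the constant, and the loop body continues outside the hunk. Separately, the new tbGetBuffer changes pointer lifetime: a recycled slot is freed and reallocated when a larger size is requested, so a pointer obtained more than NUM_BUFFER calls earlier may now be dangling rather than merely overwritten, which deserves a comment on the function such as `/* Returned storage is valid only until NUM_BUFFER further calls; older results may be freed. */`. The `size` field of struct textBuffer is an `int` compared against the `unsigned size` parameter; declaring the field `unsigned` avoids the mixed-sign comparison.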


Property changes on: trunk/x11-servers/xorg-server/files/patch-CVE-2017-13723
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property

