Date
1 - 4 of 4
[kirkstone][PATCH] xorg-x11-server: fix multiple xorg-x11-server bugs.
No changes required, As all the fixes available in this version.
-Thanks,
Vivek
On Mon, Jan 30, 2023 at 11:17 PM Steve Sakoman <steve@...> wrote:
On Wed, Jan 25, 2023 at 1:55 AM vkumbhar <vkumbhar@...> wrote:
>
> From: Vivek Kumbhar <vkumbhar@...>
>
> Fixed Below CVE:
> CVE-2022-4283
> CVE-2022-46340
> CVE-2022-46341
> CVE-2022-46342
> CVE-2022-46343
> CVE-2022-46344
>
> Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> ---
> .../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++
> .../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++
> .../xserver-xorg/CVE-2022-46341.patch | 86 +++++++++++++++++++
> .../xserver-xorg/CVE-2022-46342.patch | 78 +++++++++++++++++
> .../xserver-xorg/CVE-2022-46343.patch | 51 +++++++++++
> .../xserver-xorg/CVE-2022-46344.patch | 75 ++++++++++++++++
> .../xorg-xserver/xserver-xorg_21.1.4.bb | 6 ++
We've done a version bump to 21.1.6 in kirkstone, so you'll need to
rework this patch (if it is still necessary)
Thanks!
Steve
> 7 files changed, 390 insertions(+)
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> new file mode 100644
> index 0000000000..ce642843ab
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> @@ -0,0 +1,39 @@
> +From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Mon, 5 Dec 2022 15:55:54 +1000
> +Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
> +
> +Unlike other elements of the keymap, this pointer was freed but not
> +reset. On a subsequent XkbGetKbdByName request, the server may access
> +already freed memory.
> +
> +CVE-2022-4283, ZDI-CAN-19530
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
> +CVE: CVE-2022-4283
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + xkb/xkbUtils.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
> +index dd089c204..3f5791a18 100644
> +--- a/xkb/xkbUtils.c
> ++++ b/xkb/xkbUtils.c
> +@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
> + }
> + else {
> + free(dst->names->radio_groups);
> ++ dst->names->radio_groups = NULL;
> + }
> + dst->names->num_rg = src->names->num_rg;
> +
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> new file mode 100644
> index 0000000000..9bdcdfa76e
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> @@ -0,0 +1,55 @@
> +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 12:55:45 +1000
> +Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
> +
> +XTestSwapFakeInput assumes all events in this request are
> +sizeof(xEvent) and iterates through these in 32-byte increments.
> +However, a GenericEvent may be of arbitrary length longer than 32 bytes,
> +so any GenericEvent in this list would result in subsequent events to be
> +misparsed.
> +
> +Additional, the swapped event is written into a stack-allocated struct
> +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
> +swapping the event may thus smash the stack like an avocado on toast.
> +
> +Catch this case early and return BadValue for any GenericEvent.
> +Which is what would happen in unswapped setups anyway since XTest
> +doesn't support GenericEvent.
> +
> +CVE-2022-46340, ZDI-CAN 19265
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
> +CVE: CVE-2022-46340
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xext/xtest.c | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/Xext/xtest.c b/Xext/xtest.c
> +index bf27eb590..2985a4ce6 100644
> +--- a/Xext/xtest.c
> ++++ b/Xext/xtest.c
> +@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
> +
> + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
> + for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
> ++ int evtype = ev->u.u.type & 0x177;
> + /* Swap event */
> +- proc = EventSwapVector[ev->u.u.type & 0177];
> ++ proc = EventSwapVector[evtype];
> + /* no swapping proc; invalid event type? */
> +- if (!proc || proc == NotImplemented) {
> ++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
> + client->errorValue = ev->u.u.type;
> + return BadValue;
> + }
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> new file mode 100644
> index 0000000000..669792a5e7
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> @@ -0,0 +1,86 @@
> +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 13:55:32 +1000
> +Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
> +
> +The XKB protocol effectively prevents us from ever using keycodes above
> +255. For buttons it's theoretically possible but realistically too niche
> +to worry about. For all other passive grabs, the detail must be zero
> +anyway.
> +
> +This fixes an OOB write:
> +
> +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
> +temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
> +For matching existing grabs, DeleteDetailFromMask is called with the
> +stuff->detail value. This function creates a new mask with the one bit
> +representing stuff->detail cleared.
> +
> +However, the array size for the new mask is 8 * sizeof(CARD32) bits,
> +thus any detail above 255 results in an OOB array write.
> +
> +CVE-2022-46341, ZDI-CAN 19381
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
> +CVE: CVE-2022-46341
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xi/xipassivegrab.c | 22 ++++++++++++++--------
> + 1 file changed, 14 insertions(+), 8 deletions(-)
> +
> +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
> +index 2769fb7c9..c9ac2f855 100644
> +--- a/Xi/xipassivegrab.c
> ++++ b/Xi/xipassivegrab.c
> +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> + return BadValue;
> + }
> +
> ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
> ++ * implement this. Just return an error for all keycodes that
> ++ * cannot work anyway, same for buttons > 255. */
> ++ if (stuff->detail > 255)
> ++ return XIAlreadyGrabbed;
> ++
> + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
> + stuff->mask_len * 4) != Success)
> + return BadValue;
> +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> + ¶m, XI2, &mask);
> + break;
> + case XIGrabtypeKeycode:
> +- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
> +- * implement this. Just return an error for all keycodes that
> +- * cannot work anyway */
> +- if (stuff->detail > 255)
> +- status = XIAlreadyGrabbed;
> +- else
> +- status = GrabKey(client, dev, mod_dev, stuff->detail,
> +- ¶m, XI2, &mask);
> ++ status = GrabKey(client, dev, mod_dev, stuff->detail,
> ++ ¶m, XI2, &mask);
> + break;
> + case XIGrabtypeEnter:
> + case XIGrabtypeFocusIn:
> +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
> + return BadValue;
> + }
> +
> ++ /* We don't allow passive grabs for details > 255 anyway */
> ++ if (stuff->detail > 255) {
> ++ client->errorValue = stuff->detail;
> ++ return BadValue;
> ++ }
> ++
> + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
> + if (rc != Success)
> + return rc;
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> new file mode 100644
> index 0000000000..6c17b105a0
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> @@ -0,0 +1,78 @@
> +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Wed, 30 Nov 2022 11:20:40 +1000
> +Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
> + client
> +
> +This fixes a use-after-free bug:
> +
> +When a client first calls XvdiSelectVideoNotify() on a drawable with a
> +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
> +is added twice to the resources:
> + - as the drawable's XvRTVideoNotifyList. This happens only once per
> + drawable, subsequent calls append to this list.
> + - as the client's XvRTVideoNotify. This happens for every client.
> +
> +The struct keeps the ClientPtr around once it has been added for a
> +client. The idea, presumably, is that if the client disconnects we can remove
> +all structs from the drawable's list that match the client (by resetting
> +the ClientPtr to NULL), but if the drawable is destroyed we can remove
> +and free the whole list.
> +
> +However, if the same client then calls XvdiSelectVideoNotify() on the
> +same drawable with a FALSE onoff argument, only the ClientPtr on the
> +existing struct was set to NULL. The struct itself remained in the
> +client's resources.
> +
> +If the drawable is now destroyed, the resource system invokes
> +XvdiDestroyVideoNotifyList which frees the whole list for this drawable
> +- including our struct. This function however does not free the resource
> +for the client since our ClientPtr is NULL.
> +
> +Later, when the client is destroyed and the resource system invokes
> +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
> +a struct that has been freed previously. This is generally frowned upon.
> +
> +Fix this by calling FreeResource() on the second call instead of merely
> +setting the ClientPtr to NULL. This removes the struct from the client
> +resources (but not from the list), ensuring that it won't be accessed
> +again when the client quits.
> +
> +Note that the assignment tpn->client = NULL; is superfluous since the
> +XvdiDestroyVideoNotify function will do this anyway. But it's left for
> +clarity and to match a similar invocation in XvdiSelectPortNotify.
> +
> +CVE-2022-46342, ZDI-CAN 19400
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
> +CVE: CVE-2022-46342
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xext/xvmain.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/Xext/xvmain.c b/Xext/xvmain.c
> +index f62747193..2a08f8744 100644
> +--- a/Xext/xvmain.c
> ++++ b/Xext/xvmain.c
> +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
> + tpn = pn;
> + while (tpn) {
> + if (tpn->client == client) {
> +- if (!onoff)
> ++ if (!onoff) {
> + tpn->client = NULL;
> ++ FreeResource(tpn->id, XvRTVideoNotify);
> ++ }
> + return Success;
> + }
> + if (!tpn->client)
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> new file mode 100644
> index 0000000000..11507c3247
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> @@ -0,0 +1,51 @@
> +From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 14:53:07 +1000
> +Subject: [PATCH] Xext: free the screen saver resource when replacing it
> +
> +This fixes a use-after-free bug:
> +
> +When a client first calls ScreenSaverSetAttributes(), a struct
> +ScreenSaverAttrRec is allocated and added to the client's
> +resources.
> +
> +When the same client calls ScreenSaverSetAttributes() again, a new
> +struct ScreenSaverAttrRec is allocated, replacing the old struct. The
> +old struct was freed but not removed from the clients resources.
> +
> +Later, when the client is destroyed the resource system invokes
> +ScreenSaverFreeAttr and attempts to clean up the already freed struct.
> +
> +Fix this by letting the resource system free the old attrs instead.
> +
> +CVE-2022-46343, ZDI-CAN 19404
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
> +CVE: CVE-2022-46343
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xext/saver.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Xext/saver.c b/Xext/saver.c
> +index f813ba08d..fd6153c31 100644
> +--- a/Xext/saver.c
> ++++ b/Xext/saver.c
> +@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
> + pVlist++;
> + }
> + if (pPriv->attr)
> +- FreeScreenAttr(pPriv->attr);
> ++ FreeResource(pPriv->attr->resource, AttrType);
> + pPriv->attr = pAttr;
> + pAttr->resource = FakeClientID(client->index);
> + if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> new file mode 100644
> index 0000000000..92f65569ef
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> @@ -0,0 +1,75 @@
> +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 13:26:57 +1000
> +Subject: [PATCH] Xi: avoid integer truncation in length check of
> + ProcXIChangeProperty
> +
> +This fixes an OOB read and the resulting information disclosure.
> +
> +Length calculation for the request was clipped to a 32-bit integer. With
> +the correct stuff->num_items value the expected request size was
> +truncated, passing the REQUEST_FIXED_SIZE check.
> +
> +The server then proceeded with reading at least stuff->num_items bytes
> +(depending on stuff->format) from the request and stuffing whatever it
> +finds into the property. In the process it would also allocate at least
> +stuff->num_items bytes, i.e. 4GB.
> +
> +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
> +so let's fix that too.
> +
> +CVE-2022-46344, ZDI-CAN 19405
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
> +CVE: CVE-2022-46344
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xi/xiproperty.c | 4 ++--
> + dix/property.c | 3 ++-
> + 2 files changed, 4 insertions(+), 3 deletions(-)
> +
> +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
> +index 68c362c62..066ba21fb 100644
> +--- a/Xi/xiproperty.c
> ++++ b/Xi/xiproperty.c
> +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
> + REQUEST(xChangeDevicePropertyReq);
> + DeviceIntPtr dev;
> + unsigned long len;
> +- int totalSize;
> ++ uint64_t totalSize;
> + int rc;
> +
> + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
> +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
> + {
> + int rc;
> + DeviceIntPtr dev;
> +- int totalSize;
> ++ uint64_t totalSize;
> + unsigned long len;
> +
> + REQUEST(xXIChangePropertyReq);
> +diff --git a/dix/property.c b/dix/property.c
> +index 94ef5a0ec..acce94b2c 100644
> +--- a/dix/property.c
> ++++ b/dix/property.c
> +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
> + WindowPtr pWin;
> + char format, mode;
> + unsigned long len;
> +- int sizeInBytes, totalSize, err;
> ++ int sizeInBytes, err;
> ++ uint64_t totalSize;
> +
> + REQUEST(xChangePropertyReq);
> +
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> index aba09afec3..744bd3e2aa 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> @@ -4,6 +4,12 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
> file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
> file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
> file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
> + file://CVE-2022-4283.patch \
> + file://CVE-2022-46340.patch \
> + file://CVE-2022-46341.patch \
> + file://CVE-2022-46342.patch \
> + file://CVE-2022-46343.patch \
> + file://CVE-2022-46344.patch \
> "
> SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
>
> --
> 2.30.2
>
>
>
>
Thanks for the information. Okay, will modify the patch accordingly.
-Thanks,
Vivek
On Mon, Jan 30, 2023 at 11:17 PM Steve Sakoman <steve@...> wrote:
On Wed, Jan 25, 2023 at 1:55 AM vkumbhar <vkumbhar@...> wrote:
>
> From: Vivek Kumbhar <vkumbhar@...>
>
> Fixed Below CVE:
> CVE-2022-4283
> CVE-2022-46340
> CVE-2022-46341
> CVE-2022-46342
> CVE-2022-46343
> CVE-2022-46344
>
> Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> ---
> .../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++
> .../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++
> .../xserver-xorg/CVE-2022-46341.patch | 86 +++++++++++++++++++
> .../xserver-xorg/CVE-2022-46342.patch | 78 +++++++++++++++++
> .../xserver-xorg/CVE-2022-46343.patch | 51 +++++++++++
> .../xserver-xorg/CVE-2022-46344.patch | 75 ++++++++++++++++
> .../xorg-xserver/xserver-xorg_21.1.4.bb | 6 ++
We've done a version bump to 21.1.6 in kirkstone, so you'll need to
rework this patch (if it is still necessary)
Thanks!
Steve
> 7 files changed, 390 insertions(+)
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> new file mode 100644
> index 0000000000..ce642843ab
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
> @@ -0,0 +1,39 @@
> +From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Mon, 5 Dec 2022 15:55:54 +1000
> +Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
> +
> +Unlike other elements of the keymap, this pointer was freed but not
> +reset. On a subsequent XkbGetKbdByName request, the server may access
> +already freed memory.
> +
> +CVE-2022-4283, ZDI-CAN-19530
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
> +CVE: CVE-2022-4283
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + xkb/xkbUtils.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
> +index dd089c204..3f5791a18 100644
> +--- a/xkb/xkbUtils.c
> ++++ b/xkb/xkbUtils.c
> +@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
> + }
> + else {
> + free(dst->names->radio_groups);
> ++ dst->names->radio_groups = NULL;
> + }
> + dst->names->num_rg = src->names->num_rg;
> +
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> new file mode 100644
> index 0000000000..9bdcdfa76e
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
> @@ -0,0 +1,55 @@
> +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 12:55:45 +1000
> +Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
> +
> +XTestSwapFakeInput assumes all events in this request are
> +sizeof(xEvent) and iterates through these in 32-byte increments.
> +However, a GenericEvent may be of arbitrary length longer than 32 bytes,
> +so any GenericEvent in this list would result in subsequent events to be
> +misparsed.
> +
> +Additional, the swapped event is written into a stack-allocated struct
> +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
> +swapping the event may thus smash the stack like an avocado on toast.
> +
> +Catch this case early and return BadValue for any GenericEvent.
> +Which is what would happen in unswapped setups anyway since XTest
> +doesn't support GenericEvent.
> +
> +CVE-2022-46340, ZDI-CAN 19265
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
> +CVE: CVE-2022-46340
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xext/xtest.c | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/Xext/xtest.c b/Xext/xtest.c
> +index bf27eb590..2985a4ce6 100644
> +--- a/Xext/xtest.c
> ++++ b/Xext/xtest.c
> +@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
> +
> + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
> + for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
> ++ int evtype = ev->u.u.type & 0x177;
> + /* Swap event */
> +- proc = EventSwapVector[ev->u.u.type & 0177];
> ++ proc = EventSwapVector[evtype];
> + /* no swapping proc; invalid event type? */
> +- if (!proc || proc == NotImplemented) {
> ++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
> + client->errorValue = ev->u.u.type;
> + return BadValue;
> + }
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> new file mode 100644
> index 0000000000..669792a5e7
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
> @@ -0,0 +1,86 @@
> +From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 13:55:32 +1000
> +Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
> +
> +The XKB protocol effectively prevents us from ever using keycodes above
> +255. For buttons it's theoretically possible but realistically too niche
> +to worry about. For all other passive grabs, the detail must be zero
> +anyway.
> +
> +This fixes an OOB write:
> +
> +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
> +temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
> +For matching existing grabs, DeleteDetailFromMask is called with the
> +stuff->detail value. This function creates a new mask with the one bit
> +representing stuff->detail cleared.
> +
> +However, the array size for the new mask is 8 * sizeof(CARD32) bits,
> +thus any detail above 255 results in an OOB array write.
> +
> +CVE-2022-46341, ZDI-CAN 19381
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
> +CVE: CVE-2022-46341
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xi/xipassivegrab.c | 22 ++++++++++++++--------
> + 1 file changed, 14 insertions(+), 8 deletions(-)
> +
> +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
> +index 2769fb7c9..c9ac2f855 100644
> +--- a/Xi/xipassivegrab.c
> ++++ b/Xi/xipassivegrab.c
> +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> + return BadValue;
> + }
> +
> ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
> ++ * implement this. Just return an error for all keycodes that
> ++ * cannot work anyway, same for buttons > 255. */
> ++ if (stuff->detail > 255)
> ++ return XIAlreadyGrabbed;
> ++
> + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
> + stuff->mask_len * 4) != Success)
> + return BadValue;
> +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
> + ¶m, XI2, &mask);
> + break;
> + case XIGrabtypeKeycode:
> +- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
> +- * implement this. Just return an error for all keycodes that
> +- * cannot work anyway */
> +- if (stuff->detail > 255)
> +- status = XIAlreadyGrabbed;
> +- else
> +- status = GrabKey(client, dev, mod_dev, stuff->detail,
> +- ¶m, XI2, &mask);
> ++ status = GrabKey(client, dev, mod_dev, stuff->detail,
> ++ ¶m, XI2, &mask);
> + break;
> + case XIGrabtypeEnter:
> + case XIGrabtypeFocusIn:
> +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
> + return BadValue;
> + }
> +
> ++ /* We don't allow passive grabs for details > 255 anyway */
> ++ if (stuff->detail > 255) {
> ++ client->errorValue = stuff->detail;
> ++ return BadValue;
> ++ }
> ++
> + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
> + if (rc != Success)
> + return rc;
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> new file mode 100644
> index 0000000000..6c17b105a0
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
> @@ -0,0 +1,78 @@
> +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Wed, 30 Nov 2022 11:20:40 +1000
> +Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
> + client
> +
> +This fixes a use-after-free bug:
> +
> +When a client first calls XvdiSelectVideoNotify() on a drawable with a
> +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
> +is added twice to the resources:
> + - as the drawable's XvRTVideoNotifyList. This happens only once per
> + drawable, subsequent calls append to this list.
> + - as the client's XvRTVideoNotify. This happens for every client.
> +
> +The struct keeps the ClientPtr around once it has been added for a
> +client. The idea, presumably, is that if the client disconnects we can remove
> +all structs from the drawable's list that match the client (by resetting
> +the ClientPtr to NULL), but if the drawable is destroyed we can remove
> +and free the whole list.
> +
> +However, if the same client then calls XvdiSelectVideoNotify() on the
> +same drawable with a FALSE onoff argument, only the ClientPtr on the
> +existing struct was set to NULL. The struct itself remained in the
> +client's resources.
> +
> +If the drawable is now destroyed, the resource system invokes
> +XvdiDestroyVideoNotifyList which frees the whole list for this drawable
> +- including our struct. This function however does not free the resource
> +for the client since our ClientPtr is NULL.
> +
> +Later, when the client is destroyed and the resource system invokes
> +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
> +a struct that has been freed previously. This is generally frowned upon.
> +
> +Fix this by calling FreeResource() on the second call instead of merely
> +setting the ClientPtr to NULL. This removes the struct from the client
> +resources (but not from the list), ensuring that it won't be accessed
> +again when the client quits.
> +
> +Note that the assignment tpn->client = NULL; is superfluous since the
> +XvdiDestroyVideoNotify function will do this anyway. But it's left for
> +clarity and to match a similar invocation in XvdiSelectPortNotify.
> +
> +CVE-2022-46342, ZDI-CAN 19400
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
> +CVE: CVE-2022-46342
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xext/xvmain.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/Xext/xvmain.c b/Xext/xvmain.c
> +index f62747193..2a08f8744 100644
> +--- a/Xext/xvmain.c
> ++++ b/Xext/xvmain.c
> +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
> + tpn = pn;
> + while (tpn) {
> + if (tpn->client == client) {
> +- if (!onoff)
> ++ if (!onoff) {
> + tpn->client = NULL;
> ++ FreeResource(tpn->id, XvRTVideoNotify);
> ++ }
> + return Success;
> + }
> + if (!tpn->client)
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> new file mode 100644
> index 0000000000..11507c3247
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
> @@ -0,0 +1,51 @@
> +From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 14:53:07 +1000
> +Subject: [PATCH] Xext: free the screen saver resource when replacing it
> +
> +This fixes a use-after-free bug:
> +
> +When a client first calls ScreenSaverSetAttributes(), a struct
> +ScreenSaverAttrRec is allocated and added to the client's
> +resources.
> +
> +When the same client calls ScreenSaverSetAttributes() again, a new
> +struct ScreenSaverAttrRec is allocated, replacing the old struct. The
> +old struct was freed but not removed from the clients resources.
> +
> +Later, when the client is destroyed the resource system invokes
> +ScreenSaverFreeAttr and attempts to clean up the already freed struct.
> +
> +Fix this by letting the resource system free the old attrs instead.
> +
> +CVE-2022-46343, ZDI-CAN 19404
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
> +CVE: CVE-2022-46343
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xext/saver.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Xext/saver.c b/Xext/saver.c
> +index f813ba08d..fd6153c31 100644
> +--- a/Xext/saver.c
> ++++ b/Xext/saver.c
> +@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
> + pVlist++;
> + }
> + if (pPriv->attr)
> +- FreeScreenAttr(pPriv->attr);
> ++ FreeResource(pPriv->attr->resource, AttrType);
> + pPriv->attr = pAttr;
> + pAttr->resource = FakeClientID(client->index);
> + if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> new file mode 100644
> index 0000000000..92f65569ef
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
> @@ -0,0 +1,75 @@
> +From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutterer@...>
> +Date: Tue, 29 Nov 2022 13:26:57 +1000
> +Subject: [PATCH] Xi: avoid integer truncation in length check of
> + ProcXIChangeProperty
> +
> +This fixes an OOB read and the resulting information disclosure.
> +
> +Length calculation for the request was clipped to a 32-bit integer. With
> +the correct stuff->num_items value the expected request size was
> +truncated, passing the REQUEST_FIXED_SIZE check.
> +
> +The server then proceeded with reading at least stuff->num_items bytes
> +(depending on stuff->format) from the request and stuffing whatever it
> +finds into the property. In the process it would also allocate at least
> +stuff->num_items bytes, i.e. 4GB.
> +
> +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
> +so let's fix that too.
> +
> +CVE-2022-46344, ZDI-CAN 19405
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer <peter.hutterer@...>
> +Acked-by: Olivier Fourdan <ofourdan@...>
> +
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
> +CVE: CVE-2022-46344
> +Signed-off-by: Vivek Kumbhar <vkumbhar@...>
> +---
> + Xi/xiproperty.c | 4 ++--
> + dix/property.c | 3 ++-
> + 2 files changed, 4 insertions(+), 3 deletions(-)
> +
> +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
> +index 68c362c62..066ba21fb 100644
> +--- a/Xi/xiproperty.c
> ++++ b/Xi/xiproperty.c
> +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
> + REQUEST(xChangeDevicePropertyReq);
> + DeviceIntPtr dev;
> + unsigned long len;
> +- int totalSize;
> ++ uint64_t totalSize;
> + int rc;
> +
> + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
> +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
> + {
> + int rc;
> + DeviceIntPtr dev;
> +- int totalSize;
> ++ uint64_t totalSize;
> + unsigned long len;
> +
> + REQUEST(xXIChangePropertyReq);
> +diff --git a/dix/property.c b/dix/property.c
> +index 94ef5a0ec..acce94b2c 100644
> +--- a/dix/property.c
> ++++ b/dix/property.c
> +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
> + WindowPtr pWin;
> + char format, mode;
> + unsigned long len;
> +- int sizeInBytes, totalSize, err;
> ++ int sizeInBytes, err;
> ++ uint64_t totalSize;
> +
> + REQUEST(xChangePropertyReq);
> +
> +--
> +2.30.2
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> index aba09afec3..744bd3e2aa 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
> @@ -4,6 +4,12 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
> file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
> file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
> file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
> + file://CVE-2022-4283.patch \
> + file://CVE-2022-46340.patch \
> + file://CVE-2022-46341.patch \
> + file://CVE-2022-46342.patch \
> + file://CVE-2022-46343.patch \
> + file://CVE-2022-46344.patch \
> "
> SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
>
> --
> 2.30.2
>
>
>
>
Steve Sakoman
On Wed, Jan 25, 2023 at 1:55 AM vkumbhar <vkumbhar@...> wrote:
rework this patch (if it is still necessary)
Thanks!
Steve
We've done a version bump to 21.1.6 in kirkstone, so you'll need to
From: Vivek Kumbhar <vkumbhar@...>
Fixed Below CVE:
CVE-2022-4283
CVE-2022-46340
CVE-2022-46341
CVE-2022-46342
CVE-2022-46343
CVE-2022-46344
Signed-off-by: Vivek Kumbhar <vkumbhar@...>
---
.../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++
.../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++
.../xserver-xorg/CVE-2022-46341.patch | 86 +++++++++++++++++++
.../xserver-xorg/CVE-2022-46342.patch | 78 +++++++++++++++++
.../xserver-xorg/CVE-2022-46343.patch | 51 +++++++++++
.../xserver-xorg/CVE-2022-46344.patch | 75 ++++++++++++++++
.../xorg-xserver/xserver-xorg_21.1.4.bb | 6 ++
rework this patch (if it is still necessary)
Thanks!
Steve
7 files changed, 390 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
new file mode 100644
index 0000000000..ce642843ab
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index dd089c204..3f5791a18 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
new file mode 100644
index 0000000000..9bdcdfa76e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index bf27eb590..2985a4ce6 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+ /* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+ client->errorValue = ev->u.u.type;
+ return BadValue;
+ }
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..669792a5e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index 2769fb7c9..c9ac2f855 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- ¶m, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..6c17b105a0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+
+This fixes a use-after-free bug:
+
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+ - as the drawable's XvRTVideoNotifyList. This happens only once per
+ drawable, subsequent calls append to this list.
+ - as the client's XvRTVideoNotify. This happens for every client.
+
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+
+CVE-2022-46342, ZDI-CAN 19400
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index f62747193..2a08f8744 100644
+--- a/Xext/xvmain.c
++++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+ tpn = pn;
+ while (tpn) {
+ if (tpn->client == client) {
+- if (!onoff)
++ if (!onoff) {
+ tpn->client = NULL;
++ FreeResource(tpn->id, XvRTVideoNotify);
++ }
+ return Success;
+ }
+ if (!tpn->client)
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..11507c3247
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index f813ba08d..fd6153c31 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+ pVlist++;
+ }
+ if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+ pPriv->attr = pAttr;
+ pAttr->resource = FakeClientID(client->index);
+ if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..92f65569ef
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+
+CVE-2022-46344, ZDI-CAN 19405
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 68c362c62..066ba21fb 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+ REQUEST(xChangeDevicePropertyReq);
+ DeviceIntPtr dev;
+ unsigned long len;
+- int totalSize;
++ uint64_t totalSize;
+ int rc;
+
+ REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+ int rc;
+ DeviceIntPtr dev;
+- int totalSize;
++ uint64_t totalSize;
+ unsigned long len;
+
+ REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index 94ef5a0ec..acce94b2c 100644
+--- a/dix/property.c
++++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+ WindowPtr pWin;
+ char format, mode;
+ unsigned long len;
+- int sizeInBytes, totalSize, err;
++ int sizeInBytes, err;
++ uint64_t totalSize;
+
+ REQUEST(xChangePropertyReq);
+
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
index aba09afec3..744bd3e2aa 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
@@ -4,6 +4,12 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
+ file://CVE-2022-4283.patch \
+ file://CVE-2022-46340.patch \
+ file://CVE-2022-46341.patch \
+ file://CVE-2022-46342.patch \
+ file://CVE-2022-46343.patch \
+ file://CVE-2022-46344.patch \
"
SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
--
2.30.2
From: Vivek Kumbhar <vkumbhar@...>
Fixed Below CVE:
CVE-2022-4283
CVE-2022-46340
CVE-2022-46341
CVE-2022-46342
CVE-2022-46343
CVE-2022-46344
Signed-off-by: Vivek Kumbhar <vkumbhar@...>
---
.../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++
.../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++
.../xserver-xorg/CVE-2022-46341.patch | 86 +++++++++++++++++++
.../xserver-xorg/CVE-2022-46342.patch | 78 +++++++++++++++++
.../xserver-xorg/CVE-2022-46343.patch | 51 +++++++++++
.../xserver-xorg/CVE-2022-46344.patch | 75 ++++++++++++++++
.../xorg-xserver/xserver-xorg_21.1.4.bb | 6 ++
7 files changed, 390 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
new file mode 100644
index 0000000000..ce642843ab
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index dd089c204..3f5791a18 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
new file mode 100644
index 0000000000..9bdcdfa76e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index bf27eb590..2985a4ce6 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+ /* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+ client->errorValue = ev->u.u.type;
+ return BadValue;
+ }
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..669792a5e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index 2769fb7c9..c9ac2f855 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- ¶m, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..6c17b105a0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+
+This fixes a use-after-free bug:
+
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+ - as the drawable's XvRTVideoNotifyList. This happens only once per
+ drawable, subsequent calls append to this list.
+ - as the client's XvRTVideoNotify. This happens for every client.
+
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+
+CVE-2022-46342, ZDI-CAN 19400
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index f62747193..2a08f8744 100644
+--- a/Xext/xvmain.c
++++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+ tpn = pn;
+ while (tpn) {
+ if (tpn->client == client) {
+- if (!onoff)
++ if (!onoff) {
+ tpn->client = NULL;
++ FreeResource(tpn->id, XvRTVideoNotify);
++ }
+ return Success;
+ }
+ if (!tpn->client)
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..11507c3247
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index f813ba08d..fd6153c31 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+ pVlist++;
+ }
+ if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+ pPriv->attr = pAttr;
+ pAttr->resource = FakeClientID(client->index);
+ if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..92f65569ef
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+
+CVE-2022-46344, ZDI-CAN 19405
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 68c362c62..066ba21fb 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+ REQUEST(xChangeDevicePropertyReq);
+ DeviceIntPtr dev;
+ unsigned long len;
+- int totalSize;
++ uint64_t totalSize;
+ int rc;
+
+ REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+ int rc;
+ DeviceIntPtr dev;
+- int totalSize;
++ uint64_t totalSize;
+ unsigned long len;
+
+ REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index 94ef5a0ec..acce94b2c 100644
+--- a/dix/property.c
++++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+ WindowPtr pWin;
+ char format, mode;
+ unsigned long len;
+- int sizeInBytes, totalSize, err;
++ int sizeInBytes, err;
++ uint64_t totalSize;
+
+ REQUEST(xChangePropertyReq);
+
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
index aba09afec3..744bd3e2aa 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
@@ -4,6 +4,12 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
+ file://CVE-2022-4283.patch \
+ file://CVE-2022-46340.patch \
+ file://CVE-2022-46341.patch \
+ file://CVE-2022-46342.patch \
+ file://CVE-2022-46343.patch \
+ file://CVE-2022-46344.patch \
"
SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
--
2.30.2
Fixed Below CVE:
CVE-2022-4283
CVE-2022-46340
CVE-2022-46341
CVE-2022-46342
CVE-2022-46343
CVE-2022-46344
Signed-off-by: Vivek Kumbhar <vkumbhar@...>
---
.../xserver-xorg/CVE-2022-4283.patch | 39 +++++++++
.../xserver-xorg/CVE-2022-46340.patch | 55 ++++++++++++
.../xserver-xorg/CVE-2022-46341.patch | 86 +++++++++++++++++++
.../xserver-xorg/CVE-2022-46342.patch | 78 +++++++++++++++++
.../xserver-xorg/CVE-2022-46343.patch | 51 +++++++++++
.../xserver-xorg/CVE-2022-46344.patch | 75 ++++++++++++++++
.../xorg-xserver/xserver-xorg_21.1.4.bb | 6 ++
7 files changed, 390 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
new file mode 100644
index 0000000000..ce642843ab
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index dd089c204..3f5791a18 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
new file mode 100644
index 0000000000..9bdcdfa76e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index bf27eb590..2985a4ce6 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+ /* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+ client->errorValue = ev->u.u.type;
+ return BadValue;
+ }
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..669792a5e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index 2769fb7c9..c9ac2f855 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- ¶m, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..6c17b105a0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+
+This fixes a use-after-free bug:
+
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+ - as the drawable's XvRTVideoNotifyList. This happens only once per
+ drawable, subsequent calls append to this list.
+ - as the client's XvRTVideoNotify. This happens for every client.
+
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+
+CVE-2022-46342, ZDI-CAN 19400
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index f62747193..2a08f8744 100644
+--- a/Xext/xvmain.c
++++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+ tpn = pn;
+ while (tpn) {
+ if (tpn->client == client) {
+- if (!onoff)
++ if (!onoff) {
+ tpn->client = NULL;
++ FreeResource(tpn->id, XvRTVideoNotify);
++ }
+ return Success;
+ }
+ if (!tpn->client)
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..11507c3247
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index f813ba08d..fd6153c31 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+ pVlist++;
+ }
+ if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+ pPriv->attr = pAttr;
+ pAttr->resource = FakeClientID(client->index);
+ if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..92f65569ef
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@...>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+
+CVE-2022-46344, ZDI-CAN 19405
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@...>
+Acked-by: Olivier Fourdan <ofourdan@...>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Vivek Kumbhar <vkumbhar@...>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 68c362c62..066ba21fb 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+ REQUEST(xChangeDevicePropertyReq);
+ DeviceIntPtr dev;
+ unsigned long len;
+- int totalSize;
++ uint64_t totalSize;
+ int rc;
+
+ REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+ int rc;
+ DeviceIntPtr dev;
+- int totalSize;
++ uint64_t totalSize;
+ unsigned long len;
+
+ REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index 94ef5a0ec..acce94b2c 100644
+--- a/dix/property.c
++++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+ WindowPtr pWin;
+ char format, mode;
+ unsigned long len;
+- int sizeInBytes, totalSize, err;
++ int sizeInBytes, err;
++ uint64_t totalSize;
+
+ REQUEST(xChangePropertyReq);
+
+--
+2.30.2
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
index aba09afec3..744bd3e2aa 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
@@ -4,6 +4,12 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
+ file://CVE-2022-4283.patch \
+ file://CVE-2022-46340.patch \
+ file://CVE-2022-46341.patch \
+ file://CVE-2022-46342.patch \
+ file://CVE-2022-46343.patch \
+ file://CVE-2022-46344.patch \
"
SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
--
2.30.2