Commits:
-
c1ad8df2
by nerdopolis at 2023-10-25T11:35:42-04:00
xephyr: Don't check for SeatId anymore
After a change for the xserver to automatically determine the seat
based on the XDG_SEAT variable, xephyr stopped working. This was
because of an old feature where xephyr used to handle evdev
directly. This was dropped some time ago, and now this check is
not needed
(cherry picked from commit 4c03b67d334b05b814239420776f2fdd4c4a98ac)
-
58e83c68
by Peter Hutterer at 2023-12-13T11:00:13+10:00
randr: avoid integer truncation in length check of ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-6478, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
-
a7bda308
by Peter Hutterer at 2023-12-13T11:00:15+10:00
Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
-
15e24097
by Peter Hutterer at 2023-12-13T11:12:59+10:00
xserver 21.1.10
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
7 changed files:
Changes:
Xi/exevents.c
| ... |
... |
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) |
|
611
|
611
|
}
|
|
612
|
612
|
|
|
613
|
613
|
if (from->button->xkb_acts) {
|
|
614
|
|
- if (!to->button->xkb_acts) {
|
|
615
|
|
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
|
616
|
|
- if (!to->button->xkb_acts)
|
|
617
|
|
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
|
618
|
|
- }
|
|
|
614
|
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
|
|
615
|
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
|
|
616
|
+ maxbuttons,
|
|
|
617
|
+ sizeof(XkbAction));
|
|
|
618
|
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
|
619
|
619
|
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
|
620
|
|
- sizeof(XkbAction));
|
|
|
620
|
+ from->button->numButtons * sizeof(XkbAction));
|
|
621
|
621
|
}
|
|
622
|
622
|
else {
|
|
623
|
623
|
free(to->button->xkb_acts);
|
configure.ac
| ... |
... |
@@ -26,8 +26,8 @@ dnl |
|
26
|
26
|
dnl Process this file with autoconf to create configure.
|
|
27
|
27
|
|
|
28
|
28
|
AC_PREREQ(2.60)
|
|
29
|
|
-AC_INIT([xorg-server], 21.1.9, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
|
|
30
|
|
-RELEASE_DATE="2023-10-25"
|
|
|
29
|
+AC_INIT([xorg-server], 21.1.10, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
|
|
|
30
|
+RELEASE_DATE="2023-12-13"
|
|
31
|
31
|
RELEASE_NAME="Caramel Ice Cream"
|
|
32
|
32
|
AC_CONFIG_SRCDIR([Makefile.am])
|
|
33
|
33
|
AC_CONFIG_MACRO_DIR([m4])
|
dix/devices.c
| ... |
... |
@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) |
|
2525
|
2525
|
|
|
2526
|
2526
|
if (master->button && master->button->numButtons != maxbuttons) {
|
|
2527
|
2527
|
int i;
|
|
|
2528
|
+ int last_num_buttons = master->button->numButtons;
|
|
|
2529
|
+
|
|
2528
|
2530
|
DeviceChangedEvent event = {
|
|
2529
|
2531
|
.header = ET_Internal,
|
|
2530
|
2532
|
.type = ET_DeviceChanged,
|
| ... |
... |
@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) |
|
2535
|
2537
|
};
|
|
2536
|
2538
|
|
|
2537
|
2539
|
master->button->numButtons = maxbuttons;
|
|
|
2540
|
+ if (last_num_buttons < maxbuttons) {
|
|
|
2541
|
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
|
|
2542
|
+ maxbuttons,
|
|
|
2543
|
+ sizeof(XkbAction));
|
|
|
2544
|
+ memset(&master->button->xkb_acts[last_num_buttons],
|
|
|
2545
|
+ 0,
|
|
|
2546
|
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
|
|
2547
|
+ }
|
|
2538
|
2548
|
|
|
2539
|
2549
|
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
|
2540
|
2550
|
sizeof(Atom));
|
hw/kdrive/ephyr/ephyrinit.c
| ... |
... |
@@ -70,25 +70,23 @@ InitInput(int argc, char **argv) |
|
70
|
70
|
KdKeyboardInfo *ki;
|
|
71
|
71
|
KdPointerInfo *pi;
|
|
72
|
72
|
|
|
73
|
|
- if (!SeatId) {
|
|
74
|
|
- KdAddKeyboardDriver(&EphyrKeyboardDriver);
|
|
75
|
|
- KdAddPointerDriver(&EphyrMouseDriver);
|
|
76
|
|
-
|
|
77
|
|
- if (!kdHasKbd) {
|
|
78
|
|
- ki = KdNewKeyboard();
|
|
79
|
|
- if (!ki)
|
|
80
|
|
- FatalError("Couldn't create Xephyr keyboard\n");
|
|
81
|
|
- ki->driver = &EphyrKeyboardDriver;
|
|
82
|
|
- KdAddKeyboard(ki);
|
|
83
|
|
- }
|
|
|
73
|
+ KdAddKeyboardDriver(&EphyrKeyboardDriver);
|
|
|
74
|
+ KdAddPointerDriver(&EphyrMouseDriver);
|
|
|
75
|
+
|
|
|
76
|
+ if (!kdHasKbd) {
|
|
|
77
|
+ ki = KdNewKeyboard();
|
|
|
78
|
+ if (!ki)
|
|
|
79
|
+ FatalError("Couldn't create Xephyr keyboard\n");
|
|
|
80
|
+ ki->driver = &EphyrKeyboardDriver;
|
|
|
81
|
+ KdAddKeyboard(ki);
|
|
|
82
|
+ }
|
|
84
|
83
|
|
|
85
|
|
- if (!kdHasPointer) {
|
|
86
|
|
- pi = KdNewPointer();
|
|
87
|
|
- if (!pi)
|
|
88
|
|
- FatalError("Couldn't create Xephyr pointer\n");
|
|
89
|
|
- pi->driver = &EphyrMouseDriver;
|
|
90
|
|
- KdAddPointer(pi);
|
|
91
|
|
- }
|
|
|
84
|
+ if (!kdHasPointer) {
|
|
|
85
|
+ pi = KdNewPointer();
|
|
|
86
|
+ if (!pi)
|
|
|
87
|
+ FatalError("Couldn't create Xephyr pointer\n");
|
|
|
88
|
+ pi->driver = &EphyrMouseDriver;
|
|
|
89
|
+ KdAddPointer(pi);
|
|
92
|
90
|
}
|
|
93
|
91
|
|
|
94
|
92
|
KdInitInput();
|
meson.build
| ... |
... |
@@ -3,10 +3,10 @@ project('xserver', 'c', |
|
3
|
3
|
'buildtype=debugoptimized',
|
|
4
|
4
|
'c_std=gnu99',
|
|
5
|
5
|
],
|
|
6
|
|
- version: '21.1.9',
|
|
|
6
|
+ version: '21.1.10',
|
|
7
|
7
|
meson_version: '>= 0.47.0',
|
|
8
|
8
|
)
|
|
9
|
|
-release_date = '2023-10-25'
|
|
|
9
|
+release_date = '2023-12-13'
|
|
10
|
10
|
|
|
11
|
11
|
add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
|
|
12
|
12
|
cc = meson.get_compiler('c')
|
randr/rrproperty.c
| ... |
... |
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) |
|
530
|
530
|
char format, mode;
|
|
531
|
531
|
unsigned long len;
|
|
532
|
532
|
int sizeInBytes;
|
|
533
|
|
- int totalSize;
|
|
|
533
|
+ uint64_t totalSize;
|
|
534
|
534
|
int err;
|
|
535
|
535
|
|
|
536
|
536
|
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
randr/rrproviderproperty.c
| ... |
... |
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) |
|
498
|
498
|
char format, mode;
|
|
499
|
499
|
unsigned long len;
|
|
500
|
500
|
int sizeInBytes;
|
|
501
|
|
- int totalSize;
|
|
|
501
|
+ uint64_t totalSize;
|
|
502
|
502
|
int err;
|
|
503
|
503
|
|
|
504
|
504
|
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
|