* [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972}.
@ 2017-07-06 19:28 Kei Kebreau
2017-07-06 23:43 ` [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972} Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Kei Kebreau @ 2017-07-06 19:28 UTC (permalink / raw)
To: 27600; +Cc: Kei Kebreau
* gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
* gnu/packages/patches/xorg-CVE-2017-10971.patch,
gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 2 +
gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
gnu/packages/xorg.scm | 5 +-
4 files changed, 194 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8dbce7c05..bb93cac53 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1081,6 +1081,8 @@ dist_patch_DATA = \
%D%/packages/patches/xinetd-fix-fd-leak.patch \
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
+ %D%/packages/patches/xorg-CVE-2017-10971.patch \
+ %D%/packages/patches/xorg-CVE-2017-10972.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
%D%/packages/patches/zathura-plugindir-environment-variable.patch \
%D%/packages/patches/zziplib-CVE-2017-5974.patch \
diff --git a/gnu/packages/patches/xorg-CVE-2017-10971.patch b/gnu/packages/patches/xorg-CVE-2017-10971.patch
new file mode 100644
index 000000000..2696033e5
--- /dev/null
+++ b/gnu/packages/patches/xorg-CVE-2017-10971.patch
@@ -0,0 +1,153 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: dix: Disallow GenericEvent in SendEvent request.
+
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
++ /* Generic events can have variable size, but SendEvent request holds
++ exactly 32B of event data. */
++ if (stuff->event.u.u.type == GenericEvent) {
++ client->errorValue = stuff->event.u.u.type;
++ return BadValue;
++ }
+ if (stuff->event.u.u.type == ClientMessage &&
+ stuff->event.u.u.detail != 8 &&
+ stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- a/dix/swapreq.c
++++ b/dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+ swapl(&stuff->destination);
+ swapl(&stuff->eventMask);
+
++ /* Generic events can have variable size, but SendEvent request holds
++ exactly 32B of event data. */
++ if (stuff->event.u.u.type == GenericEvent) {
++ client->errorValue = stuff->event.u.u.type;
++ return BadValue;
++ }
++
+ /* Swap event */
+ proc = EventSwapVector[stuff->event.u.u.type & 0177];
+ if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
+--
+cgit v0.10.2
+
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: Xi: Verify all events in ProcXSendExtensionEvent.
+
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+- int ret;
++ int ret, i;
+ DeviceIntPtr dev;
+ xEvent *first;
+ XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+ /* The client's event type must be one defined by an extension. */
+
+ first = ((xEvent *) &stuff[1]);
+- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+- (first->u.u.type < lastEvent))) {
+- client->errorValue = first->u.u.type;
+- return BadValue;
++ for (i = 0; i < stuff->num_events; i++) {
++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
++ (first[i].u.u.type < lastEvent))) {
++ client->errorValue = first[i].u.u.type;
++ return BadValue;
++ }
+ }
+
+ list = (XEventClass *) (first + stuff->num_events);
+--
+cgit v0.10.2
+
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+
+ eventP = (xEvent *) &stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
++ if (eventP->u.u.type == GenericEvent) {
++ client->errorValue = eventP->u.u.type;
++ return BadValue;
++ }
++
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
++ /* no swapping proc; invalid event type? */
++ if (proc == NotImplemented) {
++ client->errorValue = eventP->u.u.type;
+ return BadValue;
++ }
+ (*proc) (eventP, &eventT);
+ *eventP = eventT;
+ }
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/xorg-CVE-2017-10972.patch b/gnu/packages/patches/xorg-CVE-2017-10972.patch
new file mode 100644
index 000000000..f24e9c0ae
--- /dev/null
+++ b/gnu/packages/patches/xorg-CVE-2017-10972.patch
@@ -0,0 +1,35 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 7b1d00f47..ec6fe6069 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5000,7 +5000,10 @@ over Xlib, including:
name "-" version ".tar.bz2"))
(sha256
(base32
- "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7"))))
+ "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7"))
+ (patches
+ (search-patches "xorg-CVE-2017-10971.patch"
+ "xorg-CVE-2017-10972.patch"))))
(build-system gnu-build-system)
(propagated-inputs
`(("dri2proto" ,dri2proto)
--
2.13.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972}.
2017-07-06 19:28 [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972} Kei Kebreau
@ 2017-07-06 23:43 ` Leo Famulari
2017-07-07 3:53 ` bug#27600: " Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2017-07-06 23:43 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 27600
[-- Attachment #1: Type: text/plain, Size: 904 bytes --]
On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote:
> * gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
> * gnu/packages/patches/xorg-CVE-2017-10971.patch,
> gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
Yikes, these bugs!
> ---
> gnu/local.mk | 2 +
> gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
> gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
> gnu/packages/xorg.scm | 5 +-
> 4 files changed, 194 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
> create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
Please rename the patch files to include the name of the package
(xorg-server), adjust the changes to local.mk accordingly, and please
push!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#27600: [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972}.
2017-07-06 23:43 ` [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972} Leo Famulari
@ 2017-07-07 3:53 ` Leo Famulari
2017-07-07 4:20 ` [bug#27600] " Kei Kebreau
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2017-07-07 3:53 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 27600-done
[-- Attachment #1: Type: text/plain, Size: 1113 bytes --]
On Thu, Jul 06, 2017 at 07:43:43PM -0400, Leo Famulari wrote:
> On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote:
> > * gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
> > * gnu/packages/patches/xorg-CVE-2017-10971.patch,
> > gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> Yikes, these bugs!
>
> > ---
> > gnu/local.mk | 2 +
> > gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
> > gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
> > gnu/packages/xorg.scm | 5 +-
> > 4 files changed, 194 insertions(+), 1 deletion(-)
> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
>
> Please rename the patch files to include the name of the package
> (xorg-server), adjust the changes to local.mk accordingly, and please
> push!
I had some time so I made the adjustment and pushed on your behalf.
Thanks again!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972}.
2017-07-07 3:53 ` bug#27600: " Leo Famulari
@ 2017-07-07 4:20 ` Kei Kebreau
0 siblings, 0 replies; 4+ messages in thread
From: Kei Kebreau @ 2017-07-07 4:20 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27600-done
[-- Attachment #1: Type: text/plain, Size: 1198 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Thu, Jul 06, 2017 at 07:43:43PM -0400, Leo Famulari wrote:
>> On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote:
>> > * gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
>> > * gnu/packages/patches/xorg-CVE-2017-10971.patch,
>> > gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>>
>> Yikes, these bugs!
>>
>> > ---
>> > gnu/local.mk | 2 +
>> > gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
>> > gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
>> > gnu/packages/xorg.scm | 5 +-
>> > 4 files changed, 194 insertions(+), 1 deletion(-)
>> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
>> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
>>
>> Please rename the patch files to include the name of the package
>> (xorg-server), adjust the changes to local.mk accordingly, and please
>> push!
>
> I had some time so I made the adjustment and pushed on your behalf.
> Thanks again!
Thank you!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-07-07 4:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-06 19:28 [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972} Kei Kebreau
2017-07-06 23:43 ` [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972} Leo Famulari
2017-07-07 3:53 ` bug#27600: " Leo Famulari
2017-07-07 4:20 ` [bug#27600] " Kei Kebreau
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.