From f9e77ef4da49c376fb87915ece75959b462a444b Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 27 Aug 2020 10:51:48 +0200 Subject: [PATCH] Import Debian changes 2:1.20.4-1+deb10u1 xorg-server (2:1.20.4-1+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. * Fix for ZDI-11426 (CVE-2020-14347) (Closes: #968986) * Correct bounds checking in XkbSetNames() (CVE-2020-14345) * Fix XIChangeHierarchy() integer underflow (CVE-2020-14346) * Fix XkbSelectEvents() integer underflow (CVE-2020-14361) * Fix XRecordRegisterClients() Integer underflow (CVE-2020-14362)
---
debian/changelog | 11 ++ debian/patches/08_fix-for-ZDI-11426.patch | 35 ++++ ...rrect-bounds-checking-in-XkbSetNames.patch | 179 ++++++++++++++++++ ...-XIChangeHierarchy-integer-underflow.patch | 32 ++++ ...ix-XkbSelectEvents-integer-underflow.patch | 32 ++++ ...ordRegisterClients-Integer-underflow.patch | 66 +++++++ debian/patches/series | 5 + 7 files changed, 360 insertions(+) create mode 100644 debian/patches/08_fix-for-ZDI-11426.patch create mode 100644 debian/patches/09_Correct-bounds-checking-in-XkbSetNames.patch create mode 100644 debian/patches/10_Fix-XIChangeHierarchy-integer-underflow.patch create mode 100644 debian/patches/11_Fix-XkbSelectEvents-integer-underflow.patch create mode 100644 debian/patches/12_Fix-XRecordRegisterClients-Integer-underflow.patch
diff --git a/debian/changelog b/debian/changelog
index ab4743d..66fb5ac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+xorg-server (2:1.20.4-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix for ZDI-11426 (CVE-2020-14347) (Closes: #968986)
+ * Correct bounds checking in XkbSetNames() (CVE-2020-14345)
+ * Fix XIChangeHierarchy() integer underflow (CVE-2020-14346)
+ * Fix XkbSelectEvents() integer underflow (CVE-2020-14361)
+ * Fix XRecordRegisterClients() Integer underflow (CVE-2020-14362)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 27 Aug 2020 10:51:48 +0200
+
 xorg-server (2:1.20.4-1) unstable; urgency=medium
 
 [ Timo Aaltonen ]
diff --git a/debian/patches/08_fix-for-ZDI-11426.patch b/debian/patches/08_fix-for-ZDI-11426.patch
new file mode 100644
index 0000000..b4b66cd
--- /dev/null
+++ b/debian/patches/08_fix-for-ZDI-11426.patch
@@ -0,0 +1,35 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: fix for ZDI-11426
+Origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816
+Bug-Debian: https://bugs.debian.org/968986
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14347
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbbf62..5a0146bbb667 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+ if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+ return NullPixmap;
+
+- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+ if (!pPixmap)
+ return NullPixmap;
+
+--
+2.28.0
+
diff --git a/debian/patches/09_Correct-bounds-checking-in-XkbSetNames.patch b/debian/patches/09_Correct-bounds-checking-in-XkbSetNames.patch
new file mode 100644
index 0000000..953e773
--- /dev/null
+++ b/debian/patches/09_Correct-bounds-checking-in-XkbSetNames.patch
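Review bot: The switch from malloc to calloc in AllocatePixmap carries no comment saying that the zero-fill is a correctness requirement rather than a preference, so a later "optimisation" back to malloc would silently reopen the issue the patch header describes. I would add above the call: `/* calloc, not malloc: the allocation is later exposed to clients, so it must never contain stale heap data (CVE-2020-14347) */`. Separately, `pixDataSize` is an `int` on the hunk's first line; if any caller could derive it from client data without a sign check, a negative value would shrink rather than grow the allocation on the changed line, which is worth confirming even though it is outside this patch. The remainder of AllocatePixmap lies outside the hunk.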
@@ -0,0 +1,179 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: Correct bounds checking in XkbSetNames()
+Origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14345
+
+CVE-2020-14345 / ZDI 11428
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index d93078a6e3bd..8e016cd7467e 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define CHK_REQ_KEY_RANGE(err,first,num,r) \
+ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+
++static Bool
++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
++ char *cstuff = (char *)stuff;
++ char *cfrom = (char *)from;
++ char *cto = (char *)to;
++
++ return cfrom < cto &&
++ cfrom >= cstuff &&
++ cfrom < cstuff + ((size_t)client->req_len << 2) &&
++ cto >= cstuff &&
++ cto <= cstuff + ((size_t)client->req_len << 2);
++}
++
+ /***====================================================================***/
+
+ int
+@@ -4048,6 +4061,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+ return BadAccess;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
++ return BadLength;
+ old = tmp;
+ tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+ if (!tmp) {
+@@ -4077,6 +4092,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ }
+ width = (CARD8 *) tmp;
+ tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
++ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
++ return BadLength;
+ type = &xkb->map->types[stuff->firstKTLevel];
+ for (i = 0; i < stuff->nKTLevels; i++, type++) {
+ if (width[i] == 0)
+@@ -4086,6 +4103,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ type->num_levels, width[i]);
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4098,6 +4117,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x08;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->indicators)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+ client->swapped, &bad);
+ if (!tmp) {
+@@ -4110,6 +4132,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x09;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->virtualMods)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+ (CARD32) stuff->virtualMods,
+ client->swapped, &bad);
+@@ -4123,6 +4148,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x0a;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->groupNames)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+ (CARD32) stuff->groupNames,
+ client->swapped, &bad);
+@@ -4144,9 +4172,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ stuff->nKeys);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
++ return BadLength;
+ tmp += stuff->nKeys;
+ }
+ if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + (stuff->nKeyAliases * 2)))
++ return BadLength;
+ tmp += stuff->nKeyAliases * 2;
+ }
+ if (stuff->which & XkbRGNamesMask) {
+@@ -4154,6 +4187,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + stuff->nRadioGroups))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4347,6 +4383,8 @@ ProcXkbSetNames(ClientPtr client)
+ /* check device-independent stuff */
+ tmp = (CARD32 *) &stuff[1];
+
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbKeycodesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4354,6 +4392,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbGeometryNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4361,6 +4401,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4368,6 +4410,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbPhysSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4375,6 +4419,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbTypesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4382,6 +4428,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbCompatNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+--
+2.28.0
+
diff --git a/debian/patches/10_Fix-XIChangeHierarchy-integer-underflow.patch b/debian/patches/10_Fix-XIChangeHierarchy-integer-underflow.patch
new file mode 100644
index 0000000..99daadf
--- /dev/null
+++ b/debian/patches/10_Fix-XIChangeHierarchy-integer-underflow.patch
@@ -0,0 +1,32 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: Fix XIChangeHierarchy() integer underflow
+Origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14346
+
+CVE-2020-14346 / ZDI-CAN-11429
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd91258179..504defe5663d 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+2.28.0
+
diff --git a/debian/patches/11_Fix-XkbSelectEvents-integer-underflow.patch b/debian/patches/11_Fix-XkbSelectEvents-integer-underflow.patch
new file mode 100644
index 0000000..b90b01c
--- /dev/null
+++ b/debian/patches/11_Fix-XkbSelectEvents-integer-underflow.patch
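Review bot: In the ProcXkbSetNames hunks (`@@ -4347,6 +4383,8 @@` through `@@ -4382,6 +4428,8 @@`) each new `_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)` call is placed before its `if (stuff->which & ...NameMask)` rather than inside it, so a request in which that bit is clear and no further words follow is now rejected with BadLength even though nothing would have been read from it — the helper's `cfrom < cto` test can never accept a pointer that already sits at the end of the request. Moving each check under its mask test keeps the guard exactly where the read happens: `if (stuff->which & XkbKeycodesNameMask) { if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) return BadLength; tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);`. The same strict inequality means every call in _XkbSetNamesCheck must only be reached with a non-zero count (nTypes, width[i], Ones(...), nKeys, nKeyAliases, nRadioGroups); most of the conditions that should guarantee that lie outside the hunks, so a contract comment on the helper, `/* Rejects empty ranges: callers must only pass from < to, i.e. a count > 0. */`, would make the assumption explicit. Note also that `tmp + count` is formed before it is validated, which works for the byte comparison done here but is pointer arithmetic beyond the request object; comparing byte offsets against `client->req_len << 2` instead would avoid that. Both ProcXkbSetNames and _XkbSetNamesCheck start and end outside the hunks.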
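Review bot: The one-line replacement in ProcXIChangeHierarchy, `len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);`, does not say why `client->req_len` is the right operand, and patches 11 (SProcXkbSelectEvents, `dataLeft`) and 12 (SwapCreateRegister) make the same substitution just as silently. As I understand the protocol, `stuff->length` is the 16-bit length word exactly as the client sent it and is 0 when the request is carried via BIG-REQUESTS, whereas `client->req_len` is the length the server actually read, so subtracting the header size from the former is the underflow being fixed. A comment at each site, `/* client->req_len, not stuff->length: the latter is client-supplied and is 0 for BIG-REQUESTS */`, would keep the next maintainer from "simplifying" it back. Whether an earlier REQUEST_AT_LEAST_SIZE guarantees `(client->req_len << 2) >= sizeof(xXIChangeHierarchyReq)` before this line is not visible in the hunk; the rest of ProcXIChangeHierarchy, including the loop that consumes `len`, is outside it.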
@@ -0,0 +1,32 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: Fix XkbSelectEvents() integer underflow
+Origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14361
+
+CVE-2020-14361 ZDI-CAN 11573
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff4647..50cabb90e557 100644
+--- a/xkb/xkbSwap.c
++++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+ register unsigned bit, ndx, maskLeft, dataLeft, size;
+
+ from.c8 = (CARD8 *) &stuff[1];
+- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+ maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+ for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+ if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+--
+2.28.0
+
diff --git a/debian/patches/12_Fix-XRecordRegisterClients-Integer-underflow.patch b/debian/patches/12_Fix-XRecordRegisterClients-Integer-underflow.patch
new file mode 100644
index 0000000..fbaa8a7
--- /dev/null
+++ b/debian/patches/12_Fix-XRecordRegisterClients-Integer-underflow.patch
@@ -0,0 +1,66 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: Fix XRecordRegisterClients() Integer underflow
+Origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14362
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f2d38c877e97..be154525d2b3 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+ int i;
+ XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+ swapl(&stuff->nRanges);
+ pClientID = (XID *) &stuff[1];
+ if (stuff->nClients >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++) {
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients)
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+--
+2.28.0
+
diff --git a/debian/patches/series b/debian/patches/series
index ca1cf41..a22a72e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,8 @@
 05_Revert-Unload-submodules.diff
 06_use-intel-only-on-pre-gen4.diff
 07_use-modesetting-driver-by-default-on-GeForce.diff
+08_fix-for-ZDI-11426.patch
+09_Correct-bounds-checking-in-XkbSetNames.patch
+10_Fix-XIChangeHierarchy-integer-underflow.patch
+11_Fix-XkbSelectEvents-integer-underflow.patch
+12_Fix-XRecordRegisterClients-Integer-underflow.patch
--
GitLab
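Review bot: The replacement nRanges check in SwapCreateRegister, `stuff->nRanges > client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients`, counts in CARD32 words and therefore only guarantees one word per range, but `RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges)` on the next line processes a whole xRecordRange per element, which is several words (24 bytes, if I recall recordproto.h correctly), so a request whose nRanges equals the remaining word count still lets the swap run past the words this request supplied. The check it replaces had the same shape, so the commit fixes the underflow but not the unit mismatch. The nClients loop above is exact because each XID is one word; the ranges check should divide by the range size: `if (stuff->nRanges > (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) return BadLength;`. Any later sanity check in ProcRecordRegisterClients runs only after the swap and is outside this patch.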