From 37a0e4ddff58c0120cc5cfef104b60d0e180638c Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Mon, 4 Dec 2017 01:01:44 -0500 Subject: Squashed 'import-layers/yocto-poky/' changes from dc8508f6099..67491b0c104 Yocto 2.2.2 (Morty) Change-Id: Id9a452e28940d9f166957de243d9cb1d8818704e git-subtree-dir: import-layers/yocto-poky git-subtree-split: 67491b0c104101bb9f366d697edd23c895be4302 
Signed-off-by: Brad Bishop --- .../yocto-poky/meta/recipes-graphics/mesa/mesa.inc | 3 + .../ttf-fonts/liberation-fonts_1.04.bb | 4 +- ...on-1.11-config-option-for-no-input-device.patch | 123 ++++++ .../meta/recipes-graphics/wayland/weston_1.11.0.bb | 1 + .../recipes-graphics/xorg-app/mkfontdir_1.0.7.bb | 3 + .../recipes-graphics/xorg-app/mkfontscale_1.1.2.bb | 2 + .../xorg-font/xorg-font-common.inc | 1 + .../xorg-lib/libx11/CVE-2016-7942.patch | 69 ++++ .../xorg-lib/libx11/CVE-2016-7943.patch | 103 +++++ .../meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 2 + .../libxrandr/CVE-2016-7947_CVE-2016-7948.patch | 439 +++++++++++++++++++++ .../recipes-graphics/xorg-lib/libxrandr_1.5.0.bb | 3 + .../xorg-lib/libxrender/CVE-2016-7949.patch | 59 +++ .../recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 + .../recipes-graphics/xorg-lib/libxtst_1.2.2.bb | 20 - .../recipes-graphics/xorg-lib/libxtst_1.2.3.bb | 20 + 16 files changed, 833 insertions(+), 22 deletions(-) create mode 100644 import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch create mode 100644 import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch create mode 100644 import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch create mode 100644 import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch create mode 100644 import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch delete mode 100644 import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb create mode 100644 import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb (limited to 'import-layers/yocto-poky/meta/recipes-graphics') diff --git a/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc b/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc index e4880ffed..525a2d54c 100644 
--- a/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc +++ b/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc @@ -79,6 +79,9 @@ EXCLUDE_FROM_WORLD = "1" # Remove the mesa dependency on mesa-dev, as mesa is empty RDEPENDS_${PN}-dev = "" +# Add dependency so that GLES3 header don't need to be added manually +RDEPENDS_libgles2-mesa-dev += "libgles3-mesa-dev" + PACKAGES =+ "libegl-mesa libegl-mesa-dev \ libosmesa libosmesa-dev \ libgl-mesa libgl-mesa-dev \ diff --git a/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb b/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb index bda82e7ef..74212e7e5 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb @@ -2,7 +2,7 @@ SUMMARY = "Liberation(tm) Fonts" DESCRIPTION = "The Liberation(tm) Fonts is a font family originally \ created by Ascender(c) which aims at metric compatibility with \ Arial, Times New Roman, Courier New." -HOMEPAGE = "https://fedorahosted.org/liberation-fonts/" +HOMEPAGE = "https://releases.pagure.org/liberation-fonts/" BUGTRACKER = "https://bugzilla.redhat.com/" RECIPE_NO_UPDATE_REASON = "2.x depends on fontforge package, which is not yet provided in oe-core" @@ -17,7 +17,7 @@ inherit allarch fontcache FONT_PACKAGES = "${PN}" -SRC_URI = "https://fedorahosted.org/releases/l/i/liberation-fonts/liberation-fonts-${PV}.tar.gz \ +SRC_URI = "https://releases.pagure.org/liberation-fonts/liberation-fonts-${PV}.tar.gz \ file://30-liberation-aliases.conf" SRC_URI[md5sum] = "4846797ef0fc70b0cbaede2514677c58" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch new file mode 100644 index 000000000..6f5ad6652 
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch
@@ -0,0 +1,123 @@ +From bbf2e6ebbd9c051775f43e1e3c3a2f41322342e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20D=C3=ADaz?= +Date: Fri, 21 Oct 2016 14:03:13 -0500 +Subject: [PATCH] Add configuration option for no input device. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[Backported from master, 75b7197.] + +As it has been discussed in the past [1], running Weston +without any input device at launch might be beneficial for +some use cases. + +Certainly, it's best for the vast majority of users (and +the project) to require an input device to be present, as +to avoid frustration and hassle, but for those brave souls +that so prefer, this patch lets them run without any input +device at all. + +This introduces a simple configuration in weston.ini: + [core] + require-input=true + +True is the default, so no behavioral change is introduced. + +[1] https://lists.freedesktop.org/archives/wayland-devel/2015-November/025193.html + +Signed-off-by: Daniel Díaz +--- + man/weston.ini.man | 5 +++++ + src/compositor.h | 4 ++++ + src/libinput-seat.c | 6 ++++++ + src/main.c | 5 +++++ + weston.ini.in | 1 + + 5 files changed, 21 insertions(+) + +diff --git a/man/weston.ini.man b/man/weston.ini.man +index d7c4a6f..c7d0f01 100644 +--- a/man/weston.ini.man ++++ b/man/weston.ini.man +@@ -169,6 +169,11 @@ time, the one specified in the command-line will be used. On the other + hand, if none of these sets the value, default idle timeout will be + set to 300 seconds. + .RS ++.PP ++.RE ++.TP 7 ++.BI "require-input=" true ++require an input device for launch + + .SH "LIBINPUT SECTION" + The +diff --git a/src/compositor.h b/src/compositor.h +index 0bbf458..476b650 100644 +--- a/src/compositor.h ++++ b/src/compositor.h +@@ -803,6 +803,10 @@ struct weston_compositor { + + void *user_data; + void (*exit)(struct weston_compositor *c); ++ ++ /* Whether to let the compositor run without any input device. 
*/ ++ bool require_input; ++ + }; + + struct weston_buffer { +diff --git a/src/libinput-seat.c b/src/libinput-seat.c +index 8ce0ee0..e1fdcf0 100644 +--- a/src/libinput-seat.c ++++ b/src/libinput-seat.c +@@ -255,6 +255,12 @@ udev_input_enable(struct udev_input *input) + devices_found = 1; + } + ++ if (devices_found == 0 && !c->require_input) { ++ weston_log("warning: no input devices found, but none required " ++ "as per configuration.\n"); ++ return 0; ++ } ++ + if (devices_found == 0) { + weston_log( + "warning: no input devices on entering Weston. " +diff --git a/src/main.c b/src/main.c +index 3279ac6..09905ea 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -1298,6 +1298,7 @@ int main(int argc, char *argv[]) + struct wl_client *primary_client; + struct wl_listener primary_client_destroyed; + struct weston_seat *seat; ++ int require_input; + + const struct weston_option core_options[] = { + { WESTON_OPTION_STRING, "backend", 'B', &backend }, +@@ -1373,6 +1374,10 @@ int main(int argc, char *argv[]) + if (weston_compositor_init_config(ec, config) < 0) + goto out; + ++ weston_config_section_get_bool(section, "require-input", ++ &require_input, true); ++ ec->require_input = require_input; ++ + if (load_backend(ec, backend, &argc, argv, config) < 0) { + weston_log("fatal: failed to create compositor backend\n"); + goto out; +diff --git a/weston.ini.in b/weston.ini.in +index 14a4c0c..d837fb5 100644 +--- a/weston.ini.in ++++ b/weston.ini.in +@@ -2,6 +2,7 @@ + #modules=xwayland.so,cms-colord.so + #shell=desktop-shell.so + #gbm-format=xrgb2101010 ++#require-input=true + + [shell] + background-image=/usr/share/backgrounds/gnome/Aqua.jpg +-- +1.9.1 + diff --git a/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb index 3ad309dab..9740ce9c9 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb 
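Review bot: The comment added above the new field in src/compositor.h, `/* Whether to let the compositor run without any input device. */`, states the opposite sense of the field it documents: the field is `require_input`, and the src/libinput-seat.c change only skips the failure when it is false. Something like `/* Whether an input device must be present at start-up (default: true). */` would match the code. In src/main.c the option is read through `section`, whose assignment is outside the hunk, so confirm it still refers to `[core]` at that point. The embedded patch header says `[Backported from master, 75b7197.]` but has no `Upstream-Status:` line, unlike the CVE patches in this commit; adding `Upstream-Status: Backport` would keep the patch metadata consistent.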
+++ b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb @@ -14,6 +14,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ file://xwayland.weston-start \ file://make-weston-launch-exit-for-unrecognized-option.patch \ file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \ + file://weston-1.11-config-option-for-no-input-device.patch \ " SRC_URI[md5sum] = "bc6f90a2039163804aecfa663b69c4c2" SRC_URI[sha256sum] = "05e086e9f186a06843b9f7a5e1abf19347b1a6e4be26d7e74927abc17b6b7125" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb index a453e2487..737bc9de4 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb @@ -11,6 +11,9 @@ files." PE = "1" PR = "${INC_PR}.0" +DEPENDS = "util-macros-native" +REQUIRED_DISTRO_FEATURES_class-native = "" + RDEPENDS_${PN} += "mkfontscale" RDEPENDS_${PN}_class-native += "mkfontscale-native" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb index 31cf18676..d1aa9b361 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb @@ -10,6 +10,8 @@ is used by the mkfontdir program." DEPENDS = "util-macros-native zlib libfontenc freetype xproto" +REQUIRED_DISTRO_FEATURES_class-native = "" + BBCLASSEXTEND = "native" LIC_FILES_CHKSUM = "file://COPYING;md5=2e0d129d05305176d1a790e0ac1acb7f" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc b/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc index d5267f59a..da20ab9b5 100644 
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc @@ -18,6 +18,7 @@ inherit autotools pkgconfig distro_features_check # The mkfontscale-native requires x11 in DISTRO_FEATURES REQUIRED_DISTRO_FEATURES = "x11" +REQUIRED_DISTRO_FEATURES_class-native = "" EXTRA_OEMAKE += "FCCACHE=/bin/true UTIL_DIR=${STAGING_DIR_TARGET}\$\(MAPFILES_PATH\)" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch new file mode 100644 index 000000000..f5b4d69d4 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch 
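Review bot: The context comment `# The mkfontscale-native requires x11 in DISTRO_FEATURES` now sits two lines above an added line that clears that requirement for native builds, so the file contradicts itself as read. If the intent is that the native font tools must build even when the target distro does not enable x11, a comment on the new line such as `# native variants must build without x11 in DISTRO_FEATURES` would record it. The same unexplained `REQUIRED_DISTRO_FEATURES_class-native = ""` is added in mkfontdir_1.0.7.bb and mkfontscale_1.1.2.bb.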
@@ -0,0 +1,69 @@ +From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:25:25 +0200 +Subject: Validation of server responses in XGetImage() + +Check if enough bytes were received for specified image type and +geometry. Otherwise GetPixel and other functions could trigger an +out of boundary read later on. + +CVE: CVE-2016-7942 +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb +Signed-off-by: Sona Sarmadi + +diff --git a/src/GetImage.c b/src/GetImage.c +index c461abc..ff32d58 100644 +--- a/src/GetImage.c ++++ b/src/GetImage.c +@@ -59,6 +59,7 @@ XImage *XGetImage ( + char *data; + unsigned long nbytes; + XImage *image; ++ int planes; + LockDisplay(dpy); + GetReq (GetImage, req); + /* +@@ -91,18 +92,28 @@ XImage *XGetImage ( + return (XImage *) NULL; + } + _XReadPad (dpy, data, nbytes); +- if (format == XYPixmap) +- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), +- Ones (plane_mask & +- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), +- format, 0, data, width, height, dpy->bitmap_pad, 0); +- else /* format == ZPixmap */ +- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), +- rep.depth, ZPixmap, 0, data, width, height, +- _XGetScanlinePad(dpy, (int) rep.depth), 0); ++ if (format == XYPixmap) { ++ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), ++ Ones (plane_mask & ++ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), ++ format, 0, data, width, height, dpy->bitmap_pad, 0); ++ planes = image->depth; ++ } else { /* format == ZPixmap */ ++ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), ++ rep.depth, ZPixmap, 0, data, width, height, ++ _XGetScanlinePad(dpy, (int) rep.depth), 0); ++ planes = 1; ++ } + + if (!image) + Xfree(data); ++ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || ++ INT_MAX / image->height <= image->bytes_per_line || ++ INT_MAX / planes <= image->height * image->bytes_per_line || ++ 
nbytes < planes * image->height * image->bytes_per_line) { ++ XDestroyImage(image); ++ image = NULL; ++ } + UnlockDisplay(dpy); + SyncHandle(); + return (image); +-- +cgit v0.10.2 + diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch new file mode 100644 index 000000000..50024236d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch 
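Review bot: In the XGetImage() change a failed XCreateImage() is dereferenced in two places: `planes = image->depth;` in the XYPixmap branch runs before any NULL test, and the new size validation reads `image->height` immediately after `if (!image) Xfree(data);` without skipping the check when image is NULL. Guard the first as `planes = image ? image->depth : 0;` and make the validation the else arm of the NULL test, `if (!image) { Xfree(data); } else if (planes < 1 || ...) { XDestroyImage(image); image = NULL; }`. Since this is a backport, check whether upstream carries a follow-up fix that should be imported together with it. The function begins outside the hunk.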
@@ -0,0 +1,103 @@ +From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:22:57 +0200 +Subject: The validation of server responses avoids out of boundary accesses. + +v2: FontNames.c return a NULL list whenever a single +length field from the server is incohent. + +CVE: CVE-2016-7943 +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb +Signed-off-by: Sona Sarmadi + +diff --git a/src/FontNames.c b/src/FontNames.c +index 21dcafe..e55f338 100644 +--- a/src/FontNames.c ++++ b/src/FontNames.c +@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ + + if (rep.nFonts) { + flist = Xmalloc (rep.nFonts * sizeof(char *)); +- if (rep.length < (INT_MAX >> 2)) { ++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; + ch = Xmalloc(rlen + 1); + /* +1 to leave room for last null-terminator */ +@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */ + if (ch + length < chend) { + flist[i] = ch + 1; /* skip over length */ + ch += length + 1; /* find next length ... 
*/ +- length = *(unsigned char *)ch; +- *ch = '\0'; /* and replace with null-termination */ +- count++; +- } else +- flist[i] = NULL; ++ if (ch <= chend) { ++ length = *(unsigned char *)ch; ++ *ch = '\0'; /* and replace with null-termination */ ++ count++; ++ } else { ++ Xfree(flist); ++ flist = NULL; ++ count = 0; ++ break; ++ } ++ } else { ++ Xfree(flist); ++ flist = NULL; ++ count = 0; ++ break; ++ } + } + } + *actualCount = count; +diff --git a/src/ListExt.c b/src/ListExt.c +index be6b989..0516e45 100644 +--- a/src/ListExt.c ++++ b/src/ListExt.c +@@ -55,7 +55,7 @@ char **XListExtensions( + + if (rep.nExtensions) { + list = Xmalloc (rep.nExtensions * sizeof (char *)); +- if (rep.length < (INT_MAX >> 2)) { ++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; + ch = Xmalloc (rlen + 1); + /* +1 to leave room for last null-terminator */ +@@ -80,9 +80,13 @@ char **XListExtensions( + if (ch + length < chend) { + list[i] = ch+1; /* skip over length */ + ch += length + 1; /* find next length ... */ +- length = *ch; +- *ch = '\0'; /* and replace with null-termination */ +- count++; ++ if (ch <= chend) { ++ length = *ch; ++ *ch = '\0'; /* and replace with null-termination */ ++ count++; ++ } else { ++ list[i] = NULL; ++ } + } else + list[i] = NULL; + } +diff --git a/src/ModMap.c b/src/ModMap.c +index a809aa2..49a5d08 100644 +--- a/src/ModMap.c ++++ b/src/ModMap.c +@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy) + GetEmptyReq(GetModifierMapping, req); + (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); + +- if (rep.length < (INT_MAX >> 2)) { ++ if (rep.length < (INT_MAX >> 2) && ++ (rep.length >> 1) == rep.numKeyPerModifier) { + nbytes = (unsigned long)rep.length << 2; + res = Xmalloc(sizeof (XModifierKeymap)); + if (res) +-- +cgit v0.10.2 + diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb index 8e531c745..23a77891e 100644 
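Review bot: In the src/ListExt.c part the next length is still read as `length = *ch;`, while the src/FontNames.c part of the same patch reads it as `length = *(unsigned char *)ch;`. If `ch` is a plain `char *` there (its declaration is outside the hunk), a length byte of 0x80 or above becomes negative on signed-char targets and the `ch + length < chend` bound stops constraining the following write. Using the same cast in ListExt.c, `length = *(unsigned char *)ch;`, keeps the two parsers consistent. In FontNames.c the new error branches free `flist` and break, but nothing visible frees the string buffer that `ch` walks, so that allocation looks leaked on a malformed reply. Both functions continue outside the hunk.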
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb @@ -5,6 +5,8 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI += "file://disable_tests.patch \ file://libX11-Add-missing-NULL-check.patch \ + file://CVE-2016-7942.patch \ + file://CVE-2016-7943.patch \ " SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch new file mode 100644 index 000000000..a9b3dbc65 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch 
@@ -0,0 +1,439 @@ +From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 22:21:40 +0200 +Subject: Avoid out of boundary accesses on illegal responses + +The responses of the connected X server have to be properly checked +to avoid out of boundary accesses that could otherwise be triggered +by a malicious server. + +CVE: CVE-2016-7947 +libXrandr: Insufficient validation of server responses result in Integer overflows + +CVE: CVE-2016-7948 +libXrandr: Insufficient validation of server responses result in various data mishandlings + +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb +Signed-off-by: Sona Sarmadi + +diff --git a/src/XrrConfig.c b/src/XrrConfig.c +index 2f0282b..e68c45a 100644 +--- a/src/XrrConfig.c ++++ b/src/XrrConfig.c +@@ -29,6 +29,7 @@ + #include + #endif + ++#include + #include + #include + /* we need to be able to manipulate the Display structure on events */ +@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy, + rep.rate = 0; + rep.nrateEnts = 0; + } ++ if (rep.length < INT_MAX >> 2) { ++ nbytes = (long) rep.length << 2; + +- nbytes = (long) rep.length << 2; ++ nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + ++ ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */); + +- nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + +- ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); ++ /* ++ * first we must compute how much space to allocate for ++ * randr library's use; we'll allocate the structures in a single ++ * allocation, on cleanlyness grounds. ++ */ + +- /* +- * first we must compute how much space to allocate for +- * randr library's use; we'll allocate the structures in a single +- * allocation, on cleanlyness grounds. 
+- */ ++ rbytes = sizeof (XRRScreenConfiguration) + ++ (rep.nSizes * sizeof (XRRScreenSize) + ++ rep.nrateEnts * sizeof (int)); + +- rbytes = sizeof (XRRScreenConfiguration) + +- (rep.nSizes * sizeof (XRRScreenSize) + +- rep.nrateEnts * sizeof (int)); ++ scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); ++ } else { ++ nbytes = 0; ++ nbytesRead = 0; ++ rbytes = 0; ++ scp = NULL; ++ } + +- scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); + if (scp == NULL) { + _XEatData (dpy, (unsigned long) nbytes); + return NULL; +diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c +index 5ae35c5..6665092 100644 +--- a/src/XrrCrtc.c ++++ b/src/XrrCrtc.c +@@ -24,6 +24,7 @@ + #include + #endif + ++#include + #include + #include + /* we need to be able to manipulate the Display structure on events */ +@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) + return NULL; + } + +- nbytes = (long) rep.length << 2; ++ if (rep.length < INT_MAX >> 2) ++ { ++ nbytes = (long) rep.length << 2; + +- nbytesRead = (long) (rep.nOutput * 4 + +- rep.nPossibleOutput * 4); ++ nbytesRead = (long) (rep.nOutput * 4 + ++ rep.nPossibleOutput * 4); + +- /* +- * first we must compute how much space to allocate for +- * randr library's use; we'll allocate the structures in a single +- * allocation, on cleanlyness grounds. +- */ ++ /* ++ * first we must compute how much space to allocate for ++ * randr library's use; we'll allocate the structures in a single ++ * allocation, on cleanlyness grounds. 
++ */ + +- rbytes = (sizeof (XRRCrtcInfo) + +- rep.nOutput * sizeof (RROutput) + +- rep.nPossibleOutput * sizeof (RROutput)); ++ rbytes = (sizeof (XRRCrtcInfo) + ++ rep.nOutput * sizeof (RROutput) + ++ rep.nPossibleOutput * sizeof (RROutput)); ++ ++ xci = (XRRCrtcInfo *) Xmalloc(rbytes); ++ } ++ else ++ { ++ nbytes = 0; ++ nbytesRead = 0; ++ rbytes = 0; ++ xci = NULL; ++ } + +- xci = (XRRCrtcInfo *) Xmalloc(rbytes); + if (xci == NULL) { + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); +@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc) + if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) + goto out; + +- nbytes = (long) rep.length << 2; ++ if (rep.length < INT_MAX >> 2) ++ { ++ nbytes = (long) rep.length << 2; + +- /* three channels of CARD16 data */ +- nbytesRead = (rep.size * 2 * 3); ++ /* three channels of CARD16 data */ ++ nbytesRead = (rep.size * 2 * 3); + +- crtc_gamma = XRRAllocGamma (rep.size); ++ crtc_gamma = XRRAllocGamma (rep.size); ++ } ++ else ++ { ++ nbytes = 0; ++ nbytesRead = 0; ++ crtc_gamma = NULL; ++ } + + if (!crtc_gamma) + { +@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy, + xRRGetCrtcTransformReq *req; + int major_version, minor_version; + XRRCrtcTransformAttributes *attr; +- char *extra = NULL, *e; ++ char *extra = NULL, *end = NULL, *e; + int p; + + *attributes = NULL; +@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy, + else + { + int extraBytes = rep.length * 4 - CrtcTransformExtra; +- extra = Xmalloc (extraBytes); ++ if (rep.length < INT_MAX / 4 && ++ rep.length * 4 >= CrtcTransformExtra) { ++ extra = Xmalloc (extraBytes); ++ end = extra + extraBytes; ++ } else ++ extra = NULL; + if (!extra) { +- _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); ++ if (rep.length > (CrtcTransformExtra >> 2)) ++ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); ++ else ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return False; +@@ -429,22 +458,38 @@ 
XRRGetCrtcTransform (Display *dpy, + + e = extra; + ++ if (e + rep.pendingNbytesFilter > end) { ++ XFree (extra); ++ return False; ++ } + memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter); + attr->pendingFilter[rep.pendingNbytesFilter] = '\0'; + e += (rep.pendingNbytesFilter + 3) & ~3; + for (p = 0; p < rep.pendingNparamsFilter; p++) { + INT32 f; ++ if (e + 4 > end) { ++ XFree (extra); ++ return False; ++ } + memcpy (&f, e, 4); + e += 4; + attr->pendingParams[p] = (XFixed) f; + } + attr->pendingNparams = rep.pendingNparamsFilter; + ++ if (e + rep.currentNbytesFilter > end) { ++ XFree (extra); ++ return False; ++ } + memcpy (attr->currentFilter, e, rep.currentNbytesFilter); + attr->currentFilter[rep.currentNbytesFilter] = '\0'; + e += (rep.currentNbytesFilter + 3) & ~3; + for (p = 0; p < rep.currentNparamsFilter; p++) { + INT32 f; ++ if (e + 4 > end) { ++ XFree (extra); ++ return False; ++ } + memcpy (&f, e, 4); + e += 4; + attr->currentParams[p] = (XFixed) f; +diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c +index a9eaa7b..adc5330 100644 +--- a/src/XrrMonitor.c ++++ b/src/XrrMonitor.c +@@ -24,6 +24,7 @@ + #include + #endif + ++#include + #include + #include + /* we need to be able to manipulate the Display structure on events */ +@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) + return NULL; + } + ++ if (rep.length > INT_MAX >> 2 || ++ rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) || ++ rep.noutputs > INT_MAX / 4 || ++ rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) { ++ _XEatData (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return NULL; ++ } + nbytes = (long) rep.length << 2; + nmon = rep.nmonitors; + noutput = rep.noutputs; +@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) + mon[m].outputs = output; + buf += SIZEOF (xRRMonitorInfo); + xoutput = (CARD32 *) buf; ++ if (xmon->noutput > rep.noutputs) { ++ Xfree(buf); ++ 
Xfree(mon); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return NULL; ++ } ++ rep.noutputs -= xmon->noutput; + for (o = 0; o < xmon->noutput; o++) + output[o] = xoutput[o]; + output += xmon->noutput; +diff --git a/src/XrrOutput.c b/src/XrrOutput.c +index 85f0b6e..30f3d40 100644 +--- a/src/XrrOutput.c ++++ b/src/XrrOutput.c +@@ -25,6 +25,7 @@ + #include + #endif + ++#include + #include + #include + /* we need to be able to manipulate the Display structure on events */ +@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output) + return NULL; + } + ++ if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2)) ++ { ++ if (rep.length > (OutputInfoExtra >> 2)) ++ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2)); ++ else ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return NULL; ++ } + nbytes = ((long) (rep.length) << 2) - OutputInfoExtra; + + nbytesRead = (long) (rep.nCrtcs * 4 + +diff --git a/src/XrrProvider.c b/src/XrrProvider.c +index 9e620c7..d796cd0 100644 +--- a/src/XrrProvider.c ++++ b/src/XrrProvider.c +@@ -25,6 +25,7 @@ + #include + #endif + ++#include + #include + #include + /* we need to be able to manipulate the Display structure on events */ +@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window) + return NULL; + } + +- nbytes = (long) rep.length << 2; ++ if (rep.length < INT_MAX >> 2) { ++ nbytes = (long) rep.length << 2; + +- nbytesRead = (long) (rep.nProviders * 4); ++ nbytesRead = (long) (rep.nProviders * 4); + +- rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider)); +- xrpr = (XRRProviderResources *) Xmalloc(rbytes); ++ rbytes = (sizeof(XRRProviderResources) + rep.nProviders * ++ sizeof(RRProvider)); ++ xrpr = (XRRProviderResources *) Xmalloc(rbytes); ++ } else { ++ nbytes = 0; ++ nbytesRead = 0; ++ rbytes = 0; ++ xrpr = NULL; ++ } + + if (xrpr == NULL) { + _XEatDataWords (dpy, rep.length); +@@ -121,6 +130,17 @@ 
XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi + return NULL; + } + ++ if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2) ++ { ++ if (rep.length < ProviderInfoExtra >> 2) ++ _XEatDataWords (dpy, rep.length); ++ else ++ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2)); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return NULL; ++ } ++ + nbytes = ((long) rep.length << 2) - ProviderInfoExtra; + + nbytesRead = (long)(rep.nCrtcs * 4 + +diff --git a/src/XrrScreen.c b/src/XrrScreen.c +index b8ce7e5..1f7ffe6 100644 +--- a/src/XrrScreen.c ++++ b/src/XrrScreen.c +@@ -24,6 +24,7 @@ + #include + #endif + ++#include + #include + #include + /* we need to be able to manipulate the Display structure on events */ +@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll) + xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version); + } + +- nbytes = (long) rep.length << 2; ++ if (rep.length < INT_MAX >> 2) { ++ nbytes = (long) rep.length << 2; + +- nbytesRead = (long) (rep.nCrtcs * 4 + +- rep.nOutputs * 4 + +- rep.nModes * SIZEOF (xRRModeInfo) + +- ((rep.nbytesNames + 3) & ~3)); ++ nbytesRead = (long) (rep.nCrtcs * 4 + ++ rep.nOutputs * 4 + ++ rep.nModes * SIZEOF (xRRModeInfo) + ++ ((rep.nbytesNames + 3) & ~3)); + +- /* +- * first we must compute how much space to allocate for +- * randr library's use; we'll allocate the structures in a single +- * allocation, on cleanlyness grounds. +- */ ++ /* ++ * first we must compute how much space to allocate for ++ * randr library's use; we'll allocate the structures in a single ++ * allocation, on cleanlyness grounds. 
++ */ ++ ++ rbytes = (sizeof (XRRScreenResources) + ++ rep.nCrtcs * sizeof (RRCrtc) + ++ rep.nOutputs * sizeof (RROutput) + ++ rep.nModes * sizeof (XRRModeInfo) + ++ rep.nbytesNames + rep.nModes); /* '\0' terminate names */ + +- rbytes = (sizeof (XRRScreenResources) + +- rep.nCrtcs * sizeof (RRCrtc) + +- rep.nOutputs * sizeof (RROutput) + +- rep.nModes * sizeof (XRRModeInfo) + +- rep.nbytesNames + rep.nModes); /* '\0' terminate names */ ++ xrsr = (XRRScreenResources *) Xmalloc(rbytes); ++ wire_names = (char *) Xmalloc (rep.nbytesNames); ++ } else { ++ nbytes = 0; ++ nbytesRead = 0; ++ rbytes = 0; ++ xrsr = NULL; ++ wire_names = NULL; ++ } + +- xrsr = (XRRScreenResources *) Xmalloc(rbytes); +- wire_names = (char *) Xmalloc (rep.nbytesNames); + if (xrsr == NULL || wire_names == NULL) { + Xfree (xrsr); + Xfree (wire_names); +@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll) + wire_name = wire_names; + for (i = 0; i < rep.nModes; i++) { + xrsr->modes[i].name = names; ++ if (xrsr->modes[i].nameLength > rep.nbytesNames) { ++ Xfree (xrsr); ++ Xfree (wire_names); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return NULL; ++ } ++ rep.nbytesNames -= xrsr->modes[i].nameLength; + memcpy (names, wire_name, xrsr->modes[i].nameLength); + names[xrsr->modes[i].nameLength] = '\0'; + names += xrsr->modes[i].nameLength + 1; +-- +cgit v0.10.2 + diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb index abbbae552..35c60b419 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb 
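Review bot: In the src/XrrMonitor.c part the new rejection path calls `Xfree(buf);` after the context line `buf += SIZEOF (xRRMonitorInfo);` has already advanced `buf`, so the pointer handed to the allocator is no longer the one that was allocated. Free a saved base pointer instead; none is visible in the hunk, so one may have to be introduced where the buffer is allocated. The first new check in the same function drains the reply with `_XEatData (dpy, rep.length);`, which counts bytes, although rep.length is in 4-byte units (`nbytes = (long) rep.length << 2;`) and the other files use `_XEatDataWords`. In XRRGetCrtcTransform the four added bounds checks do `XFree (extra); return False;` without releasing `attr`, which appears to be allocated by then (the allocation is outside the hunk), so each rejected reply would leak it.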
@@ -19,5 +19,8 @@ XORG_PN = "libXrandr" BBCLASSEXTEND = "native nativesdk" +SRC_URI += "file://CVE-2016-7947_CVE-2016-7948.patch \ + " + SRC_URI[md5sum] = "309762867e41c6fd813da880d8a1bc93" SRC_URI[sha256sum] = "6f864959b7fc35db11754b270d71106ef5b5cf363426aa58589cb8ac8266de58" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch new file mode 100644 index 000000000..73315b108 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch 
@@ -0,0 +1,59 @@ +From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:43:09 +0200 +Subject: Validate lengths while parsing server data. + +Individual lengths inside received server data can overflow +the previously reserved memory. + +It is therefore important to validate every single length +field to not overflow the previously agreed sum of all invidual +length fields. + +v2: consume remaining bytes in the reply buffer on error. + +CVE: CVE-2016-7949 +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb@laas.fr +Signed-off-by: Sona Sarmadi + +diff --git a/src/Xrender.c b/src/Xrender.c +index 3102eb2..71cf3e6 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy) + screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); + screen->subpixel = SubPixelUnknown; + xDepth = (xPictDepth *) (xScreen + 1); ++ if (screen->ndepths > rep.numDepths) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numDepths -= screen->ndepths; + for (nd = 0; nd < screen->ndepths; nd++) + { + depth->depth = xDepth->depth; + depth->nvisuals = xDepth->nPictVisuals; + depth->visuals = visual; + xVisual = (xPictVisual *) (xDepth + 1); ++ if (depth->nvisuals > rep.numVisuals) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numVisuals -= depth->nvisuals; + for (nv = 0; nv < depth->nvisuals; nv++) + { + visual->visual = _XRenderFindVisual (dpy, xVisual->visual); +-- +cgit v0.10.2 + diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb index 44cb2e0eb..eac367906 100644 
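Review bot: Both new rejection paths in XRenderQueryFormats() call `_XEatDataWords (dpy, rep.length);` while the loop is already parsing structures out of `xData`. If the reply body was read into `xData` before this loop (the read is outside the hunk), that call discards rep.length words of whatever follows on the connection rather than the rest of this reply, leaving the client out of step with the server. Confirm against the full function; if the body has been consumed by then, the two branches should only do `Xfree (xri); Xfree (xData); UnlockDisplay (dpy); SyncHandle (); return 0;`.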
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb @@ -19,5 +19,8 @@ XORG_PN = "libXrender" BBCLASSEXTEND = "native nativesdk" +SRC_URI += "file://CVE-2016-7949.patch \ + " + SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622" SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb deleted file mode 100644 index 1b0bcf391..000000000 --- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb +++ /dev/null @@ -1,20 +0,0 @@ -require xorg-lib-common.inc - -SUMMARY = "XTest: X Test extension library" - -DESCRIPTION = "This extension is a minimal set of client and server \ -extensions required to completely test the X11 server with no user \ -intervention." - -LICENSE = "MIT-style" -LIC_FILES_CHKSUM = "file://COPYING;md5=bb4f89972c3869f617f61c1a79ad1952 \ - file://src/XTest.c;beginline=2;endline=32;md5=b1c8c9dff842b4d5b89ca5fa32c40e99" - -DEPENDS += "libxext recordproto inputproto libxi" -PROVIDES = "xtst" -PE = "1" - -XORG_PN = "libXtst" - -SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59" -SRC_URI[sha256sum] = "ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb new file mode 100644 index 000000000..31ea4392d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb 
@@ -0,0 +1,20 @@ +require xorg-lib-common.inc + +SUMMARY = "XTest: X Test extension library" + +DESCRIPTION = "This extension is a minimal set of client and server \ +extensions required to completely test the X11 server with no user \ +intervention." + +LICENSE = "MIT-style" +LIC_FILES_CHKSUM = "file://COPYING;md5=bb4f89972c3869f617f61c1a79ad1952 \ + file://src/XTest.c;beginline=2;endline=32;md5=b1c8c9dff842b4d5b89ca5fa32c40e99" + +DEPENDS += "libxext recordproto inputproto libxi" +PROVIDES = "xtst" +PE = "1" + +XORG_PN = "libXtst" + +SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca" +SRC_URI[sha256sum] = "4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4bf5204" -- cgit v1.2.3