From a800c112e559f56058ddff120484d618caf022a5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 13 2022 12:57:07 +0000
Subject: import xorg-x11-server-1.20.11-4.el8
---
diff --git a/SOURCES/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch b/SOURCES/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
new file mode 100644
index 0000000..b53c7bf
--- /dev/null
+++ b/SOURCES/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
@@ -0,0 +1,35 @@
+From acc50e6097d51fec0c6c34d84c35018a50c52d5a Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Tue, 14 Dec 2021 15:00:00 +0200
+Subject: [PATCH xserver 1/4] record: Fix out of bounds access in
+ SwapCreateRegister()
+
+ZDI-CAN-14952, CVE-2021-4011
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas
+(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
+---
+ record/record.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index 05d751ac2..a8aec23bd 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+- - stuff->nClients)
++ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+ return Success;
+--
+2.33.1
+
diff --git a/SOURCES/0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch b/SOURCES/0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
new file mode 100644
index 0000000..0d55af7
--- /dev/null
+++ b/SOURCES/0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
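Review bot: The new nRanges bound in SwapCreateRegister() still depends on the unsigned subtraction `client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients` not wrapping, and the test that would cap nClients is not visible in this hunk because the function starts above it. If that earlier check exists the arithmetic is sound, but nothing at the condition records the dependency or the change of units that this fix introduces. A comment above the `if` would make both explicit, for example `/* words left after the client IDs, divided by words per xRecordRange; nClients was bounded above */`.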
@@ -0,0 +1,167 @@
+From dafe5f6358edd557d89bb63265d6df2e1249f106 Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe
+Date: Thu, 18 Nov 2021 14:45:42 +0100
+Subject: [PATCH] xf86/logind: fix call systemd_logind_vtenter after receiving
+ drm device resume
+
+logind send the resume event for input devices and drm device,
+in any order. if we call vt_enter before logind resume the drm device,
+it leads to a driver error, because logind has not done the
+DRM_IOCTL_SET_MASTER on it.
+
+Keep the old workaround to make sure we call systemd_logind_vtenter at
+least once if there are no platform device
+
+Signed-off-by: Jocelyn Falempe
+Reviewed-by: Hans de Goede
+
+xf86/logind: Fix drm_drop_master before vt_reldisp
+
+When switching to VT, the ioctl DRM_DROP_MASTER must be done before
+the ioctl VT_RELDISP. Otherwise the kernel can't change the modesetting
+reliably, and this leads to the console not showing up in some cases, like
+after unplugging a docking station with a DP or HDMI monitor.
+
+Before doing the VT_RELDISP, send a dbus message to logind, to
+pause the drm device, so logind will do the ioctl DRM_DROP_MASTER.
+
+With this patch, it changes the order logind will send the resume
+event, and drm will be sent last instead of first.
+so there is a also fix to call systemd_logind_vtenter() at the right time.
+
+Signed-off-by: Jocelyn Falempe
+Reviewed-by: Hans de Goede
+
+xf86/logind: Fix compilation error when built without logind/platform bus
+
+This was introduced by commit 8eb1396d
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1269
+Fixes: da9d012a9 - xf86/logind: Fix drm_drop_master before vt_reldisp
+
+Signed-off-by: Jocelyn Falempe
+Reviewed-by: Hans de Goede
+
+xf86/logind: fix missing call to vtenter if the platform device is not paused
+
+If there is one platform device, which is not paused nor resumed,
+systemd_logind_vtenter() will never get called.
+This break suspend/resume, and switching to VT on system with Nvidia
+proprietary driver.
+This is a regression introduced by f5bd039633fa83
+
+So now call systemd_logind_vtenter() if there are no paused
+platform devices.
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1271
+Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
+
+Signed-off-by: Jocelyn Falempe
+Tested-by: Olivier Fourdan
+Reviewed-by: Hans de Goede
+---
+ hw/xfree86/common/xf86Events.c | 4 ++
+ hw/xfree86/os-support/linux/systemd-logind.c | 41 +++++++++++++++++---
+ include/systemd-logind.h | 2 +
+ 3 files changed, 42 insertions(+), 5 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
+index 8a800bd8f..b683d233b 100644
+--- a/hw/xfree86/common/xf86Events.c
++++ b/hw/xfree86/common/xf86Events.c
+@@ -393,6 +393,10 @@ xf86VTLeave(void)
+ for (i = 0; i < xf86NumGPUScreens; i++)
+ xf86GPUScreens[i]->LeaveVT(xf86GPUScreens[i]);
+
++ if (systemd_logind_controls_session()) {
++ systemd_logind_drop_master();
++ }
++
+ if (!xf86VTSwitchAway())
+ goto switch_failed;
+
+diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
+index 13784d15c..bd7a341f0 100644
+--- a/hw/xfree86/os-support/linux/systemd-logind.c
++++ b/hw/xfree86/os-support/linux/systemd-logind.c
+@@ -302,6 +302,37 @@ cleanup:
+ dbus_error_free(&error);
+ }
+
++/*
++ * Send a message to logind, to pause the drm device
++ * and ensure the drm_drop_master is done before
++ * VT_RELDISP when switching VT
++ */
++void systemd_logind_drop_master(void)
++{
++ int i;
++ for (i = 0; i < xf86_num_platform_devices; i++) {
++ if (xf86_platform_devices[i].flags & XF86_PDEV_SERVER_FD) {
++ dbus_int32_t major, minor;
++ struct systemd_logind_info *info = &logind_info;
++
++ xf86_platform_devices[i].flags |= XF86_PDEV_PAUSED;
++ major = xf86_platform_odev_attributes(i)->major;
++ minor = xf86_platform_odev_attributes(i)->minor;
++ systemd_logind_ack_pause(info, minor, major);
++ }
++ }
++}
++
++static Bool are_platform_devices_resumed(void) {
++ int i;
++ for (i = 0; i < xf86_num_platform_devices; i++) {
++ if (xf86_platform_devices[i].flags & XF86_PDEV_PAUSED) {
++ return FALSE;
++ }
++ }
++ return TRUE;
++}
++
+ static DBusHandlerResult
+ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
+ {
+@@ -417,14 +448,14 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
+ /* info->vt_active gets set by systemd_logind_vtenter() */
+ info->active = TRUE;
+
+- if (pdev)
++ if (pdev) {
+ pdev->flags &= ~XF86_PDEV_PAUSED;
+- else
++ } else
+ systemd_logind_set_input_fd_for_all_devs(major, minor, fd,
+ info->vt_active);
+-
+- /* Always call vtenter(), in case there are only legacy video devs */
+- systemd_logind_vtenter();
++ /* Call vtenter if all platform devices are resumed, or if there are no platform device */
++ if (are_platform_devices_resumed())
++ systemd_logind_vtenter();
+ }
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+diff --git a/include/systemd-logind.h b/include/systemd-logind.h
+index a4067d097..5c04d0130 100644
+--- a/include/systemd-logind.h
++++ b/include/systemd-logind.h
+@@ -33,6 +33,7 @@ int systemd_logind_take_fd(int major, int minor, const char *path, Bool *paus);
+ void systemd_logind_release_fd(int major, int minor, int fd);
+ int systemd_logind_controls_session(void);
+ void systemd_logind_vtenter(void);
++void systemd_logind_drop_master(void);
+ #else
+ #define systemd_logind_init()
+ #define systemd_logind_fini()
+@@ -40,6 +41,7 @@ void systemd_logind_vtenter(void);
+ #define systemd_logind_release_fd(major, minor, fd) close(fd)
+ #define systemd_logind_controls_session() 0
+ #define systemd_logind_vtenter()
++#define systemd_logind_drop_master()
+ #endif
+
+ #endif
+--
+2.33.1
+
diff --git a/SOURCES/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch b/SOURCES/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
new file mode 100644
index 0000000..35f88ed
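Review bot: systemd_logind_drop_master() sets XF86_PDEV_PAUSED on every XF86_PDEV_SERVER_FD device before calling systemd_logind_ack_pause() and regardless of how that call fares, while message_filter() now calls systemd_logind_vtenter() only when are_platform_devices_resumed() finds no paused device. If logind never delivers a resume for one of those devices, VT re-entry would stay blocked with nothing logged; this is inferred, since the body of ack_pause and its failure handling are outside the hunk. A debug message on the path where the gate refuses would make such a hang diagnosable. The call also passes `minor, major`, the reverse of the major-then-minor order used by the prototypes in systemd-logind.h, so a comment confirming that this matches the callee's parameter order would help the next reader.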
--- /dev/null
+++ b/SOURCES/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
@@ -0,0 +1,44 @@
+From 6bb8aeb30a2686facc48733016caade97ece10ad Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Tue, 14 Dec 2021 15:00:01 +0200
+Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in
+ *ProcXFixesCreatePointerBarrier()
+
+ZDI-CAN-14950, CVE-2021-4009
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas
+(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
+---
+ xfixes/cursor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index d4b68f3af..5f531a89a 100644
+--- a/xfixes/cursor.c
++++ b/xfixes/cursor.c
+@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
+ {
+ REQUEST(xXFixesCreatePointerBarrierReq);
+
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+ LEGAL_NEW_RESOURCE(stuff->barrier, client);
+
+ return XICreatePointerBarrier(client, stuff);
+@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+
+ swapl(&stuff->barrier);
+ swapl(&stuff->window);
+--
+2.33.1
+
diff --git a/SOURCES/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch b/SOURCES/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
new file mode 100644
index 0000000..698dea2
--- /dev/null
+++ b/SOURCES/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
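Review bot: The corrected length expression `pad_to_int32(stuff->num_devices * sizeof(CARD16))` is now duplicated in ProcXFixesCreatePointerBarrier() and SProcXFixesCreatePointerBarrier(), and neither site says why the factor is there. A short comment at both calls, such as `/* num_devices counts the CARD16 entries that follow the fixed request */`, would keep the two checks from drifting apart again. In the swapped variant the check relies on `swaps(&stuff->num_devices)` having run first. Whether the fixed part of the request was length-checked before those swaps is not visible, because the function starts above the hunk.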
@@ -0,0 +1,34 @@
+From 67425fcab50ef24a5617e109897f38876dd81277 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Tue, 14 Dec 2021 15:00:02 +0200
+Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in
+ SProcScreenSaverSuspend()
+
+ZDI-CAN-14951, CVE-2021-4010
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas
+(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c27a66c80..c23907dbb 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
+ REQUEST(xScreenSaverSuspendReq);
+
+ swaps(&stuff->length);
+- swapl(&stuff->suspend);
+ REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
++ swapl(&stuff->suspend);
+ return ProcScreenSaverSuspend(client);
+ }
+
+--
+2.33.1
+
diff --git a/SOURCES/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch b/SOURCES/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
new file mode 100644
index 0000000..f2de693
--- /dev/null
+++ b/SOURCES/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
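Review bot: Nothing in SProcScreenSaverSuspend() records the ordering rule this fix establishes, so a later edit could move a field swap back above REQUEST_SIZE_MATCH. `swaps(&stuff->length)` still runs before the check; that is presumably safe because the length field sits in the request header, but the hunk does not show it. A comment above the macro would state the invariant, for example `/* check the request length before swapping any field past the header */`.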
@@ -0,0 +1,53 @@ +From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001 +From: Povilas Kanapickas +Date: Tue, 14 Dec 2021 15:00:03 +0200 +Subject: [PATCH xserver 4/4] render: Fix out of bounds access in + SProcRenderCompositeGlyphs() + +ZDI-CAN-14192, CVE-2021-4008 + +This vulnerability was discovered and the fix was suggested by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Povilas Kanapickas +(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60) +--- + render/render.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/render/render.c b/render/render.c +index c376090ca..456f156d4 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) + + i = elt->len; + if (i == 0xff) { ++ if (buffer + 4 > end) { ++ return BadLength; ++ } + swapl((int *) buffer); + buffer += 4; + } +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) + buffer += i; + break; + case 2: ++ if (buffer + i * 2 > end) { ++ return BadLength; ++ } + while (i--) { + swaps((short *) buffer); + buffer += 2; + } + break; + case 4: ++ if (buffer + i * 4 > end) { ++ return BadLength; ++ } + while (i--) { + swapl((int *) buffer); + buffer += 4; +-- +2.33.1 + diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec index 6d4ff02..062551a 100644 --- a/SPECS/xorg-x11-server.spec +++ b/SPECS/xorg-x11-server.spec @@ -46,7 +46,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 2%{?gitdate:.%{gitdate}}%{?dist} +Release: 4%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X 
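Review bot: The three guards added to SProcRenderCompositeGlyphs() compute `buffer + 4`, `buffer + i * 2` and `buffer + i * 4` before comparing with `end`, so the check itself forms a pointer that may lie past the request buffer. Comparing against the remaining length avoids that: `if (end - buffer < 4)`, `if (i > (end - buffer) / 2)` and `if (i > (end - buffer) / 4)`. The arm just before `case 2` advances with `buffer += i` and no comparable test; it swaps nothing, so it relies on the loop condition, which is outside the hunk, to stop before the next element header is read. The declarations of buffer, end and i are also outside the hunk, so their types and any cast the subtraction needs should be confirmed.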
@@ -108,6 +108,16 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch +Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch + +# CVE-2021-4011 +Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch +# CVE-2021-4009 +Patch10010: 0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch +# CVE-2021-4010 +Patch10011: 0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch +# CVE-2021-4008 +Patch10012: 0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch BuildRequires: systemtap-sdt-devel BuildRequires: git @@ -534,6 +544,14 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Thu Jan 6 2022 Olivier Fourdan - 1.20.11-4 +- CVE fix for: CVE-2021-4008 (#2030162), CVE-2021-4009 (#2030172), + CVE-2021-4010 (#2030175), CVE-2021-4011 (#2030181) + +* Mon Nov 29 2021 Jocelyn Falempe - 1.20.11-3 +- xf86/logind Fix drm_drop_master before vt_reldis + Resolves: #1771863 + * Wed Jun 9 2021 Olivier Fourdan - 1.20.11-2 - Remove Xwayland from the xserver builds Resolves: #1956838