From a688fe2dc6a3c304fdbdfb5a4a44cd25c15be76b Mon Sep 17 00:00:00 2001
From: orange-snn
Date: Wed, 9 Dec 2020 11:00:51 +0800
Subject: [PATCH] add CVE-2020-14345
---
CVE-2020-14345.patch | 179 +++++++++++++++++++++++++++++++++++++++++++
xorg-x11-server.spec | 11 ++-
2 files changed, 188 insertions(+), 2 deletions(-)
create mode 100644 CVE-2020-14345.patch
diff --git a/CVE-2020-14345.patch b/CVE-2020-14345.patch
new file mode 100644
index 0000000..06bf715
--- /dev/null
+++ b/CVE-2020-14345.patch
@@ -0,0 +1,179 @@
+From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: [PATCH] Correct bounds checking in XkbSetNames()
+
+CVE-2020-14345 / ZDI 11428
+reference£ºhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 3162574..ca7f44a 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define CHK_REQ_KEY_RANGE(err,first,num,r) \
+ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+
++static Bool
++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
++ char *cstuff = (char *)stuff;
++ char *cfrom = (char *)from;
++ char *cto = (char *)to;
++
++ return cfrom < cto &&
++ cfrom >= cstuff &&
++ cfrom < cstuff + ((size_t)client->req_len << 2) &&
++ cto >= cstuff &&
++ cto <= cstuff + ((size_t)client->req_len << 2);
++}
++
+ /***====================================================================***/
+
+ int
+@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+ return BadAccess;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
++ return BadLength;
+ old = tmp;
+ tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+ if (!tmp) {
+@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ }
+ width = (CARD8 *) tmp;
+ tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
++ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
++ return BadLength;
+ type = &xkb->map->types[stuff->firstKTLevel];
+ for (i = 0; i < stuff->nKTLevels; i++, type++) {
+ if (width[i] == 0)
+@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ type->num_levels, width[i]);
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x08;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->indicators)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+ client->swapped, &bad);
+ if (!tmp) {
+@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x09;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->virtualMods)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+ (CARD32) stuff->virtualMods,
+ client->swapped, &bad);
+@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x0a;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->groupNames)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+ (CARD32) stuff->groupNames,
+ client->swapped, &bad);
+@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ stuff->nKeys);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
++ return BadLength;
+ tmp += stuff->nKeys;
+ }
+ if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + (stuff->nKeyAliases * 2)))
++ return BadLength;
+ tmp += stuff->nKeyAliases * 2;
+ }
+ if (stuff->which & XkbRGNamesMask) {
+@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + stuff->nRadioGroups))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
+ /* check device-independent stuff */
+ tmp = (CARD32 *) &stuff[1];
+
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbKeycodesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbGeometryNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbPhysSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbTypesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbCompatNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) { +-- +2.27.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 41bd3b5..9d5d7b5 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.8 -Release: 2 +Release: 3 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -81,6 +81,7 @@ Patch0029: xorg-s11-server-CVE-2018-20839.patch Patch0030: CVE-2020-14346.patch Patch0031: CVE-2020-14361.patch Patch0032: CVE-2020-14362.patch +Patch0033: CVE-2020-14345.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -323,9 +324,15 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_libdir}/xorg/protocol.txt %changelog +* Wed Dec 09 2020 orange-snn - 1.20.8-3 +- Type:CVE +- Id:CVE-2020-14345 +- SUG:NA +- DESC:fix CVE-2020-14345 + * Tue Dec 08 2020 zhanzhimin - 1.20.8-2 - Type:CVE -- CVE:CVE-2020-14346,CVE-2020-14361,CVE-2020-14362 +- Id:CVE-2020-14346,CVE-2020-14361,CVE-2020-14362 - SUG:NA - DESC:fix CVE-2020-14346,CVE-2020-14361,CVE-2020-14362 -- Gitee
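Review bot: In the ProcXkbSetNames hunks of the embedded xkb.c patch, each added `_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)` sits before its `if (stuff->which & Xkb…NameMask)` guard rather than inside it, so one more CARD32 is required even when that name is not part of the request. A request whose data ends exactly at `tmp` at any of those six points would therefore appear to get BadLength although that atom is never read; whether real clients send such requests is not visible here. Moving each check inside its guard, directly above the `_XkbCheckAtoms(tmp, 1, client->swapped, &bad)` call, keeps the read bounded without that side effect. Separately, `_XkbCheckRequestBounds` rejects an empty range (`cfrom < cto`) and is handed a `to` pointer computed before it is known to lie inside the request, so a comment such as `/* TRUE iff [from, to) is non-empty and inside the request; callers must reject zero counts first */` would make the contract explicit. ProcXkbSetNames and _XkbSetNamesCheck both continue outside the hunks shown.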