diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile index 7b275af548a7..519675c16d7e 100644 --- a/x11-servers/xorg-server/Makefile +++ b/x11-servers/xorg-server/Makefile @@ -1,137 +1,137 @@ # Created by: Eric Anholt # $FreeBSD$ PORTNAME?= xorg-server PORTVERSION?= 1.18.4 -PORTREVISION?= 6 +PORTREVISION?= 7 PORTEPOCH?= 1 CATEGORIES= x11-servers MASTER_SITES= XORG/individual/xserver DISTNAME= xorg-server-${PORTVERSION} MAINTAINER= x11@FreeBSD.org COMMENT?= X.Org X server and related programs LICENSE= MIT RUN_DEPENDS+= xkeyboard-config>=2.5:x11/xkeyboard-config \ xkbcomp:x11/xkbcomp XORG_CAT= xserver SLAVE_PORT?= no OPTIONS_SUB= yes OPTIONS_DEFINE= SUID OPTIONS_RADIO= CONF OPTIONS_RADIO_CONF= DEVD HAL DEVD_DESC= Use devd for autoconfiguration of input devices HAL_DESC= Use hald for autoconfiguration of input devices SUID_DESC= Install the Xorg server with setuid bit set OPTIONS_DEFAULT=DEVD SUID OPTIONS_EXCLUDE_sparc64= HAL .include USES= gmake libtool perl5 ssl tar:bzip2 USE_PERL5= build USE_GL+= gl USE_XORG+= bigreqsproto compositeproto damageproto dri2proto dri3proto \ fixesproto fontsproto glproto inputproto kbproto pixman \ presentproto randrproto recordproto renderproto \ resourceproto scrnsaverproto videoproto xau \ xcmiscproto xdmcp xextproto xf86driproto xfont \ xineramaproto xkbfile xproto xshmfence xtrans CONFIGURE_ARGS+=--without-doxygen --without-xmlto --without-fop \ --localstatedir=/var --with-shared-memory-dir=/tmp \ --disable-config-udev --disable-config-udev-kms \ --without-dtrace --enable-glamor INSTALL_TARGET= install-strip .if ${SLAVE_PORT} == "no" || ${PORTNAME} == "xephyr" || ${PORTNAME} == "xwayland" LIB_DEPENDS+= libdrm.so:graphics/libdrm \ libepoxy.so:graphics/libepoxy .else BUILD_DEPENDS+= libepoxy>0:graphics/libepoxy # only for configure .endif .if ${SLAVE_PORT} == "no" USE_GL+= gbm USE_XORG+= pciaccess xf86dgaproto xf86vidmodeproto CONFIGURE_ARGS+=--disable-dmx --disable-xephyr --disable-xnest --disable-xvfb \ --disable-xwayland SUB_FILES= pkg-install pkg-deinstall .else CONFIGURE_ARGS+=--disable-xorg # for slave ports we need to overwrite PLIST, so it doesn't overwrite # PLIST_FILES, with the masterport plist. PLIST= ${.CURDIR}/pkg-plist .endif .include .if ${SSL_DEFAULT} == base # The reason why I use this is cause openssl from base doesn't install a .pc file # and configure will fail trying to find it. Setting both of those variables to # a *non-empty* value by-passes the pkg-config check. CONFIGURE_ENV= SHA1_LIB="-L/usr/lib -lcrypto" SHA1_CFLAGS="-I/usr/include" .endif .if ${PORT_OPTIONS:MHAL} LIB_DEPENDS+= libhal.so:sysutils/hal CONFIGURE_ARGS+= --enable-config-hal .else CONFIGURE_ARGS+= --disable-config-hal .endif # We handle Xorg setuid in the plist. This allows to build xorg-server as a user. CONFIGURE_ARGS+=--disable-install-setuid .if ${ARCH} == "i386" || ${ARCH} == "amd64" LIB_DEPENDS+= libunwind.so:devel/libunwind .endif .if ${ARCH} == "sparc64" PLIST_SUB+= SPARC64="" .else PLIST_SUB+= SPARC64="@comment " .endif .if ${PORT_OPTIONS:MSUID} pre-everything:: @${ECHO_MSG} "By default, the X Server installs as a set-user-id root binary. When run by" @${ECHO_MSG} "a normal user, it checks arguments and environment as done in the x11/wrapper" @${ECHO_MSG} "port before handling them normally. If you are concerned about the security" @${ECHO_MSG} "of this, but still want to run an X Server (for example using xdm/kdm/gdm," @${ECHO_MSG} "which will still run the server as root), you can cancel the build and set" @${ECHO_MSG} "xorg-server_UNSET=SUID in /etc/make.conf." .endif post-patch: @${REINPLACE_CMD} 's/test.*-traditional.*;/true;/' \ ${WRKSRC}/configure # build libglx.so but don't install it yet. which is done in pre-install. @${REINPLACE_CMD} -e 's|@GLX_TRUE@GLXMODS =|@GLX_BOGUS@GLXMODS =|g' \ -e 's|^LTLIBRARIES = |LTLIBRARIES = libglx.la |g' \ ${WRKSRC}/hw/xfree86/dixmods/Makefile.in post-configure: .if ${PORT_OPTIONS:MDEVD} @${REINPLACE_CMD} -e 's|config\.c|config.c devd.c|g' \ -e 's|config\.lo|config.lo devd.lo|g' \ ${WRKSRC}/config/Makefile @${REINPLACE_CMD} -e 's|^/\* #undef CONFIG_UDEV \*/|#define CONFIG_DEVD 1|' \ ${WRKSRC}/include/dix-config.h .endif .if ${SLAVE_PORT} == "no" post-install: # The .xorg dir because else the xorg-server might not load the correct # libglx module. @${MKDIR} ${STAGEDIR}${PREFIX}/lib/xorg/modules/extensions/.xorg ${INSTALL_LIB} ${WRKSRC}/hw/xfree86/dixmods/.libs/libglx.so \ ${STAGEDIR}${PREFIX}/lib/xorg/modules/extensions/.xorg/ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/X11/xorg.conf.d .endif # ! SLAVE_PORT .include diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-10971 b/x11-servers/xorg-server/files/patch-CVE-2017-10971 new file mode 100644 index 000000000000..6eae9000fe40 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2017-10971 @@ -0,0 +1,163 @@ +From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Wed, 24 May 2017 15:54:40 +0300 +Subject: dix: Disallow GenericEvent in SendEvent request. + +The SendEvent request holds xEvent which is exactly 32 bytes long, no more, +no less. Both ProcSendEvent and SProcSendEvent verify that the received data +exactly match the request size. However nothing stops the client from passing +in event with xEvent::type = GenericEvent and any value of +xGenericEvent::length. + +In the case of ProcSendEvent, the event will be eventually passed to +WriteEventsToClient which will see that it is Generic event and copy the +arbitrary length from the receive buffer (and possibly past it) and send it to +the other client. This allows clients to copy unitialized heap memory out of X +server or to crash it. + +In case of SProcSendEvent, it will attempt to swap the incoming event by +calling a swapping function from the EventSwapVector array. The swapped event +is written to target buffer, which in this case is local xEvent variable. The +xEvent variable is 32 bytes long, but the swapping functions for GenericEvents +expect that the target buffer has size matching the size of the source +GenericEvent. This allows clients to cause stack buffer overflows. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer +--- + dix/events.c | 6 ++++++ + dix/swapreq.c | 7 +++++++ + 2 files changed, 13 insertions(+) + +diff --git a/dix/events.c b/dix/events.c +index 3e3a01e..d3a33ea 100644 +--- dix/events.c ++++ dix/events.c +@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) + client->errorValue = stuff->event.u.u.type; + return BadValue; + } ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } + if (stuff->event.u.u.type == ClientMessage && + stuff->event.u.u.detail != 8 && + stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { +diff --git a/dix/swapreq.c b/dix/swapreq.c +index 719e9b8..6785059 100644 +--- dix/swapreq.c ++++ dix/swapreq.c +@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) + swapl(&stuff->destination); + swapl(&stuff->eventMask); + ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } ++ + /* Swap event */ + proc = EventSwapVector[stuff->event.u.u.type & 0177]; + if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ +-- +cgit v1.1 + +From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Wed, 24 May 2017 15:54:41 +0300 +Subject: Xi: Verify all events in ProcXSendExtensionEvent. + +The requirement is that events have type in range +EXTENSION_EVENT_BASE..lastEvent, but it was tested +only for first event of all. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer +--- + Xi/sendexev.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 1cf118a..5e63bfc 100644 +--- Xi/sendexev.c ++++ Xi/sendexev.c +@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) + int + ProcXSendExtensionEvent(ClientPtr client) + { +- int ret; ++ int ret, i; + DeviceIntPtr dev; + xEvent *first; + XEventClass *list; +@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); +- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && +- (first->u.u.type < lastEvent))) { +- client->errorValue = first->u.u.type; +- return BadValue; ++ for (i = 0; i < stuff->num_events; i++) { ++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && ++ (first[i].u.u.type < lastEvent))) { ++ client->errorValue = first[i].u.u.type; ++ return BadValue; ++ } + } + + list = (XEventClass *) (first + stuff->num_events); +-- +cgit v1.1 + +From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Wed, 24 May 2017 15:54:42 +0300 +Subject: Xi: Do not try to swap GenericEvent. + +The SProcXSendExtensionEvent must not attempt to swap GenericEvent because +it is assuming that the event has fixed size and gives the swapping function +xEvent-sized buffer. + +A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer +--- + Xi/sendexev.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 5e63bfc..5c2e0fc 100644 +--- Xi/sendexev.c ++++ Xi/sendexev.c +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +-- +cgit v1.1 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-10972 b/x11-servers/xorg-server/files/patch-CVE-2017-10972 new file mode 100644 index 000000000000..444d0d2c5d2a --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2017-10972 @@ -0,0 +1,38 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer +--- + Xi/sendexev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- Xi/sendexev.c ++++ Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v1.1 +