Index: branches/2017Q4/x11-servers/xorg-nestserver/Makefile =================================================================== --- branches/2017Q4/x11-servers/xorg-nestserver/Makefile (revision 455865) +++ branches/2017Q4/x11-servers/xorg-nestserver/Makefile (revision 455866) @@ -1,36 +1,44 @@ # Created by: Eric Anholt # $FreeBSD$ PORTNAME= xorg-nestserver PORTVERSION= 1.19.1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 2 COMMENT= Nesting X server from X.Org LICENSE= MIT MASTERDIR= ${.CURDIR}/../xorg-server DESCR= ${.CURDIR}/pkg-descr DISTINFO_FILE= ${.CURDIR}/distinfo PATCHDIR= ${.CURDIR}/files RUN_DEPENDS= xkeyboard-config>=2.5:x11/xkeyboard-config SLAVE_PORT= yes OPTIONS_EXCLUDE=DEVD HAL SUID USE_XORG= x11 xext xfont2 CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable-xephyr --disable-xvfb \ --disable-xwayland PLIST_FILES= bin/Xnest man/man1/Xnest.1.gz -EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ - ${MASTERDIR}/files/patch-CVE-2017-13723 +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-12176 \ + ${MASTERDIR}/files/patch-CVE-2017-12177 \ + ${MASTERDIR}/files/patch-CVE-2017-12178 \ + ${MASTERDIR}/files/patch-CVE-2017-12179 \ + ${MASTERDIR}/files/patch-CVE-2017-12183 \ + ${MASTERDIR}/files/patch-CVE-2017-1218x \ + ${MASTERDIR}/files/patch-CVE-2017-1218y \ + ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 \ + ${MASTERDIR}/files/patch-os_io.c do-install: cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install .include "${MASTERDIR}/Makefile" Index: branches/2017Q4/x11-servers/xorg-server/Makefile =================================================================== --- branches/2017Q4/x11-servers/xorg-server/Makefile (revision 455865) +++ branches/2017Q4/x11-servers/xorg-server/Makefile (revision 455866) 
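Review bot: The new EXTRA_PATCHES list pulls the master port's CVE patches by hand while this slave builds a different source tree — `PORTVERSION= 1.19.1` here overrides the master's `PORTVERSION?= 1.18.4` — so each newly listed patch should be confirmed to apply to the 1.19.1 tree without fuzz or offset warnings rather than assumed to. Because `PATCHDIR= ${.CURDIR}/files` points at the slave's own directory, a patch dropped into the master's `files/` but not listed here is silently not applied to Xnest; I would add a comment above the list: `# Must mirror the security patches in ${MASTERDIR}/files; this slave's PATCHDIR does not pick them up automatically.` `patch-os_io.c` is referenced but its addition is not visible in this chunk.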
@@ -1,137 +1,137 @@ # Created by: Eric Anholt # $FreeBSD$ PORTNAME?= xorg-server PORTVERSION?= 1.18.4 -PORTREVISION?= 4 +PORTREVISION?= 5 PORTEPOCH?= 1 CATEGORIES= x11-servers MASTER_SITES= XORG/individual/xserver DISTNAME= xorg-server-${PORTVERSION} MAINTAINER= x11@FreeBSD.org COMMENT?= X.Org X server and related programs LICENSE= MIT RUN_DEPENDS+= xkeyboard-config>=2.5:x11/xkeyboard-config \ xkbcomp:x11/xkbcomp XORG_CAT= xserver SLAVE_PORT?= no OPTIONS_SUB= yes OPTIONS_DEFINE= SUID OPTIONS_RADIO= CONF OPTIONS_RADIO_CONF= DEVD HAL DEVD_DESC= Use devd for autoconfiguration of input devices HAL_DESC= Use hald for autoconfiguration of input devices SUID_DESC= Install the Xorg server with setuid bit set OPTIONS_DEFAULT=DEVD SUID OPTIONS_EXCLUDE_sparc64= HAL .include USES= gmake libtool perl5 ssl tar:bzip2 USE_PERL5= build USE_GL+= gl USE_XORG+= bigreqsproto compositeproto damageproto dri2proto dri3proto \ fixesproto fontsproto glproto inputproto kbproto pixman \ presentproto randrproto recordproto renderproto \ resourceproto scrnsaverproto videoproto xau \ xcmiscproto xdmcp xextproto xf86driproto xfont \ xineramaproto xkbfile xproto xshmfence xtrans CONFIGURE_ARGS+=--without-doxygen --without-xmlto --without-fop \ --localstatedir=/var --with-shared-memory-dir=/tmp \ --disable-config-udev --disable-config-udev-kms \ --without-dtrace --enable-glamor INSTALL_TARGET= install-strip .if ${SLAVE_PORT} == "no" || ${PORTNAME} == "xephyr" || ${PORTNAME} == "xwayland" LIB_DEPENDS+= libdrm.so:graphics/libdrm \ libepoxy.so:graphics/libepoxy .else BUILD_DEPENDS+= libepoxy>0:graphics/libepoxy # only for configure .endif .if ${SLAVE_PORT} == "no" USE_GL+= gbm USE_XORG+= pciaccess xf86dgaproto xf86vidmodeproto CONFIGURE_ARGS+=--disable-dmx --disable-xephyr --disable-xnest --disable-xvfb \ --disable-xwayland SUB_FILES= pkg-install pkg-deinstall .else CONFIGURE_ARGS+=--disable-xorg # for slave ports we need to overwrite PLIST, so it doesn't overwrite # PLIST_FILES, with the masterport 
plist. PLIST= ${.CURDIR}/pkg-plist .endif .include .if ${SSL_DEFAULT} == base # The reason why I use this is cause openssl from base doesn't install a .pc file # and configure will fail trying to find it. Setting both of those variables to # a *non-empty* value by-passes the pkg-config check. CONFIGURE_ENV= SHA1_LIB="-L/usr/lib -lcrypto" SHA1_CFLAGS="-I/usr/include" .endif .if ${PORT_OPTIONS:MHAL} LIB_DEPENDS+= libhal.so:sysutils/hal CONFIGURE_ARGS+= --enable-config-hal .else CONFIGURE_ARGS+= --disable-config-hal .endif # We handle Xorg setuid in the plist. This allows to build xorg-server as a user. CONFIGURE_ARGS+=--disable-install-setuid .if ${ARCH} == "i386" || ${ARCH} == "amd64" LIB_DEPENDS+= libunwind.so:devel/libunwind .endif .if ${ARCH} == "sparc64" PLIST_SUB+= SPARC64="" .else PLIST_SUB+= SPARC64="@comment " .endif .if ${PORT_OPTIONS:MSUID} pre-everything:: @${ECHO_MSG} "By default, the X Server installs as a set-user-id root binary. When run by" @${ECHO_MSG} "a normal user, it checks arguments and environment as done in the x11/wrapper" @${ECHO_MSG} "port before handling them normally. If you are concerned about the security" @${ECHO_MSG} "of this, but still want to run an X Server (for example using xdm/kdm/gdm," @${ECHO_MSG} "which will still run the server as root), you can cancel the build and set" @${ECHO_MSG} "xorg-server_UNSET=SUID in /etc/make.conf." .endif post-patch: @${REINPLACE_CMD} 's/test.*-traditional.*;/true;/' \ ${WRKSRC}/configure # build libglx.so but don't install it yet. which is done in pre-install. 
@${REINPLACE_CMD} -e 's|@GLX_TRUE@GLXMODS =|@GLX_BOGUS@GLXMODS =|g' \ -e 's|^LTLIBRARIES = |LTLIBRARIES = libglx.la |g' \ ${WRKSRC}/hw/xfree86/dixmods/Makefile.in post-configure: .if ${PORT_OPTIONS:MDEVD} @${REINPLACE_CMD} -e 's|config\.c|config.c devd.c|g' \ -e 's|config\.lo|config.lo devd.lo|g' \ ${WRKSRC}/config/Makefile @${REINPLACE_CMD} -e 's|^/\* #undef CONFIG_UDEV \*/|#define CONFIG_DEVD 1|' \ ${WRKSRC}/include/dix-config.h .endif .if ${SLAVE_PORT} == "no" post-install: # The .xorg dir because else the xorg-server might not load the correct # libglx module. @${MKDIR} ${STAGEDIR}${PREFIX}/lib/xorg/modules/extensions/.xorg ${INSTALL_LIB} ${WRKSRC}/hw/xfree86/dixmods/.libs/libglx.so \ ${STAGEDIR}${PREFIX}/lib/xorg/modules/extensions/.xorg/ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/X11/xorg.conf.d .endif # ! SLAVE_PORT .include Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176 =================================================================== --- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176 (nonexistent) +++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176 (revision 455866) 
@@ -0,0 +1,31 @@
+From 95f605b42d8bbb6bea2834a1abfc205981c5b803 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau
+Signed-off-by: Nathan Kidd
+Signed-off-by: Julien Cristau
+(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 0da431b..0fdfe11 100644
+--- dix/dispatch.c
++++ dix/dispatch.c
+@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
+ prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+ auth_proto = (char *) prefix + sz_xConnClientPrefix;
+ auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+- if ((prefix->majorVersion != X_PROTOCOL) ||
++
++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++ pad_to_int32(prefix->nbytesAuthProto) +
++ pad_to_int32(prefix->nbytesAuthString))
++ reason = "Bad length";
++ else if ((prefix->majorVersion != X_PROTOCOL) ||
+ (prefix->minorVersion != X_PROTOCOL_REVISION))
+ reason = "Protocol version mismatch";
+ else
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177 (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177 (revision 455866)
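Review bot: The new length comparison dereferences `prefix->nbytesAuthProto` and `prefix->nbytesAuthString` before anything in this hunk establishes that the request holds at least `sz_xReq + sz_xConnClientPrefix` bytes; unless the initial-connection read path already guarantees that, the check reads past a short setup request before rejecting it. Worth confirming against the caller (outside the hunk) or guarding first: `if ((client->req_len << 2) < sz_xReq + sz_xConnClientPrefix) reason = "Bad length";` ahead of the exact-match comparison. A comment above the check, `/* setup request length must match the auth payload exactly */`, would also help, since `reason` is only consumed later outside the hunk.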
@@ -0,0 +1,41 @@
+From cc41e5b581d287c56f8d7113a97a4882dcfdd696 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd
+Date: Fri, 9 Jan 2015 10:09:14 -0500
+Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
+ (CVE-2017-12177)
+
+v2: Protect against integer overflow (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith
+Reviewed-by: Jeremy Huddleston Sequoia
+Reviewed-by: Julien Cristau
+Signed-off-by: Nathan Kidd
+Signed-off-by: Julien Cristau
+(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 23f7e16..f31766f 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ XdbeScreenVisualInfo *pScrVisInfo;
+
+ REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
++ if (stuff->n > UINT32_MAX / sizeof(CARD32))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
+
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
+@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
+
+ swapl(&stuff->n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+- return BadAlloc;
++ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0) {
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178 (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178 (revision 455866)
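Review bot: Only the native-order `ProcDbeGetVisualInfo` gains the overflow guard and `REQUEST_FIXED_SIZE` here; its byte-swapped counterpart `SProcDbeGetVisualInfo` is not in the hunk, so confirm that it applies the same `stuff->n > UINT32_MAX / sizeof(CARD32)` guard right after `swapl(&stuff->n)` and before it swaps or dispatches the rest, otherwise a swapped client reaches the rest-swapping with an unbounded `n`. The error-code change in `SProcDbeSwapBuffers` (BadAlloc to BadLength) is protocol-visible; a one-line comment, `/* n cannot fit in a request of any legal length, so this is a length error, not an allocation failure */`, would record why. Both functions continue outside the hunk.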
@@ -0,0 +1,29 @@
+From 6c15122163a2d2615db7e998e8d436815a08dec6 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd
+Date: Wed, 24 Dec 2014 16:22:18 -0500
+Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
+ (CVE-2017-12178)
+
+Reviewed-by: Alan Coopersmith
+Reviewed-by: Jeremy Huddleston Sequoia
+Reviewed-by: Julien Cristau
+Signed-off-by: Nathan Kidd
+Signed-off-by: Julien Cristau
+(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index f2b7785..7286eff 100644
+--- Xi/xichangehierarchy.c
++++ Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179 (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179 (revision 455866)
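Review bot: The corrected `len` is still derived from the 16-bit `stuff->length` rather than from `client->req_len`; for a client that has enabled BIG-REQUESTS the core length field is zero, in which case `((size_t)0 << 2) - sizeof(xXIChangeHierarchyReq)` wraps to a huge value and whatever bounds the following loop places on `len` would no longer limit its reads. Unless the surrounding function already rejects that case, I would use the dispatcher's length: `len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);`. The rest of ProcXIChangeHierarchy, including the `REQUEST_AT_LEAST_SIZE` this subtraction relies on to stay non-negative, lies outside the hunk.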
@@ -0,0 +1,52 @@
+From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd
+Date: Fri, 9 Jan 2015 10:04:41 -0500
+Subject: Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer
+
+[jcristau: originally this patch fixed the same issue as commit
+ 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
+ addition of these checks]
+
+This addresses CVE-2017-12179
+
+Reviewed-by: Alan Coopersmith
+Reviewed-by: Jeremy Huddleston Sequoia
+Reviewed-by: Julien Cristau
+Signed-off-by: Jeremy Huddleston Sequoia
+Signed-off-by: Nathan Kidd
+Signed-off-by: Julien Cristau
+(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
+
+
+--- Xi/xibarriers.c.orig 2016-07-15 18:17:45.000000000 +0200
++++ Xi/xibarriers.c 2017-10-13 18:26:09.226006000 +0200
+@@ -830,10 +830,15 @@
+ REQUEST(xXIBarrierReleasePointerReq);
+ int i;
+
+- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+-
+ swaps(&stuff->length);
++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++
+ swapl(&stuff->num_barriers);
++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
++ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
+ swaps(&info->deviceid);
+ swapl(&info->barrier);
+@@ -854,6 +859,10 @@
+
+ REQUEST(xXIBarrierReleasePointerReq);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179
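Review bot: The header presents this file as upstream commit c77cd08e (cherry-pick of d088e3c1), but the hunks beneath it are regenerated against the 1.18.4 tree — `xibarriers.c.orig 2016-07-15` timestamps, no `diff --git`/`index` lines, no function names in the `@@` headers — and the `[jcristau: ...]` note says the upstream version assumed 211e05ac85 was already applied, which the bare `REQUEST_AT_LEAST_SIZE` context in the second hunk suggests is not the case in 1.18.4. For traceability of what was actually vendored, record the divergence in the header, e.g. `Rebased by hand onto xorg-server 1.18.4, which lacks 211e05ac85; hunks differ from upstream d088e3c1.` The second hunk also leaves two consecutive blank lines after the new `REQUEST_FIXED_SIZE`, a small style nit.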
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183 (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183 (revision 455866)
@@ -0,0 +1,95 @@
+From 61502107a30d64f991784648c3228ebc6694a032 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd
+Date: Fri, 9 Jan 2015 11:43:05 -0500
+Subject: xfixes: unvalidated lengths (CVE-2017-12183)
+
+v2: Use before swap (Jeremy Huddleston Sequoia)
+
+v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith
+Reviewed-by: Jeremy Huddleston Sequoia
+Reviewed-by: Julien Cristau
+Signed-off-by: Jeremy Huddleston Sequoia
+Signed-off-by: Nathan Kidd
+Signed-off-by: Julien Cristau
+(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index f009a78..6e84d71 100644
+--- xfixes/cursor.c
++++ xfixes/cursor.c
+@@ -281,6 +281,7 @@ int
+ SProcXFixesSelectCursorInput(ClientPtr client)
+ {
+ REQUEST(xXFixesSelectCursorInputReq);
++ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
+ REQUEST(xXFixesSetCursorNameReq);
+ Atom atom;
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
++ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
+ VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
+ tchar = (char *) &stuff[1];
+ atom = MakeAtom(tchar, stuff->nbytes, TRUE);
+@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+ int i;
+ CARD16 *in_devices = (CARD16 *) &stuff[1];
+
++ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+diff --git a/xfixes/region.c b/xfixes/region.c
+index dd74d7f..f300d2b 100644
+--- xfixes/region.c
++++ xfixes/region.c
+@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
+ RegionPtr pSource, pDestination;
+
+ REQUEST(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+
+ VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
+ VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
+@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
+ REQUEST(xXFixesCopyRegionReq);
+
+ swaps(&stuff->length);
+- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ swapl(&stuff->source);
+ swapl(&stuff->destination);
+ return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
+diff --git a/xfixes/saveset.c b/xfixes/saveset.c
+index eb3f658..aa365cf 100644
+--- xfixes/saveset.c
++++ xfixes/saveset.c
+@@ -62,6 +62,7 @@ int
+ SProcXFixesChangeSaveSet(ClientPtr client)
+ {
+ REQUEST(xXFixesChangeSaveSetReq);
++ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
+index 8d1bd4c..8b45c53 100644
+--- xfixes/xfixes.c
++++ xfixes/xfixes.c
+@@ -160,6 +160,7 @@ static int
+ SProcXFixesQueryVersion(ClientPtr client)
+ {
+ REQUEST(xXFixesQueryVersionReq);
++ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->majorVersion);
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x (revision 455866)
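Review bot: In `SProcXFixesCreatePointerBarrier` the new `REQUEST_AT_LEAST_SIZE` only covers the fixed header, and the retained per-device check on the next context line, `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices))`, counts `num_devices` bytes even though the trailing data is declared as `CARD16 *in_devices`; if the loop that follows (outside the hunk) swaps `num_devices` CARD16 entries, an odd count lets it run past the validated length (3 devices: 4 bytes checked, 6 bytes touched). Assuming the native-order `ProcXFixesCreatePointerBarrier` sizes the payload as `num_devices * sizeof(CARD16)`, the swapped path should match it: `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices * sizeof(CARD16)));`. The swap loop and the Proc counterpart are not visible here, so this is inferred from the declarations in the context lines.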
@@ -0,0 +1,601 @@ +From d264da92f7f8129b8aad4f0114a6467fc38fc896 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Sun, 21 Dec 2014 01:10:03 -0500 +Subject: hw/xfree86: unvalidated lengths + +This addresses: +CVE-2017-12180 in XFree86-VidModeExtension +CVE-2017-12181 in XFree86-DGA +CVE-2017-12182 in XFree86-DRI + +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau +(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b) + +diff --git a/Xext/vidmode.c b/Xext/vidmode.c +index ea3ad13..76055c8 100644 +--- Xext/vidmode.c ++++ Xext/vidmode.c +@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client) + DEBUG_P("XF86VidModeAddModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client) + stuff->after_vsyncend, stuff->after_vtotal, + (unsigned long) stuff->after_flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client) + DEBUG_P("XF86VidModeDeleteModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); ++ len = ++ client->req_len - ++ 
bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); +- } + if (len != stuff->privsize) { + DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, " + "len = %d, length = %d\n", +@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client) + DEBUG_P("XF86VidModeModModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, + stuff->vtotal, (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; 
+ +@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client) + DEBUG_P("XF86VidModeValidateModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); ++ len = client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); +- len = client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client) + DEBUG_P("XF86VidModeSwitchToMode"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); +- len = +- client->req_len - +- 
bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client) + VidModePtr pVidMode; + + REQUEST(xXF86VidModeSetGammaRampReq); ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq); + + if (stuff->screen >= screenInfo.numScreens) + return BadValue; +diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c +index c689dcb..039f38d 100644 +--- hw/xfree86/common/xf86DGA.c ++++ hw/xfree86/common/xf86DGA.c +@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client) + char *deviceName; + int nameSize; + ++ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client) + { + REQUEST(xXDGACloseFramebufferReq); + ++ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); +- + DGACloseFramebuffer(stuff->screen); + + return Success; +@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client) + xXDGAModeInfo info; + XDGAModePtr mode; + ++ REQUEST_SIZE_MATCH(xXDGAQueryModesReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXDGAQueryModesReq); + rep.type = X_Reply; + rep.length = 0; + rep.number = 0; +@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client) + ClientPtr owner; + int size; + ++ 
REQUEST_SIZE_MATCH(xXDGASetModeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + owner = DGA_GETCLIENT(stuff->screen); + +- REQUEST_SIZE_MATCH(xXDGASetModeReq); + rep.type = X_Reply; + rep.length = 0; + rep.offset = 0; +@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client) + { + REQUEST(xXDGASetViewportReq); + ++ REQUEST_SIZE_MATCH(xXDGASetViewportReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASetViewportReq); +- + DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags); + + return Success; +@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client) + + REQUEST(xXDGAInstallColormapReq); + ++ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); +- + rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP, + client, DixInstallAccess); + if (rc != Success) +@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client) + { + REQUEST(xXDGASelectInputReq); + ++ REQUEST_SIZE_MATCH(xXDGASelectInputReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASelectInputReq); +- + if (DGA_GETCLIENT(stuff->screen) == client) + DGASelectInput(stuff->screen, client, stuff->mask); + +@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client) + { + REQUEST(xXDGAFillRectangleReq); + ++ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- 
REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+-
+ if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
+ stuff->width, stuff->height, stuff->color))
+ return BadMatch;
+@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
+ {
+ REQUEST(xXDGACopyAreaReq);
+ 
++ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+-
+ if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
+ stuff->width, stuff->height, stuff->dstx,
+ stuff->dsty))
+@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
+ {
+ REQUEST(xXDGACopyTransparentAreaReq);
+ 
++ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+-
+ if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
+ stuff->width, stuff->height, stuff->dstx,
+ stuff->dsty, stuff->key))
+@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
+ REQUEST(xXDGAGetViewportStatusReq);
+ xXDGAGetViewportStatusReply rep;
+ 
++ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
+ REQUEST(xXDGASyncReq);
+ xXDGASyncReply rep;
+ 
++ REQUEST_SIZE_MATCH(xXDGASyncReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXDGASyncReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
+ xXDGAChangePixmapModeReply rep;
+ int x, y;
+ 
++ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
+ REQUEST(xXDGACreateColormapReq);
+ int result;
+ 
++ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+-
+ if (!stuff->mode)
+ return BadValue;
+ 
+@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
+ int num, offset, flags;
+ char *name;
+ 
++ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
+ 
+ REQUEST(xXF86DGADirectVideoReq);
+ 
++ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+ 
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
+ REQUEST(xXF86DGAGetViewPortSizeReq);
+ xXF86DGAGetViewPortSizeReply rep;
+ 
++ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
+ {
+ REQUEST(xXF86DGASetViewPortReq);
+ 
++ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+-
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
+ REQUEST(xXF86DGAGetVidPageReq);
+ xXF86DGAGetVidPageReply rep;
+ 
++ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
+ {
+ REQUEST(xXF86DGASetVidPageReq);
+ 
++ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+-
+ /* silently fail */
+ 
+ return Success;
+@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
+ 
+ REQUEST(xXF86DGAInstallColormapReq);
+ 
++ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+-
+ if (!DGAActive(stuff->screen))
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
+ REQUEST(xXF86DGAQueryDirectVideoReq);
+ xXF86DGAQueryDirectVideoReply rep;
+ 
++ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
+ REQUEST(xXF86DGAViewPortChangedReq);
+ xXF86DGAViewPortChangedReply rep;
+ 
++ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ 
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+-
+ if (!DGAActive(stuff->screen))
+ return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
+index 68f8b7e..65f368e 100644
+--- hw/xfree86/dri/xf86dri.c
++++ hw/xfree86/dri/xf86dri.c
+@@ -570,6 +570,7 @@ static int
+ SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
+ {
+ REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
++ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
+ swaps(&stuff->length);
+ swapl(&stuff->screen);
+ return ProcXF86DRIQueryDirectRenderingCapable(client);
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y (revision 455866)
@@ -0,0 +1,139 @@
+From c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd
+Date: Fri, 9 Jan 2015 09:57:23 -0500
+Subject: Unvalidated lengths
+
+v2: Add overflow check and remove unnecessary check (Julien Cristau)
+
+This addresses:
+CVE-2017-12184 in XINERAMA
+CVE-2017-12185 in MIT-SCREEN-SAVER
+CVE-2017-12186 in X-Resource
+CVE-2017-12187 in RENDER
+
+Reviewed-by: Jeremy Huddleston Sequoia
+Reviewed-by: Julien Cristau
+Signed-off-by: Nathan Kidd
+Signed-off-by: Julien Cristau
+(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
+
+diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
+index 209df29..844ea49 100644
+--- Xext/panoramiX.c
++++ Xext/panoramiX.c
+@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
+ xPanoramiXGetScreenSizeReply rep;
+ int rc;
+ 
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= PanoramiXNumScreens)
+ return BadMatch;
+ 
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 750b8b9..45ac4d2 100644
+--- Xext/saver.c
++++ Xext/saver.c
+@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
+ PanoramiXRes *draw;
+ int rc, i;
+ 
++ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
++
+ rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (rc != Success)
+diff --git a/Xext/xres.c b/Xext/xres.c
+index ae779df..bc54133 100644
+--- Xext/xres.c
++++ Xext/xres.c
+@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
+ ConstructResourceBytesCtx ctx;
+ 
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
++ return BadLength;
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(ctx.specs[0]));
+ 
+@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
+ int c;
+ xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
+ 
+- swapl(&stuff->numSpecs);
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ swapl(&stuff->numSpecs);
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(specs[0]));
+ 
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index 8a35b7b..4d412b8 100644
+--- Xext/xvdisp.c
++++ Xext/xvdisp.c
+@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
+ {
+ REQUEST(xvShmPutImageReq);
+ PanoramiXRes *draw, *gc, *port;
+- Bool send_event = stuff->send_event;
++ Bool send_event;
+ Bool isRoot;
+ int result, i, x, y;
+ 
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ 
++ send_event = stuff->send_event;
++
+ result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (result != Success)
+diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
+index 1f1022e..63caec9 100644
+--- hw/dmx/dmxpict.c
++++ hw/dmx/dmxpict.c
+@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
+ filter = (char *) (stuff + 1);
+ params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
+ nparams = ((XFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
+ 
+ XRenderSetPictureFilter(dmxScreen->beDisplay,
+ pPictPriv->pict, filter, params, nparams);
+diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
+index d8b2593..95f6e10 100644
+--- pseudoramiX/pseudoramiX.c
++++ pseudoramiX/pseudoramiX.c
+@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
+ 
+ TRACE;
+ 
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= pseudoramiXNumScreens)
+ return BadMatch;
+ 
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/render/render.c b/render/render.c
+index bfacaa0..3a41e33 100644
+--- render/render.c
++++ render/render.c
+@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
+ name = (char *) (stuff + 1);
+ params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
+ nparams = ((xFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
++
+ result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
+ return result;
+ }
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c
===================================================================
--- branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c (nonexistent)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c (revision 455866)
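Review bot: The `UINT32_MAX / sizeof(ctx.specs[0])` guard added in ProcXResQueryResourceBytes has no counterpart in SProcXResQueryResourceBytes, which after this patch swaps `stuff->numSpecs` and then feeds the same `stuff->numSpecs * sizeof(specs[0])` product to REQUEST_FIXED_SIZE; on a target with a 32-bit size_t that product can wrap before the macro compares it, and whether REQUEST_FIXED_SIZE's own arithmetic rejects the wrapped value is not visible here. Since this file is an upstream cherry-pick, I would keep it verbatim and, if the concern is confirmed, carry the mirrored two lines `if (stuff->numSpecs > UINT32_MAX / sizeof(specs[0])) return BadLength;` placed right after the moved swapl in a separate local patch file. Both functions start and end outside the quoted hunks.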
@@ -0,0 +1,34 @@
+From e751722a7b0c5b595794e60b054ade0b3f6cdb4d Mon Sep 17 00:00:00 2001
+From: Michal Srb
+Date: Fri, 7 Jul 2017 17:04:03 +0200
+Subject: os: Make sure big requests have sufficient length.
+
+A client can send a big request where the 32B "length" field has value
+0. When the big request header is removed and the length corrected,
+the value will underflow to 0xFFFFFFFF. Functions processing the
+request later will think that the client sent much more data and may
+touch memory beyond the receive buffer.
+
+Signed-off-by: Eric Anholt
+Reviewed-by: Peter Hutterer
+(cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
+
+diff --git a/os/io.c b/os/io.c
+index f80580c..70f07f3 100644
+--- os/io.c
++++ os/io.c
+@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
+ if (!gotnow)
+ AvailableInput = oc;
+ if (move_header) {
++ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
++ YieldControlDeath();
++ return -1;
++ }
++
+ request = (xReq *) oci->bufptr;
+ oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
+ *(xReq *) oci->bufptr = *request;
+--
+cgit v0.10.2
+
Property changes on: branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2017Q4/x11-servers/xorg-vfbserver/Makefile
===================================================================
--- branches/2017Q4/x11-servers/xorg-vfbserver/Makefile (revision 455865)
+++ branches/2017Q4/x11-servers/xorg-vfbserver/Makefile (revision 455866)
@@ -1,34 +1,42 @@
 # Created by: Eric Anholt
 # $FreeBSD$
 PORTNAME= xorg-vfbserver
 PORTVERSION= 1.19.1
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 1
 COMMENT= X virtual framebuffer server from X.Org
 LICENSE= MIT
 MASTERDIR= ${.CURDIR}/../xorg-server
 DESCR= ${.CURDIR}/pkg-descr
 DISTINFO_FILE= ${.CURDIR}/distinfo
 PATCHDIR= ${.CURDIR}/files
 SLAVE_PORT= yes
 OPTIONS_EXCLUDE=DEVD HAL SUID
 USE_XORG= xfont2
 CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable-xephyr --disable-xnest \
 --disable-xwayland
 PLIST_FILES= bin/Xvfb man/man1/Xvfb.1.gz
-EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
- ${MASTERDIR}/files/patch-CVE-2017-13723
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-12176 \
+ ${MASTERDIR}/files/patch-CVE-2017-12177 \
+ ${MASTERDIR}/files/patch-CVE-2017-12178 \
+ ${MASTERDIR}/files/patch-CVE-2017-12179 \
+ ${MASTERDIR}/files/patch-CVE-2017-12183 \
+ ${MASTERDIR}/files/patch-CVE-2017-1218x \
+ ${MASTERDIR}/files/patch-CVE-2017-1218y \
+ ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723 \
+ ${MASTERDIR}/files/patch-os_io.c
 do-install:
 cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install
 .include "${MASTERDIR}/Makefile"
Index: branches/2017Q4/x11-servers/xwayland/Makefile
===================================================================
--- branches/2017Q4/x11-servers/xwayland/Makefile (revision 455865)
+++ branches/2017Q4/x11-servers/xwayland/Makefile (revision 455866)
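Review bot: The new EXTRA_PATCHES entries `patch-CVE-2017-1218x`, `patch-CVE-2017-1218y` and `patch-os_io.c` do not name the advisories they cover, so a reader of this Makefile cannot tell which CVEs the slave port now carries without opening the patch files in the master port's files/ directory; the xwayland hunk below has the same list. A comment above the assignment would fix that, e.g. `# patch-CVE-2017-1218y bundles CVE-2017-12184..12187; patch-CVE-2017-1218x: <CVE range from its header>; patch-os_io.c: big-request length underflow (upstream e751722, no CVE named)` — the 1218y and os_io.c descriptions come from the patch headers added in this commit, while the 1218x range is not visible here. The list is also duplicated verbatim across the slave ports; if the master port's own build applies the same set, defining it once in the master Makefile (guarded for slave ports) would keep the copies from drifting the next time a patch is added.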
@@ -1,38 +1,46 @@
 # $FreeBSD$
 PORTNAME= xwayland
 PORTVERSION= 1.19.1
-PORTREVISION= 1
+PORTREVISION= 2
 COMMENT= X Clients under Wayland
 LICENSE= MIT
 BUILD_DEPENDS= ${LOCALBASE}/libdata/pkgconfig/wayland-protocols.pc:graphics/wayland-protocols
 LIB_DEPENDS= libwayland-client.so:graphics/wayland \
 libinput.so:x11/libinput
 MASTERDIR= ${.CURDIR}/../xorg-server
 DESCR= ${.CURDIR}/pkg-descr
 DISTINFO_FILE= ${.CURDIR}/distinfo
 PATCHDIR= ${.CURDIR}/files
 SLAVE_PORT= yes
 OPTIONS_EXCLUDE=DEVD HAL SUID
 USE_XORG= x11 xext xfont2
 USE_GL+= egl gbm
 CONFIGURE_ARGS+= --disable-docs --disable-devel-docs \
 --enable-xwayland --disable-xorg --disable-xvfb --disable-xnest \
 --disable-xquartz --disable-xwin
 PLIST_FILES= bin/Xwayland
-EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
- ${MASTERDIR}/files/patch-CVE-2017-13723
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-12176 \
+ ${MASTERDIR}/files/patch-CVE-2017-12177 \
+ ${MASTERDIR}/files/patch-CVE-2017-12178 \
+ ${MASTERDIR}/files/patch-CVE-2017-12179 \
+ ${MASTERDIR}/files/patch-CVE-2017-12183 \
+ ${MASTERDIR}/files/patch-CVE-2017-1218x \
+ ${MASTERDIR}/files/patch-CVE-2017-1218y \
+ ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723 \
+ ${MASTERDIR}/files/patch-os_io.c
 do-install:
 cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install
 .include "${MASTERDIR}/Makefile"
Index: branches/2017Q4
===================================================================
--- branches/2017Q4 (revision 455865)
+++ branches/2017Q4 (revision 455866)
Property changes on: branches/2017Q4
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r452027