guibuilder_pel7ppc64lebuilder0
5 years ago
8 changed files with 481 additions and 47 deletions
@ -0,0 +1,53 @@ |
|||||||
|
From 2fda7c57e7ebe210cf5e2bb051a0a9271f85e80a Mon Sep 17 00:00:00 2001 |
||||||
|
From: Matthieu Herrb <matthieu@herrb.eu> |
||||||
|
Date: Mon, 22 Oct 2018 14:33:25 -0400 |
||||||
|
Subject: [PATCH xserver] Disable -logfile and -modulepath when running with |
||||||
|
elevated privileges |
||||||
|
|
||||||
|
An unprivileged user was able to overwrite arbitrary files |
||||||
|
in directories in which it is able to chdir, potentially |
||||||
|
leading to privilege elevation. |
||||||
|
|
||||||
|
CVE-2018-14665 |
||||||
|
|
||||||
|
An unprivileded user was able to load arbitrary modules |
||||||
|
from user controlled directories, leading to privilege |
||||||
|
elevation. |
||||||
|
|
||||||
|
CVE-2018-XXXXX |
||||||
|
|
||||||
|
Issues reported by Narendra Shinde |
||||||
|
|
||||||
|
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> |
||||||
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
||||||
|
--- |
||||||
|
hw/xfree86/common/xf86Init.c | 8 ++++++-- |
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c |
||||||
|
index 6c25eda739..0f57efa863 100644 |
||||||
|
--- a/hw/xfree86/common/xf86Init.c |
||||||
|
+++ b/hw/xfree86/common/xf86Init.c |
||||||
|
@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i) |
||||||
|
/* First the options that are not allowed with elevated privileges */ |
||||||
|
if (!strcmp(argv[i], "-modulepath")) { |
||||||
|
CHECK_FOR_REQUIRED_ARGUMENT(); |
||||||
|
- xf86CheckPrivs(argv[i], argv[i + 1]); |
||||||
|
+ if (xf86PrivsElevated()) |
||||||
|
+ FatalError("\nInvalid argument -modulepath " |
||||||
|
+ "with elevated privileges\n"); |
||||||
|
xf86ModulePath = argv[i + 1]; |
||||||
|
xf86ModPathFrom = X_CMDLINE; |
||||||
|
return 2; |
||||||
|
} |
||||||
|
if (!strcmp(argv[i], "-logfile")) { |
||||||
|
CHECK_FOR_REQUIRED_ARGUMENT(); |
||||||
|
- xf86CheckPrivs(argv[i], argv[i + 1]); |
||||||
|
+ if (xf86PrivsElevated()) |
||||||
|
+ FatalError("\nInvalid argument -logfile " |
||||||
|
+ "with elevated privileges\n"); |
||||||
|
xf86LogFile = argv[i + 1]; |
||||||
|
xf86LogFileFrom = X_CMDLINE; |
||||||
|
return 2; |
||||||
|
-- |
||||||
|
2.19.0 |
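Review bot: The two new `if (xf86PrivsElevated()) FatalError(...)` guards in ddxProcessArgument carry no comment saying why `-modulepath` and `-logfile` are refused outright rather than validated, so a later cleanup could fold them back into a path check. I would add above the first guard something like `/* With elevated privileges the module path and log path are chosen by the unprivileged caller; reject them, do not try to sanitise them. */`. The removed lines show `xf86CheckPrivs()` was the previous gate; if other options outside this hunk still rely on it, it is worth confirming they do not need the same treatment. The second advisory in the commit message still reads `CVE-2018-XXXXX` and should get its real identifier or be dropped before the patch is carried in a package. ddxProcessArgument starts and ends outside the hunk.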
@ -0,0 +1,30 @@ |
|||||||
|
From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Eric Anholt <eric@anholt.net> |
||||||
|
Date: Fri, 26 Oct 2018 17:47:30 -0700 |
||||||
|
Subject: [PATCH xserver] Fix segfault on probing a non-PCI platform device on |
||||||
|
a system with PCI. |
||||||
|
|
||||||
|
Some Broadcom set-top-box boards have PCI busses, but the GPU is still |
||||||
|
probed through DT. We would dereference a null busid here in that |
||||||
|
case. |
||||||
|
|
||||||
|
Signed-off-by: Eric Anholt <eric@anholt.net> |
||||||
|
--- |
||||||
|
hw/xfree86/common/xf86platformBus.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c |
||||||
|
index cef47da03d..dadbac6c8f 100644 |
||||||
|
--- a/hw/xfree86/common/xf86platformBus.c |
||||||
|
+++ b/hw/xfree86/common/xf86platformBus.c |
||||||
|
@@ -289,7 +289,7 @@ xf86platformProbe(void) |
||||||
|
for (i = 0; i < xf86_num_platform_devices; i++) { |
||||||
|
char *busid = xf86_platform_odev_attributes(i)->busid; |
||||||
|
|
||||||
|
- if (pci && (strncmp(busid, "pci:", 4) == 0)) { |
||||||
|
+ if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) { |
||||||
|
platform_find_pci_info(&xf86_platform_devices[i], busid); |
||||||
|
} |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
@ -0,0 +1,44 @@ |
|||||||
|
From b6e18eb57f3dd104704d0a5ec3d2f051645b9068 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Adam Jackson <ajax@redhat.com> |
||||||
|
Date: Wed, 19 Jun 2019 14:23:56 -0400 |
||||||
|
Subject: [PATCH xserver] linux: Fix platform device PCI detection for complex |
||||||
|
bus topologies |
||||||
|
|
||||||
|
Suppose you're in a Hyper-V guest and are trying to use PCI passthrough. |
||||||
|
The ID_PATH that udev will construct for that looks something like |
||||||
|
"acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in |
||||||
|
the first four characters of that is going to not work. |
||||||
|
|
||||||
|
Instead, strstr. I suppose it's possible you could have _multiple_ PCI |
||||||
|
buses in the path, in which case you'd want strrstr, if that were a |
||||||
|
thing. |
||||||
|
--- |
||||||
|
config/udev.c | 6 +++--- |
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-) |
||||||
|
|
||||||
|
diff --git a/config/udev.c b/config/udev.c |
||||||
|
index 314acba6ce..6e11aa3b88 100644 |
||||||
|
--- a/config/udev.c |
||||||
|
+++ b/config/udev.c |
||||||
|
@@ -474,7 +474,7 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path |
||||||
|
config_odev_probe_proc_ptr probe_callback) |
||||||
|
{ |
||||||
|
struct OdevAttributes *attribs = config_odev_allocate_attributes(); |
||||||
|
- const char *value; |
||||||
|
+ const char *value, *str; |
||||||
|
|
||||||
|
attribs->path = XNFstrdup(path); |
||||||
|
attribs->syspath = XNFstrdup(syspath); |
||||||
|
@@ -482,8 +482,8 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path |
||||||
|
attribs->minor = minor; |
||||||
|
|
||||||
|
value = udev_device_get_property_value(udev_device, "ID_PATH"); |
||||||
|
- if (value && !strncmp(value, "pci-", 4)) { |
||||||
|
- attribs->busid = XNFstrdup(value); |
||||||
|
+ if (value && (str = strstr(value, "pci-"))) { |
||||||
|
+ attribs->busid = XNFstrdup(str); |
||||||
|
attribs->busid[3] = ':'; |
||||||
|
} |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
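Review bot: `if (value && (str = strstr(value, "pci-")))` in config_udev_odev_setup_attribs accepts the first "pci-" anywhere in ID_PATH, including one that falls in the middle of another path component. The commit message itself notes that a path with several PCI segments would want the last one. Accepting a match only when it starts the string or follows a `-`, and keeping the last such match, would cover both cases. At minimum a comment such as `/* ID_PATH may carry a prefix, e.g. "acpi-VMBUS:00-pci-..."; busid starts at the first "pci-" */` would record the chosen behaviour. The function body continues outside the hunk.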
@ -0,0 +1,51 @@ |
|||||||
|
From a22a81a0de76b96b01f32f59fd2a4b4af675d9b1 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Adam Jackson <ajax@redhat.com> |
||||||
|
Date: Fri, 5 Oct 2018 15:12:18 -0400 |
||||||
|
Subject: [PATCH] modesetting: Hide atomic behind Option "Atomic" "[boolean]" |
||||||
|
|
||||||
|
You can turn it on if the kernel driver supports it and you ask for it |
||||||
|
explicitly, but right now it's too fragile. |
||||||
|
|
||||||
|
Signed-off-by: Adam Jackson <ajax@redhat.com> |
||||||
|
--- |
||||||
|
hw/xfree86/drivers/modesetting/driver.c | 5 ++++- |
||||||
|
hw/xfree86/drivers/modesetting/driver.h | 1 + |
||||||
|
2 files changed, 5 insertions(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c |
||||||
|
index 24311c1..4fc62e4 100644 |
||||||
|
--- a/hw/xfree86/drivers/modesetting/driver.c |
||||||
|
+++ b/hw/xfree86/drivers/modesetting/driver.c |
||||||
|
@@ -131,6 +131,7 @@ static const OptionInfoRec Options[] = { |
||||||
|
{OPTION_PAGEFLIP, "PageFlip", OPTV_BOOLEAN, {0}, FALSE}, |
||||||
|
{OPTION_ZAPHOD_HEADS, "ZaphodHeads", OPTV_STRING, {0}, FALSE}, |
||||||
|
{OPTION_DOUBLE_SHADOW, "DoubleShadow", OPTV_BOOLEAN, {0}, FALSE}, |
||||||
|
+ {OPTION_ATOMIC, "Atomic", OPTV_BOOLEAN, {0}, FALSE}, |
||||||
|
{-1, NULL, OPTV_NONE, {0}, FALSE} |
||||||
|
}; |
||||||
|
|
||||||
|
@@ -1061,7 +1062,9 @@ PreInit(ScrnInfoPtr pScrn, int flags) |
||||||
|
} |
||||||
|
|
||||||
|
ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 1); |
||||||
|
- ms->atomic_modeset = (ret == 0); |
||||||
|
+ if ((ms->atomic_modeset = (ret == 0))) |
||||||
|
+ ms->atomic_modeset = xf86ReturnOptValBool(ms->drmmode.Options, |
||||||
|
+ OPTION_ATOMIC, FALSE); |
||||||
|
|
||||||
|
ms->kms_has_modifiers = FALSE; |
||||||
|
ret = drmGetCap(ms->fd, DRM_CAP_ADDFB2_MODIFIERS, &value); |
||||||
|
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h |
||||||
|
index c8db4b8..46ba78a 100644 |
||||||
|
--- a/hw/xfree86/drivers/modesetting/driver.h |
||||||
|
+++ b/hw/xfree86/drivers/modesetting/driver.h |
||||||
|
@@ -51,6 +51,7 @@ typedef enum { |
||||||
|
OPTION_PAGEFLIP, |
||||||
|
OPTION_ZAPHOD_HEADS, |
||||||
|
OPTION_DOUBLE_SHADOW, |
||||||
|
+ OPTION_ATOMIC, |
||||||
|
} modesettingOpts; |
||||||
|
|
||||||
|
typedef struct |
||||||
|
-- |
||||||
|
2.19.0 |
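Review bot: `drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 1)` in PreInit still runs before the new option is consulted, so when Option "Atomic" is off (the default here) the capability has already been requested on the fd while `ms->atomic_modeset` ends up FALSE and the driver takes the legacy path. That leaves kernel-side client state and driver state disagreeing, which is presumably not what an off-by-default switch for a fragile feature intends. Reading the option first and requesting the capability only on opt-in avoids this and also removes the assignment inside the `if` condition. PreInit starts and ends outside the hunk.

```c
/* … unchanged: code before the atomic capability request … */
    if (xf86ReturnOptValBool(ms->drmmode.Options, OPTION_ATOMIC, FALSE)) {
        /* Ask the kernel for atomic only when the user opted in. */
        ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 1);
        ms->atomic_modeset = (ret == 0);
    } else {
        ms->atomic_modeset = FALSE;
    }
/* … unchanged: kms_has_modifiers / drmGetCap(DRM_CAP_ADDFB2_MODIFIERS) … */
```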
@ -0,0 +1,26 @@ |
|||||||
|
From 13118f3052e870c3cef6260235b489a288df5a59 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Adam Jackson <ajax@redhat.com> |
||||||
|
Date: Tue, 9 Oct 2018 12:28:48 -0400 |
||||||
|
Subject: [PATCH xserver] xfree86: LeaveVT from xf86CrtcCloseScreen |
||||||
|
|
||||||
|
Signed-off-by: Adam Jackson <ajax@redhat.com> |
||||||
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |
||||||
|
--- |
||||||
|
hw/xfree86/modes/xf86Crtc.c | 2 ++ |
||||||
|
1 file changed, 2 insertions(+) |
||||||
|
|
||||||
|
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c |
||||||
|
index 686cb51..710a41d 100644 |
||||||
|
--- a/hw/xfree86/modes/xf86Crtc.c |
||||||
|
+++ b/hw/xfree86/modes/xf86Crtc.c |
||||||
|
@@ -776,6 +776,8 @@ xf86CrtcCloseScreen(ScreenPtr screen) |
||||||
|
crtc->randr_crtc = NULL; |
||||||
|
} |
||||||
|
|
||||||
|
+ scrn->LeaveVT(scrn); |
||||||
|
+ |
||||||
|
screen->CloseScreen = config->CloseScreen; |
||||||
|
|
||||||
|
xf86RotateCloseScreen(screen); |
||||||
|
-- |
||||||
|
2.19.1 |
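Review bot: `scrn->LeaveVT(scrn);` is added to xf86CrtcCloseScreen unconditionally, with no check that the screen currently owns the VT or that the hook is set, and the commit message gives no reason for the call. If a driver's own CloseScreen also calls LeaveVT (not visible here), the release path would run twice at shutdown. I would guard it with something like `if (scrn->vtSema && scrn->LeaveVT) scrn->LeaveVT(scrn);` and add a one-line comment saying what state this call is meant to release. The function body continues outside the hunk.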
@ -0,0 +1,135 @@ |
|||||||
|
From ff91c696ff8f5f56da40e107cb5c321539758a81 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Michal Srb <msrb@suse.com> |
||||||
|
Date: Tue, 16 Oct 2018 09:32:13 +0200 |
||||||
|
Subject: [PATCH xserver] xfree86: Only switch to original VT if it is active. |
||||||
|
|
||||||
|
If the X server is terminated while its VT is not active, it should |
||||||
|
not change the current VT. |
||||||
|
|
||||||
|
v2: Query current state in xf86CloseConsole using VT_GETSTATE instead of |
||||||
|
keeping track in xf86VTEnter/xf86VTLeave/etc. |
||||||
|
--- |
||||||
|
hw/xfree86/os-support/linux/lnx_init.c | 16 +++++++++++++--- |
||||||
|
1 file changed, 13 insertions(+), 3 deletions(-) |
||||||
|
|
||||||
|
diff --git a/hw/xfree86/os-support/linux/lnx_init.c b/hw/xfree86/os-support/linux/lnx_init.c |
||||||
|
index 039dc4a4d..358d89f0f 100644 |
||||||
|
--- a/hw/xfree86/os-support/linux/lnx_init.c |
||||||
|
+++ b/hw/xfree86/os-support/linux/lnx_init.c |
||||||
|
@@ -272,101 +272,111 @@ xf86OpenConsole(void) |
||||||
|
xf86SetConsoleHandler(drain_console, NULL); |
||||||
|
} |
||||||
|
|
||||||
|
nTty = tty_attr; |
||||||
|
nTty.c_iflag = (IGNPAR | IGNBRK) & (~PARMRK) & (~ISTRIP); |
||||||
|
nTty.c_oflag = 0; |
||||||
|
nTty.c_cflag = CREAD | CS8; |
||||||
|
nTty.c_lflag = 0; |
||||||
|
nTty.c_cc[VTIME] = 0; |
||||||
|
nTty.c_cc[VMIN] = 1; |
||||||
|
cfsetispeed(&nTty, 9600); |
||||||
|
cfsetospeed(&nTty, 9600); |
||||||
|
tcsetattr(xf86Info.consoleFd, TCSANOW, &nTty); |
||||||
|
} |
||||||
|
} |
||||||
|
else { /* serverGeneration != 1 */ |
||||||
|
if (!xf86Info.ShareVTs && xf86Info.autoVTSwitch) { |
||||||
|
/* now get the VT */ |
||||||
|
if (!switch_to(xf86Info.vtno, "xf86OpenConsole")) |
||||||
|
FatalError("xf86OpenConsole: Switching VT failed\n"); |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
#pragma GCC diagnostic pop |
||||||
|
|
||||||
|
void |
||||||
|
xf86CloseConsole(void) |
||||||
|
{ |
||||||
|
struct vt_mode VT; |
||||||
|
+ struct vt_stat vts; |
||||||
|
int ret; |
||||||
|
|
||||||
|
if (xf86Info.ShareVTs) { |
||||||
|
close(xf86Info.consoleFd); |
||||||
|
return; |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
* unregister the drain_console handler |
||||||
|
* - what to do if someone else changed it in the meantime? |
||||||
|
*/ |
||||||
|
xf86SetConsoleHandler(NULL, NULL); |
||||||
|
|
||||||
|
/* Back to text mode ... */ |
||||||
|
SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSETMODE, KD_TEXT)); |
||||||
|
if (ret < 0) |
||||||
|
xf86Msg(X_WARNING, "xf86CloseConsole: KDSETMODE failed: %s\n", |
||||||
|
strerror(errno)); |
||||||
|
|
||||||
|
SYSCALL(ioctl(xf86Info.consoleFd, KDSKBMODE, tty_mode)); |
||||||
|
tcsetattr(xf86Info.consoleFd, TCSANOW, &tty_attr); |
||||||
|
|
||||||
|
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETMODE, &VT)); |
||||||
|
if (ret < 0) |
||||||
|
xf86Msg(X_WARNING, "xf86CloseConsole: VT_GETMODE failed: %s\n", |
||||||
|
strerror(errno)); |
||||||
|
else { |
||||||
|
/* set dflt vt handling */ |
||||||
|
VT.mode = VT_AUTO; |
||||||
|
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_SETMODE, &VT)); |
||||||
|
if (ret < 0) |
||||||
|
xf86Msg(X_WARNING, "xf86CloseConsole: VT_SETMODE failed: %s\n", |
||||||
|
strerror(errno)); |
||||||
|
} |
||||||
|
|
||||||
|
if (xf86Info.autoVTSwitch) { |
||||||
|
/* |
||||||
|
- * Perform a switch back to the active VT when we were started |
||||||
|
- */ |
||||||
|
+ * Perform a switch back to the active VT when we were started if our |
||||||
|
+ * vt is active now. |
||||||
|
+ */ |
||||||
|
if (activeVT >= 0) { |
||||||
|
- switch_to(activeVT, "xf86CloseConsole"); |
||||||
|
+ SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETSTATE, &vts)); |
||||||
|
+ if (ret < 0) { |
||||||
|
+ xf86Msg(X_WARNING, "xf86OpenConsole: VT_GETSTATE failed: %s\n", |
||||||
|
+ strerror(errno)); |
||||||
|
+ } else { |
||||||
|
+ if (vts.v_active == xf86Info.vtno) { |
||||||
|
+ switch_to(activeVT, "xf86CloseConsole"); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
activeVT = -1; |
||||||
|
} |
||||||
|
} |
||||||
|
close(xf86Info.consoleFd); /* make the vt-manager happy */ |
||||||
|
} |
||||||
|
|
||||||
|
#define CHECK_FOR_REQUIRED_ARGUMENT() \ |
||||||
|
if (((i + 1) >= argc) || (!argv[i + 1])) { \ |
||||||
|
ErrorF("Required argument to %s not specified\n", argv[i]); \ |
||||||
|
UseMsg(); \ |
||||||
|
FatalError("Required argument to %s not specified\n", argv[i]); \ |
||||||
|
} |
||||||
|
|
||||||
|
int |
||||||
|
xf86ProcessArgument(int argc, char *argv[], int i) |
||||||
|
{ |
||||||
|
/* |
||||||
|
* Keep server from detaching from controlling tty. This is useful |
||||||
|
* when debugging (so the server can receive keyboard signals. |
||||||
|
*/ |
||||||
|
if (!strcmp(argv[i], "-keeptty")) { |
||||||
|
KeepTty = TRUE; |
||||||
|
return 1; |
||||||
|
} |
||||||
|
|
||||||
|
if ((argv[i][0] == 'v') && (argv[i][1] == 't')) { |
||||||
|
if (sscanf(argv[i], "vt%2d", &xf86Info.vtno) == 0) { |
||||||
|
UseMsg(); |
||||||
|
xf86Info.vtno = -1; |
||||||
|
return 0; |
||||||
|
-- |
||||||
|
2.21.0 |
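Review bot: The new warning in xf86CloseConsole is tagged with the wrong function name: `"xf86OpenConsole: VT_GETSTATE failed: %s\n"` should read `"xf86CloseConsole: VT_GETSTATE failed: %s\n"`. That would match the KDSETMODE, VT_GETMODE and VT_SETMODE warnings just above it; as written, a log reader is sent to the wrong code path. When VT_GETSTATE fails the switch back to `activeVT` is skipped with only this warning. A short comment such as `/* if the active VT cannot be determined, leave the current VT alone */` would state that this is the intended fail-safe.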