guibuilder_pel7ppc64lebuilder0
5 years ago
8 changed files with 481 additions and 47 deletions
@ -0,0 +1,53 @@
@@ -0,0 +1,53 @@
|
||||
From 2fda7c57e7ebe210cf5e2bb051a0a9271f85e80a Mon Sep 17 00:00:00 2001 |
||||
From: Matthieu Herrb <matthieu@herrb.eu> |
||||
Date: Mon, 22 Oct 2018 14:33:25 -0400 |
||||
Subject: [PATCH xserver] Disable -logfile and -modulepath when running with |
||||
elevated privileges |
||||
|
||||
An unprivileged user was able to overwrite arbitrary files |
||||
in directories in which it is able to chdir, potentially |
||||
leading to privilege elevation. |
||||
|
||||
CVE-2018-14665 |
||||
|
||||
An unprivileded user was able to load arbitrary modules |
||||
from user controlled directories, leading to privilege |
||||
elevation. |
||||
|
||||
CVE-2018-XXXXX |
||||
|
||||
Issues reported by Narendra Shinde |
||||
|
||||
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> |
||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
||||
--- |
||||
hw/xfree86/common/xf86Init.c | 8 ++++++-- |
||||
1 file changed, 6 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c |
||||
index 6c25eda739..0f57efa863 100644 |
||||
--- a/hw/xfree86/common/xf86Init.c |
||||
+++ b/hw/xfree86/common/xf86Init.c |
||||
@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i) |
||||
/* First the options that are not allowed with elevated privileges */ |
||||
if (!strcmp(argv[i], "-modulepath")) { |
||||
CHECK_FOR_REQUIRED_ARGUMENT(); |
||||
- xf86CheckPrivs(argv[i], argv[i + 1]); |
||||
+ if (xf86PrivsElevated()) |
||||
+ FatalError("\nInvalid argument -modulepath " |
||||
+ "with elevated privileges\n"); |
||||
xf86ModulePath = argv[i + 1]; |
||||
xf86ModPathFrom = X_CMDLINE; |
||||
return 2; |
||||
} |
||||
if (!strcmp(argv[i], "-logfile")) { |
||||
CHECK_FOR_REQUIRED_ARGUMENT(); |
||||
- xf86CheckPrivs(argv[i], argv[i + 1]); |
||||
+ if (xf86PrivsElevated()) |
||||
+ FatalError("\nInvalid argument -logfile " |
||||
+ "with elevated privileges\n"); |
||||
xf86LogFile = argv[i + 1]; |
||||
xf86LogFileFrom = X_CMDLINE; |
||||
return 2; |
||||
-- |
||||
2.19.0 |
@ -0,0 +1,30 @@
@@ -0,0 +1,30 @@
|
||||
From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001 |
||||
From: Eric Anholt <eric@anholt.net> |
||||
Date: Fri, 26 Oct 2018 17:47:30 -0700 |
||||
Subject: [PATCH xserver] Fix segfault on probing a non-PCI platform device on |
||||
a system with PCI. |
||||
|
||||
Some Broadcom set-top-box boards have PCI busses, but the GPU is still |
||||
probed through DT. We would dereference a null busid here in that |
||||
case. |
||||
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net> |
||||
--- |
||||
hw/xfree86/common/xf86platformBus.c | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c |
||||
index cef47da03d..dadbac6c8f 100644 |
||||
--- a/hw/xfree86/common/xf86platformBus.c |
||||
+++ b/hw/xfree86/common/xf86platformBus.c |
||||
@@ -289,7 +289,7 @@ xf86platformProbe(void) |
||||
for (i = 0; i < xf86_num_platform_devices; i++) { |
||||
char *busid = xf86_platform_odev_attributes(i)->busid; |
||||
|
||||
- if (pci && (strncmp(busid, "pci:", 4) == 0)) { |
||||
+ if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) { |
||||
platform_find_pci_info(&xf86_platform_devices[i], busid); |
||||
} |
||||
|
||||
-- |
||||
2.21.0 |
@ -0,0 +1,44 @@
@@ -0,0 +1,44 @@
|
||||
From b6e18eb57f3dd104704d0a5ec3d2f051645b9068 Mon Sep 17 00:00:00 2001 |
||||
From: Adam Jackson <ajax@redhat.com> |
||||
Date: Wed, 19 Jun 2019 14:23:56 -0400 |
||||
Subject: [PATCH xserver] linux: Fix platform device PCI detection for complex |
||||
bus topologies |
||||
|
||||
Suppose you're in a Hyper-V guest and are trying to use PCI passthrough. |
||||
The ID_PATH that udev will construct for that looks something like |
||||
"acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in |
||||
the first four characters of that is going to not work. |
||||
|
||||
Instead, strstr. I suppose it's possible you could have _multiple_ PCI |
||||
buses in the path, in which case you'd want strrstr, if that were a |
||||
thing. |
||||
--- |
||||
config/udev.c | 6 +++--- |
||||
1 file changed, 3 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/config/udev.c b/config/udev.c |
||||
index 314acba6ce..6e11aa3b88 100644 |
||||
--- a/config/udev.c |
||||
+++ b/config/udev.c |
||||
@@ -474,7 +474,7 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path |
||||
config_odev_probe_proc_ptr probe_callback) |
||||
{ |
||||
struct OdevAttributes *attribs = config_odev_allocate_attributes(); |
||||
- const char *value; |
||||
+ const char *value, *str; |
||||
|
||||
attribs->path = XNFstrdup(path); |
||||
attribs->syspath = XNFstrdup(syspath); |
||||
@@ -482,8 +482,8 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path |
||||
attribs->minor = minor; |
||||
|
||||
value = udev_device_get_property_value(udev_device, "ID_PATH"); |
||||
- if (value && !strncmp(value, "pci-", 4)) { |
||||
- attribs->busid = XNFstrdup(value); |
||||
+ if (value && (str = strstr(value, "pci-"))) { |
||||
+ attribs->busid = XNFstrdup(str); |
||||
attribs->busid[3] = ':'; |
||||
} |
||||
|
||||
-- |
||||
2.21.0 |
@ -0,0 +1,51 @@
@@ -0,0 +1,51 @@
|
||||
From a22a81a0de76b96b01f32f59fd2a4b4af675d9b1 Mon Sep 17 00:00:00 2001 |
||||
From: Adam Jackson <ajax@redhat.com> |
||||
Date: Fri, 5 Oct 2018 15:12:18 -0400 |
||||
Subject: [PATCH] modesetting: Hide atomic behind Option "Atomic" "[boolean]" |
||||
|
||||
You can turn it on if the kernel driver supports it and you ask for it |
||||
explicitly, but right now it's too fragile. |
||||
|
||||
Signed-off-by: Adam Jackson <ajax@redhat.com> |
||||
--- |
||||
hw/xfree86/drivers/modesetting/driver.c | 5 ++++- |
||||
hw/xfree86/drivers/modesetting/driver.h | 1 + |
||||
2 files changed, 5 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c |
||||
index 24311c1..4fc62e4 100644 |
||||
--- a/hw/xfree86/drivers/modesetting/driver.c |
||||
+++ b/hw/xfree86/drivers/modesetting/driver.c |
||||
@@ -131,6 +131,7 @@ static const OptionInfoRec Options[] = { |
||||
{OPTION_PAGEFLIP, "PageFlip", OPTV_BOOLEAN, {0}, FALSE}, |
||||
{OPTION_ZAPHOD_HEADS, "ZaphodHeads", OPTV_STRING, {0}, FALSE}, |
||||
{OPTION_DOUBLE_SHADOW, "DoubleShadow", OPTV_BOOLEAN, {0}, FALSE}, |
||||
+ {OPTION_ATOMIC, "Atomic", OPTV_BOOLEAN, {0}, FALSE}, |
||||
{-1, NULL, OPTV_NONE, {0}, FALSE} |
||||
}; |
||||
|
||||
@@ -1061,7 +1062,9 @@ PreInit(ScrnInfoPtr pScrn, int flags) |
||||
} |
||||
|
||||
ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 1); |
||||
- ms->atomic_modeset = (ret == 0); |
||||
+ if ((ms->atomic_modeset = (ret == 0))) |
||||
+ ms->atomic_modeset = xf86ReturnOptValBool(ms->drmmode.Options, |
||||
+ OPTION_ATOMIC, FALSE); |
||||
|
||||
ms->kms_has_modifiers = FALSE; |
||||
ret = drmGetCap(ms->fd, DRM_CAP_ADDFB2_MODIFIERS, &value); |
||||
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h |
||||
index c8db4b8..46ba78a 100644 |
||||
--- a/hw/xfree86/drivers/modesetting/driver.h |
||||
+++ b/hw/xfree86/drivers/modesetting/driver.h |
||||
@@ -51,6 +51,7 @@ typedef enum { |
||||
OPTION_PAGEFLIP, |
||||
OPTION_ZAPHOD_HEADS, |
||||
OPTION_DOUBLE_SHADOW, |
||||
+ OPTION_ATOMIC, |
||||
} modesettingOpts; |
||||
|
||||
typedef struct |
||||
-- |
||||
2.19.0 |
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
From 13118f3052e870c3cef6260235b489a288df5a59 Mon Sep 17 00:00:00 2001 |
||||
From: Adam Jackson <ajax@redhat.com> |
||||
Date: Tue, 9 Oct 2018 12:28:48 -0400 |
||||
Subject: [PATCH xserver] xfree86: LeaveVT from xf86CrtcCloseScreen |
||||
|
||||
Signed-off-by: Adam Jackson <ajax@redhat.com> |
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |
||||
--- |
||||
hw/xfree86/modes/xf86Crtc.c | 2 ++ |
||||
1 file changed, 2 insertions(+) |
||||
|
||||
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c |
||||
index 686cb51..710a41d 100644 |
||||
--- a/hw/xfree86/modes/xf86Crtc.c |
||||
+++ b/hw/xfree86/modes/xf86Crtc.c |
||||
@@ -776,6 +776,8 @@ xf86CrtcCloseScreen(ScreenPtr screen) |
||||
crtc->randr_crtc = NULL; |
||||
} |
||||
|
||||
+ scrn->LeaveVT(scrn); |
||||
+ |
||||
screen->CloseScreen = config->CloseScreen; |
||||
|
||||
xf86RotateCloseScreen(screen); |
||||
-- |
||||
2.19.1 |
@ -0,0 +1,135 @@
@@ -0,0 +1,135 @@
|
||||
From ff91c696ff8f5f56da40e107cb5c321539758a81 Mon Sep 17 00:00:00 2001 |
||||
From: Michal Srb <msrb@suse.com> |
||||
Date: Tue, 16 Oct 2018 09:32:13 +0200 |
||||
Subject: [PATCH xserver] xfree86: Only switch to original VT if it is active. |
||||
|
||||
If the X server is terminated while its VT is not active, it should |
||||
not change the current VT. |
||||
|
||||
v2: Query current state in xf86CloseConsole using VT_GETSTATE instead of |
||||
keeping track in xf86VTEnter/xf86VTLeave/etc. |
||||
--- |
||||
hw/xfree86/os-support/linux/lnx_init.c | 16 +++++++++++++--- |
||||
1 file changed, 13 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/hw/xfree86/os-support/linux/lnx_init.c b/hw/xfree86/os-support/linux/lnx_init.c |
||||
index 039dc4a4d..358d89f0f 100644 |
||||
--- a/hw/xfree86/os-support/linux/lnx_init.c |
||||
+++ b/hw/xfree86/os-support/linux/lnx_init.c |
||||
@@ -272,101 +272,111 @@ xf86OpenConsole(void) |
||||
xf86SetConsoleHandler(drain_console, NULL); |
||||
} |
||||
|
||||
nTty = tty_attr; |
||||
nTty.c_iflag = (IGNPAR | IGNBRK) & (~PARMRK) & (~ISTRIP); |
||||
nTty.c_oflag = 0; |
||||
nTty.c_cflag = CREAD | CS8; |
||||
nTty.c_lflag = 0; |
||||
nTty.c_cc[VTIME] = 0; |
||||
nTty.c_cc[VMIN] = 1; |
||||
cfsetispeed(&nTty, 9600); |
||||
cfsetospeed(&nTty, 9600); |
||||
tcsetattr(xf86Info.consoleFd, TCSANOW, &nTty); |
||||
} |
||||
} |
||||
else { /* serverGeneration != 1 */ |
||||
if (!xf86Info.ShareVTs && xf86Info.autoVTSwitch) { |
||||
/* now get the VT */ |
||||
if (!switch_to(xf86Info.vtno, "xf86OpenConsole")) |
||||
FatalError("xf86OpenConsole: Switching VT failed\n"); |
||||
} |
||||
} |
||||
} |
||||
|
||||
#pragma GCC diagnostic pop |
||||
|
||||
void |
||||
xf86CloseConsole(void) |
||||
{ |
||||
struct vt_mode VT; |
||||
+ struct vt_stat vts; |
||||
int ret; |
||||
|
||||
if (xf86Info.ShareVTs) { |
||||
close(xf86Info.consoleFd); |
||||
return; |
||||
} |
||||
|
||||
/* |
||||
* unregister the drain_console handler |
||||
* - what to do if someone else changed it in the meantime? |
||||
*/ |
||||
xf86SetConsoleHandler(NULL, NULL); |
||||
|
||||
/* Back to text mode ... */ |
||||
SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSETMODE, KD_TEXT)); |
||||
if (ret < 0) |
||||
xf86Msg(X_WARNING, "xf86CloseConsole: KDSETMODE failed: %s\n", |
||||
strerror(errno)); |
||||
|
||||
SYSCALL(ioctl(xf86Info.consoleFd, KDSKBMODE, tty_mode)); |
||||
tcsetattr(xf86Info.consoleFd, TCSANOW, &tty_attr); |
||||
|
||||
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETMODE, &VT)); |
||||
if (ret < 0) |
||||
xf86Msg(X_WARNING, "xf86CloseConsole: VT_GETMODE failed: %s\n", |
||||
strerror(errno)); |
||||
else { |
||||
/* set dflt vt handling */ |
||||
VT.mode = VT_AUTO; |
||||
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_SETMODE, &VT)); |
||||
if (ret < 0) |
||||
xf86Msg(X_WARNING, "xf86CloseConsole: VT_SETMODE failed: %s\n", |
||||
strerror(errno)); |
||||
} |
||||
|
||||
if (xf86Info.autoVTSwitch) { |
||||
/* |
||||
- * Perform a switch back to the active VT when we were started |
||||
- */ |
||||
+ * Perform a switch back to the active VT when we were started if our |
||||
+ * vt is active now. |
||||
+ */ |
||||
if (activeVT >= 0) { |
||||
- switch_to(activeVT, "xf86CloseConsole"); |
||||
+ SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETSTATE, &vts)); |
||||
+ if (ret < 0) { |
||||
+ xf86Msg(X_WARNING, "xf86OpenConsole: VT_GETSTATE failed: %s\n", |
||||
+ strerror(errno)); |
||||
+ } else { |
||||
+ if (vts.v_active == xf86Info.vtno) { |
||||
+ switch_to(activeVT, "xf86CloseConsole"); |
||||
+ } |
||||
+ } |
||||
activeVT = -1; |
||||
} |
||||
} |
||||
close(xf86Info.consoleFd); /* make the vt-manager happy */ |
||||
} |
||||
|
||||
#define CHECK_FOR_REQUIRED_ARGUMENT() \ |
||||
if (((i + 1) >= argc) || (!argv[i + 1])) { \ |
||||
ErrorF("Required argument to %s not specified\n", argv[i]); \ |
||||
UseMsg(); \ |
||||
FatalError("Required argument to %s not specified\n", argv[i]); \ |
||||
} |
||||
|
||||
int |
||||
xf86ProcessArgument(int argc, char *argv[], int i) |
||||
{ |
||||
/* |
||||
* Keep server from detaching from controlling tty. This is useful |
||||
* when debugging (so the server can receive keyboard signals. |
||||
*/ |
||||
if (!strcmp(argv[i], "-keeptty")) { |
||||
KeepTty = TRUE; |
||||
return 1; |
||||
} |
||||
|
||||
if ((argv[i][0] == 'v') && (argv[i][1] == 't')) { |
||||
if (sscanf(argv[i], "vt%2d", &xf86Info.vtno) == 0) { |
||||
UseMsg(); |
||||
xf86Info.vtno = -1; |
||||
return 0; |
||||
-- |
||||
2.21.0 |
Loading…
Reference in new issue