5 files changed, 252 insertions, 3 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 9f8a9c16b442..e98e84729fdc 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
 pkgbase = xorg-server-dev
 	pkgver = 1.19.3
-	pkgrel = 2
+	pkgrel = 3
 	url = https://xorg.freedesktop.org
 	arch = i686
 	arch = x86_64
@@ -60,6 +60,9 @@ pkgbase = xorg-server-dev
 	source = nvidia-add-modulepath-support.patch
 	source = xserver-autobind-hotplug.patch
 	source = modesetting-Set-correct-DRM-event-context-version.patch
+	source = CVE-2017-10971.patch
+	source = CVE-2017-10972.patch
+	source = bug99708.patch
 	source = xvfb-run
 	source = xvfb-run.1
 	sha256sums = 677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98
@@ -67,6 +70,9 @@ pkgbase = xorg-server-dev
 	sha256sums = 914a8d775b708f836ae3f0eeca553da3872727a2e4262190f4d5c01241cb14e8
 	sha256sums = fcaf536e4fc307958923b58f2baf3d3102ad694efc28506f6f95a9e64483fa57
 	sha256sums = 831a70809e6bec766138d7a1c96643732df9a2c0c5f77ee44b47ce4be882e0af
+	sha256sums = 3950d5d64822b4a34ca0358389216eed25e159751006d674e7cb491aa3b54d0b
+	sha256sums = 700af48c541f613b376eb7a7e567d13c0eba7a835d0aaa9d4b0431ebdd9f397c
+	sha256sums = 67013743ba8ff1663b233f50fae88989d36504de83fca5f93af5623f2bef6920
 	sha256sums = ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9
 	sha256sums = 2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776
 
@@ -166,7 +172,7 @@ pkgname = xorg-server-common-dev
 	depends = xorg-xkbcomp
 	depends = xorg-setxkbmap
 	depends = xorg-fonts-misc
-	provides = xorg-server-common=1.19.3-2
+	provides = xorg-server-common=1.19.3-3
 	conflicts = xorg-server-common
 
 pkgname = xorg-server-devel-dev
diff --git a/CVE-2017-10971.patch b/CVE-2017-10971.patch
new file mode 100644
index 000000000000..2696033e58c2
--- /dev/null
+++ b/CVE-2017-10971.patch
@@ -0,0 +1,153 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: dix: Disallow GenericEvent in SendEvent request.
+
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+         client->errorValue = stuff->event.u.u.type;
+         return BadValue;
+     }
++    /* Generic events can have variable size, but SendEvent request holds
++       exactly 32B of event data. */
++    if (stuff->event.u.u.type == GenericEvent) {
++        client->errorValue = stuff->event.u.u.type;
++        return BadValue;
++    }
+     if (stuff->event.u.u.type == ClientMessage &&
+         stuff->event.u.u.detail != 8 &&
+         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- a/dix/swapreq.c
++++ b/dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+     swapl(&stuff->destination);
+     swapl(&stuff->eventMask);
+ 
++    /* Generic events can have variable size, but SendEvent request holds
++       exactly 32B of event data. */
++    if (stuff->event.u.u.type == GenericEvent) {
++        client->errorValue = stuff->event.u.u.type;
++        return BadValue;
++    }
++
+     /* Swap event */
+     proc = EventSwapVector[stuff->event.u.u.type & 0177];
+     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
+-- 
+cgit v0.10.2
+
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: Xi: Verify all events in ProcXSendExtensionEvent.
+
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+-    int ret;
++    int ret, i;
+     DeviceIntPtr dev;
+     xEvent *first;
+     XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+     /* The client's event type must be one defined by an extension. */
+ 
+     first = ((xEvent *) &stuff[1]);
+-    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+-          (first->u.u.type < lastEvent))) {
+-        client->errorValue = first->u.u.type;
+-        return BadValue;
++    for (i = 0; i < stuff->num_events; i++) {
++        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
++            (first[i].u.u.type < lastEvent))) {
++            client->errorValue = first[i].u.u.type;
++            return BadValue;
++        }
+     }
+ 
+     list = (XEventClass *) (first + stuff->num_events);
+-- 
+cgit v0.10.2
+
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+ 
+     eventP = (xEvent *) &stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
++        if (eventP->u.u.type == GenericEvent) {
++            client->errorValue = eventP->u.u.type;
++            return BadValue;
++        }
++
+         proc = EventSwapVector[eventP->u.u.type & 0177];
+-        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
++        /* no swapping proc; invalid event type? */
++        if (proc == NotImplemented) {
++            client->errorValue = eventP->u.u.type;
+             return BadValue;
++        }
+         (*proc) (eventP, &eventT);
+         *eventP = eventT;
+     }
+-- 
+cgit v0.10.2
+
diff --git a/CVE-2017-10972.patch b/CVE-2017-10972.patch
new file mode 100644
index 000000000000..f24e9c0ae688
--- /dev/null
+++ b/CVE-2017-10972.patch
@@ -0,0 +1,35 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+     CARD32 *p;
+     int i;
+-    xEvent eventT;
++    xEvent eventT = { .u.u.type = 0 };
+     xEvent *eventP;
+     EventSwapPtr proc;
+ 
+-- 
+cgit v0.10.2
+
diff --git a/PKGBUILD b/PKGBUILD
index e89504a3babf..c2ce2895ca46 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@
 _pkgbase=xorg-server
 pkgname=('xorg-server-dev' 'xorg-server-xephyr-dev' 'xorg-server-xdmx-dev' 'xorg-server-xvfb-dev' 'xorg-server-xnest-dev' 'xorg-server-xwayland-dev' 'xorg-server-common-dev' 'xorg-server-devel-dev')
 pkgver=1.19.3 # https://lists.x.org/archives/xorg/2017-March/058662.html
-pkgrel=2 # https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/xorg-server&id=013fa1ab41b5a4f8ba9bd1072810daacc17644a4
+pkgrel=3 # https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/xorg-server&id=c24304917e61de5de15695065f8a9be89d77818c
 arch=('i686' 'x86_64')
 license=('custom')
 groups=('xorg')
@@ -20,6 +20,9 @@ source=(${url}/releases/individual/xserver/${_pkgbase}-${pkgver}.tar.bz2{,.sig}
         nvidia-add-modulepath-support.patch
         xserver-autobind-hotplug.patch
         modesetting-Set-correct-DRM-event-context-version.patch
+        CVE-2017-10971.patch
+        CVE-2017-10972.patch
+        bug99708.patch
         xvfb-run
         xvfb-run.1)
 validpgpkeys=('7B27A3F1A6E18CD9588B4AE8310180050905E40C'
@@ -30,6 +33,9 @@ sha256sums=('677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98'
             '914a8d775b708f836ae3f0eeca553da3872727a2e4262190f4d5c01241cb14e8'
             'fcaf536e4fc307958923b58f2baf3d3102ad694efc28506f6f95a9e64483fa57'
             '831a70809e6bec766138d7a1c96643732df9a2c0c5f77ee44b47ce4be882e0af'
+            '3950d5d64822b4a34ca0358389216eed25e159751006d674e7cb491aa3b54d0b'
+            '700af48c541f613b376eb7a7e567d13c0eba7a835d0aaa9d4b0431ebdd9f397c'
+            '67013743ba8ff1663b233f50fae88989d36504de83fca5f93af5623f2bef6920'
             'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9'
             '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776')
 
@@ -45,11 +51,27 @@ prepare() {
   msg2 "merged in trunk"
   patch -Np1 -i ../modesetting-Set-correct-DRM-event-context-version.patch
 
+  msg2 "Security: CVE-2017-10971"
+  patch -Np1 -i ../CVE-2017-10971.patch
+
+  msg2 "Security: CVE-2017-10972"
+  patch -Np1 -i ../CVE-2017-10972.patch
+
+  msg2 "Fix Glamor lines: https://bugs.archlinux.org/task/53404"
+  patch -Np1 -i ../bug99708.patch
+
   msg2 "Starting autoreconf..."
   autoreconf -vfi
 }
 
 build() {
+  # Since pacman 5.0.2-2, hardened flags are now enabled in makepkg.conf
+  # With them, modules fail to load with undefined symbol.
+  # See https://bugs.archlinux.org/task/55102 / https://bugs.archlinux.org/task/54845
+  export CFLAGS=${CFLAGS/-fno-plt}
+  export CXXFLAGS=${CXXFLAGS/-fno-plt}
+  export LDFLAGS=${LDFLAGS/,-z,now}
+
   cd "${_pkgbase}-${pkgver}"
 
   msg2 "Starting ./configure..."
diff --git a/bug99708.patch b/bug99708.patch
new file mode 100644
index 000000000000..f9ab520be58c
--- /dev/null
+++ b/bug99708.patch
@@ -0,0 +1,33 @@
+From fe0b297420fc1de8a7fab28457d0864b3182e967 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Wed, 15 Mar 2017 17:51:46 -0700
+Subject: glamor: Fix dashed line rendering.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We were binding the screen pixmap as the dash and sampling its alpha,
+which is usually just 1.0 (no dashing at all).
+
+Please cherry-pick this to active stable branches.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+
+diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c
+index 78a4fa3..b53ce5c 100644
+--- a/glamor/glamor_dash.c
++++ b/glamor/glamor_dash.c
+@@ -147,7 +147,7 @@ glamor_dash_setup(DrawablePtr drawable, GCPtr gc)
+         goto bail;
+ 
+     dash_pixmap = glamor_get_dash_pixmap(gc);
+-    dash_priv = glamor_get_pixmap_private(pixmap);
++    dash_priv = glamor_get_pixmap_private(dash_pixmap);
+ 
+     if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv))
+         goto bail;
+-- 
+cgit v0.10.2
+