Commit Graph

6283 Commits

Author SHA1 Message Date
matthieu
f51fea01a3 MFC: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176) 2017-10-14 09:35:14 +00:00
matthieu
186982901a MFC: dbe: Unvalidated variable-length request in
ProcDbeGetVisualInfo (CVE-2017-12177)

v2: Protect against integer overflow (Alan Coopersmith)
2017-10-14 09:33:48 +00:00
matthieu
394a8aee54 MFC: Xi: fix wrong extra length check in ProcXIChangeHierarchy
(CVE-2017-12178)
2017-10-14 09:32:30 +00:00
matthieu
74d10c412f MFC: Xi: integer overflow and unvalidated length in
(S)ProcXIBarrierReleasePointer

[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]

This addresses CVE-2017-12179
2017-10-14 09:30:50 +00:00
matthieu
792e23cc09 MFC: Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause
reading or swapping of values on heap behind the receive buffer.
2017-10-14 09:29:01 +00:00
matthieu
515a707d86 MFC: hw/xfree86: unvalidated lengths
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
2017-10-14 09:24:30 +00:00
matthieu
d62483048a MFC: xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
2017-10-14 09:22:49 +00:00
matthieu
3b3c79f0b0 MFC: Unvalidated lengths
v2: Add overflow check and remove unnecessary check (Julien Cristau)

This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
2017-10-14 09:20:42 +00:00
matthieu
fe08a081d8 MFC: os: Make sure big requests have sufficient length.
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF.  Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
2017-10-14 09:17:40 +00:00
matthieu
9b9efb1bdf MFC: xkb: Handle xkb formated string output safely (CVE-2017-13723)
Generating strings for XKB data used a single shared static buffer,
which offered several opportunities for errors. Use a ring of
resizable buffers instead, to avoid problems when strings end up
longer than anticipated.
2017-10-14 09:15:11 +00:00
matthieu
fd77a34918 MFC: xkb: Escape non-printable characters correctly
XkbStringText escapes non-printable characters using octal numbers.
Such escape sequence would be at most 5 characters long ("\0123"), so
it reserves 5 bytes in the buffer. Due to char->unsigned int
conversion, it would print much longer string for negative numbers.
2017-10-14 09:12:44 +00:00
matthieu
2f2a50b99b MFC: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
2017-10-14 09:06:06 +00:00
matthieu
7e1ada6240 MFC: pcfGetProperties: Check string boundaries (CVE-2017-13722)
Without the checks a malformed PCF file can cause the library to make
atom from random heap memory that was behind the `strings` buffer.
This may crash the process or leak information.
2017-10-14 09:03:00 +00:00
matthieu
dadc83bba7 MFC: Check for end of string in PatternMatch (CVE-2017-13720)
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
2017-10-14 09:02:08 +00:00
matthieu
ca5563feca Remove xdm. Unhooked since more than 6 months. 2017-10-12 19:32:43 +00:00
matthieu
08a235a628 chown before chmod
This prevents a malicious user logging out from calling
chmod while still owning /dev/console and thus by-passing
the '622' mode that is set here.

Issue reported by Tim Chase. Thanks.


Merged from xdm upstreams
2017-10-04 18:28:59 +00:00
matthieu
c6ab499027 Force Intel Ironlake chipsets to use the xf86-video-intel driver.
stsp@ reported that modesetting(4) has been reported unreliable
on his laptop, while intel(4) works.

XXXX to be removed after 6.2 to figure out and fix the issue.

ok kettenis@, also discussed briefly with deraadt@ during EuroBSDCon.
2017-09-25 15:05:57 +00:00
matthieu
b11b21f03a updates 2017-09-17 10:54:40 +00:00
okan
b853354218 Case matters for menu matching on executables; from ben@lloyd.im. 2017-09-06 14:15:13 +00:00
deraadt
5150e677a9 backout hard-coded behaviour change which was not discussed, in
particular no justification for why the current behaviour is wrong
2017-09-05 17:48:07 +00:00
dcoppa
44401622e1 amend comment 2017-08-30 07:59:00 +00:00
dcoppa
7055fe14e7 Use 'unix:0' for the DISPLAY environment variable
ok matthieu@
2017-08-30 07:48:56 +00:00
anton
12dfb02fe0 Fix error check according to the secure idiom described in the snprintf(3)
manual.

ok dcoppa@
2017-08-29 08:50:37 +00:00
dcoppa
7069c249d5 When xinit starts an X server that listens only on UNIX socket,
prefer DISPLAY=unix:0 rather than DISPLAY=:0.
This will prevent applications from ever falling back to TCP if the
UNIX socket connection fails (such as when the X server crashes).

joint work with tb@
cluebat and ok matthieu@
2017-08-28 15:13:11 +00:00
jsg
e96db7b009 update 2017-08-26 17:08:40 +00:00
jsg
ad2ad70ae1 Revert to Mesa 13.0.6 to hopefully address rendering issues a handful of
people have reported with xpdf/fvwm on ivy bridge with modesetting driver.
2017-08-26 16:59:17 +00:00
jsg
754e2ec1d4 Make disabling regenerating source files provided in Mesa distfiles that
require python/bison a configure flag instead of the previous way of
testing whether python was found (which shouldn't be the case in
xenocara even with ports packages installed).

This is required when timestamps change on files causing targets to be
invoked that will break if python and bison aren't available and found
in path by the configure script.
2017-08-26 05:58:10 +00:00
matthieu
1711398f5e Missing dot breaks semantic markup. from Klemens Nanni. Thanks. 2017-08-22 06:54:08 +00:00
jsg
9756fc3fb4 sync 2017-08-21 14:34:19 +00:00
matthieu
26a8646efb add pledge. ok tb@ 2017-08-20 16:43:25 +00:00
matthieu
83cf67e9fb Close stdio before entering main loop. ok tb@ 2017-08-20 16:42:21 +00:00
matthieu
b9ed073e62 update 2017-08-19 10:12:38 +00:00
matthieu
fdce463043 Update to fontconfig 2.12.4. No API change. 2017-08-19 10:11:04 +00:00
matthieu
03a8a8ee13 xdm -> xenodm. From Kemmens Nanni. Thanks. 2017-08-19 09:12:13 +00:00
deraadt
3d1f4a5a35 sync 2017-08-16 09:51:07 +00:00
jsg
c97e30df70 regen 2017-08-14 11:21:30 +00:00
jsg
46c4fa732b cope with cvs import changing timestamps which caused make rules that
invoke python to attempt to run and fail
2017-08-14 11:17:43 +00:00
jsg
9a7755e9f5 update 2017-08-14 10:04:25 +00:00
jsg
a35683fd86 sync 2017-08-14 10:00:55 +00:00
jsg
36c1bd020e Merge Mesa 17.1.6 2017-08-14 09:57:57 +00:00
jsg
6526d3319e Import Mesa 17.1.6 2017-08-14 09:30:06 +00:00
matthieu
b8da768ee9 Disable SSE optimizations on i386/amd64 for SlowBcopy.
It is supposed to be slow, and when such instructions are used to copy
data from/to mapped video memory, some hypervisors (e.g. KVM,
Microsoft Hyper-V) can generate SIGILL or SIGBUS exceptions, causing
Xorg to crash.

Bug report to OpenBSD by Max Parmer, fix from FreeBSD (Dimitry Andric)
via kettenis@

ok kettenis@
2017-08-07 19:17:56 +00:00
kettenis
38475bb3b2 Create on OpenBSD-specific version of listPossibleVideoDrivers() that takes
care of autoconfiguration based on the information returned by the
WSDISPLAYIO_GTYPE ioctl of the console FD.  This should fix selection of
wsfb on loongson and sgi when using a non-KMS kernel driver.

ok matthieu@, jsg@
2017-08-07 12:30:34 +00:00
jasper
dc1b9a9b21 update 2017-08-07 07:03:44 +00:00
jsg
ead429dea9 update 2017-08-05 14:29:27 +00:00
jsg
1a7fdf6cc4 sync 2017-08-05 14:27:02 +00:00
jsg
e188ddf96e Merge libdrm 2.4.82 2017-08-05 14:21:16 +00:00
jsg
fb01c3ceed Import libdrm 2.4.82 2017-08-05 14:15:15 +00:00
robert
06a1409c9f check for typeof() and define HAVE_TYPEOF if available so that we use
the proper implementation of __container_of from xorg's list.h

ok kettenis@
2017-07-27 15:24:55 +00:00
matthieu
e1e9d732f3 Stop abusing cpp as generic macro processor in the build system.
ok naddy@
2017-07-26 21:14:54 +00:00