nx-libs/nx-X11/programs/Xserver/GL, branch pr/render-cve-fixes NXv3 (redistributed) https://cgit.arctica-project.org/nx-libs/atom?h=pr%2Frender-cve-fixes 2015-04-22T04:22:37+00:00 library clean-up: Don't build and link libXfont.a anymore. Use system's libXfont shared library and link dynamically. 2015-04-22T04:22:37+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-14T07:24:55+00:00 urn:sha1:70b77a0fc329e2e205a596a738c7307d354e7b1c glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3) 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:48+00:00 urn:sha1:1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8] (v3) 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:43+00:00 urn:sha1:9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) v3: backport to RHEL5 v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swap glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8] 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:47+00:00 urn:sha1:8931066077a04999d973932e04da577bd6906c82 v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fix safe_Add glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8] 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:44+00:00 urn:sha1:ad29acd7697e18333e164b1746f61c5a9e29a436 v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6] 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:42+00:00 urn:sha1:ddb1235bc621d06bf28309be70c173ae06131edf v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8] (v3) 2015-02-14T15:14:32+00:00 Julien Cristau jcristau@debian.org 2014-11-10T17:13:41+00:00 urn:sha1:78b38a8a37e6105360c82a710ef62c92643ea4c1 v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) v3: backport to RHEL5 hit old paths v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] (v4) 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:40+00:00 urn:sha1:1a9f23118787be611b6db51e4eac864c43c702d9 These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) v4: RHEL5: add limits.h, use inline v5: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:38+00:00 urn:sha1:d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6] 2015-02-14T15:14:32+00:00 Adam Jackson ajax@redhat.com 2014-11-10T17:13:37+00:00 urn:sha1:cdf0c3e65670c797a4fd0617d44d2bdff4011815 Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>