packages/wayland
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!20 fix CVE-2021-3782

Browse Source 
From: @kerongw 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2022-09-14 03:01:19 +00:00 committed by Gitee
commit 80283b5f9d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 112 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
backport-CVE-2021-3782.patch Normal file
View File

@ -0,0 +1,106 @@
From b19488c7154b902354cb26a27f11415d7799b0b2 Mon Sep 17 00:00:00 2001
From: Derek Foreman <derek.foreman@collabora.com>
Date: Fri, 28 Jan 2022 13:18:37 -0600
Subject: [PATCH] util: Limit size of wl_map
Since server IDs are basically indistinguishable from really big client
IDs at many points in the source, it's theoretically possible to overflow
a map and either overflow server IDs into the client ID space, or grow
client IDs into the server ID space. This would currently take a massive
amount of RAM, but the definition of massive changes yearly.
Prevent this by placing a ridiculous but arbitrary upper bound on the
number of items we can put in a map: 0xF00000, somewhere over 15 million.
This should satisfy pathological clients without restriction, but stays
well clear of the 0xFF000000 transition point between server and client
IDs. It will still take an improbable amount of RAM to hit this, and a
client could still exhaust all RAM in this way, but our goal is to prevent
overflow and undefined behaviour.
Fixes #224
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
Conflict:NA
Reference:https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
---
src/wayland-private.h | 1 +
src/wayland-util.c | 25 +++++++++++++++++++++++--
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/wayland-private.h b/src/wayland-private.h
index 210451e..9274f1b 100644
--- a/src/wayland-private.h
+++ b/src/wayland-private.h
@@ -45,6 +45,7 @@
#define WL_MAP_SERVER_SIDE 0
#define WL_MAP_CLIENT_SIDE 1
#define WL_SERVER_ID_START 0xff000000
+#define WL_MAP_MAX_OBJECTS 0x00f00000
#define WL_CLOSURE_MAX_ARGS 20
struct wl_object {
diff --git a/src/wayland-util.c b/src/wayland-util.c
index c89a67b..997a2c7 100644
--- a/src/wayland-util.c
+++ b/src/wayland-util.c
@@ -197,6 +197,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
union map_entry *start, *entry;
struct wl_array *entries;
uint32_t base;
+ uint32_t count;
if (map->side == WL_MAP_CLIENT_SIDE) {
entries = &map->client_entries;
@@ -217,10 +218,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
start = entries->data;
}
+ /* wl_array only grows, so if we have too many objects at
+ * this point there's no way to clean up. We could be more
+ * pro-active about trying to avoid this allocation, but
+ * it doesn't really matter because at this point there is
+ * nothing to be done but disconnect the client and delete
+ * the whole array either way.
+ */
+ count = entry - start;
+ if (count > WL_MAP_MAX_OBJECTS) {
+ /* entry->data is freshly malloced garbage, so we'd
+ * better make it a NULL so wl_map_for_each doesn't
+ * dereference it later. */
+ entry->data = NULL;
+ return 0;
+ }
entry->data = data;
entry->next |= (flags & 0x1) << 1;
- return (entry - start) + base;
+ return count + base;
}
int
@@ -237,6 +253,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
i -= WL_SERVER_ID_START;
}
+ if (i > WL_MAP_MAX_OBJECTS)
+ return -1;
+
count = entries->size / sizeof *start;
if (count < i)
return -1;
@@ -271,8 +290,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i)
i -= WL_SERVER_ID_START;
}
- count = entries->size / sizeof *start;
+ if (i > WL_MAP_MAX_OBJECTS)
+ return -1;
+ count = entries->size / sizeof *start;
if (count < i)
return -1;
--
2.33.0

7
wayland.spec
View File

@ -1,11 +1,13 @@
Name: wayland Name: wayland
Version: 1.20.0 Version: 1.20.0
Release: 5 Release: 6
Summary: Wayland Compositor Infrastructure Summary: Wayland Compositor Infrastructure
License: MIT License: MIT
URL: http://wayland.freedesktop.org/ URL: http://wayland.freedesktop.org/
Source0: http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz Source0: http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz
Patch6000: backport-CVE-2021-3782.patch
BuildRequires: gcc gcc-c++ docbook-style-xsl doxygen expat-devel BuildRequires: gcc gcc-c++ docbook-style-xsl doxygen expat-devel
BuildRequires: libxml2-devel libxslt pkgconfig(libffi) xmlto graphviz meson BuildRequires: libxml2-devel libxslt pkgconfig(libffi) xmlto graphviz meson
@ -91,6 +93,9 @@ developing applications that use %{name}.
%{_datadir}/doc/wayland/ %{_datadir}/doc/wayland/
%changelog %changelog
* Wed Sep 14 2022 wangkerong <wangkerong@h-partners.com> - 1.20.0-6
- fix CVE-2021-3782
* Wed Aug 03 2022 wangkerong <wangkerong@h-partners.com> - 1.20.0-5 * Wed Aug 03 2022 wangkerong <wangkerong@h-partners.com> - 1.20.0-5
- revert remove rpath - revert remove rpath