From 605f238e8be2d35c029b2525dc0c2132fc6039ef Mon Sep 17 00:00:00 2001 From: André Fabian Silva Delgado Date: Tue, 9 Jun 2015 23:10:37 -0300 Subject: xorg-server-1.17.1-6.parabola1: fix FS#45245 (https://bugs.archlinux.org/task/45245), FS#45229 (https://bugs.archlinux.org/task/45229), CVE-2015-3164 --- ...accelerated-valuators-to-the-ValuatorMask.patch | 210 ++++++++++++++ ...sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch | 51 ++++ ...-hook-up-the-unaccelerated-valuator-masks.patch | 134 +++++++++ libre/xorg-server/PKGBUILD | 35 ++- libre/xorg-server/fix-CVE-2015-3164.patch | 311 +++++++++++++++++++++ 5 files changed, 731 insertions(+), 10 deletions(-) create mode 100644 libre/xorg-server/0001-dix-Add-unaccelerated-valuators-to-the-ValuatorMask.patch create mode 100644 libre/xorg-server/0001-sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch create mode 100644 libre/xorg-server/0002-dix-hook-up-the-unaccelerated-valuator-masks.patch create mode 100644 libre/xorg-server/fix-CVE-2015-3164.patch diff --git a/libre/xorg-server/0001-dix-Add-unaccelerated-valuators-to-the-ValuatorMask.patch b/libre/xorg-server/0001-dix-Add-unaccelerated-valuators-to-the-ValuatorMask.patch new file mode 100644 index 000000000..86744f140 --- /dev/null +++ b/libre/xorg-server/0001-dix-Add-unaccelerated-valuators-to-the-ValuatorMask.patch @@ -0,0 +1,210 @@ +From e1a7f4bb5333b0271d29f785eb55f1c3273e626a Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 May 2015 14:18:54 +1000 +Subject: [PATCH] dix: Add unaccelerated valuators to the ValuatorMask + +Allows a mask to carry both accelerated and unaccelerated motion at the same +time. + +This is required for xf86-input-libinput where the pointer acceleration +happens in libinput already, but parts of the server, specifically raw events +and DGA rely on device-specific unaccelerated data. + +To ease integration add this as a second set to the ValuatorMask rather than +extending all APIs to carry a second, possibly NULL set of valuators. + +Note that a valuator mask should only be used in either accel/unaccel or +standard mode at any time. Switching requires either a valuator_mask_zero() +call or unsetting all valuators one-by-one. Trying to mix the two will produce +a warning. + +The server has a shortcut for changing a mask with the +valuator_mask_drop_unaccelerated() call. This saves us from having to loop +through all valuators on every event, we can just drop the bits we know we +don't want. + +Signed-off-by: Peter Hutterer +Reviewed-by: Hans de Goede +--- + dix/inpututils.c | 82 +++++++++++++++++++++++++++++++++++++++--- + hw/xfree86/common/xf86Module.h | 2 +- + include/input.h | 15 ++++++++ + include/inpututils.h | 2 ++ + 4 files changed, 95 insertions(+), 6 deletions(-) + +diff --git a/dix/inpututils.c b/dix/inpututils.c +index 5c2a32d..1363988 100644 +--- a/dix/inpututils.c ++++ b/dix/inpututils.c +@@ -505,11 +505,8 @@ valuator_mask_isset(const ValuatorMask *mask, int valuator) + return mask->last_bit >= valuator && BitIsOn(mask->mask, valuator); + } + +-/** +- * Set the valuator to the given floating-point data. +- */ +-void +-valuator_mask_set_double(ValuatorMask *mask, int valuator, double data) ++static inline void ++_valuator_mask_set_double(ValuatorMask *mask, int valuator, double data) + { + mask->last_bit = max(valuator, mask->last_bit); + SetBit(mask->mask, valuator); +@@ -517,6 +514,17 @@ valuator_mask_set_double(ValuatorMask *mask, int valuator, double data) + } + + /** ++ * Set the valuator to the given floating-point data. ++ */ ++void ++valuator_mask_set_double(ValuatorMask *mask, int valuator, double data) ++{ ++ BUG_WARN_MSG(mask->has_unaccelerated, ++ "Do not mix valuator types, zero mask first\n"); ++ _valuator_mask_set_double(mask, valuator, data); ++} ++ ++/** + * Set the valuator to the given integer data. + */ + void +@@ -594,11 +602,15 @@ valuator_mask_unset(ValuatorMask *mask, int valuator) + + ClearBit(mask->mask, valuator); + mask->valuators[valuator] = 0.0; ++ mask->unaccelerated[valuator] = 0.0; + + for (i = 0; i <= mask->last_bit; i++) + if (valuator_mask_isset(mask, i)) + lastbit = max(lastbit, i); + mask->last_bit = lastbit; ++ ++ if (mask->last_bit == -1) ++ mask->has_unaccelerated = FALSE; + } + } + +@@ -611,6 +623,66 @@ valuator_mask_copy(ValuatorMask *dest, const ValuatorMask *src) + valuator_mask_zero(dest); + } + ++Bool ++valuator_mask_has_unaccelerated(const ValuatorMask *mask) ++{ ++ return mask->has_unaccelerated; ++} ++ ++void ++valuator_mask_drop_unaccelerated(ValuatorMask *mask) ++{ ++ memset(mask->unaccelerated, 0, sizeof(mask->unaccelerated)); ++ mask->has_unaccelerated = FALSE; ++} ++ ++/** ++ * Set both accelerated and unaccelerated value for this mask. ++ */ ++void ++valuator_mask_set_unaccelerated(ValuatorMask *mask, ++ int valuator, ++ double accel, ++ double unaccel) ++{ ++ BUG_WARN_MSG(mask->last_bit != -1 && !mask->has_unaccelerated, ++ "Do not mix valuator types, zero mask first\n"); ++ _valuator_mask_set_double(mask, valuator, accel); ++ mask->has_unaccelerated = TRUE; ++ mask->unaccelerated[valuator] = unaccel; ++} ++ ++double ++valuator_mask_get_accelerated(const ValuatorMask *mask, ++ int valuator) ++{ ++ return valuator_mask_get_double(mask, valuator); ++} ++ ++double ++valuator_mask_get_unaccelerated(const ValuatorMask *mask, ++ int valuator) ++{ ++ return mask->unaccelerated[valuator]; ++} ++ ++Bool ++valuator_mask_fetch_unaccelerated(const ValuatorMask *mask, ++ int valuator, ++ double *accel, ++ double *unaccel) ++{ ++ if (valuator_mask_isset(mask, valuator)) { ++ if (accel) ++ *accel = valuator_mask_get_accelerated(mask, valuator); ++ if (unaccel) ++ *unaccel = valuator_mask_get_unaccelerated(mask, valuator); ++ return TRUE; ++ } ++ else ++ return FALSE; ++} ++ + int + CountBits(const uint8_t * mask, int len) + { +diff --git a/hw/xfree86/common/xf86Module.h b/hw/xfree86/common/xf86Module.h +index e68fe9c..6133641 100644 +--- a/hw/xfree86/common/xf86Module.h ++++ b/hw/xfree86/common/xf86Module.h +@@ -81,7 +81,7 @@ typedef enum { + */ + #define ABI_ANSIC_VERSION SET_ABI_VERSION(0, 4) + #define ABI_VIDEODRV_VERSION SET_ABI_VERSION(19, 0) +-#define ABI_XINPUT_VERSION SET_ABI_VERSION(21, 0) ++#define ABI_XINPUT_VERSION SET_ABI_VERSION(21, 1) + #define ABI_EXTENSION_VERSION SET_ABI_VERSION(9, 0) + #define ABI_FONT_VERSION SET_ABI_VERSION(0, 6) + +diff --git a/include/input.h b/include/input.h +index bf22dc7..0a4c4f7 100644 +--- a/include/input.h ++++ b/include/input.h +@@ -674,6 +674,21 @@ extern _X_EXPORT Bool valuator_mask_fetch(const ValuatorMask *mask, + extern _X_EXPORT Bool valuator_mask_fetch_double(const ValuatorMask *mask, + int valnum, double *val); + ++extern _X_EXPORT Bool valuator_mask_has_unaccelerated(const ValuatorMask *mask); ++extern _X_EXPORT void valuator_mask_set_unaccelerated(ValuatorMask *mask, ++ int valuator, ++ double accel, ++ double unaccel); ++extern _X_EXPORT double valuator_mask_get_accelerated(const ValuatorMask *mask, ++ int valuator); ++extern _X_EXPORT double valuator_mask_get_unaccelerated(const ValuatorMask *mask, ++ int valuator); ++extern _X_EXPORT Bool valuator_mask_fetch_unaccelerated(const ValuatorMask *mask, ++ int valuator, ++ double *accel, ++ double *unaccel); ++extern _X_HIDDEN void valuator_mask_drop_unaccelerated(ValuatorMask *mask); ++ + /* InputOption handling interface */ + extern _X_EXPORT InputOption *input_option_new(InputOption *list, + const char *key, +diff --git a/include/inpututils.h b/include/inpututils.h +index 53c96ba..4e90815 100644 +--- a/include/inpututils.h ++++ b/include/inpututils.h +@@ -36,8 +36,10 @@ extern Mask event_filters[MAXDEVICES][MAXEVENTS]; + + struct _ValuatorMask { + int8_t last_bit; /* highest bit set in mask */ ++ int8_t has_unaccelerated; + uint8_t mask[(MAX_VALUATORS + 7) / 8]; + double valuators[MAX_VALUATORS]; /* valuator data */ ++ double unaccelerated[MAX_VALUATORS]; /* valuator data */ + }; + + extern void verify_internal_event(const InternalEvent *ev); +-- +2.4.1 + diff --git a/libre/xorg-server/0001-sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch b/libre/xorg-server/0001-sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch new file mode 100644 index 000000000..0e0b20df6 --- /dev/null +++ b/libre/xorg-server/0001-sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch @@ -0,0 +1,51 @@ +From 612eb45a2e7a0b35cc3790870e6d0cc42eb50c74 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 11 Feb 2015 16:26:40 +0100 +Subject: [PATCH] sdksyms.sh: Make sdksyms.sh work with gcc5. + +gcc5's cpp inserts patterns like this: + +extern + __attribute__((visibility("default"))) + int WaitForSomething(int * + ); + +This patch make sdksyms.sh work with this. Note my awk skills are weak, so +there likely is a better way to deal with this. + +Signed-off-by: Hans de Goede +--- + hw/xfree86/sdksyms.sh | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/hw/xfree86/sdksyms.sh b/hw/xfree86/sdksyms.sh +index 2305073..99b0cae 100755 +--- a/hw/xfree86/sdksyms.sh ++++ b/hw/xfree86/sdksyms.sh +@@ -350,6 +350,23 @@ BEGIN { + if (sdk) { + n = 3; + ++ # detect the following gcc5 cpp pattern and skip it: ++ # extern ++ # # 320 "../../include/os.h" 3 4 ++ # __attribute__((visibility("default"))) ++ # # 320 "../../include/os.h" ++ # Note in this case the "extern " or "extern void " always has ++ # a trailing space ++ if ($0 ~ "^extern.* $") { ++ getline; ++ getline; ++ getline; ++ getline; ++ n = 1; ++ while ($n == " ") ++ n++; ++ } ++ + # skip attribute, if any + while ($n ~ /^(__attribute__|__global)/ || + # skip modifiers, if any +-- +2.1.0 + diff --git a/libre/xorg-server/0002-dix-hook-up-the-unaccelerated-valuator-masks.patch b/libre/xorg-server/0002-dix-hook-up-the-unaccelerated-valuator-masks.patch new file mode 100644 index 000000000..6b8b1e5b5 --- /dev/null +++ b/libre/xorg-server/0002-dix-hook-up-the-unaccelerated-valuator-masks.patch @@ -0,0 +1,134 @@ +From 7504fbd2239257f1a00a1a15d02862eea81f167c Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 May 2015 14:48:41 +1000 +Subject: [PATCH] dix: hook up the unaccelerated valuator masks + +If present, access the unaccelerated valuator mask values for DGA and XI2 raw +events. + +Signed-off-by: Peter Hutterer +Reviewed-by: Hans de Goede +--- + dix/getevents.c | 31 ++++++++++++++++++++++--------- + hw/xfree86/common/xf86Xinput.c | 4 ++++ + 2 files changed, 26 insertions(+), 9 deletions(-) + +diff --git a/dix/getevents.c b/dix/getevents.c +index 6fb12c5..64bf76e 100644 +--- a/dix/getevents.c ++++ b/dix/getevents.c +@@ -213,14 +213,25 @@ init_raw(DeviceIntPtr dev, RawDeviceEvent *event, Time ms, int type, int detail) + } + + static void +-set_raw_valuators(RawDeviceEvent *event, ValuatorMask *mask, double *data) ++set_raw_valuators(RawDeviceEvent *event, ValuatorMask *mask, ++ BOOL use_unaccel, double *data) + { + int i; + ++ use_unaccel = use_unaccel && valuator_mask_has_unaccelerated(mask); ++ + for (i = 0; i < valuator_mask_size(mask); i++) { + if (valuator_mask_isset(mask, i)) { ++ double v; ++ + SetBit(event->valuators.mask, i); +- data[i] = valuator_mask_get_double(mask, i); ++ ++ if (use_unaccel) ++ v = valuator_mask_get_unaccelerated(mask, i); ++ else ++ v = valuator_mask_get_double(mask, i); ++ ++ data[i] = v; + } + } + } +@@ -1138,11 +1149,11 @@ GetKeyboardEvents(InternalEvent *events, DeviceIntPtr pDev, int type, + valuator_mask_copy(&mask, mask_in); + + init_raw(pDev, raw, ms, type, key_code); +- set_raw_valuators(raw, &mask, raw->valuators.data_raw); ++ set_raw_valuators(raw, &mask, TRUE, raw->valuators.data_raw); + + clipValuators(pDev, &mask); + +- set_raw_valuators(raw, &mask, raw->valuators.data); ++ set_raw_valuators(raw, &mask, FALSE, raw->valuators.data); + + event = &events->device_event; + init_device_event(event, pDev, ms); +@@ -1423,9 +1434,11 @@ fill_pointer_events(InternalEvent *events, DeviceIntPtr pDev, int type, + num_events++; + + init_raw(pDev, raw, ms, type, buttons); +- set_raw_valuators(raw, &mask, raw->valuators.data_raw); ++ set_raw_valuators(raw, &mask, TRUE, raw->valuators.data_raw); + } + ++ valuator_mask_drop_unaccelerated(&mask); ++ + /* valuators are in driver-native format (rel or abs) */ + + if (flags & POINTER_ABSOLUTE) { +@@ -1438,7 +1451,7 @@ fill_pointer_events(InternalEvent *events, DeviceIntPtr pDev, int type, + transformAbsolute(pDev, &mask); + clipAbsolute(pDev, &mask); + if ((flags & POINTER_NORAW) == 0 && raw) +- set_raw_valuators(raw, &mask, raw->valuators.data); ++ set_raw_valuators(raw, &mask, FALSE, raw->valuators.data); + } + else { + transformRelative(pDev, &mask); +@@ -1446,7 +1459,7 @@ fill_pointer_events(InternalEvent *events, DeviceIntPtr pDev, int type, + if (flags & POINTER_ACCELERATE) + accelPointer(pDev, &mask, ms); + if ((flags & POINTER_NORAW) == 0 && raw) +- set_raw_valuators(raw, &mask, raw->valuators.data); ++ set_raw_valuators(raw, &mask, FALSE, raw->valuators.data); + + moveRelative(pDev, flags, &mask); + } +@@ -1951,7 +1964,7 @@ GetTouchEvents(InternalEvent *events, DeviceIntPtr dev, uint32_t ddx_touchid, + events++; + num_events++; + init_raw(dev, raw, ms, type, client_id); +- set_raw_valuators(raw, &mask, raw->valuators.data_raw); ++ set_raw_valuators(raw, &mask, TRUE, raw->valuators.data_raw); + } + + event = &events->device_event; +@@ -2013,7 +2026,7 @@ GetTouchEvents(InternalEvent *events, DeviceIntPtr dev, uint32_t ddx_touchid, + screeny = dev->spriteInfo->sprite->hotPhys.y; + } + if (need_rawevent) +- set_raw_valuators(raw, &mask, raw->valuators.data); ++ set_raw_valuators(raw, &mask, FALSE, raw->valuators.data); + + /* Indirect device touch coordinates are not used for cursor positioning. + * They are merely informational, and are provided in device coordinates. +diff --git a/hw/xfree86/common/xf86Xinput.c b/hw/xfree86/common/xf86Xinput.c +index 1fb5b16..5ce4c71 100644 +--- a/hw/xfree86/common/xf86Xinput.c ++++ b/hw/xfree86/common/xf86Xinput.c +@@ -1137,12 +1137,16 @@ xf86CheckMotionEvent4DGA(DeviceIntPtr device, int is_absolute, + dx = valuator_mask_get(mask, 0); + if (is_absolute) + dx -= device->last.valuators[0]; ++ else if (valuator_mask_has_unaccelerated(mask)) ++ dx = valuator_mask_get_unaccelerated(mask, 0); + } + + if (valuator_mask_isset(mask, 1)) { + dy = valuator_mask_get(mask, 1); + if (is_absolute) + dy -= device->last.valuators[1]; ++ else if (valuator_mask_has_unaccelerated(mask)) ++ dy = valuator_mask_get_unaccelerated(mask, 1); + } + + if (DGAStealMotionEvent(device, idx, dx, dy)) +-- +2.4.1 + diff --git a/libre/xorg-server/PKGBUILD b/libre/xorg-server/PKGBUILD index 1c1c62690..a539ebbd4 100644 --- a/libre/xorg-server/PKGBUILD +++ b/libre/xorg-server/PKGBUILD @@ -1,12 +1,12 @@ -# $Id: PKGBUILD 236527 2015-04-14 10:41:30Z lcarlier $ -# Maintainer: AndyRTR -# Maintainer: Jan de Groot -# Maintainer (Parabola): Márcio Silva +# $Id: PKGBUILD 240425 2015-06-08 19:29:45Z lcarlier $ +# Maintainer (Arch): AndyRTR +# Maintainer (Arch): Jan de Groot +# Maintainer: Márcio Silva pkgbase=xorg-server pkgname=('xorg-server') pkgver=1.17.1 -pkgrel=5.parabola1 # build first with 0.1 and then rebuild it after xf86-input-evdev rebuild +pkgrel=6.parabola1 # build first with 0.1 and then rebuild it after xf86-input-evdev rebuild arch=('i686' 'x86_64' 'mips64el') license=('custom') url="http://xorg.freedesktop.org" @@ -23,7 +23,11 @@ source=(${url}/releases/individual/xserver/${pkgbase}-${pkgver}.tar.bz2{,.sig} os-access-fix-regression-in-server-interpreted-auth.patch v2-xserver-Fix-a-crash-with-XDMCP-error-handler.patch 0001-int10-Fix-error-check-for-pci_device_map_legacy.patch - 0001-mi-Partial-pie-slice-filled-arcs-may-need-more-space.patch) + 0001-mi-Partial-pie-slice-filled-arcs-may-need-more-space.patch + 0001-sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch + 0001-dix-Add-unaccelerated-valuators-to-the-ValuatorMask.patch + 0002-dix-hook-up-the-unaccelerated-valuator-masks.patch + fix-CVE-2015-3164.patch) validpgpkeys=('7B27A3F1A6E18CD9588B4AE8310180050905E40C' 'C383B778255613DFDB409D91DB221A6900000011') sha256sums=('2bf8e9f6f0a710dec1d2472467bff1f4e247cb6dcd76eb469aafdc8a2d7db2ab' @@ -33,18 +37,29 @@ sha256sums=('2bf8e9f6f0a710dec1d2472467bff1f4e247cb6dcd76eb469aafdc8a2d7db2ab' '8a9d76eecf8795ca645fb1ce261733965578e953f6606153ce001a0e15d036e8' 'a73e33644682d9f430db987c192da0f7193907af50539669ebd59614a5ebd0f9' '2ea82cdbd695f21c935710847913ed58e22d3d5c0c18c96175a4a6cc1142c071' - 'ca89cc013844c5b50abfde4cc5e852ecdf4368f8b069ffd069a7100843c46e90') + 'ca89cc013844c5b50abfde4cc5e852ecdf4368f8b069ffd069a7100843c46e90' + 'b4a4fbddebfa614d1a97e77dde98748682ee331fbf7be394480050670d6203aa' + '3dc795002b8763a7d29db94f0af200131da9ce5ffc233bfd8916060f83a8fad7' + '416a1422eed71efcebb1d893de74e7f27e408323a56c4df003db37f5673b3f96' + 'bc6ac3e686e16f0357fd3b939c1c1f2845fdb444d5ec9c8c37fb69167cc54a28') prepare() { cd "${pkgbase}-${pkgver}" - # fix FS#43884, not yet upstream + # fix FS#43884, merged upstream patch -Np1 -i ../os-access-fix-regression-in-server-interpreted-auth.patch - # partially fix FS#43867, not yet upstream + # partially fix FS#43867, merged upstream patch -Np1 -i ../v2-xserver-Fix-a-crash-with-XDMCP-error-handler.patch # fix FS#43924, merged upstream patch -Np1 -i ../0001-int10-Fix-error-check-for-pci_device_map_legacy.patch # fix FS#43937, merged upstream patch -Np1 -i ../0001-mi-Partial-pie-slice-filled-arcs-may-need-more-space.patch + # fix FS#45245, merged upstream + patch -Np1 -i ../0001-sdksyms.sh-Make-sdksyms.sh-work-with-gcc5.patch + # fix FS#45229, merged upstream + patch -Np1 -i ../0001-dix-Add-unaccelerated-valuators-to-the-ValuatorMask.patch + patch -Np1 -i ../0002-dix-hook-up-the-unaccelerated-valuator-masks.patch + # fix CVE-2015-3164, merged upstream + patch -Np1 -i ../fix-CVE-2015-3164.patch # fix os name: #Build Operating System = OSNAME="--kernel-name --kernel-release --machine" OSVENDOR="" @@ -124,7 +139,7 @@ package_xorg-server() { depends=(libepoxy libxdmcp libxfont libpciaccess libdrm pixman libgcrypt libxau "xorg-server-common=$pkgver" xf86-input-evdev libxshmfence libgl) # see xorg-server-*/hw/xfree86/common/xf86Module.h for ABI versions - we provide major numbers that drivers can depend on # and /usr/lib/pkgconfig/xorg-server.pc in xorg-server-devel pkg - provides=('X-ABI-VIDEODRV_VERSION=19' 'X-ABI-XINPUT_VERSION=21' 'X-ABI-EXTENSION_VERSION=9.0' 'x-server') + provides=('X-ABI-VIDEODRV_VERSION=19' 'X-ABI-XINPUT_VERSION=21.1' 'X-ABI-EXTENSION_VERSION=9.0' 'x-server') groups=('xorg') conflicts=('nvidia-utils' 'glamor-egl' 'xf86-video-modesetting' "${pkgbase}-libre" "${pkgbase}-parabola") replaces=('nvidia-utils' 'glamor-egl' 'xf86-video-modesetting' "${pkgbase}-libre" "${pkgbase}-parabola") diff --git a/libre/xorg-server/fix-CVE-2015-3164.patch b/libre/xorg-server/fix-CVE-2015-3164.patch new file mode 100644 index 000000000..e2ee12973 --- /dev/null +++ b/libre/xorg-server/fix-CVE-2015-3164.patch @@ -0,0 +1,311 @@ +From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 5 May 2015 16:43:42 -0400 +Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3] + +Xwayland currently allows wide-open access to the X sockets +it listens on, ignoring Xauth access control. + +This commit makes sure to enable access control on the sockets, +so one user can't snoop on another user's X-over-wayland +applications. + +Signed-off-by: Ray Strode +Reviewed-by: Daniel Stone +Reviewed-by: Alan Coopersmith +Signed-off-by: Keith Packard + +diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c +index 7e8d667..c5bee77 100644 +--- a/hw/xwayland/xwayland.c ++++ b/hw/xwayland/xwayland.c +@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen) + int i; + + for (i = 0; i < xwl_screen->listen_fd_count; i++) +- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE); ++ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE); + } + + static void +-- +cgit v0.10.2 +From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 5 May 2015 16:43:43 -0400 +Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3] + +If the X server is started without a '-auth' argument, then +it gets started wide open to all local users on the system. + +This isn't a great default access model, but changing it in +Xorg at this point would break backward compatibility. + +Xwayland, on the other hand is new, and much more targeted +in scope. It could, in theory, be changed to allow the much +more secure default of a "user who started X server can connect +clients to that server." + +This commit paves the way for that change, by adding a mechanism +for DDXs to opt-in to that behavior. They merely need to call + +LocalAccessScopeUser() + +in their init functions. + +A subsequent commit will add that call for Xwayland. + +Signed-off-by: Ray Strode +Reviewed-by: Daniel Stone +Reviewed-by: Alan Coopersmith +Signed-off-by: Keith Packard + +diff --git a/include/os.h b/include/os.h +index 6638c84..b2b96c8 100644 +--- a/include/os.h ++++ b/include/os.h +@@ -431,11 +431,28 @@ extern _X_EXPORT void + ResetHosts(const char *display); + + extern _X_EXPORT void ++EnableLocalAccess(void); ++ ++extern _X_EXPORT void ++DisableLocalAccess(void); ++ ++extern _X_EXPORT void + EnableLocalHost(void); + + extern _X_EXPORT void + DisableLocalHost(void); + ++#ifndef NO_LOCAL_CLIENT_CRED ++extern _X_EXPORT void ++EnableLocalUser(void); ++ ++extern _X_EXPORT void ++DisableLocalUser(void); ++ ++extern _X_EXPORT void ++LocalAccessScopeUser(void); ++#endif ++ + extern _X_EXPORT void + AccessUsingXdmcp(void); + +diff --git a/os/access.c b/os/access.c +index 8fa028e..75e7a69 100644 +--- a/os/access.c ++++ b/os/access.c +@@ -102,6 +102,10 @@ SOFTWARE. + #include + #include + ++#ifndef NO_LOCAL_CLIENT_CRED ++#include ++#endif ++ + #if defined(TCPCONN) || defined(STREAMSCONN) + #include + #endif /* TCPCONN || STREAMSCONN */ +@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE; + static int LocalHostRequested = FALSE; + static int UsingXdmcp = FALSE; + ++static enum { ++ LOCAL_ACCESS_SCOPE_HOST = 0, ++#ifndef NO_LOCAL_CLIENT_CRED ++ LOCAL_ACCESS_SCOPE_USER, ++#endif ++} LocalAccessScope; ++ + /* FamilyServerInterpreted implementation */ + static Bool siAddrMatch(int family, void *addr, int len, HOST * host, + ClientPtr client); +@@ -237,6 +248,21 @@ static void siTypesInitialize(void); + */ + + void ++EnableLocalAccess(void) ++{ ++ switch (LocalAccessScope) { ++ case LOCAL_ACCESS_SCOPE_HOST: ++ EnableLocalHost(); ++ break; ++#ifndef NO_LOCAL_CLIENT_CRED ++ case LOCAL_ACCESS_SCOPE_USER: ++ EnableLocalUser(); ++ break; ++#endif ++ } ++} ++ ++void + EnableLocalHost(void) + { + if (!UsingXdmcp) { +@@ -249,6 +275,21 @@ EnableLocalHost(void) + * called when authorization is enabled to keep us secure + */ + void ++DisableLocalAccess(void) ++{ ++ switch (LocalAccessScope) { ++ case LOCAL_ACCESS_SCOPE_HOST: ++ DisableLocalHost(); ++ break; ++#ifndef NO_LOCAL_CLIENT_CRED ++ case LOCAL_ACCESS_SCOPE_USER: ++ DisableLocalUser(); ++ break; ++#endif ++ } ++} ++ ++void + DisableLocalHost(void) + { + HOST *self; +@@ -262,6 +303,74 @@ DisableLocalHost(void) + } + } + ++#ifndef NO_LOCAL_CLIENT_CRED ++static int GetLocalUserAddr(char **addr) ++{ ++ static const char *type = "localuser"; ++ static const char delimiter = '\0'; ++ static const char *value; ++ struct passwd *pw; ++ int length = -1; ++ ++ pw = getpwuid(getuid()); ++ ++ if (pw == NULL || pw->pw_name == NULL) ++ goto out; ++ ++ value = pw->pw_name; ++ ++ length = asprintf(addr, "%s%c%s", type, delimiter, value); ++ ++ if (length == -1) { ++ goto out; ++ } ++ ++ /* Trailing NUL */ ++ length++; ++ ++out: ++ return length; ++} ++ ++void ++EnableLocalUser(void) ++{ ++ char *addr = NULL; ++ int length = -1; ++ ++ length = GetLocalUserAddr(&addr); ++ ++ if (length == -1) ++ return; ++ ++ NewHost(FamilyServerInterpreted, addr, length, TRUE); ++ ++ free(addr); ++} ++ ++void ++DisableLocalUser(void) ++{ ++ char *addr = NULL; ++ int length = -1; ++ ++ length = GetLocalUserAddr(&addr); ++ ++ if (length == -1) ++ return; ++ ++ RemoveHost(NULL, FamilyServerInterpreted, length, addr); ++ ++ free(addr); ++} ++ ++void ++LocalAccessScopeUser(void) ++{ ++ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER; ++} ++#endif ++ + /* + * called at init time when XDMCP will be used; xdmcp always + * adds local hosts manually when needed +diff --git a/os/auth.c b/os/auth.c +index 5fcb538..7da6fc6 100644 +--- a/os/auth.c ++++ b/os/auth.c +@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length, + + /* + * If the authorization file has at least one entry for this server, +- * disable local host access. (loadauth > 0) ++ * disable local access. (loadauth > 0) + * + * If there are zero entries (either initially or when the + * authorization file is later reloaded), or if a valid +- * authorization file was never loaded, enable local host access. ++ * authorization file was never loaded, enable local access. + * (loadauth == 0 || !loaded) + * + * If the authorization file was loaded initially (with valid +@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length, + */ + + if (loadauth > 0) { +- DisableLocalHost(); /* got at least one */ ++ DisableLocalAccess(); /* got at least one */ + loaded = TRUE; + } + else if (loadauth == 0 || !loaded) +- EnableLocalHost(); ++ EnableLocalAccess(); + } + if (name_length) { + for (i = 0; i < NUM_AUTHORIZATION; i++) { +-- +cgit v0.10.2 +From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 5 May 2015 16:43:44 -0400 +Subject: xwayland: default to local user if no xauth file given. + [CVE-2015-3164 3/3] + +Right now if "-auth" isn't passed on the command line, we let +any user on the system connect to the Xwayland server. + +That's clearly suboptimal, given Xwayland is generally designed +to be used by one user at a time. + +This commit changes the behavior, so only the user who started the +X server can connect clients to it. + +Signed-off-by: Ray Strode +Reviewed-by: Daniel Stone +Reviewed-by: Alan Coopersmith +Signed-off-by: Keith Packard + +diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c +index c5bee77..bc92beb 100644 +--- a/hw/xwayland/xwayland.c ++++ b/hw/xwayland/xwayland.c +@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv) + if (AddScreen(xwl_screen_init, argc, argv) == -1) { + FatalError("Couldn't add screen\n"); + } ++ ++ LocalAccessScopeUser(); + } +-- +cgit v0.10.2 + -- cgit v1.2.3-54-g00ecf