xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd & https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632] (From OE-Core rev: f5eff24d386215e5b5aee5c3261f5602b47c7f02) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-01-10 08:36:57 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-01-21 08:33:19 -1000
commit: 0948746aac0197b97fd4b6063a30b1bcda2c6436 (patch)
tree: 7193d7aaf8ca05df19077fdb7a3d18cf09ba3988
parent: 5c5aa47adb05bb966711e5ead98333a53c07ab1d (diff)
download: poky-0948746aac0197b97fd4b6063a30b1bcda2c6436.tar.gz
3 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
new file mode 100644
index 0000000000..0abd5914fa
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
+++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+         }
+ 
+         if (from->button->xkb_acts) {
+-            if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-                if (!to->button->xkb_acts)
+-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
+-            }
+            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+                                                   maxbuttons,
+                                                   sizeof(XkbAction));
+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
+                   from->button->numButtons * sizeof(XkbAction));
+         }
+         else {
+             free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
+        int last_num_buttons = master->button->numButtons;
+
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+ 
+         master->button->numButtons = maxbuttons;
+        if (last_num_buttons < maxbuttons) {
+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+                                                       maxbuttons,
+                                                       sizeof(XkbAction));
+            memset(&master->button->xkb_acts[last_num_buttons],
+                   0,
+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+        }
+ 
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
new file mode 100644
index 0000000000..6392eae3f8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+This fixes an OOB read and the resulting information disclosure.
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+CVE-2023-6478, ZDI-CAN-22561
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index eaff93bd09..4fdf3a0ec3 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -18,6 +18,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2023-1393.patch \
           file://CVE-2023-5367.patch \
           file://CVE-2023-5380.patch \
+           file://CVE-2023-6377.patch \
+           file://CVE-2023-6478.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-01-10 08:36:57 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-01-21 08:33:19 -1000
commit	0948746aac0197b97fd4b6063a30b1bcda2c6436 (patch)
tree	7193d7aaf8ca05df19077fdb7a3d18cf09ba3988
parent	5c5aa47adb05bb966711e5ead98333a53c07ab1d (diff)
download	poky-0948746aac0197b97fd4b6063a30b1bcda2c6436.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch new file mode 100644 index 0000000000..0abd5914fa --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
		1	From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Tue, 28 Nov 2023 15:19:04 +1000
		4	Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
		5
		6	button->xkb_acts is supposed to be an array sufficiently large for all
		7	our buttons, not just a single XkbActions struct. Allocating
		8	insufficient memory here means when we memcpy() later in
		9	XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
		10	leading to the usual security ooopsiedaisies.
		11
		12	CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
		13
		14	This vulnerability was discovered by:
		15	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		16
		17	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
		18	CVE: CVE-2023-6377
		19	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		20	---
		21	Xi/exevents.c \| 12 ++++++------
		22	dix/devices.c \| 10 ++++++++++
		23	2 files changed, 16 insertions(+), 6 deletions(-)
		24
		25	diff --git a/Xi/exevents.c b/Xi/exevents.c
		26	index dcd4efb3bc..54ea11a938 100644
		27	--- a/Xi/exevents.c
		28	+++ b/Xi/exevents.c
		29	@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
		30	}
		31
		32	if (from->button->xkb_acts) {
		33	- if (!to->button->xkb_acts) {
		34	- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
		35	- if (!to->button->xkb_acts)
		36	- FatalError("[Xi] not enough memory for xkb_acts.\n");
		37	- }
		38	+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
		39	+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
		40	+ maxbuttons,
		41	+ sizeof(XkbAction));
		42	+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
		43	memcpy(to->button->xkb_acts, from->button->xkb_acts,
		44	- sizeof(XkbAction));
		45	+ from->button->numButtons * sizeof(XkbAction));
		46	}
		47	else {
		48	free(to->button->xkb_acts);
		49	diff --git a/dix/devices.c b/dix/devices.c
		50	index b063128df0..3f3224d626 100644
		51	--- a/dix/devices.c
		52	+++ b/dix/devices.c
		53	@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
		54
		55	if (master->button && master->button->numButtons != maxbuttons) {
		56	int i;
		57	+ int last_num_buttons = master->button->numButtons;
		58	+
		59	DeviceChangedEvent event = {
		60	.header = ET_Internal,
		61	.type = ET_DeviceChanged,
		62	@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
		63	};
		64
		65	master->button->numButtons = maxbuttons;
		66	+ if (last_num_buttons < maxbuttons) {
		67	+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
		68	+ maxbuttons,
		69	+ sizeof(XkbAction));
		70	+ memset(&master->button->xkb_acts[last_num_buttons],
		71	+ 0,
		72	+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
		73	+ }
		74
		75	memcpy(&event.buttons.names, master->button->labels, maxbuttons *
		76	sizeof(Atom));
		77	--
		78	GitLab
		79


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch new file mode 100644 index 0000000000..6392eae3f8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
		1	From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Mon, 27 Nov 2023 16:27:49 +1000
		4	Subject: [PATCH] randr: avoid integer truncation in length check of
		5	ProcRRChange*Property
		6
		7	Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
		8	See also xserver@8f454b79 where this same bug was fixed for the core
		9	protocol and XI.
		10
		11	This fixes an OOB read and the resulting information disclosure.
		12
		13	Length calculation for the request was clipped to a 32-bit integer. With
		14	the correct stuff->nUnits value the expected request size was
		15	truncated, passing the REQUEST_FIXED_SIZE check.
		16
		17	The server then proceeded with reading at least stuff->num_items bytes
		18	(depending on stuff->format) from the request and stuffing whatever it
		19	finds into the property. In the process it would also allocate at least
		20	stuff->nUnits bytes, i.e. 4GB.
		21
		22	CVE-2023-6478, ZDI-CAN-22561
		23
		24	This vulnerability was discovered by:
		25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		26
		27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
		28	CVE: CVE-2023-6478
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	randr/rrproperty.c \| 2 +-
		32	randr/rrproviderproperty.c \| 2 +-
		33	2 files changed, 2 insertions(+), 2 deletions(-)
		34
		35	diff --git a/randr/rrproperty.c b/randr/rrproperty.c
		36	index 25469f57b2..c4fef8a1f6 100644
		37	--- a/randr/rrproperty.c
		38	+++ b/randr/rrproperty.c
		39	@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
		40	char format, mode;
		41	unsigned long len;
		42	int sizeInBytes;
		43	- int totalSize;
		44	+ uint64_t totalSize;
		45	int err;
		46
		47	REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
		48	diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
		49	index b79c17f9bf..90c5a9a933 100644
		50	--- a/randr/rrproviderproperty.c
		51	+++ b/randr/rrproviderproperty.c
		52	@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
		53	char format, mode;
		54	unsigned long len;
		55	int sizeInBytes;
		56	- int totalSize;
		57	+ uint64_t totalSize;
		58	int err;
		59
		60	REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
		61	--
		62	GitLab
		63


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index eaff93bd09..4fdf3a0ec3 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -18,6 +18,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
18	file://CVE-2023-1393.patch \	18	file://CVE-2023-1393.patch \
19	file://CVE-2023-5367.patch \	19	file://CVE-2023-5367.patch \
20	file://CVE-2023-5380.patch \	20	file://CVE-2023-5380.patch \
		21	file://CVE-2023-6377.patch \
		22	file://CVE-2023-6478.patch \
21	"	23	"
22	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"	24	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
23	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"	25	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"