xwayland: fix CVE-2023-6816 CVE-2024-0408/0409

fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409 (From OE-Core rev: e8feba36e09aefffcafcebc85ec75abb5b97b3eb) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2024-03-28 15:50:31 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-04-05 07:23:58 -0700
commit: 65e2df59905f6501898a7a24659a024119712f1f (patch)
tree: cafa267dc3ea5036efcf1e71d1a1124a2b1235eb
parent: cf1c9d3daaccb5909d19d1cf4baaa6a152e0e73a (diff)
download: poky-65e2df59905f6501898a7a24659a024119712f1f.tar.gz
4 files changed, 172 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
new file mode 100644
index 0000000000..5c68bfb3c1
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
@@ -0,0 +1,57 @@
+CVE: CVE-2023-6816
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5cb27032d3e486ba84a491e1420e85171c4c0a3 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3)
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c    | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+     if (pDev->button) {
+         int i;
+ 
+-        rep.buttons_len =
+-            bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
+        rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+         rep.length += rep.buttons_len;
+         buttons = calloc(rep.buttons_len, 4);
+         if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+ 
+     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+ 
+-    /* XI 2 event */
+-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
+    /* XI 2 event contains the logical button map - maps are CARD8
+     * so we need 256 bits for the possibly maximum mapping */
+    btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+     btlen = bytes_to_int32(btlen);
+     len = sizeof(xXIFocusInEvent) + btlen * 4;
+ 
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
new file mode 100644
index 0000000000..9063cd00b2
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2024-0408
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/4093057b98bc5a178f130c9ba6b0b28385e24ae5 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 4093057b98bc5a178f130c9ba6b0b28385e24ae5 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+CVE-2024-0408
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3)
+---
+ glx/glxcmds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+ #include "indirect_util.h"
+ #include "protocol-versions.h"
+ #include "glxvndabi.h"
+#include "xace.h"
+ 
+ static char GLXServerVendorName[] = "SGI";
+ 
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+     if (!pPixmap)
+         return BadAlloc;
+ 
+    err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
+                   pPixmap, RT_NONE, NULL, DixCreateAccess);
+    if (err != Success) {
+        (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
+        return err;
+    }
+
+     /* Assign the pixmap the same id as the pbuffer and add it as a
+      * resource so it and the DRI2 drawable will be reclaimed when the
+      * pbuffer is destroyed. */
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
new file mode 100644
index 0000000000..de3396a410
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
@@ -0,0 +1,47 @@
+CVE: CVE-2024-0409
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/51be9e767a02cdc6a524dc895dcc81abb689d50b ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 51be9e767a02cdc6a524dc895dcc81abb689d50b Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+CVE-2024-0409
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7)
+---
+ hw/xwayland/xwayland-cursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
+index e3c1aaa50c..bd94b0cfbb 100644
+--- a/hw/xwayland/xwayland-cursor.c
+++ b/hw/xwayland/xwayland-cursor.c
+@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {
+ Bool
+ xwl_screen_init_cursor(struct xwl_screen *xwl_screen)
+ {
+-    if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))
+    if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))
+         return FALSE;
+ 
+     return miPointerInitialize(xwl_screen->screen,
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index e6e17d7da5..133c65fbc3 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -13,6 +13,9 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2023-5367.patch \
           file://CVE-2023-6377.patch \
           file://CVE-2023-6478.patch \
+           file://CVE-2023-6816.patch \
+           file://CVE-2024-0408.patch \
+           file://CVE-2024-0409.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2024-03-28 15:50:31 +0800
committer	Steve Sakoman <steve@sakoman.com>	2024-04-05 07:23:58 -0700
commit	65e2df59905f6501898a7a24659a024119712f1f (patch)
tree	cafa267dc3ea5036efcf1e71d1a1124a2b1235eb
parent	cf1c9d3daaccb5909d19d1cf4baaa6a152e0e73a (diff)
download	poky-65e2df59905f6501898a7a24659a024119712f1f.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch new file mode 100644 index 0000000000..5c68bfb3c1 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
@@ -0,0 +1,57 @@
		1	CVE: CVE-2023-6816
		2	Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5cb27032d3e486ba84a491e1420e85171c4c0a3 ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5	From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001
		6	From: Peter Hutterer <peter.hutterer@who-t.net>
		7	Date: Thu, 14 Dec 2023 11:29:49 +1000
		8	Subject: [PATCH] dix: allocate enough space for logical button maps
		9
		10	Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
		11	each logical button currently down. Since buttons can be arbitrarily mapped
		12	to anything up to 255 make sure we have enough bits for the maximum mapping.
		13
		14	CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
		15
		16	This vulnerability was discovered by:
		17	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		18
		19	(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3)
		20	---
		21	Xi/xiquerypointer.c \| 3 +--
		22	dix/enterleave.c \| 5 +++--
		23	2 files changed, 4 insertions(+), 4 deletions(-)
		24
		25	diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
		26	index 5b77b1a444..2b05ac5f39 100644
		27	--- a/Xi/xiquerypointer.c
		28	+++ b/Xi/xiquerypointer.c
		29	@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
		30	if (pDev->button) {
		31	int i;
		32
		33	- rep.buttons_len =
		34	- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
		35	+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
		36	rep.length += rep.buttons_len;
		37	buttons = calloc(rep.buttons_len, 4);
		38	if (!buttons)
		39	diff --git a/dix/enterleave.c b/dix/enterleave.c
		40	index 867ec74363..ded8679d76 100644
		41	--- a/dix/enterleave.c
		42	+++ b/dix/enterleave.c
		43	@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
		44
		45	mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
		46
		47	- /* XI 2 event */
		48	- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
		49	+ /* XI 2 event contains the logical button map - maps are CARD8
		50	+ * so we need 256 bits for the possibly maximum mapping */
		51	+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
		52	btlen = bytes_to_int32(btlen);
		53	len = sizeof(xXIFocusInEvent) + btlen * 4;
		54
		55	--
		56	GitLab
		57


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch new file mode 100644 index 0000000000..9063cd00b2 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
@@ -0,0 +1,65 @@
		1	CVE: CVE-2024-0408
		2	Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/4093057b98bc5a178f130c9ba6b0b28385e24ae5 ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5	From 4093057b98bc5a178f130c9ba6b0b28385e24ae5 Mon Sep 17 00:00:00 2001
		6	From: Olivier Fourdan <ofourdan@redhat.com>
		7	Date: Wed, 6 Dec 2023 12:09:41 +0100
		8	Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
		9
		10	The XSELINUX code will label resources at creation by checking the
		11	access mode. When the access mode is DixCreateAccess, it will call the
		12	function to label the new resource SELinuxLabelResource().
		13
		14	However, GLX buffers do not go through the XACE hooks when created,
		15	hence leaving the resource actually unlabeled.
		16
		17	When, later, the client tries to create another resource using that
		18	drawable (like a GC for example), the XSELINUX code would try to use
		19	the security ID of that object which has never been labeled, get a NULL
		20	pointer and crash when checking whether the requested permissions are
		21	granted for subject security ID.
		22
		23	To avoid the issue, make sure to call the XACE hooks when creating the
		24	GLX buffers.
		25
		26	Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
		27
		28	CVE-2024-0408
		29
		30	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		31	Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
		32	(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3)
		33	---
		34	glx/glxcmds.c \| 8 ++++++++
		35	1 file changed, 8 insertions(+)
		36
		37	diff --git a/glx/glxcmds.c b/glx/glxcmds.c
		38	index fc26a2e345..1e46d0c723 100644
		39	--- a/glx/glxcmds.c
		40	+++ b/glx/glxcmds.c
		41	@@ -48,6 +48,7 @@
		42	#include "indirect_util.h"
		43	#include "protocol-versions.h"
		44	#include "glxvndabi.h"
		45	+#include "xace.h"
		46
		47	static char GLXServerVendorName[] = "SGI";
		48
		49	@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
		50	if (!pPixmap)
		51	return BadAlloc;
		52
		53	+ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
		54	+ pPixmap, RT_NONE, NULL, DixCreateAccess);
		55	+ if (err != Success) {
		56	+ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
		57	+ return err;
		58	+ }
		59	+
		60	/* Assign the pixmap the same id as the pbuffer and add it as a
		61	* resource so it and the DRI2 drawable will be reclaimed when the
		62	* pbuffer is destroyed. */
		63	--
		64	GitLab
		65


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch new file mode 100644 index 0000000000..de3396a410 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
@@ -0,0 +1,47 @@
		1	CVE: CVE-2024-0409
		2	Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/51be9e767a02cdc6a524dc895dcc81abb689d50b ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5	From 51be9e767a02cdc6a524dc895dcc81abb689d50b Mon Sep 17 00:00:00 2001
		6	From: Olivier Fourdan <ofourdan@redhat.com>
		7	Date: Wed, 6 Dec 2023 11:51:56 +0100
		8	Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
		9
		10	The cursor in DIX is actually split in two parts, the cursor itself and
		11	the cursor bits, each with their own devPrivates.
		12
		13	The cursor itself includes the cursor bits, meaning that the cursor bits
		14	devPrivates in within structure of the cursor.
		15
		16	Both Xephyr and Xwayland were using the private key for the cursor bits
		17	to store the data for the cursor, and when using XSELINUX which comes
		18	with its own special devPrivates, the data stored in that cursor bits'
		19	devPrivates would interfere with the XSELINUX devPrivates data and the
		20	SELINUX security ID would point to some other unrelated data, causing a
		21	crash in the XSELINUX code when trying to (re)use the security ID.
		22
		23	CVE-2024-0409
		24
		25	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		26	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7)
		28	---
		29	hw/xwayland/xwayland-cursor.c \| 2 +-
		30	1 file changed, 1 insertion(+), 1 deletion(-)
		31
		32	diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
		33	index e3c1aaa50c..bd94b0cfbb 100644
		34	--- a/hw/xwayland/xwayland-cursor.c
		35	+++ b/hw/xwayland/xwayland-cursor.c
		36	@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {
		37	Bool
		38	xwl_screen_init_cursor(struct xwl_screen *xwl_screen)
		39	{
		40	- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))
		41	+ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))
		42	return FALSE;
		43
		44	return miPointerInitialize(xwl_screen->screen,
		45	--
		46	GitLab
		47


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index e6e17d7da5..133c65fbc3 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -13,6 +13,9 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
13	file://CVE-2023-5367.patch \	13	file://CVE-2023-5367.patch \
14	file://CVE-2023-6377.patch \	14	file://CVE-2023-6377.patch \
15	file://CVE-2023-6478.patch \	15	file://CVE-2023-6478.patch \
		16	file://CVE-2023-6816.patch \
		17	file://CVE-2024-0408.patch \
		18	file://CVE-2024-0409.patch \
16	"	19	"
17	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	20	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
18		21