author | Lee Chee Yang <chee.yang.lee@intel.com> | 2024-03-28 15:50:31 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 07:23:58 -0700 |
commit | 65e2df59905f6501898a7a24659a024119712f1f (patch) | |
tree | cafa267dc3ea5036efcf1e71d1a1124a2b1235eb | |
parent | cf1c9d3daaccb5909d19d1cf4baaa6a152e0e73a (diff) | |
download | poky-65e2df59905f6501898a7a24659a024119712f1f.tar.gz |
xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409
(From OE-Core rev: e8feba36e09aefffcafcebc85ec75abb5b97b3eb)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 files changed, 172 insertions, 0 deletions
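--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
@@ -0,0 +1,57 @@
+CVE: CVE-2023-6816
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5cb27032d3e486ba84a491e1420e85171c4c0a3 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3)
+---
+Xi/xiquerypointer.c | 3 +--
+dix/enterleave.c | 5 +++--
+2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+if (pDev->button) {
+int i;
+
+- rep.buttons_len =
+- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+rep.length += rep.buttons_len;
+buttons = calloc(rep.buttons_len, 4);
+if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+
+mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+
+- /* XI 2 event */
+- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++ /* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+btlen = bytes_to_int32(btlen);
+len = sizeof(xXIFocusInEvent) + btlen * 4;
+
+--
+GitLab
+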
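--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2024-0408
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/4093057b98bc5a178f130c9ba6b0b28385e24ae5 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 4093057b98bc5a178f130c9ba6b0b28385e24ae5 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3)
+---
+glx/glxcmds.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+#include "indirect_util.h"
+#include "protocol-versions.h"
+#include "glxvndabi.h"
++#include "xace.h"
+
+static char GLXServerVendorName[] = "SGI";
+
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+if (!pPixmap)
+return BadAlloc;
+
++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++ pPixmap, RT_NONE, NULL, DixCreateAccess);
++ if (err != Success) {
++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++ return err;
++ }
++
+/* Assign the pixmap the same id as the pbuffer and add it as a
+* resource so it and the DRI2 drawable will be reclaimed when the
+* pbuffer is destroyed. */
+--
+GitLab
+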
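Review bot: The added `err = XaceHook(...)` in the DoCreatePbuffer hunk assigns to `err` without declaring it, so the backport relies on the 22.1.8 copy of glx/glxcmds.c already having an `int err;` in that function; DoCreatePbuffer starts outside the hunk and the declaration is not visible here, so that is worth confirming against the actual tarball rather than assuming the upstream layout. The failure path looks right as far as the hunk shows: the freshly created pixmap is released through `pScreen->DestroyPixmap` before returning, and the comment that follows indicates `glxDrawableId` has not yet been registered as a resource at that point, so nothing is leaked or left dangling. A one-line note in the patch header after the Upstream-Status line, such as `Applied unmodified to the glx/glxcmds.c shipped in the xwayland tarball`, would document for the next rebase that the hunk needed no adaptation.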
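--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
@@ -0,0 +1,47 @@
+CVE: CVE-2024-0409
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/51be9e767a02cdc6a524dc895dcc81abb689d50b ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 51be9e767a02cdc6a524dc895dcc81abb689d50b Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7)
+---
+hw/xwayland/xwayland-cursor.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
+index e3c1aaa50c..bd94b0cfbb 100644
+--- a/hw/xwayland/xwayland-cursor.c
++++ b/hw/xwayland/xwayland-cursor.c
+@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {
+Bool
+xwl_screen_init_cursor(struct xwl_screen *xwl_screen)
+{
+- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))
++ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))
+return FALSE;
+
+return miPointerInitialize(xwl_screen->screen,
+--
+GitLab
+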
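Review bot: The patch header keeps the upstream subject `ephyr,xwayland: Use the proper private key for cursor` while the body carries only the hw/xwayland/xwayland-cursor.c hunk, so the header under-documents that the backport was trimmed; a line after the Upstream-Status line such as `Backport note: the Xephyr hunk of the upstream commit is dropped, presumably because hw/kdrive/ephyr is not part of the xwayland tarball` would make that explicit for whoever rebases this next. The patch's own diffstat (`1 file changed, 1 insertion(+), 1 deletion(-)`) already reflects the trimmed version, so the remaining metadata is consistent. The code change itself is the single-line switch of the registered key type from PRIVATE_CURSOR_BITS to PRIVATE_CURSOR inside xwl_screen_init_cursor and needs nothing further.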
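--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -13,6 +13,9 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
 file://CVE-2023-5367.patch \
 file://CVE-2023-6377.patch \
 file://CVE-2023-6478.patch \
+file://CVE-2023-6816.patch \
+file://CVE-2024-0408.patch \
+file://CVE-2024-0409.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
 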