diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2023-11-08 09:05:46 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-11-11 08:23:01 -1000 |
commit | b5686f826dc3cfa60dff4703e641f3ec177c3418 (patch) | |
tree | 91fc3c72212d37ebe0ec1a6de7e90426632e7810 | |
parent | 271877ff3915cb577eb5a586c782c576d20fa3f0 (diff) | |
download | poky-b5686f826dc3cfa60dff4703e641f3ec177c3418.tar.gz |
xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
(From OE-Core rev: d7ecf2b605cef1ec5b3a9d253d4b46590a7c6891)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch new file mode 100644 index 0000000000..508588481e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 3 Oct 2023 11:53:05 +1000 | ||
4 | Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend | ||
5 | |||
6 | The handling of appending/prepending properties was incorrect, with at | ||
7 | least two bugs: the property length was set to the length of the new | ||
8 | part only, i.e. appending or prepending N elements to a property with P | ||
9 | existing elements always resulted in the property having N elements | ||
10 | instead of N + P. | ||
11 | |||
12 | Second, when pre-pending a value to a property, the offset for the old | ||
13 | values was incorrect, leaving the new property with potentially | ||
14 | uninitalized values and/or resulting in OOB memory writes. | ||
15 | For example, prepending a 3 element value to a 5 element property would | ||
16 | result in this 8 value array: | ||
17 | [N, N, N, ?, ?, P, P, P ] P, P | ||
18 | ^OOB write | ||
19 | |||
20 | The XI2 code is a copy/paste of the RandR code, so the bug exists in | ||
21 | both. | ||
22 | |||
23 | CVE-2023-5367, ZDI-CAN-22153 | ||
24 | |||
25 | This vulnerability was discovered by: | ||
26 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
27 | |||
28 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
29 | |||
30 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a] | ||
31 | CVE: CVE-2023-5367 | ||
32 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
33 | --- | ||
34 | Xi/xiproperty.c | 4 ++-- | ||
35 | randr/rrproperty.c | 4 ++-- | ||
36 | 2 files changed, 4 insertions(+), 4 deletions(-) | ||
37 | |||
38 | diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c | ||
39 | index 066ba21fba..d315f04d0e 100644 | ||
40 | --- a/Xi/xiproperty.c | ||
41 | +++ b/Xi/xiproperty.c | ||
42 | @@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, | ||
43 | XIDestroyDeviceProperty(prop); | ||
44 | return BadAlloc; | ||
45 | } | ||
46 | - new_value.size = len; | ||
47 | + new_value.size = total_len; | ||
48 | new_value.type = type; | ||
49 | new_value.format = format; | ||
50 | |||
51 | @@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, | ||
52 | case PropModePrepend: | ||
53 | new_data = new_value.data; | ||
54 | old_data = (void *) (((char *) new_value.data) + | ||
55 | - (prop_value->size * size_in_bytes)); | ||
56 | + (len * size_in_bytes)); | ||
57 | break; | ||
58 | } | ||
59 | if (new_data) | ||
60 | diff --git a/randr/rrproperty.c b/randr/rrproperty.c | ||
61 | index c2fb9585c6..25469f57b2 100644 | ||
62 | --- a/randr/rrproperty.c | ||
63 | +++ b/randr/rrproperty.c | ||
64 | @@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, | ||
65 | RRDestroyOutputProperty(prop); | ||
66 | return BadAlloc; | ||
67 | } | ||
68 | - new_value.size = len; | ||
69 | + new_value.size = total_len; | ||
70 | new_value.type = type; | ||
71 | new_value.format = format; | ||
72 | |||
73 | @@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, | ||
74 | case PropModePrepend: | ||
75 | new_data = new_value.data; | ||
76 | old_data = (void *) (((char *) new_value.data) + | ||
77 | - (prop_value->size * size_in_bytes)); | ||
78 | + (len * size_in_bytes)); | ||
79 | break; | ||
80 | } | ||
81 | if (new_data) | ||
82 | -- | ||
83 | GitLab | ||
84 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch new file mode 100644 index 0000000000..57e2a5abdf --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 5 Oct 2023 12:19:45 +1000 | ||
4 | Subject: [PATCH] mi: reset the PointerWindows reference on screen switch | ||
5 | |||
6 | PointerWindows[] keeps a reference to the last window our sprite | ||
7 | entered - changes are usually handled by CheckMotion(). | ||
8 | |||
9 | If we switch between screens via XWarpPointer our | ||
10 | dev->spriteInfo->sprite->win is set to the new screen's root window. | ||
11 | If there's another window at the cursor location CheckMotion() will | ||
12 | trigger the right enter/leave events later. If there is not, it skips | ||
13 | that process and we never trigger LeaveWindow() - PointerWindows[] for | ||
14 | the device still refers to the previous window. | ||
15 | |||
16 | If that window is destroyed we have a dangling reference that will | ||
17 | eventually cause a use-after-free bug when checking the window hierarchy | ||
18 | later. | ||
19 | |||
20 | To trigger this, we require: | ||
21 | - two protocol screens | ||
22 | - XWarpPointer to the other screen's root window | ||
23 | - XDestroyWindow before entering any other window | ||
24 | |||
25 | This is a niche bug so we hack around it by making sure we reset the | ||
26 | PointerWindows[] entry so we cannot have a dangling pointer. This | ||
27 | doesn't handle Enter/Leave events correctly but the previous code didn't | ||
28 | either. | ||
29 | |||
30 | CVE-2023-5380, ZDI-CAN-21608 | ||
31 | |||
32 | This vulnerability was discovered by: | ||
33 | Sri working with Trend Micro Zero Day Initiative | ||
34 | |||
35 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
36 | Reviewed-by: Adam Jackson <ajax@redhat.com> | ||
37 | |||
38 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] | ||
39 | CVE: CVE-2023-5380 | ||
40 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
41 | --- | ||
42 | dix/enterleave.h | 2 -- | ||
43 | include/eventstr.h | 3 +++ | ||
44 | mi/mipointer.c | 17 +++++++++++++++-- | ||
45 | 3 files changed, 18 insertions(+), 4 deletions(-) | ||
46 | |||
47 | diff --git a/dix/enterleave.h b/dix/enterleave.h | ||
48 | index 4b833d8a3b..e8af924c68 100644 | ||
49 | --- a/dix/enterleave.h | ||
50 | +++ b/dix/enterleave.h | ||
51 | @@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, | ||
52 | |||
53 | extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); | ||
54 | |||
55 | -extern void LeaveWindow(DeviceIntPtr dev); | ||
56 | - | ||
57 | extern void CoreFocusEvent(DeviceIntPtr kbd, | ||
58 | int type, int mode, int detail, WindowPtr pWin); | ||
59 | |||
60 | diff --git a/include/eventstr.h b/include/eventstr.h | ||
61 | index 93308f9b24..a9926eaeef 100644 | ||
62 | --- a/include/eventstr.h | ||
63 | +++ b/include/eventstr.h | ||
64 | @@ -335,4 +335,7 @@ union _InternalEvent { | ||
65 | GestureEvent gesture_event; | ||
66 | }; | ||
67 | |||
68 | +extern void | ||
69 | +LeaveWindow(DeviceIntPtr dev); | ||
70 | + | ||
71 | #endif | ||
72 | diff --git a/mi/mipointer.c b/mi/mipointer.c | ||
73 | index a638f25d4a..8cf0035140 100644 | ||
74 | --- a/mi/mipointer.c | ||
75 | +++ b/mi/mipointer.c | ||
76 | @@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) | ||
77 | #ifdef PANORAMIX | ||
78 | && noPanoramiXExtension | ||
79 | #endif | ||
80 | - ) | ||
81 | - UpdateSpriteForScreen(pDev, pScreen); | ||
82 | + ) { | ||
83 | + DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); | ||
84 | + /* Hack for CVE-2023-5380: if we're moving | ||
85 | + * screens PointerWindows[] keeps referring to the | ||
86 | + * old window. If that gets destroyed we have a UAF | ||
87 | + * bug later. Only happens when jumping from a window | ||
88 | + * to the root window on the other screen. | ||
89 | + * Enter/Leave events are incorrect for that case but | ||
90 | + * too niche to fix. | ||
91 | + */ | ||
92 | + LeaveWindow(pDev); | ||
93 | + if (master) | ||
94 | + LeaveWindow(master); | ||
95 | + UpdateSpriteForScreen(pDev, pScreen); | ||
96 | + } | ||
97 | } | ||
98 | |||
99 | /** | ||
100 | -- | ||
101 | GitLab | ||
102 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 19db7ea434..63932b4e79 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb | |||
@@ -2,6 +2,8 @@ require xserver-xorg.inc | |||
2 | 2 | ||
3 | SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ | 3 | SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ |
4 | file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ | 4 | file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ |
5 | file://CVE-2023-5367.patch \ | ||
6 | file://CVE-2023-5380.patch \ | ||
5 | " | 7 | " |
6 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" | 8 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" |
7 | 9 | ||