xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a & https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] (From OE-Core rev: d7ecf2b605cef1ec5b3a9d253d4b46590a7c6891) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-11-08 09:05:46 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-11-11 08:23:01 -1000
commit: b5686f826dc3cfa60dff4703e641f3ec177c3418 (patch)
tree: 91fc3c72212d37ebe0ec1a6de7e90426632e7810
parent: 271877ff3915cb577eb5a586c782c576d20fa3f0 (diff)
download: poky-b5686f826dc3cfa60dff4703e641f3ec177c3418.tar.gz
3 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 0000000000..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+                            ^OOB write
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+CVE-2023-5367, ZDI-CAN-22153
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiproperty.c    | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
+        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
+        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
new file mode 100644
index 0000000000..57e2a5abdf
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+CVE-2023-5380, ZDI-CAN-21608
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8a3b..e8af924c68 100644
+--- a/dix/enterleave.h
+++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index 93308f9b24..a9926eaeef 100644
+--- a/include/eventstr.h
+++ b/include/eventstr.h
+@@ -335,4 +335,7 @@ union _InternalEvent {
+     GestureEvent gesture_event;
+ };
+ 
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index a638f25d4a..8cf0035140 100644
+--- a/mi/mipointer.c
+++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
+        ) {
+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+            /* Hack for CVE-2023-5380: if we're moving
+             * screens PointerWindows[] keeps referring to the
+             * old window. If that gets destroyed we have a UAF
+             * bug later. Only happens when jumping from a window
+             * to the root window on the other screen.
+             * Enter/Leave events are incorrect for that case but
+             * too niche to fix.
+             */
+            LeaveWindow(pDev);
+            if (master)
+                LeaveWindow(master);
+            UpdateSpriteForScreen(pDev, pScreen);
+    }
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 19db7ea434..63932b4e79 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -2,6 +2,8 @@ require xserver-xorg.inc
 SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+           file://CVE-2023-5367.patch \
+           file://CVE-2023-5380.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-11-08 09:05:46 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-11-11 08:23:01 -1000
commit	b5686f826dc3cfa60dff4703e641f3ec177c3418 (patch)
tree	91fc3c72212d37ebe0ec1a6de7e90426632e7810
parent	271877ff3915cb577eb5a586c782c576d20fa3f0 (diff)
download	poky-b5686f826dc3cfa60dff4703e641f3ec177c3418.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch new file mode 100644 index 0000000000..508588481e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
		1	From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Tue, 3 Oct 2023 11:53:05 +1000
		4	Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
		5
		6	The handling of appending/prepending properties was incorrect, with at
		7	least two bugs: the property length was set to the length of the new
		8	part only, i.e. appending or prepending N elements to a property with P
		9	existing elements always resulted in the property having N elements
		10	instead of N + P.
		11
		12	Second, when pre-pending a value to a property, the offset for the old
		13	values was incorrect, leaving the new property with potentially
		14	uninitalized values and/or resulting in OOB memory writes.
		15	For example, prepending a 3 element value to a 5 element property would
		16	result in this 8 value array:
		17	[N, N, N, ?, ?, P, P, P ] P, P
		18	^OOB write
		19
		20	The XI2 code is a copy/paste of the RandR code, so the bug exists in
		21	both.
		22
		23	CVE-2023-5367, ZDI-CAN-22153
		24
		25	This vulnerability was discovered by:
		26	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		27
		28	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		29
		30	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
		31	CVE: CVE-2023-5367
		32	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		33	---
		34	Xi/xiproperty.c \| 4 ++--
		35	randr/rrproperty.c \| 4 ++--
		36	2 files changed, 4 insertions(+), 4 deletions(-)
		37
		38	diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
		39	index 066ba21fba..d315f04d0e 100644
		40	--- a/Xi/xiproperty.c
		41	+++ b/Xi/xiproperty.c
		42	@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
		43	XIDestroyDeviceProperty(prop);
		44	return BadAlloc;
		45	}
		46	- new_value.size = len;
		47	+ new_value.size = total_len;
		48	new_value.type = type;
		49	new_value.format = format;
		50
		51	@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
		52	case PropModePrepend:
		53	new_data = new_value.data;
		54	old_data = (void ) (((char ) new_value.data) +
		55	- (prop_value->size * size_in_bytes));
		56	+ (len * size_in_bytes));
		57	break;
		58	}
		59	if (new_data)
		60	diff --git a/randr/rrproperty.c b/randr/rrproperty.c
		61	index c2fb9585c6..25469f57b2 100644
		62	--- a/randr/rrproperty.c
		63	+++ b/randr/rrproperty.c
		64	@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
		65	RRDestroyOutputProperty(prop);
		66	return BadAlloc;
		67	}
		68	- new_value.size = len;
		69	+ new_value.size = total_len;
		70	new_value.type = type;
		71	new_value.format = format;
		72
		73	@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
		74	case PropModePrepend:
		75	new_data = new_value.data;
		76	old_data = (void ) (((char ) new_value.data) +
		77	- (prop_value->size * size_in_bytes));
		78	+ (len * size_in_bytes));
		79	break;
		80	}
		81	if (new_data)
		82	--
		83	GitLab
		84


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch new file mode 100644 index 0000000000..57e2a5abdf --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
		1	From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Thu, 5 Oct 2023 12:19:45 +1000
		4	Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
		5
		6	PointerWindows[] keeps a reference to the last window our sprite
		7	entered - changes are usually handled by CheckMotion().
		8
		9	If we switch between screens via XWarpPointer our
		10	dev->spriteInfo->sprite->win is set to the new screen's root window.
		11	If there's another window at the cursor location CheckMotion() will
		12	trigger the right enter/leave events later. If there is not, it skips
		13	that process and we never trigger LeaveWindow() - PointerWindows[] for
		14	the device still refers to the previous window.
		15
		16	If that window is destroyed we have a dangling reference that will
		17	eventually cause a use-after-free bug when checking the window hierarchy
		18	later.
		19
		20	To trigger this, we require:
		21	- two protocol screens
		22	- XWarpPointer to the other screen's root window
		23	- XDestroyWindow before entering any other window
		24
		25	This is a niche bug so we hack around it by making sure we reset the
		26	PointerWindows[] entry so we cannot have a dangling pointer. This
		27	doesn't handle Enter/Leave events correctly but the previous code didn't
		28	either.
		29
		30	CVE-2023-5380, ZDI-CAN-21608
		31
		32	This vulnerability was discovered by:
		33	Sri working with Trend Micro Zero Day Initiative
		34
		35	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		36	Reviewed-by: Adam Jackson <ajax@redhat.com>
		37
		38	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
		39	CVE: CVE-2023-5380
		40	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		41	---
		42	dix/enterleave.h \| 2 --
		43	include/eventstr.h \| 3 +++
		44	mi/mipointer.c \| 17 +++++++++++++++--
		45	3 files changed, 18 insertions(+), 4 deletions(-)
		46
		47	diff --git a/dix/enterleave.h b/dix/enterleave.h
		48	index 4b833d8a3b..e8af924c68 100644
		49	--- a/dix/enterleave.h
		50	+++ b/dix/enterleave.h
		51	@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
		52
		53	extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
		54
		55	-extern void LeaveWindow(DeviceIntPtr dev);
		56	-
		57	extern void CoreFocusEvent(DeviceIntPtr kbd,
		58	int type, int mode, int detail, WindowPtr pWin);
		59
		60	diff --git a/include/eventstr.h b/include/eventstr.h
		61	index 93308f9b24..a9926eaeef 100644
		62	--- a/include/eventstr.h
		63	+++ b/include/eventstr.h
		64	@@ -335,4 +335,7 @@ union _InternalEvent {
		65	GestureEvent gesture_event;
		66	};
		67
		68	+extern void
		69	+LeaveWindow(DeviceIntPtr dev);
		70	+
		71	#endif
		72	diff --git a/mi/mipointer.c b/mi/mipointer.c
		73	index a638f25d4a..8cf0035140 100644
		74	--- a/mi/mipointer.c
		75	+++ b/mi/mipointer.c
		76	@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
		77	#ifdef PANORAMIX
		78	&& noPanoramiXExtension
		79	#endif
		80	- )
		81	- UpdateSpriteForScreen(pDev, pScreen);
		82	+ ) {
		83	+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
		84	+ /* Hack for CVE-2023-5380: if we're moving
		85	+ * screens PointerWindows[] keeps referring to the
		86	+ * old window. If that gets destroyed we have a UAF
		87	+ * bug later. Only happens when jumping from a window
		88	+ * to the root window on the other screen.
		89	+ * Enter/Leave events are incorrect for that case but
		90	+ * too niche to fix.
		91	+ */
		92	+ LeaveWindow(pDev);
		93	+ if (master)
		94	+ LeaveWindow(master);
		95	+ UpdateSpriteForScreen(pDev, pScreen);
		96	+ }
		97	}
		98
		99	/**
		100	--
		101	GitLab
		102


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 19db7ea434..63932b4e79 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -2,6 +2,8 @@ require xserver-xorg.inc
2		2
3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \	3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \	4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
		5	file://CVE-2023-5367.patch \
		6	file://CVE-2023-5380.patch \
5	"	7	"
6	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	8	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
7		9