diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2023-11-08 08:42:11 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-11-17 06:00:32 -1000 |
commit | 01cabaea0406c4b041b45ce811408dd854bb6a79 (patch) | |
tree | 7bbb935afff55faad866692f6ca002a8324ed8c1 | |
parent | 72c7bacfd367378e979d7800e655f6b445733e60 (diff) | |
download | poky-01cabaea0406c4b041b45ce811408dd854bb6a79.tar.gz |
xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
(From OE-Core rev: 41b87e7493f7b50ba0ddad941d37ef4a24a749d8)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch new file mode 100644 index 0000000000..508588481e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Tue, 3 Oct 2023 11:53:05 +1000 | ||
4 | Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend | ||
5 | |||
6 | The handling of appending/prepending properties was incorrect, with at | ||
7 | least two bugs: the property length was set to the length of the new | ||
8 | part only, i.e. appending or prepending N elements to a property with P | ||
9 | existing elements always resulted in the property having N elements | ||
10 | instead of N + P. | ||
11 | |||
12 | Second, when pre-pending a value to a property, the offset for the old | ||
13 | values was incorrect, leaving the new property with potentially | ||
14 | uninitalized values and/or resulting in OOB memory writes. | ||
15 | For example, prepending a 3 element value to a 5 element property would | ||
16 | result in this 8 value array: | ||
17 | [N, N, N, ?, ?, P, P, P ] P, P | ||
18 | ^OOB write | ||
19 | |||
20 | The XI2 code is a copy/paste of the RandR code, so the bug exists in | ||
21 | both. | ||
22 | |||
23 | CVE-2023-5367, ZDI-CAN-22153 | ||
24 | |||
25 | This vulnerability was discovered by: | ||
26 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
27 | |||
28 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
29 | |||
30 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a] | ||
31 | CVE: CVE-2023-5367 | ||
32 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
33 | --- | ||
34 | Xi/xiproperty.c | 4 ++-- | ||
35 | randr/rrproperty.c | 4 ++-- | ||
36 | 2 files changed, 4 insertions(+), 4 deletions(-) | ||
37 | |||
38 | diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c | ||
39 | index 066ba21fba..d315f04d0e 100644 | ||
40 | --- a/Xi/xiproperty.c | ||
41 | +++ b/Xi/xiproperty.c | ||
42 | @@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, | ||
43 | XIDestroyDeviceProperty(prop); | ||
44 | return BadAlloc; | ||
45 | } | ||
46 | - new_value.size = len; | ||
47 | + new_value.size = total_len; | ||
48 | new_value.type = type; | ||
49 | new_value.format = format; | ||
50 | |||
51 | @@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, | ||
52 | case PropModePrepend: | ||
53 | new_data = new_value.data; | ||
54 | old_data = (void *) (((char *) new_value.data) + | ||
55 | - (prop_value->size * size_in_bytes)); | ||
56 | + (len * size_in_bytes)); | ||
57 | break; | ||
58 | } | ||
59 | if (new_data) | ||
60 | diff --git a/randr/rrproperty.c b/randr/rrproperty.c | ||
61 | index c2fb9585c6..25469f57b2 100644 | ||
62 | --- a/randr/rrproperty.c | ||
63 | +++ b/randr/rrproperty.c | ||
64 | @@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, | ||
65 | RRDestroyOutputProperty(prop); | ||
66 | return BadAlloc; | ||
67 | } | ||
68 | - new_value.size = len; | ||
69 | + new_value.size = total_len; | ||
70 | new_value.type = type; | ||
71 | new_value.format = format; | ||
72 | |||
73 | @@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, | ||
74 | case PropModePrepend: | ||
75 | new_data = new_value.data; | ||
76 | old_data = (void *) (((char *) new_value.data) + | ||
77 | - (prop_value->size * size_in_bytes)); | ||
78 | + (len * size_in_bytes)); | ||
79 | break; | ||
80 | } | ||
81 | if (new_data) | ||
82 | -- | ||
83 | GitLab | ||
84 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch new file mode 100644 index 0000000000..720340d83b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 5 Oct 2023 12:19:45 +1000 | ||
4 | Subject: [PATCH] mi: reset the PointerWindows reference on screen switch | ||
5 | |||
6 | PointerWindows[] keeps a reference to the last window our sprite | ||
7 | entered - changes are usually handled by CheckMotion(). | ||
8 | |||
9 | If we switch between screens via XWarpPointer our | ||
10 | dev->spriteInfo->sprite->win is set to the new screen's root window. | ||
11 | If there's another window at the cursor location CheckMotion() will | ||
12 | trigger the right enter/leave events later. If there is not, it skips | ||
13 | that process and we never trigger LeaveWindow() - PointerWindows[] for | ||
14 | the device still refers to the previous window. | ||
15 | |||
16 | If that window is destroyed we have a dangling reference that will | ||
17 | eventually cause a use-after-free bug when checking the window hierarchy | ||
18 | later. | ||
19 | |||
20 | To trigger this, we require: | ||
21 | - two protocol screens | ||
22 | - XWarpPointer to the other screen's root window | ||
23 | - XDestroyWindow before entering any other window | ||
24 | |||
25 | This is a niche bug so we hack around it by making sure we reset the | ||
26 | PointerWindows[] entry so we cannot have a dangling pointer. This | ||
27 | doesn't handle Enter/Leave events correctly but the previous code didn't | ||
28 | either. | ||
29 | |||
30 | CVE-2023-5380, ZDI-CAN-21608 | ||
31 | |||
32 | This vulnerability was discovered by: | ||
33 | Sri working with Trend Micro Zero Day Initiative | ||
34 | |||
35 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
36 | Reviewed-by: Adam Jackson <ajax@redhat.com> | ||
37 | |||
38 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] | ||
39 | CVE: CVE-2023-5380 | ||
40 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
41 | --- | ||
42 | dix/enterleave.h | 2 -- | ||
43 | include/eventstr.h | 3 +++ | ||
44 | mi/mipointer.c | 17 +++++++++++++++-- | ||
45 | 3 files changed, 18 insertions(+), 4 deletions(-) | ||
46 | |||
47 | diff --git a/dix/enterleave.h b/dix/enterleave.h | ||
48 | index 4b833d8..e8af924 100644 | ||
49 | --- a/dix/enterleave.h | ||
50 | +++ b/dix/enterleave.h | ||
51 | @@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, | ||
52 | |||
53 | extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); | ||
54 | |||
55 | -extern void LeaveWindow(DeviceIntPtr dev); | ||
56 | - | ||
57 | extern void CoreFocusEvent(DeviceIntPtr kbd, | ||
58 | int type, int mode, int detail, WindowPtr pWin); | ||
59 | |||
60 | diff --git a/include/eventstr.h b/include/eventstr.h | ||
61 | index bf3b95f..2bae3b0 100644 | ||
62 | --- a/include/eventstr.h | ||
63 | +++ b/include/eventstr.h | ||
64 | @@ -296,4 +296,7 @@ union _InternalEvent { | ||
65 | #endif | ||
66 | }; | ||
67 | |||
68 | +extern void | ||
69 | +LeaveWindow(DeviceIntPtr dev); | ||
70 | + | ||
71 | #endif | ||
72 | diff --git a/mi/mipointer.c b/mi/mipointer.c | ||
73 | index 75be1ae..b12ae9b 100644 | ||
74 | --- a/mi/mipointer.c | ||
75 | +++ b/mi/mipointer.c | ||
76 | @@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) | ||
77 | #ifdef PANORAMIX | ||
78 | && noPanoramiXExtension | ||
79 | #endif | ||
80 | - ) | ||
81 | - UpdateSpriteForScreen(pDev, pScreen); | ||
82 | + ) { | ||
83 | + DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); | ||
84 | + /* Hack for CVE-2023-5380: if we're moving | ||
85 | + * screens PointerWindows[] keeps referring to the | ||
86 | + * old window. If that gets destroyed we have a UAF | ||
87 | + * bug later. Only happens when jumping from a window | ||
88 | + * to the root window on the other screen. | ||
89 | + * Enter/Leave events are incorrect for that case but | ||
90 | + * too niche to fix. | ||
91 | + */ | ||
92 | + LeaveWindow(pDev); | ||
93 | + if (master) | ||
94 | + LeaveWindow(master); | ||
95 | + UpdateSpriteForScreen(pDev, pScreen); | ||
96 | + } | ||
97 | } | ||
98 | |||
99 | /** | ||
100 | -- | ||
101 | 2.25.1 | ||
102 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index 5c604fa86e..eaff93bd09 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb | |||
@@ -16,6 +16,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
16 | file://CVE-2022-46344.patch \ | 16 | file://CVE-2022-46344.patch \ |
17 | file://CVE-2023-0494.patch \ | 17 | file://CVE-2023-0494.patch \ |
18 | file://CVE-2023-1393.patch \ | 18 | file://CVE-2023-1393.patch \ |
19 | file://CVE-2023-5367.patch \ | ||
20 | file://CVE-2023-5380.patch \ | ||
19 | " | 21 | " |
20 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" | 22 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" |
21 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" | 23 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" |