Revert "xserver-xorg: backport fix for CVE-2023-1393"

This reverts commit dc2c777cab0230fc54e078d20d872aaa9287a8b9. Fixed in subsequent version bump (From OE-Core rev: 151149b590a9051a6de58115a6796ccf17894498) Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Steve Sakoman <steve@sakoman.com> 2023-05-09 04:10:34 -1000
committer: Steve Sakoman <steve@sakoman.com> 2023-05-12 04:04:52 -1000
commit: 2f06076f975f4dcafd10becc5b36e3df362293de (patch)
tree: f1745e9ec54460a1d0090ef24dabf1f90fee4d64 /meta
parent: 11e2400b24c71828a0cd9484343a86b266a88eec (diff)
download: poky-2f06076f975f4dcafd10becc5b36e3df362293de.tar.gz
2 files changed, 1 insertions, 48 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
deleted file mode 100644
index fc426daba5..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Mon, 13 Mar 2023 11:08:47 +0100
-Subject: [PATCH] composite: Fix use-after-free of the COW
-ZDI-CAN-19866/CVE-2023-1393
-If a client explicitly destroys the compositor overlay window (aka COW),
-we would leave a dangling pointer to that window in the CompScreen
-structure, which will trigger a use-after-free later.
-Make sure to clear the CompScreen pointer to the COW when the latter gets
-destroyed explicitly by the client.
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-CVE: CVE-2023-1393
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
---
- composite/compwindow.c | 5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/composite/compwindow.c b/composite/compwindow.c
-index 4e2494b86..b30da589e 100644
--- a/composite/compwindow.c
-+++ b/composite/compwindow.c
-@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
-     ret = (*pScreen->DestroyWindow) (pWin);
-     cs->DestroyWindow = pScreen->DestroyWindow;
-     pScreen->DestroyWindow = compDestroyWindow;
-+
-+    /* Did we just destroy the overlay window? */
-+    if (pWin == cs->pOverlayWin)
-+        cs->pOverlayWin = NULL;
-+
- /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
-     return ret;
- }
-- 
-2.34.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
index f0771cc86e..212c7d39c2 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
@@ -1,8 +1,7 @@
 require xserver-xorg.inc
 SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
-            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
-            file://0001-composite-Fix-use-after-free-of-the-COW.patch \
           "
 SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
author	Steve Sakoman <steve@sakoman.com>	2023-05-09 04:10:34 -1000
committer	Steve Sakoman <steve@sakoman.com>	2023-05-12 04:04:52 -1000
commit	2f06076f975f4dcafd10becc5b36e3df362293de (patch)
tree	f1745e9ec54460a1d0090ef24dabf1f90fee4d64 /meta
parent	11e2400b24c71828a0cd9484343a86b266a88eec (diff)
download	poky-2f06076f975f4dcafd10becc5b36e3df362293de.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch deleted file mode 100644 index fc426daba5..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch +++ /dev/null
@@ -1,46 +0,0 @@
1	From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
2	From: Olivier Fourdan <ofourdan@redhat.com>
3	Date: Mon, 13 Mar 2023 11:08:47 +0100
4	Subject: [PATCH] composite: Fix use-after-free of the COW
5
6	ZDI-CAN-19866/CVE-2023-1393
7
8	If a client explicitly destroys the compositor overlay window (aka COW),
9	we would leave a dangling pointer to that window in the CompScreen
10	structure, which will trigger a use-after-free later.
11
12	Make sure to clear the CompScreen pointer to the COW when the latter gets
13	destroyed explicitly by the client.
14
15	This vulnerability was discovered by:
16	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
17
18	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
19	Reviewed-by: Adam Jackson <ajax@redhat.com>
20
21	CVE: CVE-2023-1393
22	Upstream-Status: Backport
23	Signed-off-by: Ross Burton <ross.burton@arm.com>
24	---
25	composite/compwindow.c \| 5 +++++
26	1 file changed, 5 insertions(+)
27
28	diff --git a/composite/compwindow.c b/composite/compwindow.c
29	index 4e2494b86..b30da589e 100644
30	--- a/composite/compwindow.c
31	+++ b/composite/compwindow.c
32	@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
33	ret = (*pScreen->DestroyWindow) (pWin);
34	cs->DestroyWindow = pScreen->DestroyWindow;
35	pScreen->DestroyWindow = compDestroyWindow;
36	+
37	+ /* Did we just destroy the overlay window? */
38	+ if (pWin == cs->pOverlayWin)
39	+ cs->pOverlayWin = NULL;
40	+
41	/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
42	return ret;
43	}
44	--
45	2.34.1
46


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb index f0771cc86e..212c7d39c2 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
@@ -1,8 +1,7 @@
1	require xserver-xorg.inc	1	require xserver-xorg.inc
2		2
3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \	3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \	4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
5	file://0001-composite-Fix-use-after-free-of-the-COW.patch \
6	"	5	"
7	SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"	6	SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
8		7