xserver-xorg: backport fix for CVE-2023-1393

(From OE-Core rev: dc2c777cab0230fc54e078d20d872aaa9287a8b9) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 7828f7026b4cd3ae97ebe5d849c09fabbc17272d) Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ross Burton <ross.burton@arm.com> 2023-04-20 13:00:43 +0100
committer: Steve Sakoman <steve@sakoman.com> 2023-05-03 04:17:12 -1000
commit: 9971a61f08175918db43fab605d7725c3076a5ef (patch)
tree: ca62de64d607b4e5aea3fc1e98b23c21ab6f487d /meta
parent: 20e0e5ebfb4267d212a77ac414a53b0725c0e53e (diff)
download: poky-9971a61f08175918db43fab605d7725c3076a5ef.tar.gz
2 files changed, 48 insertions, 1 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
new file mode 100644
index 0000000000..fc426daba5
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
@@ -0,0 +1,46 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+ZDI-CAN-19866/CVE-2023-1393
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+CVE: CVE-2023-1393
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86..b30da589e 100644
+--- a/composite/compwindow.c
+++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+2.34.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
index 212c7d39c2..f0771cc86e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
@@ -1,7 +1,8 @@
 require xserver-xorg.inc
 SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
-           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+            file://0001-composite-Fix-use-after-free-of-the-COW.patch \
           "
 SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
author	Ross Burton <ross.burton@arm.com>	2023-04-20 13:00:43 +0100
committer	Steve Sakoman <steve@sakoman.com>	2023-05-03 04:17:12 -1000
commit	9971a61f08175918db43fab605d7725c3076a5ef (patch)
tree	ca62de64d607b4e5aea3fc1e98b23c21ab6f487d /meta
parent	20e0e5ebfb4267d212a77ac414a53b0725c0e53e (diff)
download	poky-9971a61f08175918db43fab605d7725c3076a5ef.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch new file mode 100644 index 0000000000..fc426daba5 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
@@ -0,0 +1,46 @@
		1	From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 13 Mar 2023 11:08:47 +0100
		4	Subject: [PATCH] composite: Fix use-after-free of the COW
		5
		6	ZDI-CAN-19866/CVE-2023-1393
		7
		8	If a client explicitly destroys the compositor overlay window (aka COW),
		9	we would leave a dangling pointer to that window in the CompScreen
		10	structure, which will trigger a use-after-free later.
		11
		12	Make sure to clear the CompScreen pointer to the COW when the latter gets
		13	destroyed explicitly by the client.
		14
		15	This vulnerability was discovered by:
		16	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		17
		18	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		19	Reviewed-by: Adam Jackson <ajax@redhat.com>
		20
		21	CVE: CVE-2023-1393
		22	Upstream-Status: Backport
		23	Signed-off-by: Ross Burton <ross.burton@arm.com>
		24	---
		25	composite/compwindow.c \| 5 +++++
		26	1 file changed, 5 insertions(+)
		27
		28	diff --git a/composite/compwindow.c b/composite/compwindow.c
		29	index 4e2494b86..b30da589e 100644
		30	--- a/composite/compwindow.c
		31	+++ b/composite/compwindow.c
		32	@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
		33	ret = (*pScreen->DestroyWindow) (pWin);
		34	cs->DestroyWindow = pScreen->DestroyWindow;
		35	pScreen->DestroyWindow = compDestroyWindow;
		36	+
		37	+ /* Did we just destroy the overlay window? */
		38	+ if (pWin == cs->pOverlayWin)
		39	+ cs->pOverlayWin = NULL;
		40	+
		41	/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
		42	return ret;
		43	}
		44	--
		45	2.34.1
		46


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb index 212c7d39c2..f0771cc86e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
@@ -1,7 +1,8 @@
1	require xserver-xorg.inc	1	require xserver-xorg.inc
2		2
3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \	3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \	4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
		5	file://0001-composite-Fix-use-after-free-of-the-COW.patch \
5	"	6	"
6	SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"	7	SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
7		8