Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch | 102 |
1 files changed, 102 insertions, 0 deletions
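--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/enterleave.h | 2 --
+include/eventstr.h | 3 +++
+mi/mipointer.c | 17 +++++++++++++++--
+3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8..e8af924 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+
+extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+extern void CoreFocusEvent(DeviceIntPtr kbd,
+int type, int mode, int detail, WindowPtr pWin);
+
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95f..2bae3b0 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+#endif
+};
+
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+#endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1ae..b12ae9b 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+#ifdef PANORAMIX
+&& noPanoramiXExtension
+#endif
+- )
+- UpdateSpriteForScreen(pDev, pScreen);
++ ) {
++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++ /* Hack for CVE-2023-5380: if we're moving
++ * screens PointerWindows[] keeps referring to the
++ * old window. If that gets destroyed we have a UAF
++ * bug later. Only happens when jumping from a window
++ * to the root window on the other screen.
++ * Enter/Leave events are incorrect for that case but
++ * too niche to fix.
++ */
++ LeaveWindow(pDev);
++ if (master)
++ LeaveWindow(master);
++ UpdateSpriteForScreen(pDev, pScreen);
++ }
+}
+
+/**
+--
+2.25.1
+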