1 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
new file mode 100644
index 0000000000..720340d83b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+CVE-2023-5380, ZDI-CAN-21608
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8..e8af924 100644
+--- a/dix/enterleave.h
+++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95f..2bae3b0 100644
+--- a/include/eventstr.h
+++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+ 
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1ae..b12ae9b 100644
+--- a/mi/mipointer.c
+++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
+        ) {
+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+            /* Hack for CVE-2023-5380: if we're moving
+             * screens PointerWindows[] keeps referring to the
+             * old window. If that gets destroyed we have a UAF
+             * bug later. Only happens when jumping from a window
+             * to the root window on the other screen.
+             * Enter/Leave events are incorrect for that case but
+             * too niche to fix.
+             */
+            LeaveWindow(pDev);
+            if (master)
+                LeaveWindow(master);
+            UpdateSpriteForScreen(pDev, pScreen);
+    }
+ }
+ 
+ /**
+-- 
+2.25.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch new file mode 100644 index 0000000000..720340d83b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
	1	From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Thu, 5 Oct 2023 12:19:45 +1000
	4	Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
	5
	6	PointerWindows[] keeps a reference to the last window our sprite
	7	entered - changes are usually handled by CheckMotion().
	8
	9	If we switch between screens via XWarpPointer our
	10	dev->spriteInfo->sprite->win is set to the new screen's root window.
	11	If there's another window at the cursor location CheckMotion() will
	12	trigger the right enter/leave events later. If there is not, it skips
	13	that process and we never trigger LeaveWindow() - PointerWindows[] for
	14	the device still refers to the previous window.
	15
	16	If that window is destroyed we have a dangling reference that will
	17	eventually cause a use-after-free bug when checking the window hierarchy
	18	later.
	19
	20	To trigger this, we require:
	21	- two protocol screens
	22	- XWarpPointer to the other screen's root window
	23	- XDestroyWindow before entering any other window
	24
	25	This is a niche bug so we hack around it by making sure we reset the
	26	PointerWindows[] entry so we cannot have a dangling pointer. This
	27	doesn't handle Enter/Leave events correctly but the previous code didn't
	28	either.
	29
	30	CVE-2023-5380, ZDI-CAN-21608
	31
	32	This vulnerability was discovered by:
	33	Sri working with Trend Micro Zero Day Initiative
	34
	35	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	36	Reviewed-by: Adam Jackson <ajax@redhat.com>
	37
	38	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
	39	CVE: CVE-2023-5380
	40	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	41	---
	42	dix/enterleave.h \| 2 --
	43	include/eventstr.h \| 3 +++
	44	mi/mipointer.c \| 17 +++++++++++++++--
	45	3 files changed, 18 insertions(+), 4 deletions(-)
	46
	47	diff --git a/dix/enterleave.h b/dix/enterleave.h
	48	index 4b833d8..e8af924 100644
	49	--- a/dix/enterleave.h
	50	+++ b/dix/enterleave.h
	51	@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
	52
	53	extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
	54
	55	-extern void LeaveWindow(DeviceIntPtr dev);
	56	-
	57	extern void CoreFocusEvent(DeviceIntPtr kbd,
	58	int type, int mode, int detail, WindowPtr pWin);
	59
	60	diff --git a/include/eventstr.h b/include/eventstr.h
	61	index bf3b95f..2bae3b0 100644
	62	--- a/include/eventstr.h
	63	+++ b/include/eventstr.h
	64	@@ -296,4 +296,7 @@ union _InternalEvent {
	65	#endif
	66	};
	67
	68	+extern void
	69	+LeaveWindow(DeviceIntPtr dev);
	70	+
	71	#endif
	72	diff --git a/mi/mipointer.c b/mi/mipointer.c
	73	index 75be1ae..b12ae9b 100644
	74	--- a/mi/mipointer.c
	75	+++ b/mi/mipointer.c
	76	@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
	77	#ifdef PANORAMIX
	78	&& noPanoramiXExtension
	79	#endif
	80	- )
	81	- UpdateSpriteForScreen(pDev, pScreen);
	82	+ ) {
	83	+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
	84	+ /* Hack for CVE-2023-5380: if we're moving
	85	+ * screens PointerWindows[] keeps referring to the
	86	+ * old window. If that gets destroyed we have a UAF
	87	+ * bug later. Only happens when jumping from a window
	88	+ * to the root window on the other screen.
	89	+ * Enter/Leave events are incorrect for that case but
	90	+ * too niche to fix.
	91	+ */
	92	+ LeaveWindow(pDev);
	93	+ if (master)
	94	+ LeaveWindow(master);
	95	+ UpdateSpriteForScreen(pDev, pScreen);
	96	+ }
	97	}
	98
	99	/**
	100	--
	101	2.25.1
	102