diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch | 113 |
1 files changed, 0 insertions, 113 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch deleted file mode 100644 index 9a8e583e78..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch +++ /dev/null | |||
@@ -1,113 +0,0 @@ | |||
1 | From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 12 Oct 2023 12:44:13 +1000 | ||
4 | Subject: [PATCH] fb: properly wrap/unwrap CloseScreen | ||
5 | |||
6 | fbCloseScreen assumes that it overrides miCloseScreen (which just | ||
7 | calls FreePixmap(screen->devPrivates)) and emulates that instead of | ||
8 | wrapping it. | ||
9 | |||
10 | This is a wrong assumption, we may have ShmCloseScreen in the mix too, | ||
11 | resulting in leaks (see below). Fix this by properly setting up the | ||
12 | CloseScreen wrapper. | ||
13 | |||
14 | This means we no longer need the manual DestroyPixmap call in | ||
15 | vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303 | ||
16 | |||
17 | CVE-2023-5574, ZDI-CAN-21213 | ||
18 | |||
19 | This vulnerability was discovered by: | ||
20 | Sri working with Trend Micro Zero Day Initiative | ||
21 | |||
22 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
23 | Reviewed-by: Adam Jackson <ajax@redhat.com> | ||
24 | |||
25 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f] | ||
26 | CVE: CVE-2023-5574 | ||
27 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
28 | --- | ||
29 | fb/fb.h | 1 + | ||
30 | fb/fbscreen.c | 14 ++++++++++---- | ||
31 | hw/vfb/InitOutput.c | 7 ------- | ||
32 | 3 files changed, 11 insertions(+), 11 deletions(-) | ||
33 | |||
34 | diff --git a/fb/fb.h b/fb/fb.h | ||
35 | index d157b6956d..cd7bd05d21 100644 | ||
36 | --- a/fb/fb.h | ||
37 | +++ b/fb/fb.h | ||
38 | @@ -410,6 +410,7 @@ typedef struct { | ||
39 | #endif | ||
40 | DevPrivateKeyRec gcPrivateKeyRec; | ||
41 | DevPrivateKeyRec winPrivateKeyRec; | ||
42 | + CloseScreenProcPtr CloseScreen; | ||
43 | } FbScreenPrivRec, *FbScreenPrivPtr; | ||
44 | |||
45 | #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \ | ||
46 | diff --git a/fb/fbscreen.c b/fb/fbscreen.c | ||
47 | index 4ab807ab50..c481033f98 100644 | ||
48 | --- a/fb/fbscreen.c | ||
49 | +++ b/fb/fbscreen.c | ||
50 | @@ -29,6 +29,7 @@ | ||
51 | Bool | ||
52 | fbCloseScreen(ScreenPtr pScreen) | ||
53 | { | ||
54 | + FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen); | ||
55 | int d; | ||
56 | DepthPtr depths = pScreen->allowedDepths; | ||
57 | |||
58 | @@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen) | ||
59 | free(depths[d].vids); | ||
60 | free(depths); | ||
61 | free(pScreen->visuals); | ||
62 | - if (pScreen->devPrivate) | ||
63 | - FreePixmap((PixmapPtr)pScreen->devPrivate); | ||
64 | - return TRUE; | ||
65 | + | ||
66 | + pScreen->CloseScreen = screen_priv->CloseScreen; | ||
67 | + | ||
68 | + return pScreen->CloseScreen(pScreen); | ||
69 | } | ||
70 | |||
71 | Bool | ||
72 | @@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize, | ||
73 | int dpix, int dpiy, int width, int bpp) | ||
74 | #endif | ||
75 | { | ||
76 | + FbScreenPrivPtr screen_priv; | ||
77 | VisualPtr visuals; | ||
78 | DepthPtr depths; | ||
79 | int nvisuals; | ||
80 | @@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize, | ||
81 | rootdepth, ndepths, depths, | ||
82 | defaultVisual, nvisuals, visuals)) | ||
83 | return FALSE; | ||
84 | - /* overwrite miCloseScreen with our own */ | ||
85 | + | ||
86 | + screen_priv = fbGetScreenPrivate(pScreen); | ||
87 | + screen_priv->CloseScreen = pScreen->CloseScreen; | ||
88 | pScreen->CloseScreen = fbCloseScreen; | ||
89 | + | ||
90 | return TRUE; | ||
91 | } | ||
92 | |||
93 | diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c | ||
94 | index 48efb61b2f..076fb7defa 100644 | ||
95 | --- a/hw/vfb/InitOutput.c | ||
96 | +++ b/hw/vfb/InitOutput.c | ||
97 | @@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen) | ||
98 | |||
99 | pScreen->CloseScreen = pvfb->closeScreen; | ||
100 | |||
101 | - /* | ||
102 | - * fb overwrites miCloseScreen, so do this here | ||
103 | - */ | ||
104 | - if (pScreen->devPrivate) | ||
105 | - (*pScreen->DestroyPixmap) (pScreen->devPrivate); | ||
106 | - pScreen->devPrivate = NULL; | ||
107 | - | ||
108 | return pScreen->CloseScreen(pScreen); | ||
109 | } | ||
110 | |||
111 | -- | ||
112 | GitLab | ||
113 | |||