1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
new file mode 100644
index 0000000000..0bfff268e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c    | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+     if (pDev->button) {
+         int i;
+ 
+-        rep.buttons_len =
+-            bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
+        rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+         rep.length += rep.buttons_len;
+         buttons = calloc(rep.buttons_len, 4);
+         if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+ 
+     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+ 
+-    /* XI 2 event */
+-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
+    /* XI 2 event contains the logical button map - maps are CARD8
+     * so we need 256 bits for the possibly maximum mapping */
+    btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+     btlen = bytes_to_int32(btlen);
+     len = sizeof(xXIFocusInEvent) + btlen * 4;
+ 
+-- 
+GitLab

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch new file mode 100644 index 0000000000..0bfff268e7 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
	1	From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Thu, 14 Dec 2023 11:29:49 +1000
	4	Subject: [PATCH] dix: allocate enough space for logical button maps
	5
	6	Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
	7	each logical button currently down. Since buttons can be arbitrarily mapped
	8	to anything up to 255 make sure we have enough bits for the maximum mapping.
	9
	10	CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
	11
	12	This vulnerability was discovered by:
	13	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	14
	15	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
	16	CVE: CVE-2023-6816
	17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	18	---
	19	Xi/xiquerypointer.c \| 3 +--
	20	dix/enterleave.c \| 5 +++--
	21	2 files changed, 4 insertions(+), 4 deletions(-)
	22
	23	diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
	24	index 5b77b1a444..2b05ac5f39 100644
	25	--- a/Xi/xiquerypointer.c
	26	+++ b/Xi/xiquerypointer.c
	27	@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
	28	if (pDev->button) {
	29	int i;
	30
	31	- rep.buttons_len =
	32	- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
	33	+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
	34	rep.length += rep.buttons_len;
	35	buttons = calloc(rep.buttons_len, 4);
	36	if (!buttons)
	37	diff --git a/dix/enterleave.c b/dix/enterleave.c
	38	index 867ec74363..ded8679d76 100644
	39	--- a/dix/enterleave.c
	40	+++ b/dix/enterleave.c
	41	@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
	42
	43	mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
	44
	45	- /* XI 2 event */
	46	- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
	47	+ /* XI 2 event contains the logical button map - maps are CARD8
	48	+ * so we need 256 bits for the possibly maximum mapping */
	49	+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
	50	btlen = bytes_to_int32(btlen);
	51	len = sizeof(xXIFocusInEvent) + btlen * 4;
	52
	53	--
	54	GitLab
	55