1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
new file mode 100644
index 0000000000..7c8fbcc3ec
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
+ devices
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+CVE-2024-21885, ZDI-CAN-22744
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
+CVE: CVE-2024-21885
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+     size_t len;                        /* length of data remaining in request */
+     int rc = Success;
+     int flags[MAXDEVICES] = { 0 };
+    enum {
+        NO_CHANGE,
+        FLUSH,
+        CHANGED,
+    } changes = NO_CHANGE;
+ 
+     REQUEST(xXIChangeHierarchyReq);
+     REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = add_master(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
+            changes = FLUSH;
+             break;
+        }
+         case XIRemoveMaster:
+         {
+             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = remove_master(client, r, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
+            changes = FLUSH;
+             break;
+        }
+         case XIDetachSlave:
+         {
+             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = detach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
+            changes = CHANGED;
+             break;
+        }
+         case XIAttachSlave:
+         {
+             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = attach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+            changes = CHANGED;
+            break;
+         }
+        default:
+             break;
+         }
+ 
+        if (changes == FLUSH) {
+            XISendDeviceHierarchyEvent(flags);
+            memset(flags, 0, sizeof(flags));
+            changes = NO_CHANGE;
+        }
+
+         len -= any->length * 4;
+         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+     }
+ 
+  unwind:
+-
+-    XISendDeviceHierarchyEvent(flags);
+    if (changes != NO_CHANGE)
+        XISendDeviceHierarchyEvent(flags);
+     return rc;
+ }
+-- 
+GitLab

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch new file mode 100644 index 0000000000..7c8fbcc3ec --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
	1	From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Thu, 4 Jan 2024 10:01:24 +1000
	4	Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
	5	devices
	6
	7	The `XISendDeviceHierarchyEvent()` function allocates space to store up
	8	to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
	9
	10	If a device with a given ID was removed and a new device with the same
	11	ID added both in the same operation, the single device ID will lead to
	12	two info structures being written to `info`.
	13
	14	Since this case can occur for every device ID at once, a total of two
	15	times `MAXDEVICES` info structures might be written to the allocation.
	16
	17	To avoid it, once one add/remove master is processed, send out the
	18	device hierarchy event for the current state and continue. That event
	19	thus only ever has exactly one of either added/removed in it (and
	20	optionally slave attached/detached).
	21
	22	CVE-2024-21885, ZDI-CAN-22744
	23
	24	This vulnerability was discovered by:
	25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	26
	27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
	28	CVE: CVE-2024-21885
	29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	30	---
	31	Xi/xichangehierarchy.c \| 27 ++++++++++++++++++++++-----
	32	1 file changed, 22 insertions(+), 5 deletions(-)
	33
	34	diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
	35	index d2d985848d..72d00451e3 100644
	36	--- a/Xi/xichangehierarchy.c
	37	+++ b/Xi/xichangehierarchy.c
	38	@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
	39	size_t len; /* length of data remaining in request */
	40	int rc = Success;
	41	int flags[MAXDEVICES] = { 0 };
	42	+ enum {
	43	+ NO_CHANGE,
	44	+ FLUSH,
	45	+ CHANGED,
	46	+ } changes = NO_CHANGE;
	47
	48	REQUEST(xXIChangeHierarchyReq);
	49	REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
	50	@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
	51	rc = add_master(client, c, flags);
	52	if (rc != Success)
	53	goto unwind;
	54	- }
	55	+ changes = FLUSH;
	56	break;
	57	+ }
	58	case XIRemoveMaster:
	59	{
	60	xXIRemoveMasterInfo r = (xXIRemoveMasterInfo ) any;
	61	@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
	62	rc = remove_master(client, r, flags);
	63	if (rc != Success)
	64	goto unwind;
	65	- }
	66	+ changes = FLUSH;
	67	break;
	68	+ }
	69	case XIDetachSlave:
	70	{
	71	xXIDetachSlaveInfo c = (xXIDetachSlaveInfo ) any;
	72	@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
	73	rc = detach_slave(client, c, flags);
	74	if (rc != Success)
	75	goto unwind;
	76	- }
	77	+ changes = CHANGED;
	78	break;
	79	+ }
	80	case XIAttachSlave:
	81	{
	82	xXIAttachSlaveInfo c = (xXIAttachSlaveInfo ) any;
	83	@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
	84	rc = attach_slave(client, c, flags);
	85	if (rc != Success)
	86	goto unwind;
	87	+ changes = CHANGED;
	88	+ break;
	89	}
	90	+ default:
	91	break;
	92	}
	93
	94	+ if (changes == FLUSH) {
	95	+ XISendDeviceHierarchyEvent(flags);
	96	+ memset(flags, 0, sizeof(flags));
	97	+ changes = NO_CHANGE;
	98	+ }
	99	+
	100	len -= any->length * 4;
	101	any = (xXIAnyHierarchyChangeInfo ) ((char ) any + any->length * 4);
	102	}
	103
	104	unwind:
	105	-
	106	- XISendDeviceHierarchyEvent(flags);
	107	+ if (changes != NO_CHANGE)
	108	+ XISendDeviceHierarchyEvent(flags);
	109	return rc;
	110	}
	111	--
	112	GitLab
	113