xwayland: Fix CVE-2023-6377 CVE-2023-6478

(From OE-Core rev: 89974b7fa33f3e9d3e3a4df7ad219898fe400d3a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2024-01-26 10:46:12 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-02-07 03:30:05 -1000
commit: ef5bd0511c0fde86f830f512a9a0dda41de792ee (patch)
tree: 33f8ffd2a275cdbfec923e5987c28e92fdeceb41
parent: ca885e47607e600add5b49e485835c7c4272084c (diff)
download: poky-ef5bd0511c0fde86f830f512a9a0dda41de792ee.tar.gz
3 files changed, 150 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
new file mode 100644
index 0000000000..f650f495a3
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
@@ -0,0 +1,82 @@
+CVE: CVE-2023-6377
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/19e9f199950aaa4b9b7696936d1b067475da999c ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 19e9f199950aaa4b9b7696936d1b067475da999c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
+++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+         }
+ 
+         if (from->button->xkb_acts) {
+-            if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-                if (!to->button->xkb_acts)
+-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
+-            }
+            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+                                                   maxbuttons,
+                                                   sizeof(XkbAction));
+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
+                   from->button->numButtons * sizeof(XkbAction));
+         }
+         else {
+             free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index 7150734a58..20fef16923 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
+        int last_num_buttons = master->button->numButtons;
+
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+ 
+         master->button->numButtons = maxbuttons;
+        if (last_num_buttons < maxbuttons) {
+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+                                                       maxbuttons,
+                                                       sizeof(XkbAction));
+            memset(&master->button->xkb_acts[last_num_buttons],
+                   0,
+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+        }
+ 
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
new file mode 100644
index 0000000000..23fbc0e9e2
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
@@ -0,0 +1,66 @@
+CVE: CVE-2023-6478
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/aaf854fb25541380cc38a221c15f0e8372f48872 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From aaf854fb25541380cc38a221c15f0e8372f48872 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+This fixes an OOB read and the resulting information disclosure.
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+CVE-2023-6478, ZDI-CAN-22561
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 94797be8e0..e6e17d7da5 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880"
 SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2023-5367.patch \
+           file://CVE-2023-6377.patch \
+           file://CVE-2023-6478.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2024-01-26 10:46:12 +0800
committer	Steve Sakoman <steve@sakoman.com>	2024-02-07 03:30:05 -1000
commit	ef5bd0511c0fde86f830f512a9a0dda41de792ee (patch)
tree	33f8ffd2a275cdbfec923e5987c28e92fdeceb41
parent	ca885e47607e600add5b49e485835c7c4272084c (diff)
download	poky-ef5bd0511c0fde86f830f512a9a0dda41de792ee.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch new file mode 100644 index 0000000000..f650f495a3 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
@@ -0,0 +1,82 @@
		1	CVE: CVE-2023-6377
		2	Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/19e9f199950aaa4b9b7696936d1b067475da999c ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5
		6	From 19e9f199950aaa4b9b7696936d1b067475da999c Mon Sep 17 00:00:00 2001
		7	From: Peter Hutterer <peter.hutterer@who-t.net>
		8	Date: Tue, 28 Nov 2023 15:19:04 +1000
		9	Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
		10
		11	button->xkb_acts is supposed to be an array sufficiently large for all
		12	our buttons, not just a single XkbActions struct. Allocating
		13	insufficient memory here means when we memcpy() later in
		14	XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
		15	leading to the usual security ooopsiedaisies.
		16
		17	CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
		18
		19	This vulnerability was discovered by:
		20	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		21
		22	(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
		23	---
		24	Xi/exevents.c \| 12 ++++++------
		25	dix/devices.c \| 10 ++++++++++
		26	2 files changed, 16 insertions(+), 6 deletions(-)
		27
		28	diff --git a/Xi/exevents.c b/Xi/exevents.c
		29	index dcd4efb3bc..54ea11a938 100644
		30	--- a/Xi/exevents.c
		31	+++ b/Xi/exevents.c
		32	@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
		33	}
		34
		35	if (from->button->xkb_acts) {
		36	- if (!to->button->xkb_acts) {
		37	- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
		38	- if (!to->button->xkb_acts)
		39	- FatalError("[Xi] not enough memory for xkb_acts.\n");
		40	- }
		41	+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
		42	+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
		43	+ maxbuttons,
		44	+ sizeof(XkbAction));
		45	+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
		46	memcpy(to->button->xkb_acts, from->button->xkb_acts,
		47	- sizeof(XkbAction));
		48	+ from->button->numButtons * sizeof(XkbAction));
		49	}
		50	else {
		51	free(to->button->xkb_acts);
		52	diff --git a/dix/devices.c b/dix/devices.c
		53	index 7150734a58..20fef16923 100644
		54	--- a/dix/devices.c
		55	+++ b/dix/devices.c
		56	@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
		57
		58	if (master->button && master->button->numButtons != maxbuttons) {
		59	int i;
		60	+ int last_num_buttons = master->button->numButtons;
		61	+
		62	DeviceChangedEvent event = {
		63	.header = ET_Internal,
		64	.type = ET_DeviceChanged,
		65	@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
		66	};
		67
		68	master->button->numButtons = maxbuttons;
		69	+ if (last_num_buttons < maxbuttons) {
		70	+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
		71	+ maxbuttons,
		72	+ sizeof(XkbAction));
		73	+ memset(&master->button->xkb_acts[last_num_buttons],
		74	+ 0,
		75	+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
		76	+ }
		77
		78	memcpy(&event.buttons.names, master->button->labels, maxbuttons *
		79	sizeof(Atom));
		80	--
		81	GitLab
		82


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch new file mode 100644 index 0000000000..23fbc0e9e2 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
@@ -0,0 +1,66 @@
		1	CVE: CVE-2023-6478
		2	Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/aaf854fb25541380cc38a221c15f0e8372f48872 ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5
		6	From aaf854fb25541380cc38a221c15f0e8372f48872 Mon Sep 17 00:00:00 2001
		7	From: Peter Hutterer <peter.hutterer@who-t.net>
		8	Date: Mon, 27 Nov 2023 16:27:49 +1000
		9	Subject: [PATCH] randr: avoid integer truncation in length check of
		10	ProcRRChange*Property
		11
		12	Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
		13	See also xserver@8f454b79 where this same bug was fixed for the core
		14	protocol and XI.
		15
		16	This fixes an OOB read and the resulting information disclosure.
		17
		18	Length calculation for the request was clipped to a 32-bit integer. With
		19	the correct stuff->nUnits value the expected request size was
		20	truncated, passing the REQUEST_FIXED_SIZE check.
		21
		22	The server then proceeded with reading at least stuff->num_items bytes
		23	(depending on stuff->format) from the request and stuffing whatever it
		24	finds into the property. In the process it would also allocate at least
		25	stuff->nUnits bytes, i.e. 4GB.
		26
		27	CVE-2023-6478, ZDI-CAN-22561
		28
		29	This vulnerability was discovered by:
		30	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		31
		32	(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
		33	---
		34	randr/rrproperty.c \| 2 +-
		35	randr/rrproviderproperty.c \| 2 +-
		36	2 files changed, 2 insertions(+), 2 deletions(-)
		37
		38	diff --git a/randr/rrproperty.c b/randr/rrproperty.c
		39	index 25469f57b2..c4fef8a1f6 100644
		40	--- a/randr/rrproperty.c
		41	+++ b/randr/rrproperty.c
		42	@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
		43	char format, mode;
		44	unsigned long len;
		45	int sizeInBytes;
		46	- int totalSize;
		47	+ uint64_t totalSize;
		48	int err;
		49
		50	REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
		51	diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
		52	index b79c17f9bf..90c5a9a933 100644
		53	--- a/randr/rrproviderproperty.c
		54	+++ b/randr/rrproviderproperty.c
		55	@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
		56	char format, mode;
		57	unsigned long len;
		58	int sizeInBytes;
		59	- int totalSize;
		60	+ uint64_t totalSize;
		61	int err;
		62
		63	REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
		64	--
		65	GitLab
		66


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 94797be8e0..e6e17d7da5 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880"
11		11
12	SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \	12	SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
13	file://CVE-2023-5367.patch \	13	file://CVE-2023-5367.patch \
		14	file://CVE-2023-6377.patch \
		15	file://CVE-2023-6478.patch \
14	"	16	"
15	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	17	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
16		18