xserver-xorg: Fix for CVE-2023-5574

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586] (From OE-Core rev: 9291d7e7aca8ff93d036770e4fb42901c3ea1d60) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-11-06 21:04:23 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-11-08 11:00:09 +0000
commit: a193c0224a4100f2e75bfff40b0832758affeb45 (patch)
tree: a00ae88887cedac9de81d8aa573c13d68bd52af5 /meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
parent: 1c135f1d7af041167555fe1a368b56799bb89cf9 (diff)
download: poky-a193c0224a4100f2e75bfff40b0832758affeb45.tar.gz
1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
new file mode 100644
index 0000000000..47c247ef0c
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
@@ -0,0 +1,54 @@
+From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 24 Oct 2023 12:09:36 +1000
+Subject: [PATCH] dix: always initialize pScreen->CloseScreen
+CloseScreen is wrapped by the various modules, many of which do not
+check if they're the last ones unwrapping. This is fine if the order of
+those modules never changes but when it does we might get a NULL-pointer
+dereference by some naive code doing a
+   pScreen->CloseScreen = priv->CloseScreen;
+   free(priv);
+   return (*pScreen->CloseScreen)(pScreen);
+To avoid this set it to a default function that just returns TRUE that's
+guaranteed to be the last one.
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586]
+CVE: CVE-2023-5574
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/dispatch.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index eaac39b7c9..cd092fd409 100644
+--- a/dix/dispatch.c
+++ b/dix/dispatch.c
+@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = {
+     3                           /* 64 bits per scanline pad unit */
+ };
+ 
+static Bool
+DefaultCloseScreen(ScreenPtr screen)
+{
+    return TRUE;
+}
+
+ /*
+        grow the array of screenRecs if necessary.
+        call the device-supplied initialization procedure
+@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu)
+             PixmapWidthPaddingInfo[depth].notPower2 = 0;
+         }
+     }
+
+    pScreen->CloseScreen = DefaultCloseScreen;
+
+     return 0;
+ }
+ 
+-- 
+GitLab
author	Vijay Anusuri <vanusuri@mvista.com>	2023-11-06 21:04:23 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-11-08 11:00:09 +0000
commit	a193c0224a4100f2e75bfff40b0832758affeb45 (patch)
tree	a00ae88887cedac9de81d8aa573c13d68bd52af5 /meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
parent	1c135f1d7af041167555fe1a368b56799bb89cf9 (diff)
download	poky-a193c0224a4100f2e75bfff40b0832758affeb45.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch new file mode 100644 index 0000000000..47c247ef0c --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
@@ -0,0 +1,54 @@
	1	From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Tue, 24 Oct 2023 12:09:36 +1000
	4	Subject: [PATCH] dix: always initialize pScreen->CloseScreen
	5
	6	CloseScreen is wrapped by the various modules, many of which do not
	7	check if they're the last ones unwrapping. This is fine if the order of
	8	those modules never changes but when it does we might get a NULL-pointer
	9	dereference by some naive code doing a
	10
	11	pScreen->CloseScreen = priv->CloseScreen;
	12	free(priv);
	13	return (*pScreen->CloseScreen)(pScreen);
	14
	15	To avoid this set it to a default function that just returns TRUE that's
	16	guaranteed to be the last one.
	17
	18	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586]
	19	CVE: CVE-2023-5574
	20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	21	---
	22	dix/dispatch.c \| 9 +++++++++
	23	1 file changed, 9 insertions(+)
	24
	25	diff --git a/dix/dispatch.c b/dix/dispatch.c
	26	index eaac39b7c9..cd092fd409 100644
	27	--- a/dix/dispatch.c
	28	+++ b/dix/dispatch.c
	29	@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = {
	30	3 /* 64 bits per scanline pad unit */
	31	};
	32
	33	+static Bool
	34	+DefaultCloseScreen(ScreenPtr screen)
	35	+{
	36	+ return TRUE;
	37	+}
	38	+
	39	/*
	40	grow the array of screenRecs if necessary.
	41	call the device-supplied initialization procedure
	42	@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu)
	43	PixmapWidthPaddingInfo[depth].notPower2 = 0;
	44	}
	45	}
	46	+
	47	+ pScreen->CloseScreen = DefaultCloseScreen;
	48	+
	49	return 0;
	50	}
	51
	52	--
	53	GitLab
	54