import UBI libX11-1.6.8-8.el8

2024-05-22 13:37:22 +00:00 · 2024-05-22 13:37:22 +00:00 · 520922b5b7
commit 520922b5b7
parent 13630dd6d2
7 changed files with 439 additions and 1 deletions
--- a/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
+++ b/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
@ -0,0 +1,166 @@
 From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
 From: Keith Packard <keithp@keithp.com>
 Date: Sat, 7 Nov 2020 22:22:47 -0800
 Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
 adjustment
 This patch is based on research done by Dmitry Osipenko to uncover the
 cause of a large class of Xlib lockups.
 _XError must unlock and re-lock the display around the call to the
 user error handler function. When re-locking the display, two
 functions are called to ensure that the display is ready to generate a request:
    _XIDHandler(dpy);
    _XSeqSyncFunction(dpy);
 The first ensures that there is at least one XID available to use
 (possibly calling _xcb_generate_id to do so). The second makes sure a
 reply is received at least every 65535 requests to keep sequence
 numbers in sync (possibly generating a GetInputFocus request and
 synchronously awaiting the reply).
 If the second of these does generate a GetInputFocus request and wait
 for the reply, then a pending error will cause recursion into _XError,
 which deadlocks the display.
 One seemingly easy fix is to have _XError avoid those calls by
 invoking InternalLockDisplay instead of LockDisplay. That function
 does everything that LockDisplay does *except* call those final two
 functions which may end up receiving an error.
 However, that doesn't protect the system from applications which call
 some legal Xlib function from within their error handler. Any Xlib
 function which cannot generate protocol or wait for events is valid,
 including many which invoke LockDisplay.
 What we need to do is make LockDisplay skip these two function calls
 precisely when it is called from within the _XError context for the
 same display.
 This patch accomplishes this by creating a list of threads in the
 display which are in _XError, and then having LockDisplay check the
 current thread against those list elements.
 Inspired-by: Dmitry Osipenko <digetx@gmail.com>
 Signed-off-by: Keith Packard <keithp@keithp.com>
 Tested-by: Dmitry Osipenko <digetx@gmail.com>
 Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
 (cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
 ---
 include/X11/Xlibint.h |  2 ++
 src/OpenDis.c         |  1 +
 src/XlibInt.c         | 10 ++++++++++
 src/locking.c         | 12 ++++++++++++
 src/locking.h         | 12 ++++++++++++
 5 files changed, 37 insertions(+)
 diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
 index 6b95bcf7..09078e3f 100644
 --- a/include/X11/Xlibint.h
 +++ b/include/X11/Xlibint.h
@@ -202,6 +202,8 @@ struct _XDisplay
 	unsigned long last_request_read_upper32bit;
 	unsigned long request_upper32bit;
 #endif
 +
 +	struct _XErrorThreadInfo *error_threads;
 };
 #define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
 diff --git a/src/OpenDis.c b/src/OpenDis.c
 index 82723578..85901168 100644
 --- a/src/OpenDis.c
 +++ b/src/OpenDis.c
@@ -201,6 +201,7 @@ XOpenDisplay (
 	X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
 	dpy->default_screen = iscreen;  /* Value returned by ConnectDisplay */
 	dpy->last_req = (char *)&_dummy_request;
 +	dpy->error_threads = NULL;
 	/* Initialize the display lock */
 	if (InitDisplayLock(dpy) != 0) {
 diff --git a/src/XlibInt.c b/src/XlibInt.c
 index 4e45e62b..8771b791 100644
 --- a/src/XlibInt.c
 +++ b/src/XlibInt.c
@@ -1482,6 +1482,11 @@ int _XError (
     if (_XErrorFunction != NULL) {
 	int rtn_val;
 #ifdef XTHREADS
 +	struct _XErrorThreadInfo thread_info = {
 +		.error_thread = xthread_self(),
 +		.next = dpy->error_threads
 +	}, **prev;
 +	dpy->error_threads = &thread_info;
 	if (dpy->lock)
 	    (*dpy->lock->user_lock_display)(dpy);
 	UnlockDisplay(dpy);
@@ -1491,6 +1496,11 @@ int _XError (
 	LockDisplay(dpy);
 	if (dpy->lock)
 	    (*dpy->lock->user_unlock_display)(dpy);
 +
 +	/* unlink thread_info from the list */
 +	for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
 +		;
 +	*prev = thread_info.next;
 #endif
 	return rtn_val;
     } else {
 diff --git a/src/locking.c b/src/locking.c
 index 9f4fe067..bcadc857 100644
 --- a/src/locking.c
 +++ b/src/locking.c
@@ -453,6 +453,9 @@ static void _XLockDisplay(
     XTHREADS_FILE_LINE_ARGS
     )
 {
 +#ifdef XTHREADS
 +    struct _XErrorThreadInfo *ti;
 +#endif
 #ifdef XTHREADS_WARN
     _XLockDisplayWarn(dpy, file, line);
 #else
@@ -460,6 +463,15 @@ static void _XLockDisplay(
 #endif
     if (dpy->lock->locking_level > 0)
 	_XDisplayLockWait(dpy);
 +#ifdef XTHREADS
 +    /*
 +     * Skip the two function calls below which may generate requests
 +     * when LockDisplay is called from within _XError.
 +     */
 +    for (ti = dpy->error_threads; ti; ti = ti->next)
 +	    if (ti->error_thread == xthread_self())
 +		    return;
 +#endif
     _XIDHandler(dpy);
     _XSeqSyncFunction(dpy);
 }
 diff --git a/src/locking.h b/src/locking.h
 index 5251a60c..59fc866e 100644
 --- a/src/locking.h
 +++ b/src/locking.h
@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
 	xmutex_t	lock;
 } LockInfoRec;
 +/* A list of threads currently invoking error handlers on this display
 + * LockDisplay operates differently for these threads, avoiding
 + * generating any requests or reading any events as that can cause
 + * recursion into the error handling code, which will deadlock the
 + * thread.
 + */
 +struct _XErrorThreadInfo
 +{
 +    struct _XErrorThreadInfo *next;
 +    xthread_t error_thread;
 +};
 +
 /* XOpenDis.c */
 extern int (*_XInitDisplayLock_fn)(Display *dpy);
 extern void (*_XFreeDisplayLock_fn)(Display *dpy);
 -- 
 2.43.0
--- a/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
+++ b/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
@ -0,0 +1,58 @@
 From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sun, 17 Sep 2023 14:19:40 -0700
 Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
 _XkbReadKeySyms()
 Make sure we allocate enough memory in the first place, and
 also handle error returns from _XkbReadBufferCopyKeySyms() when
 it detects out-of-bounds issues.
 Reported-by: Gregory James DUCK <gjduck@gmail.com>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/xkb/XKBGetMap.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
 index 2891d21e..31199e4a 100644
 --- a/src/xkb/XKBGetMap.c
 +++ b/src/xkb/XKBGetMap.c
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
             if (offset + newMap->nSyms >= map->size_syms) {
                 register int sz;
 -                sz = map->size_syms + 128;
 +                sz = offset + newMap->nSyms;
 +                sz = ((sz + (unsigned) 128) / 128) * 128;
                 _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
                 if (map->syms == NULL) {
                     map->size_syms = 0;
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
                 map->size_syms = sz;
             }
             if (newMap->nSyms > 0) {
 -                _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
 -                                          newMap->nSyms);
 +                if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
 +                                              newMap->nSyms) == 0)
 +                    return BadLength;
                 offset += newMap->nSyms;
             }
             else {
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
             newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
             if (newSyms == NULL)
                 return BadAlloc;
 -            if (newMap->nSyms > 0)
 -                _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
 +            if (newMap->nSyms > 0) {
 +                if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
 +                    return BadLength;
 +            }
             else
                 newSyms[0] = NoSymbol;
             oldMap->kt_index[0] = newMap->ktIndex[0];
 -- 
 2.41.0
--- a/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
+++ b/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
@ -0,0 +1,37 @@
 From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 7 Sep 2023 15:54:30 -0700
 Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
 in PutSubImage()
 When splitting a single line of pixels into chunks to send to the
 X server, be sure to take into account the number of bits per pixel,
 so we don't just loop forever trying to send more pixels than fit in
 the given request size and not breaking them down into a small enough
 chunk to fix.
 Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/PutImage.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/PutImage.c b/src/PutImage.c
 index 857ee916..a6db7b42 100644
 --- a/src/PutImage.c
 +++ b/src/PutImage.c
@@ -914,8 +914,9 @@ PutSubImage (
 		    req_width, req_height - SubImageHeight,
 		    dest_bits_per_pixel, dest_scanline_pad);
     } else {
 -	int SubImageWidth = (((Available << 3) / dest_scanline_pad)
 -				* dest_scanline_pad) - left_pad;
 +	int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
 +                              * dest_scanline_pad) - left_pad)
 +                              / dest_bits_per_pixel;
 	PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
 		    (unsigned int) SubImageWidth, 1,
 -- 
 2.41.0
--- a/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
+++ b/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
@ -0,0 +1,59 @@
 From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
 From: Yair Mizrahi <yairm@jfrog.com>
 Date: Thu, 7 Sep 2023 16:15:32 -0700
 Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
 a heap overflow
 When the format is `Pixmap` it calculates the size of the image data as:
    ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 There is no validation on the `width` of the image, and so this
 calculation exceeds the capacity of a 4-byte integer, causing an overflow.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/ImUtil.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
 diff --git a/src/ImUtil.c b/src/ImUtil.c
 index 36f08a03..fbfad33e 100644
 --- a/src/ImUtil.c
 +++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/Xlibint.h>
 #include <X11/Xutil.h>
 #include <stdio.h>
 +#include <limits.h>
 #include "ImUtil.h"
 static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
 	/*
 	 * compute per line accelerator.
 	 */
 -	{
 -	if (format == ZPixmap)
 +	if (format == ZPixmap) {
 +	    if ((INT_MAX / bits_per_pixel) < width) {
 +		Xfree(image);
 +		return NULL;
 +	    }
 +
 	    min_bytes_per_line =
 -	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 -	else
 +		ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 +	} else {
 +	    if ((INT_MAX - offset) < width) {
 +		Xfree(image);
 +		return NULL;
 +	    }
 +
 	    min_bytes_per_line =
 -	        ROUNDUP((width + offset), image->bitmap_pad);
 +		ROUNDUP((width + offset), image->bitmap_pad);
 	}
 	if (image_bytes_per_line == 0) {
 	    image->bytes_per_line = min_bytes_per_line;
 -- 
 2.41.0
--- a/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
+++ b/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
@ -0,0 +1,41 @@
 From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 7 Sep 2023 15:55:04 -0700
 Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
 by protocol
 The PutImage request specifies height & width of the image as CARD16
 (unsigned 16-bit integer), same as the maximum dimensions of an X11
 Drawable, which the image is being copied to.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/PutImage.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/PutImage.c b/src/PutImage.c
 index a6db7b42..ba411e36 100644
 --- a/src/PutImage.c
 +++ b/src/PutImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include "Xlibint.h"
 #include "Xutil.h"
 #include <stdio.h>
 +#include <limits.h>
 #include "Cr.h"
 #include "ImUtil.h"
 #include "reallocarray.h"
@@ -962,6 +963,10 @@ XPutImage (
 	height = image->height - req_yoffset;
     if ((width <= 0) || (height <= 0))
 	return 0;
 +    if (width > USHRT_MAX)
 +        width = USHRT_MAX;
 +    if (height > USHRT_MAX)
 +        height = USHRT_MAX;
     if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
 	dest_bits_per_pixel = 1;
 -- 
 2.41.0
--- a/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
+++ b/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
@ -0,0 +1,47 @@
 From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 7 Sep 2023 16:12:27 -0700
 Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
 dimensions
 The CreatePixmap request specifies height & width of the image as CARD16
 (unsigned 16-bit integer), so if either is larger than that, set it to 0
 so the X server returns a BadValue error as the protocol requires.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/CrPixmap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/src/CrPixmap.c b/src/CrPixmap.c
 index cdf31207..3cb2ca6d 100644
 --- a/src/CrPixmap.c
 +++ b/src/CrPixmap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
 +#include <limits.h>
 #ifdef USE_DYNAMIC_XCURSOR
 void
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
     Pixmap pid;
     register xCreatePixmapReq *req;
 +    /*
 +     * Force a BadValue X Error if the requested dimensions are larger
 +     * than the X11 protocol has room for, since that's how callers expect
 +     * to get notified of errors.
 +     */
 +    if (width > USHRT_MAX)
 +        width = 0;
 +    if (height > USHRT_MAX)
 +        height = 0;
 +
     LockDisplay(dpy);
     GetReq(CreatePixmap, req);
     req->drawable = d;
 -- 
 2.41.0
--- a/SPECS/libX11.spec
+++ b/SPECS/libX11.spec
@ -5,7 +5,7 @@
 Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.6.8
-Release: 6%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@ -28,6 +28,20 @@ Patch6: CVE-2021-31535.patch
 # CVE-2023-3138
 Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 # CVE-2023-43785
 Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
 # CVE-2023-43786
 Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
 Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
 Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
 # CVE-2023-43787
 Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
 # RHEL-23452
 Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
@ -73,6 +87,12 @@ libX11/libxcb interoperability library
 %patch5 -p1 -b .fix-an-integer-overflow-in-init_om
 %patch6 -p1 -b .cve-2021-31535
 %patch7 -p1 -b .cve-2023-3138
 %patch8 -p1 -b .cve-2023-43785
 %patch9 -p1 -b .cve-2023-43786
 %patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe
 %patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang
 %patch12 -p1 -b .cve-2023-43787
 %patch13 -p1 -b .rhel-23452
 %build
 autoreconf -v --install --force
@ -137,6 +157,16 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 %changelog
 * Tue Jan 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-8
 - Backport fix for Xlib lockups due to recursive XError (RHEL-23452)
 * Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.6.8-7
 - Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
 - Fix CVE-2023-43786: stack exhaustion from infinite recursion in
  PutSubImage()
 - Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
  a heap overflow
 * Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
 - CVE fix for: CVE-2023-3138
  Resolve: rhbz#2213762