From 12be8636e7b4c9be49a437a3ec71ae60738bd813 Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Thu, 16 May 2024 09:05:34 +0200 Subject: [PATCH] xwayland 24.1.0 Resolves: https://issues.redhat.com/browse/RHEL-29911 --- ...-copy-paste-error-in-the-DeviceState.patch | 37 ------ ...sible-double-free-in-ProcRenderAddGl.patch | 75 ----------- ...ctedEvents-needs-to-use-unswapped-le.patch | 47 ------- ...GrabDevice-needs-to-use-unswapped-le.patch | 45 ------- ...unting-of-glyphs-during-ProcRenderAd.patch | 116 ------------------ sources | 2 +- xorg-x11-server-Xwayland-c89.patch | 43 ------- xorg-x11-server-Xwayland.spec | 26 ++-- 8 files changed, 8 insertions(+), 383 deletions(-) delete mode 100644 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch delete mode 100644 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch delete mode 100644 0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch delete mode 100644 0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch delete mode 100644 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch delete mode 100644 xorg-x11-server-Xwayland-c89.patch diff --git a/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch b/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch deleted file mode 100644 index dff5d90..0000000 --- a/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 4c8de123f04e80a1c14c64064ebcec5497d2ec4b Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 22 Jan 2024 14:22:12 +1000 -Subject: [PATCH xserver 1/4] dix: fix valuator copy/paste error in the - DeviceStateNotify event - -Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 - -(cherry picked from commit 133e0d651c5d12bf01999d6289e84e224ba77adc) - -Part-of: ---- - dix/enterleave.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/dix/enterleave.c b/dix/enterleave.c -index 7b7ba1098..c1e6ac600 100644 ---- a/dix/enterleave.c -+++ b/dix/enterleave.c -@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, - ev->first_valuator = first; - switch (ev->num_valuators) { - case 6: -- ev->valuator2 = v->axisVal[first + 5]; -+ ev->valuator5 = v->axisVal[first + 5]; - case 5: -- ev->valuator2 = v->axisVal[first + 4]; -+ ev->valuator4 = v->axisVal[first + 4]; - case 4: -- ev->valuator2 = v->axisVal[first + 3]; -+ ev->valuator3 = v->axisVal[first + 3]; - case 3: - ev->valuator2 = v->axisVal[first + 2]; - case 2: --- -2.44.0 - diff --git a/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch deleted file mode 100644 index e7f2e63..0000000 --- a/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch +++ /dev/null @@ -1,75 +0,0 @@ -From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 5 Apr 2024 15:24:49 +0200 -Subject: [PATCH xserver] render: Avoid possible double-free in - ProcRenderAddGlyphs() - -ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and -then frees it using FreeGlyph() to decrease the reference count, after -AddGlyph() has increased it. - -AddGlyph() however may chose to reuse an existing glyph if it's already -in the glyphSet, and free the glyph that was given, in which case the -caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an -already freed glyph, as reported by ASan: - - READ of size 4 thread T0 - #0 in FreeGlyph xserver/render/glyph.c:252 - #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 - #2 in Dispatch xserver/dix/dispatch.c:546 - #3 in dix_main xserver/dix/main.c:271 - #4 in main xserver/dix/stubmain.c:34 - #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 - #6 in __libc_start_main_impl ../csu/libc-start.c:360 - #7 (/usr/bin/Xwayland+0x44fe4) - Address is located 0 bytes inside of 64-byte region - freed by thread T0 here: - #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 - #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 - #2 in AddGlyph xserver/render/glyph.c:295 - #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 - #4 in Dispatch xserver/dix/dispatch.c:546 - #5 in dix_main xserver/dix/main.c:271 - #6 in main xserver/dix/stubmain.c:34 - #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 - previously allocated by thread T0 here: - #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 - #1 in AllocateGlyph xserver/render/glyph.c:355 - #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 - #3 in Dispatch xserver/dix/dispatch.c:546 - #4 in dix_main xserver/dix/main.c:271 - #5 in main xserver/dix/stubmain.c:34 - #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 - SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph - -To avoid that, make sure not to free the given glyph in AddGlyph(). - -v2: Simplify the test using the boolean returned from AddGlyph() (Michel) -v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) - -Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs -Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 -Signed-off-by: Olivier Fourdan -(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04) - -Part-of: ---- - render/glyph.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/render/glyph.c b/render/glyph.c -index d5fc5f3c9..f5069d42f 100644 ---- a/render/glyph.c -+++ b/render/glyph.c -@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) - gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, - TRUE, glyph->sha1); - if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { -- FreeGlyphPicture(glyph); -- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); - glyph = gr->glyph; - } - else if (gr->glyph != glyph) { --- -2.44.0 - diff --git a/0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch b/0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch deleted file mode 100644 index b433ebc..0000000 --- a/0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch +++ /dev/null @@ -1,47 +0,0 @@ -From bd16cc8368afc6959bebfb2b15cfdb93bcac6fee Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 22 Mar 2024 18:51:45 -0700 -Subject: [PATCH xserver 2/4] Xi: ProcXIGetSelectedEvents needs to use - unswapped length to send reply - -CVE-2024-31080 - -Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 -Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") -Signed-off-by: Alan Coopersmith -(cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b) - -Part-of: ---- - Xi/xiselectev.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c -index edcb8a0d3..ac1494987 100644 ---- a/Xi/xiselectev.c -+++ b/Xi/xiselectev.c -@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) - InputClientsPtr others = NULL; - xXIEventMask *evmask = NULL; - DeviceIntPtr dev; -+ uint32_t length; - - REQUEST(xXIGetSelectedEventsReq); - REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); -@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) - } - } - -+ /* save the value before SRepXIGetSelectedEvents swaps it */ -+ length = reply.length; - WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); - - if (reply.num_masks) -- WriteToClient(client, reply.length * 4, buffer); -+ WriteToClient(client, length * 4, buffer); - - free(buffer); - return Success; --- -2.44.0 - diff --git a/0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch b/0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch deleted file mode 100644 index 1c76104..0000000 --- a/0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 672b26d1f8e1cbe67d289786e3ce887988052b64 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 22 Mar 2024 18:56:27 -0700 -Subject: [PATCH xserver 3/4] Xi: ProcXIPassiveGrabDevice needs to use - unswapped length to send reply - -CVE-2024-31081 - -Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") -Signed-off-by: Alan Coopersmith -(cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee) - -Part-of: ---- - Xi/xipassivegrab.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c -index c9ac2f855..896233bec 100644 ---- a/Xi/xipassivegrab.c -+++ b/Xi/xipassivegrab.c -@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) - GrabParameters param; - void *tmp; - int mask_len; -+ uint32_t length; - - REQUEST(xXIPassiveGrabDeviceReq); - REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, -@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) - } - } - -+ /* save the value before SRepXIPassiveGrabDevice swaps it */ -+ length = rep.length; - WriteReplyToClient(client, sizeof(rep), &rep); - if (rep.num_modifiers) -- WriteToClient(client, rep.length * 4, modifiers_failed); -+ WriteToClient(client, length * 4, modifiers_failed); - - out: - free(modifiers_failed); --- -2.44.0 - diff --git a/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch b/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch deleted file mode 100644 index de81895..0000000 --- a/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 01941a831811c9fd47ffed5ea96375abeb20c9fc Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Tue, 30 Jan 2024 13:13:35 +1000 -Subject: [PATCH xserver 4/4] render: fix refcounting of glyphs during - ProcRenderAddGlyphs - -Previously, AllocateGlyph would return a new glyph with refcount=0 and a -re-used glyph would end up not changing the refcount at all. The -resulting glyph_new array would thus have multiple entries pointing to -the same non-refcounted glyphs. - -AddGlyph may free a glyph, resulting in a UAF when the same glyph -pointer is then later used. - -Fix this by returning a refcount of 1 for a new glyph and always -incrementing the refcount for a re-used glyph, followed by dropping that -refcount back down again when we're done with it. - -CVE-2024-31083, ZDI-CAN-22880 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(backported from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77) - -Part-of: ---- - render/glyph.c | 5 +++-- - render/glyphstr.h | 3 +++ - render/render.c | 15 +++++++++++---- - 3 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/render/glyph.c b/render/glyph.c -index f3ed9cf4c..d5fc5f3c9 100644 ---- a/render/glyph.c -+++ b/render/glyph.c -@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph) - } - } - --static void -+void - FreeGlyph(GlyphPtr glyph, int format) - { - CheckDuplicates(&globalGlyphs[format], "FreeGlyph"); -+ BUG_RETURN(glyph->refcnt == 0); - if (--glyph->refcnt == 0) { - GlyphRefPtr gr; - int i; -@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth) - glyph = (GlyphPtr) malloc(size); - if (!glyph) - return 0; -- glyph->refcnt = 0; -+ glyph->refcnt = 1; - glyph->size = size + sizeof(xGlyphInfo); - glyph->info = *gi; - dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH); -diff --git a/render/glyphstr.h b/render/glyphstr.h -index 2f51bd244..fb6589d3e 100644 ---- a/render/glyphstr.h -+++ b/render/glyphstr.h -@@ -102,6 +102,9 @@ HashGlyph(xGlyphInfo * gi, - extern void - AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id); - -+extern void -+FreeGlyph(GlyphPtr glyph, int format); -+ - extern Bool - DeleteGlyph(GlyphSetPtr glyphSet, Glyph id); - -diff --git a/render/render.c b/render/render.c -index 456f156d4..5bc2a204b 100644 ---- a/render/render.c -+++ b/render/render.c -@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client) - - if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) { - glyph_new->found = TRUE; -+ ++glyph_new->glyph->refcnt; - } - else { - GlyphPtr glyph; -@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client) - err = BadAlloc; - goto bail; - } -- for (i = 0; i < nglyphs; i++) -+ for (i = 0; i < nglyphs; i++) { - AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id); -+ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth); -+ } - - if (glyphsBase != glyphsLocal) - free(glyphsBase); -@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client) - FreePicture((void *) pSrc, 0); - if (pSrcPix) - FreeScratchPixmapHeader(pSrcPix); -- for (i = 0; i < nglyphs; i++) -- if (glyphs[i].glyph && !glyphs[i].found) -- free(glyphs[i].glyph); -+ for (i = 0; i < nglyphs; i++) { -+ if (glyphs[i].glyph) { -+ --glyphs[i].glyph->refcnt; -+ if (!glyphs[i].found) -+ free(glyphs[i].glyph); -+ } -+ } - if (glyphsBase != glyphsLocal) - free(glyphsBase); - return err; --- -2.44.0 - diff --git a/sources b/sources index cd5a510..9d155b3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (xwayland-23.2.4.tar.xz) = ac3ff208cbef5bbe4637c335cfda226489c93b0a3768f2f4fb0201c588485ede38262fbce77ef1425b3d2a0be61b6580df53341c7b95e6072c8b6371ad29d187 +SHA512 (xwayland-24.1.0.tar.xz) = 7592609ad112652cb870761f938f280802d7d3b4bbc82acc7bf741a763d862aa97bbbd7f78250c63a961d76be73fb55555832045514092d89e406839564f0003 diff --git a/xorg-x11-server-Xwayland-c89.patch b/xorg-x11-server-Xwayland-c89.patch deleted file mode 100644 index 3409c4e..0000000 --- a/xorg-x11-server-Xwayland-c89.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 134e7ca314294b00ab3aa05d4ac94e0902e6235f Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 29 Jan 2024 07:37:10 +0100 -Subject: [PATCH] Use correct pointer types on i386 -Content-type: text/plain - -And other 32-bit architectures, where uint32_t and CARD32 are not the -same type. Otherwise the build will fail with GCC 14. - -Submitted upstream: - ---- - hw/xwayland/xwayland-glamor.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/xwayland/xwayland-glamor.c b/hw/xwayland/xwayland-glamor.c -index c6aa8eb..4b4fc44 100644 ---- a/hw/xwayland/xwayland-glamor.c -+++ b/hw/xwayland/xwayland-glamor.c -@@ -214,7 +214,7 @@ xwl_screen_get_main_dev(struct xwl_screen *xwl_screen) - - static Bool - xwl_get_formats(struct xwl_format *format_array, int format_array_len, -- uint32_t *num_formats, uint32_t **formats) -+ CARD32 *num_formats, CARD32 **formats) - { - *num_formats = 0; - *formats = NULL; -@@ -235,9 +235,9 @@ xwl_get_formats(struct xwl_format *format_array, int format_array_len, - - static Bool - xwl_get_formats_for_device(struct xwl_dmabuf_feedback *xwl_feedback, drmDevice *device, -- uint32_t *num_formats, uint32_t **formats) -+ CARD32 *num_formats, CARD32 **formats) - { -- uint32_t *ret = NULL; -+ CARD32 *ret = NULL; - uint32_t count = 0; - - /* go through all matching sets of tranches for the window's device */ --- -2.43.0 - diff --git a/xorg-x11-server-Xwayland.spec b/xorg-x11-server-Xwayland.spec index 903efe7..e05c8fc 100644 --- a/xorg-x11-server-Xwayland.spec +++ b/xorg-x11-server-Xwayland.spec @@ -8,8 +8,8 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland -Version: 23.2.4 -Release: 4%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} +Version: 24.1.0 +Release: 1%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} URL: http://www.x.org %if 0%{?gitdate} @@ -17,20 +17,6 @@ Source0: https://gitlab.freedesktop.org/xorg/%{pkgname}/-/archive/%{commit}/%{ %else Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz %endif -Patch1: xorg-x11-server-Xwayland-c89.patch - -# Security fixes -# Fix for copy/paste error in previous CVE fix -Patch101: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch -# Fix for CVE-2024-31080 -Patch102: 0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch -# Fix for CVE-2024-31081 -Patch103: 0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch -# Fix for CVE-2024-31083, ZDI-CAN-22880 -Patch104: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch -# Fix for the fix for CVE-2024-31083 -# https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 -Patch105: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch License: MIT @@ -47,7 +33,7 @@ BuildRequires: wayland-devel BuildRequires: desktop-file-utils BuildRequires: pkgconfig(wayland-client) >= 1.21.0 -BuildRequires: pkgconfig(wayland-protocols) >= 1.30 +BuildRequires: pkgconfig(wayland-protocols) >= 1.34 BuildRequires: pkgconfig(wayland-eglstream-protocols) BuildRequires: pkgconfig(epoxy) >= 1.5.5 @@ -78,7 +64,7 @@ BuildRequires: pkgconfig(libxcvt) BuildRequires: pkgconfig(libdecor-0) >= 0.1.1 BuildRequires: pkgconfig(liboeffis-1.0) >= 1.0.0 BuildRequires: pkgconfig(libei-1.0) >= 1.0.0 -BuildRequires: xorg-x11-proto-devel >= 2023.2-1 +BuildRequires: xorg-x11-proto-devel >= 2024.1-1 BuildRequires: mesa-libGL-devel >= 9.2 BuildRequires: mesa-libEGL-devel @@ -118,7 +104,6 @@ necessary for developing Wayland compositors using Xwayland. %build %meson \ %{?gitdate:-Dxwayland=true -D{xorg,xnest,xvfb,udev}=false} \ - -Dxwayland_eglstream=true \ -Ddefault_font_path=%{default_font_path} \ -Dbuilder_string="Build ID: %{name} %{version}-%{release}" \ -Dxkb_output_dir=%{_localstatedir}/lib/xkb \ @@ -151,6 +136,9 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %{_libdir}/pkgconfig/xwayland.pc %changelog +* Wed May 15 2024 Olivier Fourdan - 24.1.0-1 +- xwayland 24.1.0 (RHEL-29911) + * Thu Apr 4 2024 Olivier Fourdan - 23.2.4-4 - CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083