import CS xorg-x11-server-Xwayland-21.1.3-12.el8

2023-09-27 14:23:38 +00:00 · 2023-09-27 14:23:38 +00:00 · dfa1bf0d78
parent d43c7c6d4d
commit dfa1bf0d78
3 changed files with 158 additions and 1 deletions
--- a/SOURCES/0001-composite-Fix-use-after-free-of-the-COW.patch
+++ b/SOURCES/0001-composite-Fix-use-after-free-of-the-COW.patch
@ -0,0 +1,42 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH xserver] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86..b30da589e 100644
+--- a/composite/compwindow.c
+++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+2.40.0
+
--- a/SOURCES/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch
+++ b/SOURCES/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch
@ -0,0 +1,105 @@
+From b98fc07d3442a289c6bef82df50dd0a2d01de71a Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Thu, 2 Feb 2023 12:26:27 -0500
+Subject: [PATCH xserver] present: Send a PresentConfigureNotify event for
+ destroyed windows
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This enables fixing a deadlock case on the client side, where the client
+ends up blocked waiting for a Present event that will never come because
+the window was destroyed. The new PresentWindowDestroyed flag allows the
+client to avoid blocking indefinitely.
+
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116
+See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+(cherry picked from commit 462b06033e66a32308d940eb5fc47f5e4c914dc0)
+---
+ present/present_event.c  |  5 +++--
+ present/present_priv.h   |  7 ++++++-
+ present/present_screen.c | 11 ++++++++++-
+ 3 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/present/present_event.c b/present/present_event.c
+index 435b26b70..849732dc8 100644
+--- a/present/present_event.c
+++ b/present/present_event.c
+@@ -102,7 +102,8 @@ present_event_swap(xGenericEvent *from, xGenericEvent *to)
+ }
+ 
+ void
+-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling)
+present_send_config_notify(WindowPtr window, int x, int y, int w, int h,
+                           int bw, WindowPtr sibling, CARD32 flags)
+ {
+     present_window_priv_ptr window_priv = present_window_priv(window);
+ 
+@@ -122,7 +123,7 @@ present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw,
+             .off_y = 0,
+             .pixmap_width = w,
+             .pixmap_height = h,
+-            .pixmap_flags = 0
+            .pixmap_flags = flags
+         };
+         present_event_ptr event;
+ 
+diff --git a/present/present_priv.h b/present/present_priv.h
+index 6ebd009a2..4ad729864 100644
+--- a/present/present_priv.h
+++ b/present/present_priv.h
+@@ -43,6 +43,11 @@
+ #define DebugPresent(x)
+ #endif
+ 
+/* XXX this belongs in presentproto */
+#ifndef PresentWindowDestroyed
+#define PresentWindowDestroyed (1 << 0)
+#endif
+
+ extern int present_request;
+ 
+ extern DevPrivateKeyRec present_screen_private_key;
+@@ -307,7 +312,7 @@ void
+ present_free_events(WindowPtr window);
+ 
+ void
+-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling);
+present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling, CARD32 flags);
+ 
+ void
+ present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc);
+diff --git a/present/present_screen.c b/present/present_screen.c
+index 15684eda4..2c29aafd2 100644
+--- a/present/present_screen.c
+++ b/present/present_screen.c
+@@ -93,6 +93,15 @@ present_destroy_window(WindowPtr window)
+     present_screen_priv_ptr screen_priv = present_screen_priv(screen);
+     present_window_priv_ptr window_priv = present_window_priv(window);
+ 
+    present_send_config_notify(window,
+                               window->drawable.x,
+                               window->drawable.y,
+                               window->drawable.width,
+                               window->drawable.height,
+                               window->borderWidth,
+                               window->nextSib,
+                               PresentWindowDestroyed);
+
+     if (window_priv) {
+         present_clear_window_notifies(window);
+         present_free_events(window);
+@@ -123,7 +132,7 @@ present_config_notify(WindowPtr window,
+     ScreenPtr screen = window->drawable.pScreen;
+     present_screen_priv_ptr screen_priv = present_screen_priv(screen);
+ 
+-    present_send_config_notify(window, x, y, w, h, bw, sibling);
+    present_send_config_notify(window, x, y, w, h, bw, sibling, 0);
+ 
+     unwrap(screen_priv, screen, ConfigNotify);
+     if (screen->ConfigNotify)
+-- 
+2.40.0
+
--- a/SPECS/xorg-x11-server-Xwayland.spec
+++ b/SPECS/xorg-x11-server-Xwayland.spec
@ -9,7 +9,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   21.1.3
-Release:   10%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
+Release:   12%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}

 URL:       http://www.x.org
 %if 0%{?gitdate}
@ -22,6 +22,7 @@ Patch1: 0001-xwayland-eglstream-Demote-EGLstream-device-warning.patch
 Patch2: 0002-xwayland-glamor-Change-errors-to-verbose-messages.patch
 Patch3: 0003-xwayland-glamor-Log-backend-selected-for-debug.patch
 Patch4: 0004-xwayland-eglstream-Prefer-EGLstream-if-available.patch
+Patch5: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch

 # CVE-2021-4011
 Patch10001: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
@ -57,6 +58,8 @@ Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
 Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
 # CVE-2023-0494
 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+# CVE-2023-1393
+Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch

 License:   MIT

@ -164,6 +167,13 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
 %{_libdir}/pkgconfig/xwayland.pc

 %changelog
+* Tue Jun 13 2023 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-12
+- Backport fix for a deadlock with DRI3
+  Resolves: rhbz#2212831
+
+* Fri Mar 31 2023 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-11
+- Fix CVE-2023-1393 (#2180298)
+
 * Tue Feb  7 2023 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-10
 - Fix CVE-2023-0494 (#2166972)