Fix for CVE-2023-5367

2023-10-25 12:37:58 +10:00 · 2023-10-25 12:37:58 +10:00 · eb2e681c7e
commit eb2e681c7e
parent 6274e62b44
3 changed files with 88 additions and 31 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,30 +1 @@
-/xserver-5429791.tar.gz
-/xwayland-21.0.99.901.tar.xz
-/xwayland-21.0.99.902.tar.xz
-/xwayland-21.1.0.tar.xz
-/xwayland-21.1.1.tar.xz
-/xwayland-21.1.1.901.tar.xz
-/xwayland-21.1.2.tar.xz
-/xwayland-21.1.2.901.tar.xz
-/xwayland-21.1.3.tar.xz
-/xwayland-21.1.4.tar.xz
-/xwayland-22.0.99.901.tar.xz
-/xwayland-22.0.99.902.tar.xz
-/xwayland-22.1.0.tar.xz
-/xwayland-22.1.1.tar.xz
-/xwayland-22.1.2.tar.xz
-/xwayland-22.1.3.tar.xz
-/xwayland-22.1.4.tar.xz
-/xwayland-22.1.5.tar.xz
-/xwayland-22.1.6.tar.xz
-/xwayland-22.1.7.tar.xz
-/xwayland-22.1.8.tar.xz
-/xwayland-23.0.99.901.tar.xz
-/xwayland-23.0.99.902.tar.xz
-/xwayland-23.1.0.tar.xz
-/xwayland-23.1.1.tar.xz
-/xwayland-23.1.2.tar.xz
-/xwayland-23.1.99.901.tar.xz
-/xwayland-23.1.99.902.tar.xz
-/xwayland-23.2.0.tar.xz
-/xwayland-23.2.1.tar.xz
+/xwayland-*.tar.xz
--- a/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+++ b/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
@ -0,0 +1,81 @@
+From 1e8478455458e998dd366d2cd23d2aeab2bdeee5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH xserver] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+                            ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a)
+---
+ Xi/xiproperty.c    | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
+        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
+        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+-- 
+2.41.0
+
--- a/xorg-x11-server-Xwayland.spec
+++ b/xorg-x11-server-Xwayland.spec
@ -9,7 +9,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   23.2.1
-Release:   1%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
+Release:   2%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}

 URL:       http://www.x.org
 %if 0%{?gitdate}
@ -18,6 +18,8 @@ Source0:   https://gitlab.freedesktop.org/xorg/%{pkgname}/-/archive/%{commit}/%{
 Source0:   https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz
 %endif

+Patch01:   0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+
 License:   MIT

 Requires: xorg-x11-server-common
@ -135,6 +137,9 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %{_libdir}/pkgconfig/xwayland.pc

 %changelog
+* Wed Oct 25 2023 Peter Hutterer <peter.hutterer@redhat.com> - 23.2.1-2
+- Fix for CVE-2023-5367
+
 * Wed Sep 20 2023 Olivier Fourdan <ofourdan@redhat.com> - 23.2.1-1
 - xwayland 23.2.1 - (#2239813)