CVE fix for: CVE-2023-6377, CVE-2023-6478

This commit is contained in:
José Expósito 2023-12-14 12:52:05 +01:00 committed by root
parent 67925c02b4
commit 16df700d4a
4 changed files with 149 additions and 1 deletions

View File

@ -0,0 +1 @@
86ae4add5719e6026a569f5559d51e8707171d5d xorg-server-1.20.11.tar.bz2

View File

@ -0,0 +1,77 @@
From a7bda3080d2b44eae668cdcec7a93095385b9652 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
---
Xi/exevents.c | 12 ++++++------
dix/devices.c | 10 ++++++++++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..54ea11a938 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
}
if (from->button->xkb_acts) {
- if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
- if (!to->button->xkb_acts)
- FatalError("[Xi] not enough memory for xkb_acts.\n");
- }
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction));
}
else {
free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index 5bf956ead4..15e46a9a5f 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) {
int i;
+ int last_num_buttons = master->button->numButtons;
+
DeviceChangedEvent event = {
.header = ET_Internal,
.type = ET_DeviceChanged,
@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
};
master->button->numButtons = maxbuttons;
+ if (last_num_buttons < maxbuttons) {
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(&master->button->xkb_acts[last_num_buttons],
+ 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ }
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom));
--
2.43.0

View File

@ -0,0 +1,61 @@
From 58e83c683950ac9e253ab05dd7a13a8368b70a3c Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 27 Nov 2023 16:27:49 +1000
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-6478, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
---
randr/rrproperty.c | 2 +-
randr/rrproviderproperty.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
--
2.43.0

View File

@ -42,7 +42,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.20.11
Release: 21%{?gitdate:.%{gitdate}}%{?dist}
Release: 22%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org
License: MIT
@ -161,6 +161,10 @@ Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
# CVE-2023-5380
Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
# CVE-2023-6377
Patch10030: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
# CVE-2023-6478
Patch10031: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
BuildRequires: make
BuildRequires: systemtap-sdt-devel
@ -570,6 +574,11 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog
* Thu Dec 14 2023 José Expósito <jexposit@redhat.com> - 1.20.11-22
- CVE fix for: CVE-2023-6377, CVE-2023-6478
Resolves: https://issues.redhat.com/browse/RHEL-18322
Resolves: https://issues.redhat.com/browse/RHEL-18329
* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
- CVE fix for: CVE-2023-5380
Resolves: https://issues.redhat.com/browse/RHEL-14062