From 25b764f1bd7b2953e934338104199b1a7d6d7298 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= Date: Thu, 14 Dec 2023 12:52:05 +0100 Subject: [PATCH] CVE fix for: CVE-2023-6377, CVE-2023-6478 Resolves: https://issues.redhat.com/browse/RHEL-18322 Resolves: https://issues.redhat.com/browse/RHEL-18329 --- ...te-enough-XkbActions-for-our-buttons.patch | 77 +++++++++++++++++++ ...ger-truncation-in-length-check-of-Pr.patch | 61 +++++++++++++++ xorg-x11-server.spec | 11 ++- 3 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch create mode 100644 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch diff --git a/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch b/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch new file mode 100644 index 0000000..11236a1 --- /dev/null +++ b/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch @@ -0,0 +1,77 @@ +From a7bda3080d2b44eae668cdcec7a93095385b9652 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 28 Nov 2023 15:19:04 +1000 +Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons + +button->xkb_acts is supposed to be an array sufficiently large for all +our buttons, not just a single XkbActions struct. Allocating +insufficient memory here means when we memcpy() later in +XkbSetDeviceInfo we write into memory that wasn't ours to begin with, +leading to the usual security ooopsiedaisies. + +CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd) +--- + Xi/exevents.c | 12 ++++++------ + dix/devices.c | 10 ++++++++++ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index dcd4efb3bc..54ea11a938 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + } + + if (from->button->xkb_acts) { +- if (!to->button->xkb_acts) { +- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); +- if (!to->button->xkb_acts) +- FatalError("[Xi] not enough memory for xkb_acts.\n"); +- } ++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); ++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); + memcpy(to->button->xkb_acts, from->button->xkb_acts, +- sizeof(XkbAction)); ++ from->button->numButtons * sizeof(XkbAction)); + } + else { + free(to->button->xkb_acts); +diff --git a/dix/devices.c b/dix/devices.c +index 5bf956ead4..15e46a9a5f 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) + + if (master->button && master->button->numButtons != maxbuttons) { + int i; ++ int last_num_buttons = master->button->numButtons; ++ + DeviceChangedEvent event = { + .header = ET_Internal, + .type = ET_DeviceChanged, +@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) + }; + + master->button->numButtons = maxbuttons; ++ if (last_num_buttons < maxbuttons) { ++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(&master->button->xkb_acts[last_num_buttons], ++ 0, ++ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); ++ } + + memcpy(&event.buttons.names, master->button->labels, maxbuttons * + sizeof(Atom)); +-- +2.43.0 + diff --git a/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch b/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch new file mode 100644 index 0000000..d88a8d5 --- /dev/null +++ b/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch @@ -0,0 +1,61 @@ +From 58e83c683950ac9e253ab05dd7a13a8368b70a3c Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 27 Nov 2023 16:27:49 +1000 +Subject: [PATCH xserver] randr: avoid integer truncation in length check of + ProcRRChange*Property + +Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. +See also xserver@8f454b79 where this same bug was fixed for the core +protocol and XI. + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->nUnits value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->nUnits bytes, i.e. 4GB. + +CVE-2023-6478, ZDI-CAN-22561 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632) +--- + randr/rrproperty.c | 2 +- + randr/rrproviderproperty.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index 25469f57b2..c4fef8a1f6 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index b79c17f9bf..90c5a9a933 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); +-- +2.43.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index c9eb176..cee4ada 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 21%{?gitdate:.%{gitdate}}%{?dist} +Release: 22%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT @@ -161,6 +161,10 @@ Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch # CVE-2023-5380 Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch +# CVE-2023-6377 +Patch10030: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch +# CVE-2023-6478 +Patch10031: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch BuildRequires: make BuildRequires: systemtap-sdt-devel @@ -570,6 +574,11 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Thu Dec 14 2023 José Expósito - 1.20.11-22 +- CVE fix for: CVE-2023-6377, CVE-2023-6478 + Resolves: https://issues.redhat.com/browse/RHEL-18322 + Resolves: https://issues.redhat.com/browse/RHEL-18329 + * Wed Oct 25 2023 José Expósito - 1.20.11-20 - CVE fix for: CVE-2023-5380 Resolves: https://issues.redhat.com/browse/RHEL-14062