From 8ff69ede010797417ec53cb0dddbf1cd435af149 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 15 May 2024 09:09:27 +0000 Subject: [PATCH] Import from AlmaLinux stable repository --- ...te-enough-XkbActions-for-our-buttons.patch | 77 +++++++ ...x-handling-of-PropModeAppend-Prepend.patch | 80 +++++++ ...posite-Fix-use-after-free-of-the-COW.patch | 42 ++++ ...-after-free-in-input-device-shutdown.patch | 77 +++++++ ...enough-space-for-logical-button-maps.patch | 51 ++++ ...n-config-value-field-from-bool-to-bo.patch | 153 ++++++++++++ ...resentConfigureNotify-event-for-dest.patch | 105 +++++++++ ...ger-truncation-in-length-check-of-Pr.patch | 61 +++++ ...ficient-xEvents-for-our-DeviceStateN.patch | 84 +++++++ ...nterWindows-reference-on-screen-swit.patch | 99 ++++++++ ...-DeviceStateNotify-event-calculation.patch | 217 ++++++++++++++++++ ...-a-new-ButtonClass-set-the-number-of.patch | 37 +++ ...hy-events-after-adding-removing-mast.patch | 109 +++++++++ ...linked-list-pointer-during-recursion.patch | 70 ++++++ ...ng-a-master-float-disabled-slaved-de.patch | 53 +++++ ...lx-Call-XACE-hooks-on-the-GLX-buffer.patch | 60 +++++ ...se-the-proper-private-key-for-cursor.patch | 56 +++++ SPECS/xorg-x11-server.spec | 66 +++++- 18 files changed, 1496 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch create mode 100644 SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch create mode 100644 SOURCES/0001-composite-Fix-use-after-free-of-the-COW.patch create mode 100644 SOURCES/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch create mode 100644 SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch create mode 100644 SOURCES/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch create mode 100644 SOURCES/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch create mode 100644 SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch create mode 100644 SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch create mode 100644 SOURCES/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch create mode 100644 SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch create mode 100644 SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch create mode 100644 SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch create mode 100644 SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch create mode 100644 SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch create mode 100644 SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch create mode 100644 SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch diff --git a/SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch b/SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch new file mode 100644 index 0000000..11236a1 --- /dev/null +++ b/SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch @@ -0,0 +1,77 @@ +From a7bda3080d2b44eae668cdcec7a93095385b9652 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 28 Nov 2023 15:19:04 +1000 +Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons + +button->xkb_acts is supposed to be an array sufficiently large for all +our buttons, not just a single XkbActions struct. Allocating +insufficient memory here means when we memcpy() later in +XkbSetDeviceInfo we write into memory that wasn't ours to begin with, +leading to the usual security ooopsiedaisies. + +CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd) +--- + Xi/exevents.c | 12 ++++++------ + dix/devices.c | 10 ++++++++++ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index dcd4efb3bc..54ea11a938 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + } + + if (from->button->xkb_acts) { +- if (!to->button->xkb_acts) { +- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); +- if (!to->button->xkb_acts) +- FatalError("[Xi] not enough memory for xkb_acts.\n"); +- } ++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); ++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); + memcpy(to->button->xkb_acts, from->button->xkb_acts, +- sizeof(XkbAction)); ++ from->button->numButtons * sizeof(XkbAction)); + } + else { + free(to->button->xkb_acts); +diff --git a/dix/devices.c b/dix/devices.c +index 5bf956ead4..15e46a9a5f 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) + + if (master->button && master->button->numButtons != maxbuttons) { + int i; ++ int last_num_buttons = master->button->numButtons; ++ + DeviceChangedEvent event = { + .header = ET_Internal, + .type = ET_DeviceChanged, +@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) + }; + + master->button->numButtons = maxbuttons; ++ if (last_num_buttons < maxbuttons) { ++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(&master->button->xkb_acts[last_num_buttons], ++ 0, ++ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); ++ } + + memcpy(&event.buttons.names, master->button->labels, maxbuttons * + sizeof(Atom)); +-- +2.43.0 + diff --git a/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch b/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch new file mode 100644 index 0000000..99625dd --- /dev/null +++ b/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch @@ -0,0 +1,80 @@ +From a31ba141824a7649e11f0ef7673718ce559d6337 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 3 Oct 2023 11:53:05 +1000 +Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend + +The handling of appending/prepending properties was incorrect, with at +least two bugs: the property length was set to the length of the new +part only, i.e. appending or prepending N elements to a property with P +existing elements always resulted in the property having N elements +instead of N + P. + +Second, when pre-pending a value to a property, the offset for the old +values was incorrect, leaving the new property with potentially +uninitalized values and/or resulting in OOB memory writes. +For example, prepending a 3 element value to a 5 element property would +result in this 8 value array: + [N, N, N, ?, ?, P, P, P ] P, P + ^OOB write + +The XI2 code is a copy/paste of the RandR code, so the bug exists in +both. + +CVE-2023-5367, ZDI-CAN-22153 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +--- + Xi/xiproperty.c | 4 ++-- + randr/rrproperty.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 6ec419e870..563c4f31a5 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + XIDestroyDeviceProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c6..25469f57b2 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + RRDestroyOutputProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +-- +2.41.0 + diff --git a/SOURCES/0001-composite-Fix-use-after-free-of-the-COW.patch b/SOURCES/0001-composite-Fix-use-after-free-of-the-COW.patch new file mode 100644 index 0000000..bb21d7e --- /dev/null +++ b/SOURCES/0001-composite-Fix-use-after-free-of-the-COW.patch @@ -0,0 +1,42 @@ +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 13 Mar 2023 11:08:47 +0100 +Subject: [PATCH xserver] composite: Fix use-after-free of the COW + +ZDI-CAN-19866/CVE-2023-1393 + +If a client explicitly destroys the compositor overlay window (aka COW), +we would leave a dangling pointer to that window in the CompScreen +structure, which will trigger a use-after-free later. + +Make sure to clear the CompScreen pointer to the COW when the latter gets +destroyed explicitly by the client. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Adam Jackson +--- + composite/compwindow.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/composite/compwindow.c b/composite/compwindow.c +index 4e2494b86..b30da589e 100644 +--- a/composite/compwindow.c ++++ b/composite/compwindow.c +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) + ret = (*pScreen->DestroyWindow) (pWin); + cs->DestroyWindow = pScreen->DestroyWindow; + pScreen->DestroyWindow = compDestroyWindow; ++ ++ /* Did we just destroy the overlay window? */ ++ if (pWin == cs->pOverlayWin) ++ cs->pOverlayWin = NULL; ++ + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ + return ret; + } +-- +2.40.0 + diff --git a/SOURCES/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch b/SOURCES/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch new file mode 100644 index 0000000..c2d723f --- /dev/null +++ b/SOURCES/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch @@ -0,0 +1,77 @@ +From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001 +From: Povilas Kanapickas +Date: Sun, 19 Dec 2021 18:11:07 +0200 +Subject: [PATCH] dix: Fix use after free in input device shutdown + +This fixes access to freed heap memory via dev->master. E.g. when +running BarrierNotify.ReceivesNotifyEvents/7 test from +xorg-integration-tests: + +==24736==ERROR: AddressSanitizer: heap-use-after-free on address +0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10 +READ of size 4 at 0x619000065020 thread T0 + #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722 + #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346 + #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525 +../../../Xi/xichangehierarchy.c:95 + #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #8 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d) + +0x619000065020 is located 160 bytes inside of 912-byte region +[0x619000064f80,0x619000065310) +freed by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) + #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014 + #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #6 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +previously allocated by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6) + #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259 + #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755 + #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152 +../../../Xi/xichangehierarchy.c:465 + #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390 + #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551 + #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272 + #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +The problem is caused by dev->master being not reset when disabling the +device, which then causes dangling pointer when the master device itself +is being deleted when exiting whole server. + +Note that RecalculateMasterButtons() requires dev->master to be still +valid, so we can reset it only at the end of function. + +Signed-off-by: Povilas Kanapickas +--- + dix/devices.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dix/devices.c b/dix/devices.c +index e62c34c55..5f9ce1678 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + } + + RecalculateMasterButtons(dev); ++ dev->master = NULL; + + return TRUE; + } +-- +2.43.0 + diff --git a/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch b/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch new file mode 100644 index 0000000..e11eb0e --- /dev/null +++ b/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch @@ -0,0 +1,51 @@ +From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH 1/9] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a44..2b05ac5f3 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec7436..ded8679d7 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +2.43.0 + diff --git a/SOURCES/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch b/SOURCES/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch new file mode 100644 index 0000000..441c17d --- /dev/null +++ b/SOURCES/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch @@ -0,0 +1,153 @@ +From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 22 Jul 2019 13:51:06 -0400 +Subject: [PATCH] hw: Rename boolean config value field from bool to boolean + +"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This +is a driver-visible change and will likely break the build for mach64, +but it can be fixed by simply using xf86ReturnOptValBool like every +other driver. + +Signed-off-by: Adam Jackson +--- + hw/xfree86/common/xf86Opt.h | 2 +- + hw/xfree86/common/xf86Option.c | 10 +++++----- + hw/xwin/winconfig.c | 22 +++++++++++----------- + hw/xwin/winconfig.h | 2 +- + 4 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h +index 3be2a0fc7..3046fbd41 100644 +--- a/hw/xfree86/common/xf86Opt.h ++++ b/hw/xfree86/common/xf86Opt.h +@@ -41,7 +41,7 @@ typedef union { + unsigned long num; + const char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +diff --git a/hw/xfree86/common/xf86Option.c b/hw/xfree86/common/xf86Option.c +index 06973bca3..ca538cc57 100644 +--- a/hw/xfree86/common/xf86Option.c ++++ b/hw/xfree86/common/xf86Option.c +@@ -213,7 +213,7 @@ LookupBoolOption(XF86OptionPtr optlist, const char *name, int deflt, + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o, markUsed)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -474,7 +474,7 @@ xf86ShowUnusedOptions(int scrnIndex, XF86OptionPtr opt) + static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { +- return xf86getBoolValue(&p->value.bool, s); ++ return xf86getBoolValue(&p->value.boolean, s); + } + + static Bool +@@ -678,7 +678,7 @@ ParseOptionValue(int scrnIndex, XF86OptionPtr options, OptionInfoPtr p, + if (markUsed) + xf86MarkOptionUsedByName(options, newn); + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -869,7 +869,7 @@ xf86GetOptValBool(const OptionInfoRec * table, int token, Bool *value) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- *value = p->value.bool; ++ *value = p->value.boolean; + return TRUE; + } + else +@@ -883,7 +883,7 @@ xf86ReturnOptValBool(const OptionInfoRec * table, int token, Bool def) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- return p->value.bool; ++ return p->value.boolean; + } + else + return def; +diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c +index 31894d2fb..646d69006 100644 +--- a/hw/xwin/winconfig.c ++++ b/hw/xwin/winconfig.c +@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt) + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p) + } + if ((s = winFindOptionValue(options, newn)) != NULL) { + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -968,25 +968,25 @@ static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { + if (*s == 0) { +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + } + else { + if (winNameCompare(s, "1") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "on") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "true") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "yes") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "0") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "off") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "false") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "no") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + } + return TRUE; + } +diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h +index f079368c7..bd1f59650 100644 +--- a/hw/xwin/winconfig.h ++++ b/hw/xwin/winconfig.h +@@ -199,7 +199,7 @@ typedef union { + unsigned long num; + char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +-- +2.43.0 + diff --git a/SOURCES/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch b/SOURCES/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch new file mode 100644 index 0000000..d9eea48 --- /dev/null +++ b/SOURCES/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch @@ -0,0 +1,105 @@ +From b98fc07d3442a289c6bef82df50dd0a2d01de71a Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Thu, 2 Feb 2023 12:26:27 -0500 +Subject: [PATCH xserver] present: Send a PresentConfigureNotify event for + destroyed windows +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This enables fixing a deadlock case on the client side, where the client +ends up blocked waiting for a Present event that will never come because +the window was destroyed. The new PresentWindowDestroyed flag allows the +client to avoid blocking indefinitely. + +Signed-off-by: Adam Jackson +See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116 +See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685 +Reviewed-by: Michel Dänzer +(cherry picked from commit 462b06033e66a32308d940eb5fc47f5e4c914dc0) +--- + present/present_event.c | 5 +++-- + present/present_priv.h | 7 ++++++- + present/present_screen.c | 11 ++++++++++- + 3 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/present/present_event.c b/present/present_event.c +index 435b26b70..849732dc8 100644 +--- a/present/present_event.c ++++ b/present/present_event.c +@@ -102,7 +102,8 @@ present_event_swap(xGenericEvent *from, xGenericEvent *to) + } + + void +-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling) ++present_send_config_notify(WindowPtr window, int x, int y, int w, int h, ++ int bw, WindowPtr sibling, CARD32 flags) + { + present_window_priv_ptr window_priv = present_window_priv(window); + +@@ -122,7 +123,7 @@ present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, + .off_y = 0, + .pixmap_width = w, + .pixmap_height = h, +- .pixmap_flags = 0 ++ .pixmap_flags = flags + }; + present_event_ptr event; + +diff --git a/present/present_priv.h b/present/present_priv.h +index 6ebd009a2..4ad729864 100644 +--- a/present/present_priv.h ++++ b/present/present_priv.h +@@ -43,6 +43,11 @@ + #define DebugPresent(x) + #endif + ++/* XXX this belongs in presentproto */ ++#ifndef PresentWindowDestroyed ++#define PresentWindowDestroyed (1 << 0) ++#endif ++ + extern int present_request; + + extern DevPrivateKeyRec present_screen_private_key; +@@ -307,7 +312,7 @@ void + present_free_events(WindowPtr window); + + void +-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling); ++present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling, CARD32 flags); + + void + present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc); +diff --git a/present/present_screen.c b/present/present_screen.c +index 15684eda4..2c29aafd2 100644 +--- a/present/present_screen.c ++++ b/present/present_screen.c +@@ -93,6 +93,15 @@ present_destroy_window(WindowPtr window) + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + present_window_priv_ptr window_priv = present_window_priv(window); + ++ present_send_config_notify(window, ++ window->drawable.x, ++ window->drawable.y, ++ window->drawable.width, ++ window->drawable.height, ++ window->borderWidth, ++ window->nextSib, ++ PresentWindowDestroyed); ++ + if (window_priv) { + present_clear_window_notifies(window); + present_free_events(window); +@@ -123,7 +132,7 @@ present_config_notify(WindowPtr window, + ScreenPtr screen = window->drawable.pScreen; + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + +- present_send_config_notify(window, x, y, w, h, bw, sibling); ++ present_send_config_notify(window, x, y, w, h, bw, sibling, 0); + + unwrap(screen_priv, screen, ConfigNotify); + if (screen->ConfigNotify) +-- +2.40.0 + diff --git a/SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch b/SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch new file mode 100644 index 0000000..d88a8d5 --- /dev/null +++ b/SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch @@ -0,0 +1,61 @@ +From 58e83c683950ac9e253ab05dd7a13a8368b70a3c Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 27 Nov 2023 16:27:49 +1000 +Subject: [PATCH xserver] randr: avoid integer truncation in length check of + ProcRRChange*Property + +Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. +See also xserver@8f454b79 where this same bug was fixed for the core +protocol and XI. + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->nUnits value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->nUnits bytes, i.e. 4GB. + +CVE-2023-6478, ZDI-CAN-22561 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632) +--- + randr/rrproperty.c | 2 +- + randr/rrproviderproperty.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index 25469f57b2..c4fef8a1f6 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index b79c17f9bf..90c5a9a933 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); +-- +2.43.0 + diff --git a/SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch b/SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch new file mode 100644 index 0000000..21c5622 --- /dev/null +++ b/SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch @@ -0,0 +1,84 @@ +From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 14:27:50 +1000 +Subject: [PATCH 2/9] dix: Allocate sufficient xEvents for our + DeviceStateNotify + +If a device has both a button class and a key class and numButtons is +zero, we can get an OOB write due to event under-allocation. + +This function seems to assume a device has either keys or buttons, not +both. It has two virtually identical code paths, both of which assume +they're applying to the first event in the sequence. + +A device with both a key and button class triggered a logic bug - only +one xEvent was allocated but the deviceStateNotify pointer was pushed on +once per type. So effectively this logic code: + + int count = 1; + if (button && nbuttons > 32) count++; + if (key && nbuttons > 0) count++; + if (key && nkeys > 32) count++; // this is basically always true + // count is at 2 for our keys + zero button device + + ev = alloc(count * sizeof(xEvent)); + FixDeviceStateNotify(ev); + if (button) + FixDeviceStateNotify(ev++); + if (key) + FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here + +If the device has more than 3 valuators, the OOB is pushed back - we're +off by one so it will happen when the last deviceValuator event is +written instead. + +Fix this by allocating the maximum number of events we may allocate. +Note that the current behavior is not protocol-correct anyway, this +patch fixes only the allocation issue. + +Note that this issue does not trigger if the device has at least one +button. While the server does not prevent a button class with zero +buttons, it is very unlikely. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index ded8679d7..17964b00a 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -675,7 +675,8 @@ static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { + int evcount = 1; +- deviceStateNotify *ev, *sev; ++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; ++ deviceStateNotify *ev; + deviceKeyStateNotify *kev; + deviceButtonStateNotify *bev; + +@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + } + } + +- sev = ev = xallocarray(evcount, sizeof(xEvent)); ++ ev = sev; + FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); + + if (b != NULL) { +@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, + DeviceStateNotifyMask, NullGrab); +- free(sev); + } + + void +-- +2.43.0 + diff --git a/SOURCES/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch b/SOURCES/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch new file mode 100644 index 0000000..cbe9804 --- /dev/null +++ b/SOURCES/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch @@ -0,0 +1,99 @@ +From 004f461c440cb6611eefb48fbbb4fa53a6d49f80 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 5 Oct 2023 12:19:45 +1000 +Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen + switch + +PointerWindows[] keeps a reference to the last window our sprite +entered - changes are usually handled by CheckMotion(). + +If we switch between screens via XWarpPointer our +dev->spriteInfo->sprite->win is set to the new screen's root window. +If there's another window at the cursor location CheckMotion() will +trigger the right enter/leave events later. If there is not, it skips +that process and we never trigger LeaveWindow() - PointerWindows[] for +the device still refers to the previous window. + +If that window is destroyed we have a dangling reference that will +eventually cause a use-after-free bug when checking the window hierarchy +later. + +To trigger this, we require: +- two protocol screens +- XWarpPointer to the other screen's root window +- XDestroyWindow before entering any other window + +This is a niche bug so we hack around it by making sure we reset the +PointerWindows[] entry so we cannot have a dangling pointer. This +doesn't handle Enter/Leave events correctly but the previous code didn't +either. + +CVE-2023-5380, ZDI-CAN-21608 + +This vulnerability was discovered by: +Sri working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +Reviewed-by: Adam Jackson +--- + dix/enterleave.h | 2 -- + include/eventstr.h | 3 +++ + mi/mipointer.c | 17 +++++++++++++++-- + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/dix/enterleave.h b/dix/enterleave.h +index 4b833d8a3b..e8af924c68 100644 +--- a/dix/enterleave.h ++++ b/dix/enterleave.h +@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, + + extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); + +-extern void LeaveWindow(DeviceIntPtr dev); +- + extern void CoreFocusEvent(DeviceIntPtr kbd, + int type, int mode, int detail, WindowPtr pWin); + +diff --git a/include/eventstr.h b/include/eventstr.h +index bf3b95fe4a..2bae3b0767 100644 +--- a/include/eventstr.h ++++ b/include/eventstr.h +@@ -296,4 +296,7 @@ union _InternalEvent { + #endif + }; + ++extern void ++LeaveWindow(DeviceIntPtr dev); ++ + #endif +diff --git a/mi/mipointer.c b/mi/mipointer.c +index 75be1aeeb8..b12ae9be1d 100644 +--- a/mi/mipointer.c ++++ b/mi/mipointer.c +@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) + #ifdef PANORAMIX + && noPanoramiXExtension + #endif +- ) +- UpdateSpriteForScreen(pDev, pScreen); ++ ) { ++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); ++ /* Hack for CVE-2023-5380: if we're moving ++ * screens PointerWindows[] keeps referring to the ++ * old window. If that gets destroyed we have a UAF ++ * bug later. Only happens when jumping from a window ++ * to the root window on the other screen. ++ * Enter/Leave events are incorrect for that case but ++ * too niche to fix. ++ */ ++ LeaveWindow(pDev); ++ if (master) ++ LeaveWindow(master); ++ UpdateSpriteForScreen(pDev, pScreen); ++ } + } + + /** +-- +2.41.0 + diff --git a/SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch b/SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch new file mode 100644 index 0000000..2fe2f8e --- /dev/null +++ b/SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch @@ -0,0 +1,217 @@ +From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 12:26:20 +1000 +Subject: [PATCH 3/9] dix: fix DeviceStateNotify event calculation + +The previous code only made sense if one considers buttons and keys to +be mutually exclusive on a device. That is not necessarily true, causing +a number of issues. + +This function allocates and fills in the number of xEvents we need to +send the device state down the wire. This is split across multiple +32-byte devices including one deviceStateNotify event and optional +deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) +deviceValuator events. + +The previous behavior would instead compose a sequence +of [state, buttonstate, state, keystate, valuator...]. This is not +protocol correct, and on top of that made the code extremely convoluted. + +Fix this by streamlining: add both button and key into the deviceStateNotify +and then append the key state and button state, followed by the +valuators. Finally, the deviceValuator events contain up to 6 valuators +per event but we only ever sent through 3 at a time. Let's double that +troughput. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- + 1 file changed, 52 insertions(+), 69 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 17964b00a..7b7ba1098 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + + ev->type = DeviceValuator; + ev->deviceid = dev->id; +- ev->num_valuators = nval < 3 ? nval : 3; ++ ev->num_valuators = nval < 6 ? nval : 6; + ev->first_valuator = first; + switch (ev->num_valuators) { ++ case 6: ++ ev->valuator2 = v->axisVal[first + 5]; ++ case 5: ++ ev->valuator2 = v->axisVal[first + 4]; ++ case 4: ++ ev->valuator2 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->valuator0 = v->axisVal[first]; + break; + } +- first += ev->num_valuators; + } + + static void +@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + ev->num_buttons = b->numButtons; + memcpy((char *) ev->buttons, (char *) b->down, 4); + } +- else if (k) { ++ if (k) { + ev->classes_reported |= (1 << KeyClass); + ev->num_keys = k->xkbInfo->desc->max_key_code - + k->xkbInfo->desc->min_key_code; +@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + } + } + +- ++/** ++ * The device state notify event is split across multiple 32-byte events. ++ * The first one contains the first 32 button state bits, the first 32 ++ * key state bits, and the first 3 valuator values. ++ * ++ * If a device has more than that, the server sends out: ++ * - one deviceButtonStateNotify for buttons 32 and above ++ * - one deviceKeyStateNotify for keys 32 and above ++ * - one deviceValuator event per 6 valuators above valuator 4 ++ * ++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS, ++ */ + static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { ++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify ++ * and one deviceValuator for each 6 valuators */ ++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; + int evcount = 1; +- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; +- deviceStateNotify *ev; +- deviceKeyStateNotify *kev; +- deviceButtonStateNotify *bev; ++ deviceStateNotify *ev = sev; + + KeyClassPtr k; + ButtonClassPtr b; +@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + if ((b = dev->button) != NULL) { + nbuttons = b->numButtons; +- if (nbuttons > 32) ++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; + } + if ((k = dev->key) != NULL) { + nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; +- if (nkeys > 32) ++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; +- if (nbuttons > 0) { +- evcount++; +- } + } + if ((v = dev->valuator) != NULL) { + nval = v->numAxes; +- +- if (nval > 3) +- evcount++; +- if (nval > 6) { +- if (!(k && b)) +- evcount++; +- if (nval > 9) +- evcount += ((nval - 7) / 3); +- } ++ /* first three are encoded in deviceStateNotify, then ++ * it's 6 per deviceValuator event */ ++ evcount += ((nval - 3) + 6)/6; + } + +- ev = sev; +- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); +- +- if (b != NULL) { +- FixDeviceStateNotify(dev, ev++, NULL, b, v, first); +- first += 3; +- nval -= 3; +- if (nbuttons > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- bev = (deviceButtonStateNotify *) ev++; +- bev->type = DeviceButtonStateNotify; +- bev->deviceid = dev->id; +- memcpy((char *) &bev->buttons[4], (char *) &b->down[4], +- DOWN_LENGTH - 4); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ BUG_RETURN(evcount <= ARRAY_SIZE(sev)); ++ ++ FixDeviceStateNotify(dev, ev, k, b, v, first); ++ ++ if (b != NULL && nbuttons > 32) { ++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ bev->type = DeviceButtonStateNotify; ++ bev->deviceid = dev->id; ++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4], ++ DOWN_LENGTH - 4); + } + +- if (k != NULL) { +- FixDeviceStateNotify(dev, ev++, k, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nkeys > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- kev = (deviceKeyStateNotify *) ev++; +- kev->type = DeviceKeyStateNotify; +- kev->deviceid = dev->id; +- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ if (k != NULL && nkeys > 32) { ++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ kev->type = DeviceKeyStateNotify; ++ kev->deviceid = dev->id; ++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); + } + ++ first = 3; ++ nval -= 3; + while (nval > 0) { +- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ ev->deviceid |= MORE_EVENTS; ++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); ++ first += 6; ++ nval -= 6; + } + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, +-- +2.43.0 + diff --git a/SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch b/SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch new file mode 100644 index 0000000..dbe90ce --- /dev/null +++ b/SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch @@ -0,0 +1,37 @@ +From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 21 Dec 2023 13:48:10 +1000 +Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of + buttons + +There's a racy sequence where a master device may copy the button class +from the slave, without ever initializing numButtons. This leads to a +device with zero buttons but a button class which is invalid. + +Let's copy the numButtons value from the source - by definition if we +don't have a button class yet we do not have any other slave devices +with more than this number of buttons anyway. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/exevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 54ea11a93..e16171468 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + to->button = calloc(1, sizeof(ButtonClassRec)); + if (!to->button) + FatalError("[Xi] no memory for class shift.\n"); ++ to->button->numButtons = from->button->numButtons; + } + else + classes->button = NULL; +-- +2.43.0 + diff --git a/SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch b/SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch new file mode 100644 index 0000000..6a21b3c --- /dev/null +++ b/SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch @@ -0,0 +1,109 @@ +From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 4 Jan 2024 10:01:24 +1000 +Subject: [PATCH 5/9] Xi: flush hierarchy events after adding/removing master + devices + +The `XISendDeviceHierarchyEvent()` function allocates space to store up +to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. + +If a device with a given ID was removed and a new device with the same +ID added both in the same operation, the single device ID will lead to +two info structures being written to `info`. + +Since this case can occur for every device ID at once, a total of two +times `MAXDEVICES` info structures might be written to the allocation. + +To avoid it, once one add/remove master is processed, send out the +device hierarchy event for the current state and continue. That event +thus only ever has exactly one of either added/removed in it (and +optionally slave attached/detached). + +CVE-2024-21885, ZDI-CAN-22744 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index d2d985848..72d00451e 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) + size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; ++ enum { ++ NO_CHANGE, ++ FLUSH, ++ CHANGED, ++ } changes = NO_CHANGE; + + REQUEST(xXIChangeHierarchyReq); + REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = add_master(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIRemoveMaster: + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; +@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIDetachSlave: + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = CHANGED; + break; ++ } + case XIAttachSlave: + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; +@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; ++ changes = CHANGED; ++ break; + } ++ default: + break; + } + ++ if (changes == FLUSH) { ++ XISendDeviceHierarchyEvent(flags); ++ memset(flags, 0, sizeof(flags)); ++ changes = NO_CHANGE; ++ } ++ + len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + + unwind: +- +- XISendDeviceHierarchyEvent(flags); ++ if (changes != NO_CHANGE) ++ XISendDeviceHierarchyEvent(flags); + return rc; + } +-- +2.43.0 + diff --git a/SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch b/SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch new file mode 100644 index 0000000..3174635 --- /dev/null +++ b/SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch @@ -0,0 +1,70 @@ +From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 22 Dec 2023 18:28:31 +0100 +Subject: [PATCH 6/9] Xi: do not keep linked list pointer during recursion + +The `DisableDevice()` function is called whenever an enabled device +is disabled and it moves the device from the `inputInfo.devices` linked +list to the `inputInfo.off_devices` linked list. + +However, its link/unlink operation has an issue during the recursive +call to `DisableDevice()` due to the `prev` pointer pointing to a +removed device. + +This issue leads to a length mismatch between the total number of +devices and the number of device in the list, leading to a heap +overflow and, possibly, to local privilege escalation. + +Simplify the code that checked whether the device passed to +`DisableDevice()` was in `inputInfo.devices` or not and find the +previous device after the recursion. + +CVE-2024-21886, ZDI-CAN-22840 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + dix/devices.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/dix/devices.c b/dix/devices.c +index dca98c8d1..389d28a23 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + { + DeviceIntPtr *prev, other; + BOOL enabled; ++ BOOL dev_in_devices_list = FALSE; + int flags[MAXDEVICES] = { 0 }; + + if (!dev->enabled) + return TRUE; + +- for (prev = &inputInfo.devices; +- *prev && (*prev != dev); prev = &(*prev)->next); +- if (*prev != dev) ++ for (other = inputInfo.devices; other; other = other->next) { ++ if (other == dev) { ++ dev_in_devices_list = TRUE; ++ break; ++ } ++ } ++ ++ if (!dev_in_devices_list) + return FALSE; + + TouchEndPhysicallyActiveTouches(dev); +@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + LeaveWindow(dev); + SetFocusOut(dev); + ++ for (prev = &inputInfo.devices; ++ *prev && (*prev != dev); prev = &(*prev)->next); ++ + *prev = dev->next; + dev->next = inputInfo.off_devices; + inputInfo.off_devices = dev; +-- +2.43.0 + diff --git a/SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch b/SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch new file mode 100644 index 0000000..32a326a --- /dev/null +++ b/SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch @@ -0,0 +1,53 @@ +From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Fri, 5 Jan 2024 09:40:27 +1000 +Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved + devices too + +Disabling a master device floats all slave devices but we didn't do this +to already-disabled slave devices. As a result those devices kept their +reference to the master device resulting in access to already freed +memory if the master device was removed before the corresponding slave +device. + +And to match this behavior, also forcibly reset that pointer during +CloseDownDevices(). + +Related to CVE-2024-21886, ZDI-CAN-22840 +--- + dix/devices.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 389d28a23..84a6406d1 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + flags[other->id] |= XISlaveDetached; + } + } ++ ++ for (other = inputInfo.off_devices; other; other = other->next) { ++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { ++ AttachDevice(NULL, other, NULL); ++ flags[other->id] |= XISlaveDetached; ++ } ++ } + } + else { + for (other = inputInfo.devices; other; other = other->next) { +@@ -1088,6 +1095,11 @@ CloseDownDevices(void) + dev->master = NULL; + } + ++ for (dev = inputInfo.off_devices; dev; dev = dev->next) { ++ if (!IsMaster(dev) && !IsFloating(dev)) ++ dev->master = NULL; ++ } ++ + CloseDeviceList(&inputInfo.devices); + CloseDeviceList(&inputInfo.off_devices); + +-- +2.43.0 + diff --git a/SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch b/SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch new file mode 100644 index 0000000..0e9e4a0 --- /dev/null +++ b/SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch @@ -0,0 +1,60 @@ +From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 12:09:41 +0100 +Subject: [PATCH 8/9] glx: Call XACE hooks on the GLX buffer + +The XSELINUX code will label resources at creation by checking the +access mode. When the access mode is DixCreateAccess, it will call the +function to label the new resource SELinuxLabelResource(). + +However, GLX buffers do not go through the XACE hooks when created, +hence leaving the resource actually unlabeled. + +When, later, the client tries to create another resource using that +drawable (like a GC for example), the XSELINUX code would try to use +the security ID of that object which has never been labeled, get a NULL +pointer and crash when checking whether the requested permissions are +granted for subject security ID. + +To avoid the issue, make sure to call the XACE hooks when creating the +GLX buffers. + +Credit goes to Donn Seeley for providing the patch. + +CVE-2024-0408 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +--- + glx/glxcmds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index fc26a2e34..1e46d0c72 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -48,6 +48,7 @@ + #include "indirect_util.h" + #include "protocol-versions.h" + #include "glxvndabi.h" ++#include "xace.h" + + static char GLXServerVendorName[] = "SGI"; + +@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, + if (!pPixmap) + return BadAlloc; + ++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, ++ pPixmap, RT_NONE, NULL, DixCreateAccess); ++ if (err != Success) { ++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); ++ return err; ++ } ++ + /* Assign the pixmap the same id as the pbuffer and add it as a + * resource so it and the DRI2 drawable will be reclaimed when the + * pbuffer is destroyed. */ +-- +2.43.0 + diff --git a/SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch b/SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch new file mode 100644 index 0000000..5fa80fd --- /dev/null +++ b/SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch @@ -0,0 +1,56 @@ +From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 11:51:56 +0100 +Subject: [PATCH 9/9] ephyr,xwayland: Use the proper private key for cursor + +The cursor in DIX is actually split in two parts, the cursor itself and +the cursor bits, each with their own devPrivates. + +The cursor itself includes the cursor bits, meaning that the cursor bits +devPrivates in within structure of the cursor. + +Both Xephyr and Xwayland were using the private key for the cursor bits +to store the data for the cursor, and when using XSELINUX which comes +with its own special devPrivates, the data stored in that cursor bits' +devPrivates would interfere with the XSELINUX devPrivates data and the +SELINUX security ID would point to some other unrelated data, causing a +crash in the XSELINUX code when trying to (re)use the security ID. + +CVE-2024-0409 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +--- + hw/kdrive/ephyr/ephyrcursor.c | 2 +- + hw/xwayland/xwayland-cursor.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c +index f991899c5..3f192d034 100644 +--- a/hw/kdrive/ephyr/ephyrcursor.c ++++ b/hw/kdrive/ephyr/ephyrcursor.c +@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = { + Bool + ephyrCursorInit(ScreenPtr screen) + { +- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS, ++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR, + sizeof(ephyrCursorRec))) + return FALSE; + +diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c +index e3c1aaa50..bd94b0cfb 100644 +--- a/hw/xwayland/xwayland-cursor.c ++++ b/hw/xwayland/xwayland-cursor.c +@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = { + Bool + xwl_screen_init_cursor(struct xwl_screen *xwl_screen) + { +- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0)) ++ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0)) + return FALSE; + + return miPointerInitialize(xwl_screen->screen, +-- +2.43.0 + diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec index f7892c4..8f77499 100644 --- a/SPECS/xorg-x11-server.spec +++ b/SPECS/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 17%{?gitdate:.%{gitdate}}%{?dist} +Release: 24%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT @@ -119,6 +119,7 @@ Patch112: 0001-present-Check-for-NULL-to-prevent-crash.patch # Fix a regression with hybrid gfx and NVIDIA proprietary driver # https://bugzilla.redhat.com/show_bug.cgi?id=2052605 Patch113: 0001-modesetting-Fix-msSharePixmapBacking-Segfault-Regres.patch +Patch114: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch # CVE-2021-4011 Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch @@ -154,6 +155,35 @@ Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch # CVE-2023-0494 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch +# CVE-2023-1393 +Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch +# CVE-2023-5367 +Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch +# CVE-2023-5380 +Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch +# CVE-2023-6377 +Patch10030: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch +# CVE-2023-6478 +Patch10031: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch +# CVE-2023-6816 +Patch10032: 0001-dix-allocate-enough-space-for-logical-button-maps.patch +# CVE-2024-0229 +Patch10033: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch +Patch10034: 0003-dix-fix-DeviceStateNotify-event-calculation.patch +Patch10035: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch +# CVE-2024-21885 +Patch10036: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch +# CVE-2024-21886 +Patch10037: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch +Patch10038: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch +# CVE-2024-0408 +Patch10039: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch +# CVE-2024-0409 +Patch10040: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch +# Fix compilation error +Patch10041: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch +# Related to CVE-2024-21886 +Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch BuildRequires: make BuildRequires: systemtap-sdt-devel @@ -563,6 +593,40 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Thu Jan 18 2024 José Expósito - 1.20.4-24 +- Fix use after free related to CVE-2024-21886 + +* Tue Jan 16 2024 José Expósito - 1.20.11-23 +- CVE fix for: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, + CVE-2024-0408 and CVE-2024-0409 + Resolves: https://issues.redhat.com/browse/RHEL-21203 + Resolves: https://issues.redhat.com/browse/RHEL-20531 + Resolves: https://issues.redhat.com/browse/RHEL-20380 + Resolves: https://issues.redhat.com/browse/RHEL-20386 + Resolves: https://issues.redhat.com/browse/RHEL-21193 + Resolves: https://issues.redhat.com/browse/RHEL-21200 + +* Thu Dec 14 2023 José Expósito - 1.20.11-22 +- CVE fix for: CVE-2023-6377, CVE-2023-6478 + Resolves: https://issues.redhat.com/browse/RHEL-18322 + Resolves: https://issues.redhat.com/browse/RHEL-18329 + +* Wed Oct 25 2023 José Expósito - 1.20.11-20 +- CVE fix for: CVE-2023-5380 + Resolves: https://issues.redhat.com/browse/RHEL-14062 + +* Wed Oct 25 2023 José Expósito - 1.20.11-20 +- CVE fix for: CVE-2023-5367 + Resolves: https://issues.redhat.com/browse/RHEL-13430 + +* Tue Jun 6 2023 Olivier Fourdan - 1.20.11-19 +- Backport fix for a deadlock with DRI3 + Resolves: rhbz#2192550 + +* Fri Mar 31 2023 Olivier Fourdan - 1.20.11-18 +- CVE fix for: CVE-2023-1393 + Resolves: rhbz#2180297 + * Tue Feb 21 2023 Olivier Fourdan - 1.20.11-17 - Fix xvfb-run script with --listen-tcp Resolves: rhbz#2172116