CVE fix for: CVE-2023-5380
Resolves: https://issues.redhat.com/browse/RHEL-14060
This commit is contained in:
parent
d3391bc734
commit
ede9b58457
@ -0,0 +1,99 @@
|
||||
From 004f461c440cb6611eefb48fbbb4fa53a6d49f80 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 5 Oct 2023 12:19:45 +1000
|
||||
Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
|
||||
switch
|
||||
|
||||
PointerWindows[] keeps a reference to the last window our sprite
|
||||
entered - changes are usually handled by CheckMotion().
|
||||
|
||||
If we switch between screens via XWarpPointer our
|
||||
dev->spriteInfo->sprite->win is set to the new screen's root window.
|
||||
If there's another window at the cursor location CheckMotion() will
|
||||
trigger the right enter/leave events later. If there is not, it skips
|
||||
that process and we never trigger LeaveWindow() - PointerWindows[] for
|
||||
the device still refers to the previous window.
|
||||
|
||||
If that window is destroyed we have a dangling reference that will
|
||||
eventually cause a use-after-free bug when checking the window hierarchy
|
||||
later.
|
||||
|
||||
To trigger this, we require:
|
||||
- two protocol screens
|
||||
- XWarpPointer to the other screen's root window
|
||||
- XDestroyWindow before entering any other window
|
||||
|
||||
This is a niche bug so we hack around it by making sure we reset the
|
||||
PointerWindows[] entry so we cannot have a dangling pointer. This
|
||||
doesn't handle Enter/Leave events correctly but the previous code didn't
|
||||
either.
|
||||
|
||||
CVE-2023-5380, ZDI-CAN-21608
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Sri working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
---
|
||||
dix/enterleave.h | 2 --
|
||||
include/eventstr.h | 3 +++
|
||||
mi/mipointer.c | 17 +++++++++++++++--
|
||||
3 files changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.h b/dix/enterleave.h
|
||||
index 4b833d8a3b..e8af924c68 100644
|
||||
--- a/dix/enterleave.h
|
||||
+++ b/dix/enterleave.h
|
||||
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
|
||||
|
||||
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
|
||||
|
||||
-extern void LeaveWindow(DeviceIntPtr dev);
|
||||
-
|
||||
extern void CoreFocusEvent(DeviceIntPtr kbd,
|
||||
int type, int mode, int detail, WindowPtr pWin);
|
||||
|
||||
diff --git a/include/eventstr.h b/include/eventstr.h
|
||||
index bf3b95fe4a..2bae3b0767 100644
|
||||
--- a/include/eventstr.h
|
||||
+++ b/include/eventstr.h
|
||||
@@ -296,4 +296,7 @@ union _InternalEvent {
|
||||
#endif
|
||||
};
|
||||
|
||||
+extern void
|
||||
+LeaveWindow(DeviceIntPtr dev);
|
||||
+
|
||||
#endif
|
||||
diff --git a/mi/mipointer.c b/mi/mipointer.c
|
||||
index 75be1aeeb8..b12ae9be1d 100644
|
||||
--- a/mi/mipointer.c
|
||||
+++ b/mi/mipointer.c
|
||||
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
|
||||
#ifdef PANORAMIX
|
||||
&& noPanoramiXExtension
|
||||
#endif
|
||||
- )
|
||||
- UpdateSpriteForScreen(pDev, pScreen);
|
||||
+ ) {
|
||||
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
|
||||
+ /* Hack for CVE-2023-5380: if we're moving
|
||||
+ * screens PointerWindows[] keeps referring to the
|
||||
+ * old window. If that gets destroyed we have a UAF
|
||||
+ * bug later. Only happens when jumping from a window
|
||||
+ * to the root window on the other screen.
|
||||
+ * Enter/Leave events are incorrect for that case but
|
||||
+ * too niche to fix.
|
||||
+ */
|
||||
+ LeaveWindow(pDev);
|
||||
+ if (master)
|
||||
+ LeaveWindow(master);
|
||||
+ UpdateSpriteForScreen(pDev, pScreen);
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.41.0
|
||||
|
@ -46,7 +46,7 @@
|
||||
Summary: X.Org X11 X server
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.11
|
||||
Release: 18%{?gitdate:.%{gitdate}}%{?dist}
|
||||
Release: 19%{?gitdate:.%{gitdate}}%{?dist}
|
||||
URL: http://www.x.org
|
||||
License: MIT
|
||||
Group: User Interface/X
|
||||
@ -150,6 +150,8 @@ Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
|
||||
Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
|
||||
# CVE-2023-5367
|
||||
Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
|
||||
# CVE-2023-5380
|
||||
Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
@ -577,6 +579,10 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-19
|
||||
- CVE fix for: CVE-2023-5380
|
||||
Resolves: https://issues.redhat.com/browse/RHEL-14060
|
||||
|
||||
* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-18
|
||||
- CVE fix for: CVE-2023-5367
|
||||
Resolves: https://issues.redhat.com/browse/RHEL-13430
|
||||
|
Loading…
Reference in New Issue
Block a user