From ff68e315a1df5053160369a8f968ae13825cbebb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
Date: Wed, 10 Apr 2024 10:07:14 +0200
Subject: [PATCH] Fix regression caused by the fix for CVE-2024-31083

Resolves: https://issues.redhat.com/browse/RHEL-30764
---
 ...sible-double-free-in-ProcRenderAddGl.patch | 72 +++++++++++++++++++
 xorg-x11-server.spec | 20 +++---
 2 files changed, 84 insertions(+), 8 deletions(-)
 create mode 100644 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch

diff --git a/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
new file mode 100644
index 0000000..549f90a
--- /dev/null
+++ b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
@@ -0,0 +1,72 @@
+From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Fri, 5 Apr 2024 15:24:49 +0200
+Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
+
+ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
+then frees it using FreeGlyph() to decrease the reference count, after
+AddGlyph() has increased it.
+
+AddGlyph() however may chose to reuse an existing glyph if it's already
+in the glyphSet, and free the glyph that was given, in which case the
+caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
+already freed glyph, as reported by ASan:
+
+ READ of size 4 thread T0
+ #0 in FreeGlyph xserver/render/glyph.c:252
+ #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
+ #2 in Dispatch xserver/dix/dispatch.c:546
+ #3 in dix_main xserver/dix/main.c:271
+ #4 in main xserver/dix/stubmain.c:34
+ #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ #6 in __libc_start_main_impl ../csu/libc-start.c:360
+ #7 (/usr/bin/Xwayland+0x44fe4)
+ Address is located 0 bytes inside of 64-byte region
+ freed by thread T0 here:
+ #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
+ #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
+ #2 in AddGlyph xserver/render/glyph.c:295
+ #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
+ #4 in Dispatch xserver/dix/dispatch.c:546
+ #5 in dix_main xserver/dix/main.c:271
+ #6 in main xserver/dix/stubmain.c:34
+ #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ previously allocated by thread T0 here:
+ #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
+ #1 in AllocateGlyph xserver/render/glyph.c:355
+ #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
+ #3 in Dispatch xserver/dix/dispatch.c:546
+ #4 in dix_main xserver/dix/main.c:271
+ #5 in main xserver/dix/stubmain.c:34
+ #6 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
+ SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
+
+To avoid that, make sure not to free the given glyph in AddGlyph().
+
+v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
+v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
+
+Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+Signed-off-by: Olivier Fourdan
+Part-of:
+---
+ render/glyph.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index 13991f8a1..5fa7f3b5b 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
+ gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
+ TRUE, glyph->sha1);
+ if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
+- FreeGlyphPicture(glyph);
+- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
+ glyph = gr->glyph;
+ }
+ else if (gr->glyph != glyph) {
+--
+2.44.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index a89eb3f..42a7e05 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -42,7 +42,7 @@
 Summary: X.Org X11 X server
 Name: xorg-x11-server
 Version: 1.20.11
-Release: 25%{?gitdate:.%{gitdate}}%{?dist}
+Release: 26%{?gitdate:.%{gitdate}}%{?dist}
 URL: http://www.x.org
 License: MIT
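Review bot: Dropping `FreeGlyphPicture(glyph);` and `dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);` from the duplicate branch of AddGlyph() hands ownership of an already-present glyph back to the caller, and nothing left in the branch records that contract; AddGlyph()'s body starts and ends outside the hunk. The commit message shows ProcRenderAddGlyphs() releasing its glyph with FreeGlyph() after AddGlyph() returns, so this is sound for that caller, but any other caller that relied on AddGlyph() consuming a duplicate now leaks it, so every AddGlyph() caller in the 1.20.11 tree should be checked for a matching FreeGlyph(). A comment above the `glyph = gr->glyph;` line would keep the free from being reintroduced: `/* Never free the duplicate here: the caller still holds it and releases it with FreeGlyph() once AddGlyph() returns. */`.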
@@ -187,15 +187,16 @@ Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
 # Fix compilation error on i686
 Patch10043: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
 # Fix copy and paste error in CVE-2024-0229
-Patch1025: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
+Patch10044: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
 # CVE-2024-31080
-Patch1026: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
+Patch10045: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
 # CVE-2024-31081
-Patch1027: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
+Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
 # CVE-2024-31082
-Patch1028: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
+Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
 # CVE-2024-31083
-Patch1029: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
@@ -606,13 +607,16 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %changelog
-* Thu Apr 04 2024 José Expósito - 1.20.4-25
+* Wed Apr 10 2024 José Expósito - 1.20.11-26
+- Fix regression caused by the fix for CVE-2024-31083
+
+* Thu Apr 04 2024 José Expósito - 1.20.11-25
 - CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and CVE-2024-31083
 - Add util-linux as a dependency of Xvfb
 - Fix compilation error on i686
-* Thu Jan 18 2024 José Expósito - 1.20.4-24
+* Thu Jan 18 2024 José Expósito - 1.20.11-24
 - Fix use after free related to CVE-2024-21886
 * Tue Jan 16 2024 José Expósito - 1.20.11-23
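Review bot: `Patch10049:` is the only patch entry in this hunk without the one-line comment that precedes every other entry, so the spec no longer tells a reader why it exists or that it must follow the patch above it; add `# Fix regression caused by the fix for CVE-2024-31083; must apply after Patch10048` on the line before it. Renumbering Patch1025–Patch1029 to Patch10044–Patch10048 changes where those patches fall in numeric apply order, which is what makes the new patch land after the CVE-2024-31083 fix if %prep uses %autosetup or %autopatch; if %prep instead names them explicitly (`%patch1025` and so on), those references must be renamed too or the build breaks. The %prep section is outside this diff, so neither case could be checked here.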