CVE fix for: CVE-2023-6377, CVE-2023-6478

CVE fix for: CVE-2023-5380
Resolves: https://issues.redhat.com/browse/RHEL-14062
2024-01-17 06:59:53 +00:00 · 2023-10-25 12:44:19 +02:00
5 changed files with 254 additions and 1 deletions
--- a/.xorg-x11-server.metadata
+++ b/.xorg-x11-server.metadata
@ -0,0 +1 @@
+86ae4add5719e6026a569f5559d51e8707171d5d xorg-server-1.20.11.tar.bz2
--- a/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+++ b/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
@ -0,0 +1,77 @@
+From a7bda3080d2b44eae668cdcec7a93095385b9652 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
+++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+         }
+ 
+         if (from->button->xkb_acts) {
+-            if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-                if (!to->button->xkb_acts)
+-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
+-            }
+            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+                                                   maxbuttons,
+                                                   sizeof(XkbAction));
+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
+                   from->button->numButtons * sizeof(XkbAction));
+         }
+         else {
+             free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index 5bf956ead4..15e46a9a5f 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
+        int last_num_buttons = master->button->numButtons;
+
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+ 
+         master->button->numButtons = maxbuttons;
+        if (last_num_buttons < maxbuttons) {
+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+                                                       maxbuttons,
+                                                       sizeof(XkbAction));
+            memset(&master->button->xkb_acts[last_num_buttons],
+                   0,
+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+        }
+ 
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+-- 
+2.43.0
+
--- a/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+++ b/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
@ -0,0 +1,61 @@
+From 58e83c683950ac9e253ab05dd7a13a8368b70a3c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH xserver] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+2.43.0
+
--- a/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
+++ b/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
@ -0,0 +1,99 @@
+From 004f461c440cb6611eefb48fbbb4fa53a6d49f80 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
+ switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8a3b..e8af924c68 100644
+--- a/dix/enterleave.h
+++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95fe4a..2bae3b0767 100644
+--- a/include/eventstr.h
+++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+ 
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1aeeb8..b12ae9be1d 100644
+--- a/mi/mipointer.c
+++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
+        ) {
+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+            /* Hack for CVE-2023-5380: if we're moving
+             * screens PointerWindows[] keeps referring to the
+             * old window. If that gets destroyed we have a UAF
+             * bug later. Only happens when jumping from a window
+             * to the root window on the other screen.
+             * Enter/Leave events are incorrect for that case but
+             * too niche to fix.
+             */
+            LeaveWindow(pDev);
+            if (master)
+                LeaveWindow(master);
+            UpdateSpriteForScreen(pDev, pScreen);
+    }
+ }
+ 
+ /**
+-- 
+2.41.0
+
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -42,7 +42,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.20.11
-Release:   20%{?gitdate:.%{gitdate}}%{?dist}
+Release:   22%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT

@ -159,6 +159,12 @@ Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
 # CVE-2023-5367
 Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+# CVE-2023-5380
+Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
+# CVE-2023-6377
+Patch10030: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+# CVE-2023-6478
+Patch10031: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch

 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
@ -568,6 +574,15 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete


 %changelog
+* Thu Dec 14 2023 José Expósito <jexposit@redhat.com> - 1.20.11-22
+- CVE fix for: CVE-2023-6377, CVE-2023-6478
+  Resolves: https://issues.redhat.com/browse/RHEL-18322
+  Resolves: https://issues.redhat.com/browse/RHEL-18329
+
+* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
+- CVE fix for: CVE-2023-5380
+  Resolves: https://issues.redhat.com/browse/RHEL-14062
+
 * Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
 - CVE fix for: CVE-2023-5367
  Resolves: https://issues.redhat.com/browse/RHEL-13430
Author	SHA1	Message	Date
José Expósito	16df700d4a	CVE fix for: CVE-2023-6377, CVE-2023-6478	2024-01-17 06:59:53 +00:00
José Expósito	67925c02b4	CVE fix for: CVE-2023-5380 Resolves: https://issues.redhat.com/browse/RHEL-14062	2023-10-25 12:44:19 +02:00
				`@ -0,0 +1 @@`
				`86ae4add5719e6026a569f5559d51e8707171d5d xorg-server-1.20.11.tar.bz2`