Backport fix for a deadlock with DRI3

0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch

@@ -1,80 +0,0 @@
-From a31ba141824a7649e11f0ef7673718ce559d6337 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 3 Oct 2023 11:53:05 +1000
-Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
-
-The handling of appending/prepending properties was incorrect, with at
-least two bugs: the property length was set to the length of the new
-part only, i.e. appending or prepending N elements to a property with P
-existing elements always resulted in the property having N elements
-instead of N + P.
-
-Second, when pre-pending a value to a property, the offset for the old
-values was incorrect, leaving the new property with potentially
-uninitalized values and/or resulting in OOB memory writes.
-For example, prepending a 3 element value to a 5 element property would
-result in this 8 value array:
-  [N, N, N, ?, ?, P, P, P ] P, P
-                            ^OOB write
-
-The XI2 code is a copy/paste of the RandR code, so the bug exists in
-both.
-
-CVE-2023-5367, ZDI-CAN-22153
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- Xi/xiproperty.c    | 4 ++--
- randr/rrproperty.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index 6ec419e870..563c4f31a5 100644
---- a/Xi/xiproperty.c
-+++ b/Xi/xiproperty.c
-@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
-                 XIDestroyDeviceProperty(prop);
-             return BadAlloc;
-         }
--        new_value.size = len;
-+        new_value.size = total_len;
-         new_value.type = type;
-         new_value.format = format;
- 
-@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
-         case PropModePrepend:
-             new_data = new_value.data;
-             old_data = (void *) (((char *) new_value.data) +
--                                  (prop_value->size * size_in_bytes));
-+                                  (len * size_in_bytes));
-             break;
-         }
-         if (new_data)
-diff --git a/randr/rrproperty.c b/randr/rrproperty.c
-index c2fb9585c6..25469f57b2 100644
---- a/randr/rrproperty.c
-+++ b/randr/rrproperty.c
-@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
-                 RRDestroyOutputProperty(prop);
-             return BadAlloc;
-         }
--        new_value.size = len;
-+        new_value.size = total_len;
-         new_value.type = type;
-         new_value.format = format;
- 
-@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
-         case PropModePrepend:
-             new_data = new_value.data;
-             old_data = (void *) (((char *) new_value.data) +
--                                  (prop_value->size * size_in_bytes));
-+                                  (len * size_in_bytes));
-             break;
-         }
-         if (new_data)
--- 
-2.41.0
-

0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch

@@ -1,99 +0,0 @@
-From 004f461c440cb6611eefb48fbbb4fa53a6d49f80 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Thu, 5 Oct 2023 12:19:45 +1000
-Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
- switch
-
-PointerWindows[] keeps a reference to the last window our sprite
-entered - changes are usually handled by CheckMotion().
-
-If we switch between screens via XWarpPointer our
-dev->spriteInfo->sprite->win is set to the new screen's root window.
-If there's another window at the cursor location CheckMotion() will
-trigger the right enter/leave events later. If there is not, it skips
-that process and we never trigger LeaveWindow() - PointerWindows[] for
-the device still refers to the previous window.
-
-If that window is destroyed we have a dangling reference that will
-eventually cause a use-after-free bug when checking the window hierarchy
-later.
-
-To trigger this, we require:
-- two protocol screens
-- XWarpPointer to the other screen's root window
-- XDestroyWindow before entering any other window
-
-This is a niche bug so we hack around it by making sure we reset the
-PointerWindows[] entry so we cannot have a dangling pointer. This
-doesn't handle Enter/Leave events correctly but the previous code didn't
-either.
-
-CVE-2023-5380, ZDI-CAN-21608
-
-This vulnerability was discovered by:
-Sri working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
----
- dix/enterleave.h   |  2 --
- include/eventstr.h |  3 +++
- mi/mipointer.c     | 17 +++++++++++++++--
- 3 files changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/dix/enterleave.h b/dix/enterleave.h
-index 4b833d8a3b..e8af924c68 100644
---- a/dix/enterleave.h
-+++ b/dix/enterleave.h
-@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
- 
- extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
- 
--extern void LeaveWindow(DeviceIntPtr dev);
--
- extern void CoreFocusEvent(DeviceIntPtr kbd,
-                            int type, int mode, int detail, WindowPtr pWin);
- 
-diff --git a/include/eventstr.h b/include/eventstr.h
-index bf3b95fe4a..2bae3b0767 100644
---- a/include/eventstr.h
-+++ b/include/eventstr.h
-@@ -296,4 +296,7 @@ union _InternalEvent {
- #endif
- };
- 
-+extern void
-+LeaveWindow(DeviceIntPtr dev);
-+
- #endif
-diff --git a/mi/mipointer.c b/mi/mipointer.c
-index 75be1aeeb8..b12ae9be1d 100644
---- a/mi/mipointer.c
-+++ b/mi/mipointer.c
-@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
- #ifdef PANORAMIX
-         && noPanoramiXExtension
- #endif
--        )
--        UpdateSpriteForScreen(pDev, pScreen);
-+        ) {
-+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
-+            /* Hack for CVE-2023-5380: if we're moving
-+             * screens PointerWindows[] keeps referring to the
-+             * old window. If that gets destroyed we have a UAF
-+             * bug later. Only happens when jumping from a window
-+             * to the root window on the other screen.
-+             * Enter/Leave events are incorrect for that case but
-+             * too niche to fix.
-+             */
-+            LeaveWindow(pDev);
-+            if (master)
-+                LeaveWindow(master);
-+            UpdateSpriteForScreen(pDev, pScreen);
-+    }
- }
- 
- /**
--- 
-2.41.0
-

xorg-x11-server.spec

@@ -42,7 +42,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.20.11
-Release:   21%{?gitdate:.%{gitdate}}%{?dist}
+Release:   19%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 
@@ -157,10 +157,6 @@ Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 # CVE-2023-1393
 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
-# CVE-2023-5367
-Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
-# CVE-2023-5380
-Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
 
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
@@ -570,14 +566,6 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 
 
 %changelog
-* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
-- CVE fix for: CVE-2023-5380
-  Resolves: https://issues.redhat.com/browse/RHEL-14062
-
-* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
-- CVE fix for: CVE-2023-5367
-  Resolves: https://issues.redhat.com/browse/RHEL-13430
-
 * Tue Jun  6 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-19
 - Backport fix for a deadlock with DRI3
   Resolves: rhbz#2192550