Backport fix for a deadlock with DRI3

2023-06-07 06:21:36 +00:00
3 changed files with 1 additions and 192 deletions
--- a/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+++ b/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
@ -1,80 +0,0 @@
 From a31ba141824a7649e11f0ef7673718ce559d6337 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Tue, 3 Oct 2023 11:53:05 +1000
 Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
 The handling of appending/prepending properties was incorrect, with at
 least two bugs: the property length was set to the length of the new
 part only, i.e. appending or prepending N elements to a property with P
 existing elements always resulted in the property having N elements
 instead of N + P.
 Second, when pre-pending a value to a property, the offset for the old
 values was incorrect, leaving the new property with potentially
 uninitalized values and/or resulting in OOB memory writes.
 For example, prepending a 3 element value to a 5 element property would
 result in this 8 value array:
  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write
 The XI2 code is a copy/paste of the RandR code, so the bug exists in
 both.
 CVE-2023-5367, ZDI-CAN-22153
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 Xi/xiproperty.c    | 4 ++--
 randr/rrproperty.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
 index 6ec419e870..563c4f31a5 100644
 --- a/Xi/xiproperty.c
 +++ b/Xi/xiproperty.c
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
                 XIDestroyDeviceProperty(prop);
             return BadAlloc;
         }
 -        new_value.size = len;
 +        new_value.size = total_len;
         new_value.type = type;
         new_value.format = format;
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
         case PropModePrepend:
             new_data = new_value.data;
             old_data = (void *) (((char *) new_value.data) +
 -                                  (prop_value->size * size_in_bytes));
 +                                  (len * size_in_bytes));
             break;
         }
         if (new_data)
 diff --git a/randr/rrproperty.c b/randr/rrproperty.c
 index c2fb9585c6..25469f57b2 100644
 --- a/randr/rrproperty.c
 +++ b/randr/rrproperty.c
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
                 RRDestroyOutputProperty(prop);
             return BadAlloc;
         }
 -        new_value.size = len;
 +        new_value.size = total_len;
         new_value.type = type;
         new_value.format = format;
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
         case PropModePrepend:
             new_data = new_value.data;
             old_data = (void *) (((char *) new_value.data) +
 -                                  (prop_value->size * size_in_bytes));
 +                                  (len * size_in_bytes));
             break;
         }
         if (new_data)
 -- 
 2.41.0
--- a/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
+++ b/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
@ -1,99 +0,0 @@
 From 004f461c440cb6611eefb48fbbb4fa53a6d49f80 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Thu, 5 Oct 2023 12:19:45 +1000
 Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
 switch
 PointerWindows[] keeps a reference to the last window our sprite
 entered - changes are usually handled by CheckMotion().
 If we switch between screens via XWarpPointer our
 dev->spriteInfo->sprite->win is set to the new screen's root window.
 If there's another window at the cursor location CheckMotion() will
 trigger the right enter/leave events later. If there is not, it skips
 that process and we never trigger LeaveWindow() - PointerWindows[] for
 the device still refers to the previous window.
 If that window is destroyed we have a dangling reference that will
 eventually cause a use-after-free bug when checking the window hierarchy
 later.
 To trigger this, we require:
 - two protocol screens
 - XWarpPointer to the other screen's root window
 - XDestroyWindow before entering any other window
 This is a niche bug so we hack around it by making sure we reset the
 PointerWindows[] entry so we cannot have a dangling pointer. This
 doesn't handle Enter/Leave events correctly but the previous code didn't
 either.
 CVE-2023-5380, ZDI-CAN-21608
 This vulnerability was discovered by:
 Sri working with Trend Micro Zero Day Initiative
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 Reviewed-by: Adam Jackson <ajax@redhat.com>
 ---
 dix/enterleave.h   |  2 --
 include/eventstr.h |  3 +++
 mi/mipointer.c     | 17 +++++++++++++++--
 3 files changed, 18 insertions(+), 4 deletions(-)
 diff --git a/dix/enterleave.h b/dix/enterleave.h
 index 4b833d8a3b..e8af924c68 100644
 --- a/dix/enterleave.h
 +++ b/dix/enterleave.h
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
 extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
 -extern void LeaveWindow(DeviceIntPtr dev);
 -
 extern void CoreFocusEvent(DeviceIntPtr kbd,
                            int type, int mode, int detail, WindowPtr pWin);
 diff --git a/include/eventstr.h b/include/eventstr.h
 index bf3b95fe4a..2bae3b0767 100644
 --- a/include/eventstr.h
 +++ b/include/eventstr.h
@@ -296,4 +296,7 @@ union _InternalEvent {
 #endif
 };
 +extern void
 +LeaveWindow(DeviceIntPtr dev);
 +
 #endif
 diff --git a/mi/mipointer.c b/mi/mipointer.c
 index 75be1aeeb8..b12ae9be1d 100644
 --- a/mi/mipointer.c
 +++ b/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
 #ifdef PANORAMIX
         && noPanoramiXExtension
 #endif
 -        )
 -        UpdateSpriteForScreen(pDev, pScreen);
 +        ) {
 +            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
 +            /* Hack for CVE-2023-5380: if we're moving
 +             * screens PointerWindows[] keeps referring to the
 +             * old window. If that gets destroyed we have a UAF
 +             * bug later. Only happens when jumping from a window
 +             * to the root window on the other screen.
 +             * Enter/Leave events are incorrect for that case but
 +             * too niche to fix.
 +             */
 +            LeaveWindow(pDev);
 +            if (master)
 +                LeaveWindow(master);
 +            UpdateSpriteForScreen(pDev, pScreen);
 +    }
 }
 /**
 -- 
 2.41.0
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -42,7 +42,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.20.11
-Release:   21%{?gitdate:.%{gitdate}}%{?dist}
+Release:   19%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT
@ -157,10 +157,6 @@ Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 # CVE-2023-1393
 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
 # CVE-2023-5367
 Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
 # CVE-2023-5380
 Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
@ -570,14 +566,6 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %changelog
 * Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
 - CVE fix for: CVE-2023-5380
  Resolves: https://issues.redhat.com/browse/RHEL-14062
 * Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
 - CVE fix for: CVE-2023-5367
  Resolves: https://issues.redhat.com/browse/RHEL-13430
 * Tue Jun  6 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-19
 - Backport fix for a deadlock with DRI3
  Resolves: rhbz#2192550