On Mon, Nov 6, 2023 at 5:02 AM Vijay Anusuri <[email protected]> wrote: > > Hi Steve, > > Xserver-xorg version is the same for both mickledore and kirkstone. Could you > please merge this patch to mickledore along with kirkstone.
I will merge these patches to the stable branches after it hits the master branch. Steve > > Thanks & Regards, > Vijay > > On Mon, Nov 6, 2023 at 4:51 PM Vijay Anusuri via lists.openembedded.org > <[email protected]> wrote: >> >> From: Vijay Anusuri <[email protected]> >> >> Upstream-Status: Backport >> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a >> & >> https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7 >> & >> https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f >> & >> https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f >> & >> https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586] >> >> Signed-off-by: Vijay Anusuri <[email protected]> >> --- >> .../xserver-xorg/CVE-2023-5367.patch | 84 +++++++++++++ >> .../xserver-xorg/CVE-2023-5380.patch | 102 ++++++++++++++++ >> .../xserver-xorg/CVE-2023-5574-1.patch | 113 ++++++++++++++++++ >> .../xserver-xorg/CVE-2023-5574-2.patch | 42 +++++++ >> .../xserver-xorg/CVE-2023-5574-3.patch | 54 +++++++++ >> .../xorg-xserver/xserver-xorg_21.1.8.bb | 5 + >> 6 files changed, 400 insertions(+) >> create mode 100644 >> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch >> create mode 100644 >> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch >> create mode 100644 >> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch >> create mode 100644 >> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch >> create mode 100644 >> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch >> >> diff --git >> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch >> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch >> new file mode 100644 >> index 0000000000..508588481e >> --- /dev/null >> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch >> @@ -0,0 +1,84 @@ >> +From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 >> +From: Peter Hutterer <[email protected]> >> +Date: Tue, 3 Oct 2023 11:53:05 +1000 >> +Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend >> + >> +The handling of appending/prepending properties was incorrect, with at >> +least two bugs: the property length was set to the length of the new >> +part only, i.e. appending or prepending N elements to a property with P >> +existing elements always resulted in the property having N elements >> +instead of N + P. >> + >> +Second, when pre-pending a value to a property, the offset for the old >> +values was incorrect, leaving the new property with potentially >> +uninitalized values and/or resulting in OOB memory writes. >> +For example, prepending a 3 element value to a 5 element property would >> +result in this 8 value array: >> + [N, N, N, ?, ?, P, P, P ] P, P >> + ^OOB write >> + >> +The XI2 code is a copy/paste of the RandR code, so the bug exists in >> +both. >> + >> +CVE-2023-5367, ZDI-CAN-22153 >> + >> +This vulnerability was discovered by: >> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative >> + >> +Signed-off-by: Peter Hutterer <[email protected]> >> + >> +Upstream-Status: Backport >> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a] >> +CVE: CVE-2023-5367 >> +Signed-off-by: Vijay Anusuri <[email protected]> >> +--- >> + Xi/xiproperty.c | 4 ++-- >> + randr/rrproperty.c | 4 ++-- >> + 2 files changed, 4 insertions(+), 4 deletions(-) >> + >> +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c >> +index 066ba21fba..d315f04d0e 100644 >> +--- a/Xi/xiproperty.c >> ++++ b/Xi/xiproperty.c >> +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, >> Atom type, >> + XIDestroyDeviceProperty(prop); >> + return BadAlloc; >> + } >> +- new_value.size = len; >> ++ new_value.size = total_len; >> + new_value.type = type; >> + new_value.format = format; >> + >> +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, >> Atom type, >> + case PropModePrepend: >> + new_data = new_value.data; >> + old_data = (void *) (((char *) new_value.data) + >> +- (prop_value->size * size_in_bytes)); >> ++ (len * size_in_bytes)); >> + break; >> + } >> + if (new_data) >> +diff --git a/randr/rrproperty.c b/randr/rrproperty.c >> +index c2fb9585c6..25469f57b2 100644 >> +--- a/randr/rrproperty.c >> ++++ b/randr/rrproperty.c >> +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom >> property, Atom type, >> + RRDestroyOutputProperty(prop); >> + return BadAlloc; >> + } >> +- new_value.size = len; >> ++ new_value.size = total_len; >> + new_value.type = type; >> + new_value.format = format; >> + >> +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom >> property, Atom type, >> + case PropModePrepend: >> + new_data = new_value.data; >> + old_data = (void *) (((char *) new_value.data) + >> +- (prop_value->size * size_in_bytes)); >> ++ (len * size_in_bytes)); >> + break; >> + } >> + if (new_data) >> +-- >> +GitLab >> + >> diff --git >> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch >> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch >> new file mode 100644 >> index 0000000000..57e2a5abdf >> --- /dev/null >> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch >> @@ -0,0 +1,102 @@ >> +From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 >> +From: Peter Hutterer <[email protected]> >> +Date: Thu, 5 Oct 2023 12:19:45 +1000 >> +Subject: [PATCH] mi: reset the PointerWindows reference on screen switch >> + >> +PointerWindows[] keeps a reference to the last window our sprite >> +entered - changes are usually handled by CheckMotion(). >> + >> +If we switch between screens via XWarpPointer our >> +dev->spriteInfo->sprite->win is set to the new screen's root window. >> +If there's another window at the cursor location CheckMotion() will >> +trigger the right enter/leave events later. If there is not, it skips >> +that process and we never trigger LeaveWindow() - PointerWindows[] for >> +the device still refers to the previous window. >> + >> +If that window is destroyed we have a dangling reference that will >> +eventually cause a use-after-free bug when checking the window hierarchy >> +later. >> + >> +To trigger this, we require: >> +- two protocol screens >> +- XWarpPointer to the other screen's root window >> +- XDestroyWindow before entering any other window >> + >> +This is a niche bug so we hack around it by making sure we reset the >> +PointerWindows[] entry so we cannot have a dangling pointer. This >> +doesn't handle Enter/Leave events correctly but the previous code didn't >> +either. >> + >> +CVE-2023-5380, ZDI-CAN-21608 >> + >> +This vulnerability was discovered by: >> +Sri working with Trend Micro Zero Day Initiative >> + >> +Signed-off-by: Peter Hutterer <[email protected]> >> +Reviewed-by: Adam Jackson <[email protected]> >> + >> +Upstream-Status: Backport >> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] >> +CVE: CVE-2023-5380 >> +Signed-off-by: Vijay Anusuri <[email protected]> >> +--- >> + dix/enterleave.h | 2 -- >> + include/eventstr.h | 3 +++ >> + mi/mipointer.c | 17 +++++++++++++++-- >> + 3 files changed, 18 insertions(+), 4 deletions(-) >> + >> +diff --git a/dix/enterleave.h b/dix/enterleave.h >> +index 4b833d8a3b..e8af924c68 100644 >> +--- a/dix/enterleave.h >> ++++ b/dix/enterleave.h >> +@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, >> + >> + extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); >> + >> +-extern void LeaveWindow(DeviceIntPtr dev); >> +- >> + extern void CoreFocusEvent(DeviceIntPtr kbd, >> + int type, int mode, int detail, WindowPtr pWin); >> + >> +diff --git a/include/eventstr.h b/include/eventstr.h >> +index 93308f9b24..a9926eaeef 100644 >> +--- a/include/eventstr.h >> ++++ b/include/eventstr.h >> +@@ -335,4 +335,7 @@ union _InternalEvent { >> + GestureEvent gesture_event; >> + }; >> + >> ++extern void >> ++LeaveWindow(DeviceIntPtr dev); >> ++ >> + #endif >> +diff --git a/mi/mipointer.c b/mi/mipointer.c >> +index a638f25d4a..8cf0035140 100644 >> +--- a/mi/mipointer.c >> ++++ b/mi/mipointer.c >> +@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr >> pScreen, int x, int y) >> + #ifdef PANORAMIX >> + && noPanoramiXExtension >> + #endif >> +- ) >> +- UpdateSpriteForScreen(pDev, pScreen); >> ++ ) { >> ++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); >> ++ /* Hack for CVE-2023-5380: if we're moving >> ++ * screens PointerWindows[] keeps referring to the >> ++ * old window. If that gets destroyed we have a UAF >> ++ * bug later. Only happens when jumping from a window >> ++ * to the root window on the other screen. >> ++ * Enter/Leave events are incorrect for that case but >> ++ * too niche to fix. >> ++ */ >> ++ LeaveWindow(pDev); >> ++ if (master) >> ++ LeaveWindow(master); >> ++ UpdateSpriteForScreen(pDev, pScreen); >> ++ } >> + } >> + >> + /** >> +-- >> +GitLab >> + >> diff --git >> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch >> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch >> new file mode 100644 >> index 0000000000..9a8e583e78 >> --- /dev/null >> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch >> @@ -0,0 +1,113 @@ >> +From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001 >> +From: Peter Hutterer <[email protected]> >> +Date: Thu, 12 Oct 2023 12:44:13 +1000 >> +Subject: [PATCH] fb: properly wrap/unwrap CloseScreen >> + >> +fbCloseScreen assumes that it overrides miCloseScreen (which just >> +calls FreePixmap(screen->devPrivates)) and emulates that instead of >> +wrapping it. >> + >> +This is a wrong assumption, we may have ShmCloseScreen in the mix too, >> +resulting in leaks (see below). Fix this by properly setting up the >> +CloseScreen wrapper. >> + >> +This means we no longer need the manual DestroyPixmap call in >> +vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303 >> + >> +CVE-2023-5574, ZDI-CAN-21213 >> + >> +This vulnerability was discovered by: >> +Sri working with Trend Micro Zero Day Initiative >> + >> +Signed-off-by: Peter Hutterer <[email protected]> >> +Reviewed-by: Adam Jackson <[email protected]> >> + >> +Upstream-Status: Backport >> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f] >> +CVE: CVE-2023-5574 >> +Signed-off-by: Vijay Anusuri <[email protected]> >> +--- >> + fb/fb.h | 1 + >> + fb/fbscreen.c | 14 ++++++++++---- >> + hw/vfb/InitOutput.c | 7 ------- >> + 3 files changed, 11 insertions(+), 11 deletions(-) >> + >> +diff --git a/fb/fb.h b/fb/fb.h >> +index d157b6956d..cd7bd05d21 100644 >> +--- a/fb/fb.h >> ++++ b/fb/fb.h >> +@@ -410,6 +410,7 @@ typedef struct { >> + #endif >> + DevPrivateKeyRec gcPrivateKeyRec; >> + DevPrivateKeyRec winPrivateKeyRec; >> ++ CloseScreenProcPtr CloseScreen; >> + } FbScreenPrivRec, *FbScreenPrivPtr; >> + >> + #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \ >> +diff --git a/fb/fbscreen.c b/fb/fbscreen.c >> +index 4ab807ab50..c481033f98 100644 >> +--- a/fb/fbscreen.c >> ++++ b/fb/fbscreen.c >> +@@ -29,6 +29,7 @@ >> + Bool >> + fbCloseScreen(ScreenPtr pScreen) >> + { >> ++ FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen); >> + int d; >> + DepthPtr depths = pScreen->allowedDepths; >> + >> +@@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen) >> + free(depths[d].vids); >> + free(depths); >> + free(pScreen->visuals); >> +- if (pScreen->devPrivate) >> +- FreePixmap((PixmapPtr)pScreen->devPrivate); >> +- return TRUE; >> ++ >> ++ pScreen->CloseScreen = screen_priv->CloseScreen; >> ++ >> ++ return pScreen->CloseScreen(pScreen); >> + } >> + >> + Bool >> +@@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int >> xsize, int ysize, >> + int dpix, int dpiy, int width, int bpp) >> + #endif >> + { >> ++ FbScreenPrivPtr screen_priv; >> + VisualPtr visuals; >> + DepthPtr depths; >> + int nvisuals; >> +@@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int >> xsize, int ysize, >> + rootdepth, ndepths, depths, >> + defaultVisual, nvisuals, visuals)) >> + return FALSE; >> +- /* overwrite miCloseScreen with our own */ >> ++ >> ++ screen_priv = fbGetScreenPrivate(pScreen); >> ++ screen_priv->CloseScreen = pScreen->CloseScreen; >> + pScreen->CloseScreen = fbCloseScreen; >> ++ >> + return TRUE; >> + } >> + >> +diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c >> +index 48efb61b2f..076fb7defa 100644 >> +--- a/hw/vfb/InitOutput.c >> ++++ b/hw/vfb/InitOutput.c >> +@@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen) >> + >> + pScreen->CloseScreen = pvfb->closeScreen; >> + >> +- /* >> +- * fb overwrites miCloseScreen, so do this here >> +- */ >> +- if (pScreen->devPrivate) >> +- (*pScreen->DestroyPixmap) (pScreen->devPrivate); >> +- pScreen->devPrivate = NULL; >> +- >> + return pScreen->CloseScreen(pScreen); >> + } >> + >> +-- >> +GitLab >> + >> diff --git >> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch >> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch >> new file mode 100644 >> index 0000000000..2cdef752c7 >> --- /dev/null >> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch >> @@ -0,0 +1,42 @@ >> +From b6fe3f924aecac6d6e311673511ce61aa2f7a81f Mon Sep 17 00:00:00 2001 >> +From: Peter Hutterer <[email protected]> >> +Date: Thu, 12 Oct 2023 12:42:06 +1000 >> +Subject: [PATCH] mi: fix CloseScreen initialization order >> + >> +If SHM is enabled it will set the CloseScreen pointer, only to be >> +overridden by the hardcoded miCloseScreen pointer. Do this the other way >> +round, miCloseScreen is the bottom of our stack. >> + >> +Direct leak of 48 byte(s) in 2 object(s) allocated from: >> + #0 0x7f5ea3ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: >> d8f3addefe29e892d775c30eb364afd3c2484ca5)) >> + #1 0x70adfb in ShmInitScreenPriv ../Xext/shm.c:213 >> + >> +Signed-off-by: Peter Hutterer <[email protected]> >> +Reviewed-by: Adam Jackson <[email protected]> >> + >> +Upstream-Status: Backport >> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f] >> +CVE: CVE-2023-5574 >> +Signed-off-by: Vijay Anusuri <[email protected]> >> +--- >> + mi/miscrinit.c | 2 +- >> + 1 file changed, 1 insertion(+), 1 deletion(-) >> + >> +diff --git a/mi/miscrinit.c b/mi/miscrinit.c >> +index 3bb52b1bc6..b88938c9ae 100644 >> +--- a/mi/miscrinit.c >> ++++ b/mi/miscrinit.c >> +@@ -249,10 +249,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits, /* >> pointer to screen bits */ >> + pScreen->numVisuals = numVisuals; >> + pScreen->visuals = visuals; >> + if (width) { >> ++ pScreen->CloseScreen = miCloseScreen; >> + #ifdef MITSHM >> + ShmRegisterFbFuncs(pScreen); >> + #endif >> +- pScreen->CloseScreen = miCloseScreen; >> + } >> + /* else CloseScreen */ >> + /* QueryBestSize */ >> +-- >> +GitLab >> + >> diff --git >> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch >> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch >> new file mode 100644 >> index 0000000000..47c247ef0c >> --- /dev/null >> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch >> @@ -0,0 +1,54 @@ >> +From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001 >> +From: Peter Hutterer <[email protected]> >> +Date: Tue, 24 Oct 2023 12:09:36 +1000 >> +Subject: [PATCH] dix: always initialize pScreen->CloseScreen >> + >> +CloseScreen is wrapped by the various modules, many of which do not >> +check if they're the last ones unwrapping. This is fine if the order of >> +those modules never changes but when it does we might get a NULL-pointer >> +dereference by some naive code doing a >> + >> + pScreen->CloseScreen = priv->CloseScreen; >> + free(priv); >> + return (*pScreen->CloseScreen)(pScreen); >> + >> +To avoid this set it to a default function that just returns TRUE that's >> +guaranteed to be the last one. >> + >> +Upstream-Status: Backport >> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586] >> +CVE: CVE-2023-5574 >> +Signed-off-by: Vijay Anusuri <[email protected]> >> +--- >> + dix/dispatch.c | 9 +++++++++ >> + 1 file changed, 9 insertions(+) >> + >> +diff --git a/dix/dispatch.c b/dix/dispatch.c >> +index eaac39b7c9..cd092fd409 100644 >> +--- a/dix/dispatch.c >> ++++ b/dix/dispatch.c >> +@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = { >> + 3 /* 64 bits per scanline pad unit */ >> + }; >> + >> ++static Bool >> ++DefaultCloseScreen(ScreenPtr screen) >> ++{ >> ++ return TRUE; >> ++} >> ++ >> + /* >> + grow the array of screenRecs if necessary. >> + call the device-supplied initialization procedure >> +@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool >> gpu) >> + PixmapWidthPaddingInfo[depth].notPower2 = 0; >> + } >> + } >> ++ >> ++ pScreen->CloseScreen = DefaultCloseScreen; >> ++ >> + return 0; >> + } >> + >> +-- >> +GitLab >> + >> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb >> b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb >> index 19db7ea434..a0f905f83b 100644 >> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb >> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb >> @@ -2,6 +2,11 @@ require xserver-xorg.inc >> >> SRC_URI += >> "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ >> file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ >> + file://CVE-2023-5367.patch \ >> + file://CVE-2023-5380.patch \ >> + file://CVE-2023-5574-1.patch \ >> + file://CVE-2023-5574-2.patch \ >> + file://CVE-2023-5574-3.patch \ >> " >> SRC_URI[sha256sum] = >> "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" >> >> -- >> 2.25.1 >> >> >> >>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#190229): https://lists.openembedded.org/g/openembedded-core/message/190229 Mute This Topic: https://lists.openembedded.org/mt/102417729/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
