From c357f38b53d0d82dc73cce522e1c5869d06b38ca Mon Sep 17 00:00:00 2001 From: zhouwenpei Date: Thu, 18 Jan 2024 08:15:01 +0000 Subject: [PATCH 01/11] fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2023-6816,CVE-2024-0229 --- backport-0001-CVE-2024-0229.patch | 83 +++++++++++ backport-0001-CVE-2024-21886.patch | 70 ++++++++++ backport-0002-CVE-2024-0229.patch | 217 +++++++++++++++++++++++++++++ backport-0002-CVE-2024-21886.patch | 53 +++++++ backport-0003-CVE-2024-0229.patch | 37 +++++ backport-CVE-2023-6816.patch | 51 +++++++ backport-CVE-2024-0408.patch | 60 ++++++++ backport-CVE-2024-0409.patch | 56 ++++++++ backport-CVE-2024-21885.patch | 109 +++++++++++++++ xorg-x11-server.spec | 14 +- 10 files changed, 749 insertions(+), 1 deletion(-) create mode 100644 backport-0001-CVE-2024-0229.patch create mode 100644 backport-0001-CVE-2024-21886.patch create mode 100644 backport-0002-CVE-2024-0229.patch create mode 100644 backport-0002-CVE-2024-21886.patch create mode 100644 backport-0003-CVE-2024-0229.patch create mode 100644 backport-CVE-2023-6816.patch create mode 100644 backport-CVE-2024-0408.patch create mode 100644 backport-CVE-2024-0409.patch create mode 100644 backport-CVE-2024-21885.patch diff --git a/backport-0001-CVE-2024-0229.patch b/backport-0001-CVE-2024-0229.patch new file mode 100644 index 0000000..b5354ba --- /dev/null +++ b/backport-0001-CVE-2024-0229.patch 
@@ -0,0 +1,83 @@ +From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 14:27:50 +1000 +Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify + +If a device has both a button class and a key class and numButtons is +zero, we can get an OOB write due to event under-allocation. + +This function seems to assume a device has either keys or buttons, not +both. It has two virtually identical code paths, both of which assume +they're applying to the first event in the sequence. + +A device with both a key and button class triggered a logic bug - only +one xEvent was allocated but the deviceStateNotify pointer was pushed on +once per type. So effectively this logic code: + + int count = 1; + if (button && nbuttons > 32) count++; + if (key && nbuttons > 0) count++; + if (key && nkeys > 32) count++; // this is basically always true + // count is at 2 for our keys + zero button device + + ev = alloc(count * sizeof(xEvent)); + FixDeviceStateNotify(ev); + if (button) + FixDeviceStateNotify(ev++); + if (key) + FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here + +If the device has more than 3 valuators, the OOB is pushed back - we're +off by one so it will happen when the last deviceValuator event is +written instead. + +Fix this by allocating the maximum number of events we may allocate. +Note that the current behavior is not protocol-correct anyway, this +patch fixes only the allocation issue. + +Note that this issue does not trigger if the device has at least one +button. While the server does not prevent a button class with zero +buttons, it is very unlikely. 
+ +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index ded8679d76..17964b00a4 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -675,7 +675,8 @@ static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { + int evcount = 1; +- deviceStateNotify *ev, *sev; ++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; ++ deviceStateNotify *ev; + deviceKeyStateNotify *kev; + deviceButtonStateNotify *bev; + +@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + } + } + +- sev = ev = xallocarray(evcount, sizeof(xEvent)); ++ ev = sev; + FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); + + if (b != NULL) { +@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, + DeviceStateNotifyMask, NullGrab); +- free(sev); + } + + void +-- +GitLab + diff --git a/backport-0001-CVE-2024-21886.patch b/backport-0001-CVE-2024-21886.patch new file mode 100644 index 0000000..e58fe8d --- /dev/null +++ b/backport-0001-CVE-2024-21886.patch 
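Review bot: Replacing the heap buffer with `deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]` fixes the under-allocation only as long as `evcount` can never exceed that fixed size, yet `evcount` is still produced by the old counting logic (left untouched here) and nothing in this patch compares it with the array before `DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, ...)`. The bound check `BUG_RETURN(evcount <= ARRAY_SIZE(sev))` only arrives with backport-0002-CVE-2024-0229.patch, so this patch is not safe to ship on its own, and the `index` lines (ded8679d76 → 17964b00a4 → 7b7ba1098b) pin the order CVE-2023-6816 → 0001 → 0002 that the spec's Patch6032–Patch6034 currently respects. A one-line note in the patch header such as `Must be applied together with backport-0002-CVE-2024-0229.patch, which adds the evcount bound check` would keep a future rebase from dropping or reordering one of them. Most of DeliverStateNotifyEvent's body lies outside the hunk.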
@@ -0,0 +1,70 @@ +From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 22 Dec 2023 18:28:31 +0100 +Subject: [PATCH] Xi: do not keep linked list pointer during recursion + +The `DisableDevice()` function is called whenever an enabled device +is disabled and it moves the device from the `inputInfo.devices` linked +list to the `inputInfo.off_devices` linked list. + +However, its link/unlink operation has an issue during the recursive +call to `DisableDevice()` due to the `prev` pointer pointing to a +removed device. + +This issue leads to a length mismatch between the total number of +devices and the number of device in the list, leading to a heap +overflow and, possibly, to local privilege escalation. + +Simplify the code that checked whether the device passed to +`DisableDevice()` was in `inputInfo.devices` or not and find the +previous device after the recursion. + +CVE-2024-21886, ZDI-CAN-22840 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + dix/devices.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/dix/devices.c b/dix/devices.c +index dca98c8d1b..389d28a23c 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + { + DeviceIntPtr *prev, other; + BOOL enabled; ++ BOOL dev_in_devices_list = FALSE; + int flags[MAXDEVICES] = { 0 }; + + if (!dev->enabled) + return TRUE; + +- for (prev = &inputInfo.devices; +- *prev && (*prev != dev); prev = &(*prev)->next); +- if (*prev != dev) ++ for (other = inputInfo.devices; other; other = other->next) { ++ if (other == dev) { ++ dev_in_devices_list = TRUE; ++ break; ++ } ++ } ++ ++ if (!dev_in_devices_list) + return FALSE; + + TouchEndPhysicallyActiveTouches(dev); +@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + LeaveWindow(dev); + SetFocusOut(dev); + ++ for (prev = 
&inputInfo.devices; ++ *prev && (*prev != dev); prev = &(*prev)->next); ++ + *prev = dev->next; + dev->next = inputInfo.off_devices; + inputInfo.off_devices = dev; +-- +GitLab + diff --git a/backport-0002-CVE-2024-0229.patch b/backport-0002-CVE-2024-0229.patch new file mode 100644 index 0000000..1704fad --- /dev/null +++ b/backport-0002-CVE-2024-0229.patch 
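Review bot: The second `for (prev = &inputInfo.devices; *prev && (*prev != dev); prev = &(*prev)->next);` walk, placed after `SetFocusOut(dev)`, has no counterpart to the early `if (!dev_in_devices_list) return FALSE;` guard: if `dev` is no longer on `inputInfo.devices` by then, the loop stops with `prev` at the list's terminating `next` slot and `*prev = dev->next` splices `dev->next` onto the tail of the enabled list, which is the same list-length mismatch this CVE describes. Whether the recursive `DisableDevice()` calls in between can actually unlink `dev` itself is not decidable from the hunk (the middle of the function is outside it), but the defence is cheap: `if (*prev == dev) *prev = dev->next; else BUG_WARN(1); /* dev already unlinked */` before moving `dev` onto `off_devices`. That turns a silent list corruption into a logged warning.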
@@ -0,0 +1,217 @@ +From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 12:26:20 +1000 +Subject: [PATCH] dix: fix DeviceStateNotify event calculation + +The previous code only made sense if one considers buttons and keys to +be mutually exclusive on a device. That is not necessarily true, causing +a number of issues. + +This function allocates and fills in the number of xEvents we need to +send the device state down the wire. This is split across multiple +32-byte devices including one deviceStateNotify event and optional +deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) +deviceValuator events. + +The previous behavior would instead compose a sequence +of [state, buttonstate, state, keystate, valuator...]. This is not +protocol correct, and on top of that made the code extremely convoluted. + +Fix this by streamlining: add both button and key into the deviceStateNotify +and then append the key state and button state, followed by the +valuators. Finally, the deviceValuator events contain up to 6 valuators +per event but we only ever sent through 3 at a time. Let's double that +troughput. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- + 1 file changed, 52 insertions(+), 69 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 17964b00a4..7b7ba1098b 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + + ev->type = DeviceValuator; + ev->deviceid = dev->id; +- ev->num_valuators = nval < 3 ? nval : 3; ++ ev->num_valuators = nval < 6 ? 
nval : 6; + ev->first_valuator = first; + switch (ev->num_valuators) { ++ case 6: ++ ev->valuator2 = v->axisVal[first + 5]; ++ case 5: ++ ev->valuator2 = v->axisVal[first + 4]; ++ case 4: ++ ev->valuator2 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->valuator0 = v->axisVal[first]; + break; + } +- first += ev->num_valuators; + } + + static void +@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + ev->num_buttons = b->numButtons; + memcpy((char *) ev->buttons, (char *) b->down, 4); + } +- else if (k) { ++ if (k) { + ev->classes_reported |= (1 << KeyClass); + ev->num_keys = k->xkbInfo->desc->max_key_code - + k->xkbInfo->desc->min_key_code; +@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + } + } + +- ++/** ++ * The device state notify event is split across multiple 32-byte events. ++ * The first one contains the first 32 button state bits, the first 32 ++ * key state bits, and the first 3 valuator values. 
++ * ++ * If a device has more than that, the server sends out: ++ * - one deviceButtonStateNotify for buttons 32 and above ++ * - one deviceKeyStateNotify for keys 32 and above ++ * - one deviceValuator event per 6 valuators above valuator 4 ++ * ++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS, ++ */ + static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { ++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify ++ * and one deviceValuator for each 6 valuators */ ++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; + int evcount = 1; +- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; +- deviceStateNotify *ev; +- deviceKeyStateNotify *kev; +- deviceButtonStateNotify *bev; ++ deviceStateNotify *ev = sev; + + KeyClassPtr k; + ButtonClassPtr b; +@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + if ((b = dev->button) != NULL) { + nbuttons = b->numButtons; +- if (nbuttons > 32) ++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; + } + if ((k = dev->key) != NULL) { + nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; +- if (nkeys > 32) ++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; +- if (nbuttons > 0) { +- evcount++; +- } + } + if ((v = dev->valuator) != NULL) { + nval = v->numAxes; +- +- if (nval > 3) +- evcount++; +- if (nval > 6) { +- if (!(k && b)) +- evcount++; +- if (nval > 9) +- evcount += ((nval - 7) / 3); +- } ++ /* first three are encoded in deviceStateNotify, then ++ * it's 6 per deviceValuator event */ ++ evcount += ((nval - 3) + 6)/6; + } + +- ev = sev; +- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); +- +- if (b != NULL) { +- FixDeviceStateNotify(dev, ev++, NULL, b, v, first); +- first += 3; +- nval -= 3; +- if (nbuttons > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- bev = (deviceButtonStateNotify *) ev++; +- bev->type = DeviceButtonStateNotify; +- 
bev->deviceid = dev->id; +- memcpy((char *) &bev->buttons[4], (char *) &b->down[4], +- DOWN_LENGTH - 4); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ BUG_RETURN(evcount <= ARRAY_SIZE(sev)); ++ ++ FixDeviceStateNotify(dev, ev, k, b, v, first); ++ ++ if (b != NULL && nbuttons > 32) { ++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ bev->type = DeviceButtonStateNotify; ++ bev->deviceid = dev->id; ++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4], ++ DOWN_LENGTH - 4); + } + +- if (k != NULL) { +- FixDeviceStateNotify(dev, ev++, k, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nkeys > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- kev = (deviceKeyStateNotify *) ev++; +- kev->type = DeviceKeyStateNotify; +- kev->deviceid = dev->id; +- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ if (k != NULL && nkeys > 32) { ++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ kev->type = DeviceKeyStateNotify; ++ kev->deviceid = dev->id; ++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); + } + ++ first = 3; ++ nval -= 3; + while (nval > 0) { +- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ ev->deviceid |= MORE_EVENTS; ++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); ++ first += 6; ++ nval -= 6; + } + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, +-- +GitLab + 
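Review bot: The three new arms in `FixDeviceValuator` all store into the same field (`case 6: ev->valuator2 = v->axisVal[first + 5]; case 5: ev->valuator2 = v->axisVal[first + 4]; case 4: ev->valuator2 = v->axisVal[first + 3];`) and, because the switch falls through, `case 3` overwrites it a fourth time, so for `num_valuators` of 4–6 the client sees `valuator3`..`valuator5` that were never written; they should be `ev->valuator5`, `ev->valuator4` and `ev->valuator3` respectively. `sev` is declared without an initializer and nothing in the hunk clears it, so the unwritten fields go out as whatever happened to be on the stack, i.e. a stack-content leak to the client on top of wrong data. Separately, `evcount += ((nval - 3) + 6)/6;` appears to count one event too many whenever `nval - 3` is a multiple of 6 (including `nval == 3`, where the `while (nval > 0)` loop sends nothing), which would deliver one unfilled trailing event; `((nval - 3) + 5)/6` is the ceiling the loop actually produces, but verify against the loop before changing it. Neither correction is among the patches in this series, so it is worth checking current upstream dix/enterleave.c. The start of FixDeviceValuator is outside the hunk.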
diff --git a/backport-0002-CVE-2024-21886.patch b/backport-0002-CVE-2024-21886.patch new file mode 100644 index 0000000..de74224 --- /dev/null +++ b/backport-0002-CVE-2024-21886.patch @@ -0,0 +1,53 @@ +From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Fri, 5 Jan 2024 09:40:27 +1000 +Subject: [PATCH] dix: when disabling a master, float disabled slaved devices + too + +Disabling a master device floats all slave devices but we didn't do this +to already-disabled slave devices. As a result those devices kept their +reference to the master device resulting in access to already freed +memory if the master device was removed before the corresponding slave +device. + +And to match this behavior, also forcibly reset that pointer during +CloseDownDevices(). + +Related to CVE-2024-21886, ZDI-CAN-22840 +--- + dix/devices.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 389d28a23c..84a6406d13 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + flags[other->id] |= XISlaveDetached; + } + } ++ ++ for (other = inputInfo.off_devices; other; other = other->next) { ++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { ++ AttachDevice(NULL, other, NULL); ++ flags[other->id] |= XISlaveDetached; ++ } ++ } + } + else { + for (other = inputInfo.devices; other; other = other->next) { +@@ -1088,6 +1095,11 @@ CloseDownDevices(void) + dev->master = NULL; + } + ++ for (dev = inputInfo.off_devices; dev; dev = dev->next) { ++ if (!IsMaster(dev) && !IsFloating(dev)) ++ dev->master = NULL; ++ } ++ + CloseDeviceList(&inputInfo.devices); + CloseDeviceList(&inputInfo.off_devices); + +-- +GitLab + diff --git a/backport-0003-CVE-2024-0229.patch b/backport-0003-CVE-2024-0229.patch new file mode 100644 index 0000000..1624ec1 --- /dev/null +++ b/backport-0003-CVE-2024-0229.patch 
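Review bot: The new `for (other = inputInfo.off_devices; ...)` loop in `DisableDevice()` is a verbatim copy of the `inputInfo.devices` loop just above it, and the reason it exists—an already-disabled slave keeps `master` pointing at `dev`, which dangles once the master is freed—is stated only in the commit message, not in the code. A comment above the loop, e.g. `/* already-disabled slaves still reference dev; float them too or their master pointer dangles once dev is freed */`, and a matching one on the `CloseDownDevices()` loop would stop someone from "deduplicating" them later. Whether `AttachDevice(NULL, other, NULL)` is fully safe on a device that is on `off_devices` cannot be confirmed from the hunk; both enclosing functions continue outside it.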
@@ -0,0 +1,37 @@ +From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 21 Dec 2023 13:48:10 +1000 +Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of + buttons + +There's a racy sequence where a master device may copy the button class +from the slave, without ever initializing numButtons. This leads to a +device with zero buttons but a button class which is invalid. + +Let's copy the numButtons value from the source - by definition if we +don't have a button class yet we do not have any other slave devices +with more than this number of buttons anyway. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/exevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 54ea11a938..e161714682 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + to->button = calloc(1, sizeof(ButtonClassRec)); + if (!to->button) + FatalError("[Xi] no memory for class shift.\n"); ++ to->button->numButtons = from->button->numButtons; + } + else + classes->button = NULL; +-- +GitLab + diff --git a/backport-CVE-2023-6816.patch b/backport-CVE-2023-6816.patch new file mode 100644 index 0000000..e928729 --- /dev/null +++ b/backport-CVE-2023-6816.patch 
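Review bot: `to->button->numButtons = from->button->numButtons;` is the entire fix, but a reader of `DeepCopyPointerClasses()` will not see why a freshly `calloc`'d `ButtonClassRec` with zero buttons is dangerous—the event under-allocation in backport-0001-CVE-2024-0229 depends on exactly that state. Suggest a comment on the line: `/* a ButtonClass with numButtons == 0 is invalid and trips DeliverStateNotifyEvent (CVE-2024-0229) */`. Whether the remaining button fields (map, down) are copied later in the function is outside the hunk.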
@@ -0,0 +1,51 @@ +From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a444..2b05ac5f39 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec74363..ded8679d76 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +GitLab + diff --git a/backport-CVE-2024-0408.patch b/backport-CVE-2024-0408.patch new file mode 100644 index 0000000..1efab49 --- /dev/null 
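Review bot: The literal `256` now appears in two files (`bytes_to_int32(bits_to_bytes(256))` in Xi/xiquerypointer.c and `bits_to_bytes(256)` in dix/enterleave.c) with the justification repeated in two comments; a shared named constant such as `#define MAX_LOGICAL_BUTTONS 256 /* logical button map entries are CARD8 */` next to the existing button-map definitions would keep both sites, and any future XI2 reply carrying a button mask, from drifting apart. The fix itself looks right as far as the hunks show: the mask is sized to the maximum logical button value rather than the physical `numButtons`, which presumably is what the out-of-bounds bit writes depended on; the loops that set the bits are outside the hunks.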
+++ b/backport-CVE-2024-0408.patch @@ -0,0 +1,60 @@ +From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 12:09:41 +0100 +Subject: [PATCH] glx: Call XACE hooks on the GLX buffer + +The XSELINUX code will label resources at creation by checking the +access mode. When the access mode is DixCreateAccess, it will call the +function to label the new resource SELinuxLabelResource(). + +However, GLX buffers do not go through the XACE hooks when created, +hence leaving the resource actually unlabeled. + +When, later, the client tries to create another resource using that +drawable (like a GC for example), the XSELINUX code would try to use +the security ID of that object which has never been labeled, get a NULL +pointer and crash when checking whether the requested permissions are +granted for subject security ID. + +To avoid the issue, make sure to call the XACE hooks when creating the +GLX buffers. + +Credit goes to Donn Seeley for providing the patch. + +CVE-2024-0408 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +--- + glx/glxcmds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index fc26a2e345..1e46d0c723 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -48,6 +48,7 @@ + #include "indirect_util.h" + #include "protocol-versions.h" + #include "glxvndabi.h" ++#include "xace.h" + + static char GLXServerVendorName[] = "SGI"; + +@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, + if (!pPixmap) + return BadAlloc; + ++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, ++ pPixmap, RT_NONE, NULL, DixCreateAccess); ++ if (err != Success) { ++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); ++ return err; ++ } ++ + /* Assign the pixmap the same id as the pbuffer and add it as a + * resource so it and the DRI2 drawable will be reclaimed when the + * pbuffer is destroyed. */ +-- +GitLab + 
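Review bot: The added `XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, pPixmap, RT_NONE, NULL, DixCreateAccess)` in `DoCreatePbuffer()` runs before the pixmap is registered as a resource, and the error path releases it with `(*pGlxScreen->pScreen->DestroyPixmap) (pPixmap)`, which is consistent with how the surrounding code owns `pPixmap`. Two things are not visible and worth confirming in the 1.20.11 tree: that `err` is declared earlier in the function (the hunk assigns it without declaring it), and whether the other GLX drawable creators in glxcmds.c wrap an already-labelled X resource or have the same unlabelled path—the commit message only mentions pbuffers. A comment such as `/* label the pixmap for XACE/XSELinux; an unlabelled resource crashes later lookups (CVE-2024-0408) */` would document why the hook sits here. DoCreatePbuffer continues on both sides of the hunk.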
diff --git a/backport-CVE-2024-0409.patch b/backport-CVE-2024-0409.patch new file mode 100644 index 0000000..7e956fb --- /dev/null +++ b/backport-CVE-2024-0409.patch 
@@ -0,0 +1,56 @@ +From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 11:51:56 +0100 +Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor + +The cursor in DIX is actually split in two parts, the cursor itself and +the cursor bits, each with their own devPrivates. + +The cursor itself includes the cursor bits, meaning that the cursor bits +devPrivates in within structure of the cursor. + +Both Xephyr and Xwayland were using the private key for the cursor bits +to store the data for the cursor, and when using XSELINUX which comes +with its own special devPrivates, the data stored in that cursor bits' +devPrivates would interfere with the XSELINUX devPrivates data and the +SELINUX security ID would point to some other unrelated data, causing a +crash in the XSELINUX code when trying to (re)use the security ID. + +CVE-2024-0409 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +--- + hw/kdrive/ephyr/ephyrcursor.c | 2 +- + hw/xwayland/xwayland-cursor.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c +index f991899c50..3f192d034a 100644 +--- a/hw/kdrive/ephyr/ephyrcursor.c ++++ b/hw/kdrive/ephyr/ephyrcursor.c +@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = { + Bool + ephyrCursorInit(ScreenPtr screen) + { +- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS, ++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR, + sizeof(ephyrCursorRec))) + return FALSE; + +diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c +index e3c1aaa50c..bd94b0cfbb 100644 +--- a/hw/xwayland/xwayland-cursor.c ++++ b/hw/xwayland/xwayland-cursor.c +@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = { + Bool + xwl_screen_init_cursor(struct xwl_screen *xwl_screen) + { +- if 
(!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0)) ++ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0)) + return FALSE; + + return miPointerInitialize(xwl_screen->screen, +-- +GitLab + diff --git a/backport-CVE-2024-21885.patch b/backport-CVE-2024-21885.patch new file mode 100644 index 0000000..949efd7 --- /dev/null +++ b/backport-CVE-2024-21885.patch 
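Review bot: Switching the key type to `PRIVATE_CURSOR` fixes only the registration; every `dixLookupPrivate`/`dixGetPrivate`/`dixSetPrivate` on `ephyrCursorPrivateKey` and `xwl_cursor_private_key` must be given the `CursorPtr`'s `devPrivates`, not the `CursorBits`' `devPrivates`, and none of those call sites are in the hunk. A caller still passing `cursor->bits->devPrivates` would silently read the wrong private block again, the same class of corruption this CVE fixes, so those accessor sites should be checked and the backport note should say they were. Both `ephyrCursorInit` and `xwl_screen_init_cursor` continue outside the hunk.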
@@ -0,0 +1,109 @@ +From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 4 Jan 2024 10:01:24 +1000 +Subject: [PATCH] Xi: flush hierarchy events after adding/removing master + devices + +The `XISendDeviceHierarchyEvent()` function allocates space to store up +to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. + +If a device with a given ID was removed and a new device with the same +ID added both in the same operation, the single device ID will lead to +two info structures being written to `info`. + +Since this case can occur for every device ID at once, a total of two +times `MAXDEVICES` info structures might be written to the allocation. + +To avoid it, once one add/remove master is processed, send out the +device hierarchy event for the current state and continue. That event +thus only ever has exactly one of either added/removed in it (and +optionally slave attached/detached). + +CVE-2024-21885, ZDI-CAN-22744 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index d2d985848d..72d00451e3 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) + size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; ++ enum { ++ NO_CHANGE, ++ FLUSH, ++ CHANGED, ++ } changes = NO_CHANGE; + + REQUEST(xXIChangeHierarchyReq); + REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = add_master(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIRemoveMaster: + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; +@@ -475,8 +481,9 @@ 
ProcXIChangeHierarchy(ClientPtr client) + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIDetachSlave: + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = CHANGED; + break; ++ } + case XIAttachSlave: + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; +@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; ++ changes = CHANGED; ++ break; + } ++ default: + break; + } + ++ if (changes == FLUSH) { ++ XISendDeviceHierarchyEvent(flags); ++ memset(flags, 0, sizeof(flags)); ++ changes = NO_CHANGE; ++ } ++ + len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + + unwind: +- +- XISendDeviceHierarchyEvent(flags); ++ if (changes != NO_CHANGE) ++ XISendDeviceHierarchyEvent(flags); + return rc; + } +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 26d7728..3e0bcf6 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 24 +Release: 25 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org 
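Review bot: Flushing with `XISendDeviceHierarchyEvent(flags)` after every XIAddMaster/XIRemoveMaster changes the wire behaviour—a request carrying N master operations now emits N hierarchy events instead of one, with any slave attach/detach entries accumulated since the last flush folded into the next master event—and nothing in the code says that is deliberate. A comment above the `if (changes == FLUSH)` block, e.g. `/* flush after each master add/remove so an ID removed and re-added in one request cannot yield two entries in the MAXDEVICES-sized info array */`, would stop a future "optimisation" from re-batching them. The new `default: break;` also silently accepts unknown `any->type` values; if the types are validated before this loop (outside the hunk) that is fine, otherwise it should set `rc = BadValue; goto unwind;`. ProcXIChangeHierarchy starts before the hunk.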
@@ -111,6 +111,15 @@ Patch6023: backport-CVE-2023-5367.patch Patch6024: backport-CVE-2023-5380.patch Patch6025: backport-CVE-2023-6478.patch Patch6026: backport-CVE-2023-6377.patch +Patch6027: backport-CVE-2024-21885.patch +Patch6028: backport-0001-CVE-2024-21886.patch +Patch6029: backport-0002-CVE-2024-21886.patch +Patch6030: backport-CVE-2024-0408.patch +Patch6031: backport-CVE-2024-0409.patch +Patch6032: backport-CVE-2023-6816.patch +Patch6033: backport-0001-CVE-2024-0229.patch +Patch6034: backport-0002-CVE-2024-0229.patch +Patch6035: backport-0003-CVE-2024-0229.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -452,6 +461,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Thu Jan 18 2024 zhouwenpei -1.20.11-25 +- fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2024-6816,CVE-2024-0229 + * Fri Dec 15 2023 zhangpan -1.20.11-24 - fix CVE-2023-6478 CVE-2023-6377 -- Gitee From 9edc01cebae49ff40644c5f60633545652f41de8 Mon Sep 17 00:00:00 2001 From: yangchenguang Date: Mon, 29 Jan 2024 09:32:31 +0800 Subject: [PATCH 02/11] Modify sw_64 patch to use all arch Signed-off-by: yangchenguang (cherry picked from commit 066f3a0a9007e6e924469907d01e8b948c23afdf) --- xorg-x11-server.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 3e0bcf6..c09824d 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 25 +Release: 26 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org 
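Review bot: The order of `Patch6032: backport-CVE-2023-6816.patch` through `Patch6035: backport-0003-CVE-2024-0229.patch` is load-bearing: the embedded `index` lines for dix/enterleave.c chain 867ec74363 → ded8679d76 (CVE-2023-6816) → 17964b00a4 (0001-CVE-2024-0229) → 7b7ba1098b (0002-CVE-2024-0229), and dix/devices.c chains dca98c8d1b → 389d28a23c → 84a6406d13 across the two CVE-2024-21886 patches, so a different order fails to apply or applies with fuzz. A spec comment in front of the group, e.g. `# keep order: CVE-2023-6816 precedes the CVE-2024-0229 series (same dix/enterleave.c hunks)`, makes that explicit for whoever next renumbers the patch list.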
@@ -90,9 +90,7 @@ Patch6005: backport-0001-CVE-2022-2319.patch Patch6006: backport-0002-CVE-2022-2319.patch Patch6007: backport-CVE-2022-2320.patch Patch6008: backport-CVE-2022-3551.patch -%ifarch sw_64 Patch6009: xorg-server-1.20.11-sw.patch -%endif Patch6010: backport-CVE-2022-3553.patch Patch6011: backport-0001-CVE-2022-46340.patch Patch6012: backport-0002-CVE-2022-46340.patch @@ -461,6 +459,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Mon Jan 29 2024 yangchenguang - 1.20.11-26 +- Modify sw_64 patch to use all arch + * Thu Jan 18 2024 zhouwenpei -1.20.11-25 - fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2024-6816,CVE-2024-0229 -- Gitee From 994cbc86cd379a5be2ddadcacb53b564881917ab Mon Sep 17 00:00:00 2001 From: niuwanli Date: Mon, 5 Feb 2024 10:59:45 +0800 Subject: [PATCH 03/11] fix segfault if CreateGC failed in XaceHook --- ...fault-if-CreateGC-failed-in-XaceHook.patch | 35 +++++++++++++++++++ xorg-x11-server.spec | 6 +++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 fix-segfault-if-CreateGC-failed-in-XaceHook.patch diff --git a/fix-segfault-if-CreateGC-failed-in-XaceHook.patch b/fix-segfault-if-CreateGC-failed-in-XaceHook.patch new file mode 100644 index 0000000..f114402 --- /dev/null +++ b/fix-segfault-if-CreateGC-failed-in-XaceHook.patch 
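Review bot: Dropping the `%ifarch sw_64` guard around `Patch6009: xorg-server-1.20.11-sw.patch` applies a patch that was scoped to one architecture to every build, yet neither the commit message ("Modify sw_64 patch to use all arch") nor the changelog says what the patch changes or why it is correct on the other architectures. The patch body is not in this diff, so I cannot tell whether it is a build-only fix or alters runtime behaviour; the changelog line should state that, e.g. `- apply xorg-server-1.20.11-sw.patch on all architectures (build fix only, no functional change)`, if that is what was verified. If it touches arch-specific code paths, keeping the guard and fixing the build elsewhere would be the safer route.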
@@ -0,0 +1,35 @@ +From 9b1bb4a69190aaecafcbcafd97f6b42811c6e14b Mon Sep 17 00:00:00 2001 +From: niuwanli +Date: Wed, 24 Jan 2024 17:14:47 +0800 +Subject: [PATCH] Fix the FreeGC call funcs not checked + +--- + dix/gc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/dix/gc.c b/dix/gc.c +index 4ccbd3b..80b375b 100644 +--- a/dix/gc.c ++++ b/dix/gc.c +@@ -770,14 +770,16 @@ FreeGC(void *value, XID gid) + GCPtr pGC = (GCPtr) value; + + CloseFont(pGC->font, (Font) 0); +- (*pGC->funcs->DestroyClip) (pGC); ++ if (pGC->funcs) ++ (*pGC->funcs->DestroyClip) (pGC); + + if (!pGC->tileIsPixel) + (*pGC->pScreen->DestroyPixmap) (pGC->tile.pixmap); + if (pGC->stipple) + (*pGC->pScreen->DestroyPixmap) (pGC->stipple); + +- (*pGC->funcs->DestroyGC) (pGC); ++ if (pGC->funcs) ++ (*pGC->funcs->DestroyGC) (pGC); + if (pGC->dash != DefaultDash) + free(pGC->dash); + dixFreeObjectWithPrivates(pGC, PRIVATE_GC); +-- +2.33.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index c09824d..145db8d 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 26 +Release: 27 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -118,6 +118,7 @@ Patch6032: backport-CVE-2023-6816.patch Patch6033: backport-0001-CVE-2024-0229.patch Patch6034: backport-0002-CVE-2024-0229.patch Patch6035: backport-0003-CVE-2024-0229.patch +Patch6036: fix-segfault-if-CreateGC-failed-in-XaceHook.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -459,6 +460,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Mon Feb 5 2024 niuwanli - 1.20.11-27 +- fix segfault if CreateGC failed in XaceHook + * Mon Jan 29 2024 yangchenguang - 1.20.11-26 - Modify sw_64 patch to use all arch -- Gitee From 61cc5da207556ad6c6250bce0577f2d4c8c8af78 Mon Sep 17 00:00:00 2001 
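Review bot: The `if (pGC->funcs)` guards in `FreeGC()` are incomplete for the failure they target: `CloseFont(pGC->font, (Font) 0)` and the `(*pGC->pScreen->DestroyPixmap)` calls on `pGC->tile.pixmap` and `pGC->stipple` stay unconditional and will dereference whatever a partially-built GC holds there (whether those fields are zeroed before the XACE hook runs in `CreateGC()` is not visible here). Guarding `funcs` also treats the symptom—`FreeGC()` being handed a GC whose creation aborted—rather than the creation path; either `CreateGC()` should release a partially-initialised GC without going through `FreeGC()`, or `FreeGC()` should be made safe for every field it touches, with a comment such as `/* may be called on a GC whose CreateGC failed before funcs/font/tile were set */` stating that contract. The patch also carries no upstream reference or the Conflict/Reference trailers used by the later CVE-2024-3108x backports, so it reads as a local fix; if upstream has an equivalent commit it should be cited.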
From: zhang-liang-pengkun Date: Wed, 28 Feb 2024 17:57:27 +0800 Subject: [PATCH 04/11] fix changelog and headline.CVE-2023-6816 Signed-off-by: zhang-liang-pengkun (cherry picked from commit 826aad9f47e346aada912097d6235f4f2ec2ff93) --- xorg-x11-server.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 145db8d..2a698a7 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 27 +Release: 28 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -460,6 +460,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Wed Feb 28 2024 zhangliangpengkun - 1.20.11-28 +- fix changelog The CVE is should be CVE-2023-6816. + * Mon Feb 5 2024 niuwanli - 1.20.11-27 - fix segfault if CreateGC failed in XaceHook @@ -467,7 +470,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete - Modify sw_64 patch to use all arch * Thu Jan 18 2024 zhouwenpei -1.20.11-25 -- fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2024-6816,CVE-2024-0229 +- fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2023-6816,CVE-2024-0229 * Fri Dec 15 2023 zhangpan -1.20.11-24 - fix CVE-2023-6478 CVE-2023-6377 -- Gitee From 73daa49c67cd37e1e0562dd40ed20a520f062aee Mon Sep 17 00:00:00 2001 
From: yangl777 Date: Sun, 7 Apr 2024 08:48:32 +0000 Subject: [PATCH 05/11] fix CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 (cherry picked from commit 9bd7748d2277afa93e0e55d9a82fae3ffbbf075c) --- backport-CVE-2024-31080.patch | 48 ++++++++++++++ backport-CVE-2024-31081.patch | 46 ++++++++++++++ backport-CVE-2024-31082.patch | 50 +++++++++++++++ backport-CVE-2024-31083.patch | 115 ++++++++++++++++++++++++++++++++++ xorg-x11-server.spec | 9 ++- 5 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-31080.patch create mode 100644 backport-CVE-2024-31081.patch create mode 100644 backport-CVE-2024-31082.patch create mode 100644 backport-CVE-2024-31083.patch diff --git a/backport-CVE-2024-31080.patch b/backport-CVE-2024-31080.patch new file mode 100644 index 0000000..70a5094 --- /dev/null +++ b/backport-CVE-2024-31080.patch 
@@ -0,0 +1,48 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith
+Part-of:
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++ uint32_t length;
+
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+
+ free(buffer);
+ return Success;
+--
+GitLab
+
diff --git a/backport-CVE-2024-31081.patch b/backport-CVE-2024-31081.patch
new file mode 100644
index 0000000..b1adbc4
--- /dev/null
+++ b/backport-CVE-2024-31081.patch
@@ -0,0 +1,46 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith
+Part-of:
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++ uint32_t length;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+
+ out:
+ free(modifiers_failed);
+--
+GitLab
+
diff --git a/backport-CVE-2024-31082.patch b/backport-CVE-2024-31082.patch
new file mode 100644
index 0000000..f12b13c
--- /dev/null
+++ b/backport-CVE-2024-31082.patch
@@ -0,0 +1,50 @@
+From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 22 Mar 2024 19:07:34 -0700
+Subject: [PATCH] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
+ length to send reply
+
+CVE-2024-31082
+
+Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+Signed-off-by: Alan Coopersmith
+Part-of:
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef
+---
+ hw/xquartz/xpr/appledri.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
+index 77574655b2..40422b61a9 100644
+--- a/hw/xquartz/xpr/appledri.c
++++ b/hw/xquartz/xpr/appledri.c
+@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ xAppleDRICreatePixmapReply rep;
+ int width, height, pitch, bpp;
+ void *ptr;
++ CARD32 stringLength;
+
+ REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
+
+@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
+ ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+
++ stringLength = rep.stringLength; /* save unswapped value */
+ if (client->swapped) {
+ swaps(&rep.sequenceNumber);
+ swapl(&rep.length);
+@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ }
+
+ WriteToClient(client, sizeof(rep), &rep);
+- WriteToClient(client, rep.stringLength, path);
++ WriteToClient(client, stringLength, path);
+
+ return Success;
+ }
+--
+GitLab
+
diff --git a/backport-CVE-2024-31083.patch b/backport-CVE-2024-31083.patch
new file mode 100644
index 0000000..b23908d
--- /dev/null
+++ b/backport-CVE-2024-31083.patch
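Review bot: The file this hunk patches, `hw/xquartz/xpr/appledri.c`, is the macOS XQuartz DDX, which a Linux build of xorg-x11-server does not compile, so on this platform the patch changes source only and the 1.20.11-29 changelog claim "fix CVE-2024-31082" describes nothing that reaches the shipped binaries. Carrying the patch so the tree matches upstream is reasonable, but the changelog entry should say so, e.g. `- fix CVE-2024-31082 (XQuartz only, not built in this package)`, so a vulnerability scan of the package is not misled either way. If XQuartz is in fact enabled somewhere not visible in this spec, ignore this.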
@@ -0,0 +1,115 @@ +From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 30 Jan 2024 13:13:35 +1000 +Subject: [PATCH] render: fix refcounting of glyphs during ProcRenderAddGlyphs + +Previously, AllocateGlyph would return a new glyph with refcount=0 and a +re-used glyph would end up not changing the refcount at all. The +resulting glyph_new array would thus have multiple entries pointing to +the same non-refcounted glyphs. + +AddGlyph may free a glyph, resulting in a UAF when the same glyph +pointer is then later used. + +Fix this by returning a refcount of 1 for a new glyph and always +incrementing the refcount for a re-used glyph, followed by dropping that +refcount back down again when we're done with it. + +CVE-2024-31083, ZDI-CAN-22880 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Part-of: + +Conflict: render/glyphstr_priv.h => render/glyphstr.h and void FreeGlyph(GlyphPtr glyph, int format) => extern void FreeGlyph(GlyphPtr glyph, int format) +Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb31609b1280fc93237b00c77 +--- + render/glyph.c | 5 +- + render/glyphstr.h | 1 + + render/render.c | 15 +++-- + 3 files changed, 15 insertions(+), 6 deletions(-) + create mode 100644 render/glyphstr.h.orig + +diff --git a/render/glyph.c b/render/glyph.c +index f3ed9cf..d5fc5f3 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph) + } + } + +-static void ++void + FreeGlyph(GlyphPtr glyph, int format) + { + CheckDuplicates(&globalGlyphs[format], "FreeGlyph"); ++ BUG_RETURN(glyph->refcnt == 0); + if (--glyph->refcnt == 0) { + GlyphRefPtr gr; + int i; +@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth) + glyph = (GlyphPtr) malloc(size); + if (!glyph) + return 0; +- glyph->refcnt = 0; ++ glyph->refcnt = 1; + glyph->size = size + sizeof(xGlyphInfo); + glyph->info = *gi; + 
dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH); +diff --git a/render/glyphstr.h b/render/glyphstr.h +index 2f51bd2..3b1d806 100644 +--- a/render/glyphstr.h ++++ b/render/glyphstr.h +@@ -108,6 +108,7 @@ extern Bool + extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id); + + extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format); ++extern void FreeGlyph(GlyphPtr glyph, int format); + + extern Bool + ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change); +diff --git a/render/render.c b/render/render.c +index 456f156..5bc2a20 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client) + + if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) { + glyph_new->found = TRUE; ++ ++glyph_new->glyph->refcnt; + } + else { + GlyphPtr glyph; +@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client) + err = BadAlloc; + goto bail; + } +- for (i = 0; i < nglyphs; i++) ++ for (i = 0; i < nglyphs; i++) { + AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id); ++ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth); ++ } + + if (glyphsBase != glyphsLocal) + free(glyphsBase); +@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client) + FreePicture((void *) pSrc, 0); + if (pSrcPix) + FreeScratchPixmapHeader(pSrcPix); +- for (i = 0; i < nglyphs; i++) +- if (glyphs[i].glyph && !glyphs[i].found) +- free(glyphs[i].glyph); ++ for (i = 0; i < nglyphs; i++) { ++ if (glyphs[i].glyph) { ++ --glyphs[i].glyph->refcnt; ++ if (!glyphs[i].found) ++ free(glyphs[i].glyph); ++ } ++ } + if (glyphsBase != glyphsLocal) + free(glyphsBase); + return err; +-- +2.43.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 2a698a7..832a9a3 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 28 +Release: 29 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org 
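Review bot: The new loop `AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id); FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);` at the bottom of ProcRenderAddGlyphs reads `refcnt` through a pointer that AddGlyph may already have freed: in this tree AddGlyph releases the glyph it was handed whenever an identical glyph is already present in the global hash (the `FreeGlyphPicture(glyph); dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);` lines that the later "Avoid possible double-free" backport removes), so FreeGlyph then touches freed memory, which is the heap-use-after-free the follow-up commit describes. That follow-up should be applied in the same release as this patch rather than one release later, since the intermediate package is exploitable by any client that adds duplicate glyphs. The diffstat in this backport header also lists `create mode 100644 render/glyphstr.h.orig`, which no hunk below creates; the patch was evidently generated from a tree with a leftover conflict file and that line should be dropped so the metadata matches the content. The `bail:` cleanup is the tail of ProcRenderAddGlyphs, whose beginning lies outside the hunk.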
@@ -119,6 +119,10 @@ Patch6033: backport-0001-CVE-2024-0229.patch Patch6034: backport-0002-CVE-2024-0229.patch Patch6035: backport-0003-CVE-2024-0229.patch Patch6036: fix-segfault-if-CreateGC-failed-in-XaceHook.patch +Patch6037: backport-CVE-2024-31080.patch +Patch6038: backport-CVE-2024-31081.patch +Patch6039: backport-CVE-2024-31082.patch +Patch6040: backport-CVE-2024-31083.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -460,6 +464,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Sun Apr 7 2024 yanglu -1.20.11-29 +- fix CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 + * Wed Feb 28 2024 zhangliangpengkun - 1.20.11-28 - fix changelog The CVE is should be CVE-2023-6816. -- Gitee From 888c7a3a08deeccc8e840080dd53d6fc0554ed3e Mon Sep 17 00:00:00 2001 From: yangl777 Date: Wed, 17 Apr 2024 06:13:32 +0000 Subject: [PATCH 06/11] fix regression caused by the fix for CVE-2024-31083 (cherry picked from commit 69b341c2690d1c4d09cd694606ac2186428eab8f) --- ...sible-double-free-in-ProcRenderAddGl.patch | 75 +++++++++++++++++++ xorg-x11-server.spec | 6 +- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch diff --git a/backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch b/backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch new file mode 100644 index 0000000..a7ec271 --- /dev/null +++ b/backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch 
@@ -0,0 +1,75 @@ +From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + +ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and +then frees it using FreeGlyph() to decrease the reference count, after +AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +Part-of: + +Conflict:NA +Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index 13991f8a12..5fa7f3b5b4 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 832a9a3..bc13aaa 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 29 +Release: 30 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -123,6 +123,7 @@ Patch6037: backport-CVE-2024-31080.patch Patch6038: backport-CVE-2024-31081.patch Patch6039: backport-CVE-2024-31082.patch Patch6040: backport-CVE-2024-31083.patch +Patch6041: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig 
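Review bot: The `Reference:` trailer in this backport header points at commit 6c684d035c06fd41c727f0ef0744517580864cef, which is the CVE-2024-31082 XQuartz fix, not the commit this patch actually carries (the `From 337d8d48b618d4fc0168a7b978be4c3447650b04` line at the top); it should read `Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc0168a7b978be4c3447650b04` so the provenance of a security backport can be audited. The code change itself matches the described fix: with the two free calls gone, a duplicate glyph handed to AddGlyph keeps the refcount ProcRenderAddGlyphs gave it and is released only by that caller's FreeGlyph. AddGlyph's body continues past the hunk.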
@@ -464,6 +465,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Wed Apr 17 2024 yanglu -1.20.11-30 +- fix regression caused by the fix for CVE-2024-31083 + * Sun Apr 7 2024 yanglu -1.20.11-29 - fix CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 -- Gitee From 6bf3748e77e6ab561ff3c1de1ebca1803addaacd Mon Sep 17 00:00:00 2001 From: yangl777 Date: Fri, 26 Apr 2024 08:13:30 +0000 Subject: [PATCH 07/11] backport some upstream patches --- ...-after-free-in-input-device-shutdown.patch | 81 +++++++++++++++++++ ...-copy-paste-error-in-the-DeviceState.patch | 36 +++++++++ xorg-x11-server.spec | 11 ++- 3 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 backport-dix-Fix-use-after-free-in-input-device-shutdown.patch create mode 100644 backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch diff --git a/backport-dix-Fix-use-after-free-in-input-device-shutdown.patch b/backport-dix-Fix-use-after-free-in-input-device-shutdown.patch new file mode 100644 index 0000000..7ba81b4 --- /dev/null +++ b/backport-dix-Fix-use-after-free-in-input-device-shutdown.patch 
@@ -0,0 +1,81 @@ +From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001 +From: Povilas Kanapickas +Date: Sun, 19 Dec 2021 18:11:07 +0200 +Subject: [PATCH] dix: Fix use after free in input device shutdown + +This fixes access to freed heap memory via dev->master. E.g. when +running BarrierNotify.ReceivesNotifyEvents/7 test from +xorg-integration-tests: + +==24736==ERROR: AddressSanitizer: heap-use-after-free on address +0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10 +READ of size 4 at 0x619000065020 thread T0 + #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722 + #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346 + #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525 +../../../Xi/xichangehierarchy.c:95 + #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #8 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d) + +0x619000065020 is located 160 bytes inside of 912-byte region +[0x619000064f80,0x619000065310) +freed by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) + #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014 + #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #6 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +previously allocated by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6) + #1 0x55c450e1c57b in 
AddInputDevice ../../../dix/devices.c:259 + #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755 + #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152 +../../../Xi/xichangehierarchy.c:465 + #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390 + #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551 + #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272 + #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +The problem is caused by dev->master being not reset when disabling the +device, which then causes dangling pointer when the master device itself +is being deleted when exiting whole server. + +Note that RecalculateMasterButtons() requires dev->master to be still +valid, so we can reset it only at the end of function. + +Signed-off-by: Povilas Kanapickas + +Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 +Conflict:NA + +--- + dix/devices.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dix/devices.c b/dix/devices.c +index e62c34c55e..5f9ce1678f 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + } + + RecalculateMasterButtons(dev); ++ dev->master = NULL; + + return TRUE; + } +-- +GitLab + diff --git a/backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch b/backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch new file mode 100644 index 0000000..61edc8e --- /dev/null +++ b/backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch 
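Review bot: The ASan trace quoted in this backport's description has lost frames: after `#2 in GetDeviceUse` the next line is the bare fragment `../../../Xi/xichangehierarchy.c:95`, then `#4 in RemoveDevice`, and frames #3, #5 and #10 are missing in the same way in the "freed by" and "previously allocated by" stacks, so the file documents a stack that cannot be followed. Restore those lines from the upstream commit the `Reference:` trailer points to, or trim the trace to the intact frames, since this text is what a future maintainer will read when deciding whether the fix is still needed. The one-line change `dev->master = NULL;` after `RecalculateMasterButtons(dev)` matches the upstream fix and the ordering constraint the description states. DisableDevice begins outside the hunk.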
@@ -0,0 +1,36 @@ +From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 22 Jan 2024 14:22:12 +1000 +Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify + event + +Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 + +Conflict:NA +Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/133e0d651c5d12bf01999d6289e84e224ba77adc +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 7b7ba1098b..c1e6ac600e 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->first_valuator = first; + switch (ev->num_valuators) { + case 6: +- ev->valuator2 = v->axisVal[first + 5]; ++ ev->valuator5 = v->axisVal[first + 5]; + case 5: +- ev->valuator2 = v->axisVal[first + 4]; ++ ev->valuator4 = v->axisVal[first + 4]; + case 4: +- ev->valuator2 = v->axisVal[first + 3]; ++ ev->valuator3 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index bc13aaa..d478be4 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 30 +Release: 31 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -124,6 +124,8 @@ Patch6038: backport-CVE-2024-31081.patch Patch6039: backport-CVE-2024-31082.patch Patch6040: backport-CVE-2024-31083.patch Patch6041: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch +Patch6042: backport-dix-Fix-use-after-free-in-input-device-shutdown.patch +Patch6043: backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig 
@@ -465,6 +467,13 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Fri Apr 26 2024 yanglu -1.20.11-31 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix regression caused by the fix for CVE-2024-0229 + fix use after free related to CVE-2024-21886 + * Wed Apr 17 2024 yanglu -1.20.11-30 - fix regression caused by the fix for CVE-2024-31083 -- Gitee From 1f6842e7d0ebde17487e022cf0b9f5bd090cd8cb Mon Sep 17 00:00:00 2001 From: cuiyudong Date: Fri, 9 Aug 2024 14:59:16 +0800 Subject: [PATCH 08/11] phytium: xfree86: Fixed display error for ps23xx when using ast and pe2201 bmc card (cherry picked from commit d33ef9e6e9f131869758d5a80803490ef3b101f8) --- ...Fixed-display-error-for-ps23xx-when-.patch | 195 ++++++++++++++++++ xorg-x11-server.spec | 9 +- 2 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch diff --git a/0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch b/0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch new file mode 100644 index 0000000..4ae04a3 --- /dev/null +++ b/0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch 
@@ -0,0 +1,195 @@ +From 5836cdc9865b480be90603e3e4f6b2d604952370 Mon Sep 17 00:00:00 2001 +From: Jiakun Shuai +Date: Mon, 20 May 2024 15:29:26 +0800 +Subject: [PATCH] phytium: xfree86: Fixed display error for ps23xx when using + ast and pe2201 bmc card + +bugzilla: https://gitee.com/openeuler/kernel/issues/I9NGXP + +Used in conjunction with issue number I9NGXP to fix display error +for ps23xx when using ast and pe2201 bmc card. + +Signed-off-by: Jiakun Shuai +--- + hw/xfree86/drivers/modesetting/driver.c | 158 +++++++++++++++++++++++- + 1 file changed, 157 insertions(+), 1 deletion(-) + +diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c +index ef4a314..f9555e4 100644 +--- a/hw/xfree86/drivers/modesetting/driver.c ++++ b/hw/xfree86/drivers/modesetting/driver.c +@@ -1143,6 +1143,162 @@ msUpdateIntersect(modesettingPtr ms, shadowBufPtr pBuf, BoxPtr box, + return dirty; + } + ++static void align_memcpy(void *dest, void *source, size_t size) ++{ ++ char *dst1, *dst2, *p, *src, *dst; ++ ++ src = (char *)source; ++ dst = (char *)dest; ++ ++ dst1 = (char *)(((unsigned long)dst + 0xf) & ~0xf); ++ dst2 = (char *)(((unsigned long)dst + size) & ~0xf); ++ p = dst; ++ ++ while((p< dst1) && size){ ++ *p++ = *src++; ++ size--; ++ }; ++ ++ memcpy(dst1, (char *)src, (size & (~0xf))); ++ ++ src += (size & (~0xf)); ++ size = (size & 0xf); ++ ++ p = dst2; ++ while(size--){ ++ *p++ = *src++; ++ }; ++} ++ ++#define AST_BMC_VENDOR_ID 0x1a03 ++#define FT_BMC_VENDOR_ID 0x1db7 ++#define FT_BMC_DEVICE_ID 0xdc3e ++#define DRM_AST_VRAM_TYPE_DEVICE 0x0 ++#define DRM_IOCTL_AST_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_AST_VRAM_TYPE_DEVICE) ++#define DRM_PHYTIUM_VRAM_TYPE_DEVICE 0x0 ++#define DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_PHYTIUM_VRAM_TYPE_DEVICE) ++ ++static Bool device_is_ast_bmc(struct pci_device *pci) ++{ ++ if (pci->vendor_id == AST_BMC_VENDOR_ID) { ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ ++static 
Bool device_is_ft_bmc(struct pci_device *pci) ++{ ++ if (pci->vendor_id == FT_BMC_VENDOR_ID && pci->device_id == FT_BMC_DEVICE_ID) { ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ ++static void ++msshadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) ++{ ++ RegionPtr damage = DamageRegion(pBuf->pDamage); ++ PixmapPtr pShadow = pBuf->pPixmap; ++ int nbox = RegionNumRects(damage); ++ BoxPtr pbox = RegionRects(damage); ++ FbBits *shaBase, *shaLine, *sha; ++ FbStride shaStride; ++ int scrBase, scrLine, scr; ++ int shaBpp; ++ _X_UNUSED int shaXoff, shaYoff; ++ int x, y, w, h, width; ++ int i; ++ FbBits *winBase = NULL, *win; ++ CARD32 winSize; ++ static Bool firstQuery = TRUE; ++ static Bool forceAlign = FALSE; ++ Bool isAstBMC = FALSE; ++ Bool isFtBMC = FALSE; ++ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen); ++ modesettingPtr ms = modesettingPTR(pScrn); ++ struct pci_device *pci = NULL; ++ ++ if (BUS_PLATFORM == ms->pEnt->location.type) { ++ pci = ms->pEnt->location.id.plat->pdev; ++ } else if (BUS_PCI == ms->pEnt->location.type) { ++ pci = ms->pEnt->location.id.pci; ++ } ++ ++ if (pci && device_is_ast_bmc(pci)) { ++ isAstBMC = TRUE; ++ if (firstQuery) { ++ if (1 == drmIoctl(ms->fd, DRM_IOCTL_AST_VRAM_TYPE_DEVICE, NULL)) { ++ forceAlign = TRUE; ++ } ++ firstQuery = FALSE; ++ } ++ } else if (pci && device_is_ft_bmc(pci)) { ++ isFtBMC = TRUE; ++ if (firstQuery) { ++ if (1 == drmIoctl(ms->fd, DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE, NULL)) { ++ forceAlign = TRUE; ++ } ++ firstQuery = FALSE; ++ } ++ } ++ ++ fbGetDrawable(&pShadow->drawable, shaBase, shaStride, shaBpp, shaXoff, ++ shaYoff); ++ while (nbox--) { ++ x = pbox->x1 * shaBpp; ++ y = pbox->y1; ++ w = (pbox->x2 - pbox->x1) * shaBpp; ++ h = pbox->y2 - pbox->y1; ++ ++ scrLine = (x >> FB_SHIFT); ++ shaLine = shaBase + y * shaStride + (x >> FB_SHIFT); ++ ++ x &= FB_MASK; ++ w = (w + x + FB_MASK) >> FB_SHIFT; ++ ++ while (h--) { ++ winSize = 0; ++ scrBase = 0; ++ width = w; ++ scr = scrLine; ++ sha = shaLine; ++ while 
(width) { ++ /* how much remains in this window */ ++ i = scrBase + winSize - scr; ++ if (i <= 0 || scr < scrBase) { ++ winBase = (FbBits *) (*pBuf->window) (pScreen, ++ y, ++ scr * sizeof(FbBits), ++ SHADOW_WINDOW_WRITE, ++ &winSize, ++ pBuf->closure); ++ if (!winBase) ++ return; ++ scrBase = scr; ++ winSize /= sizeof(FbBits); ++ i = winSize; ++ } ++ win = winBase + (scr - scrBase); ++ if (i > width) ++ i = width; ++ width -= i; ++ scr += i; ++ if ((isFtBMC || isAstBMC) && forceAlign) { ++ align_memcpy(win, sha, i * sizeof(FbBits)); ++ } else { ++ memcpy(win, sha, i * sizeof(FbBits)); ++ } ++ sha += i; ++ } ++ shaLine += shaStride; ++ y++; ++ } ++ pbox++; ++ } ++} ++ + static void + msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) + { +@@ -1193,7 +1349,7 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) + if (use_3224) + shadowUpdate32to24(pScreen, pBuf); + else +- shadowUpdatePacked(pScreen, pBuf); ++ msshadowUpdatePacked(pScreen, pBuf); + } + + static Bool +-- +2.37.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index d478be4..97b7d49 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 31 +Release: 32 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -79,6 +79,7 @@ Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch Patch0100: 0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch Patch0101: 0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch +Patch0102: 0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch Patch0029: xorg-s11-server-CVE-2018-20839.patch Patch6000: backport-CVE-2021-4008.patch 
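Review bot: `msshadowUpdatePacked` keeps `firstQuery` and `forceAlign` as function-scope `static` variables, so the first screen that reaches this function fixes the copy strategy for every screen in the server process; a machine with an AST/Phytium BMC head plus another modesetting device would apply the first screen's answer to the second, and the `ms->pEnt->location` lookup and PCI vendor/device compare are repeated on every damage flush although nothing there changes after initialisation. Do the detection once in the driver's PreInit or ScreenInit, store the result in `modesettingRec` (e.g. `ms->force_aligned_copy`), and reduce this function to `if (ms->force_aligned_copy) align_memcpy(win, sha, i * sizeof(FbBits)); else memcpy(win, sha, i * sizeof(FbBits));`, which also removes the `isAstBMC`/`isFtBMC` locals. Two smaller points: `DRM_IOCTL_AST_VRAM_TYPE_DEVICE` and `DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE` expand to the same number (`DRM_COMMAND_BASE + 0`) and the `== 1` test presumes a vendor kernel returns 1 from it, so a comment should name the kernel driver that defines the ioctl (on a kernel without it drmIoctl returns -1 and the plain memcpy path is taken silently); and `align_memcpy` should compute its alignment with `uintptr_t` instead of `unsigned long`. The rest of the function appears to be a copy of miext/shadow's shadowUpdatePacked with only the copy call changed, which is worth stating in a comment so the two are kept in sync.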
@@ -467,6 +468,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Thu May 30 2024 shuaijiakun -1.20.11-32 +- Type:feature +- CVE:NA +- SUG:NA +- DESC:fix display error for ps23xx when using ast and pe2201 bmc card. + * Fri Apr 26 2024 yanglu -1.20.11-31 - Type:bugfix - CVE:NA -- Gitee From 32b0b29d546be34d8d71656ba656a303cd1153d0 Mon Sep 17 00:00:00 2001 From: lingsheng <860373352@qq.com> Date: Fri, 25 Oct 2024 02:50:03 +0000 Subject: [PATCH 09/11] fix x86_64 build Macro %delete_la was defined to %nil in openEuler-rpm-config-31-1, .la files are deleted automatically during %install stage. So, remove %delete_la in spec now. --- xorg-x11-server.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 97b7d49..91dbe54 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 32 +Release: 33 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -377,12 +377,9 @@ find . -type f | egrep '.*\.(c|h|am|ac|inc|m4|h.in|pc.in|man.pre|pl|txt)$' | xargs tar cf - | (cd %{inst_srcdir} && tar xf -) find %{inst_srcdir}/hw/xfree86 -name \*.c -delete -{ -%delete_la %ifnarch %{ix86} x86_64 sw_64 rm -f %{buildroot}/%{_libdir}/xorg/modules/lib{int10,vbe}.so %endif -} %files common %doc COPYING @@ -468,6 +465,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Fri Oct 25 2024 lingsheng - 1.20.11-33 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix x86_64 build + * Thu May 30 2024 shuaijiakun -1.20.11-32 - Type:feature - CVE:NA -- Gitee From 7c2518f0e261bbe1fe06b50c66ae6145031276c0 Mon Sep 17 00:00:00 2001 
From: lingsheng <860373352@qq.com> Date: Fri, 25 Oct 2024 06:57:34 +0000 Subject: [PATCH 10/11] fix CVE-2023-5574 --- backport-0001-CVE-2023-5574.patch | 109 ++++++++++++++++++++++++++++++ backport-0002-CVE-2023-5574.patch | 39 +++++++++++ backport-0003-CVE-2023-5574.patch | 50 ++++++++++++++ xorg-x11-server.spec | 11 ++- 4 files changed, 208 insertions(+), 1 deletion(-) create mode 100644 backport-0001-CVE-2023-5574.patch create mode 100644 backport-0002-CVE-2023-5574.patch create mode 100644 backport-0003-CVE-2023-5574.patch diff --git a/backport-0001-CVE-2023-5574.patch b/backport-0001-CVE-2023-5574.patch new file mode 100644 index 0000000..a3631c4 --- /dev/null +++ b/backport-0001-CVE-2023-5574.patch 
@@ -0,0 +1,109 @@ +From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 12 Oct 2023 12:44:13 +1000 +Subject: [PATCH] fb: properly wrap/unwrap CloseScreen + +fbCloseScreen assumes that it overrides miCloseScreen (which just +calls FreePixmap(screen->devPrivates)) and emulates that instead of +wrapping it. + +This is a wrong assumption, we may have ShmCloseScreen in the mix too, +resulting in leaks (see below). Fix this by properly setting up the +CloseScreen wrapper. + +This means we no longer need the manual DestroyPixmap call in +vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303 + +CVE-2023-5574, ZDI-CAN-21213 + +This vulnerability was discovered by: +Sri working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +Reviewed-by: Adam Jackson +--- + fb/fb.h | 1 + + fb/fbscreen.c | 14 ++++++++++---- + hw/vfb/InitOutput.c | 7 ------- + 3 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/fb/fb.h b/fb/fb.h +index d157b6956d..cd7bd05d21 100644 +--- a/fb/fb.h ++++ b/fb/fb.h +@@ -410,6 +410,7 @@ typedef struct { + #endif + DevPrivateKeyRec gcPrivateKeyRec; + DevPrivateKeyRec winPrivateKeyRec; ++ CloseScreenProcPtr CloseScreen; + } FbScreenPrivRec, *FbScreenPrivPtr; + + #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \ +diff --git a/fb/fbscreen.c b/fb/fbscreen.c +index 4ab807ab50..c481033f98 100644 +--- a/fb/fbscreen.c ++++ b/fb/fbscreen.c +@@ -29,6 +29,7 @@ + Bool + fbCloseScreen(ScreenPtr pScreen) + { ++ FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen); + int d; + DepthPtr depths = pScreen->allowedDepths; + +@@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen) + free(depths[d].vids); + free(depths); + free(pScreen->visuals); +- if (pScreen->devPrivate) +- FreePixmap((PixmapPtr)pScreen->devPrivate); +- return TRUE; ++ ++ pScreen->CloseScreen = screen_priv->CloseScreen; ++ ++ return pScreen->CloseScreen(pScreen); + } + + Bool +@@ -144,6 +146,7 @@ 
fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize, + int dpix, int dpiy, int width, int bpp) + #endif + { ++ FbScreenPrivPtr screen_priv; + VisualPtr visuals; + DepthPtr depths; + int nvisuals; +@@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize, + rootdepth, ndepths, depths, + defaultVisual, nvisuals, visuals)) + return FALSE; +- /* overwrite miCloseScreen with our own */ ++ ++ screen_priv = fbGetScreenPrivate(pScreen); ++ screen_priv->CloseScreen = pScreen->CloseScreen; + pScreen->CloseScreen = fbCloseScreen; ++ + return TRUE; + } + +diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c +index 48efb61b2f..076fb7defa 100644 +--- a/hw/vfb/InitOutput.c ++++ b/hw/vfb/InitOutput.c +@@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen) + + pScreen->CloseScreen = pvfb->closeScreen; + +- /* +- * fb overwrites miCloseScreen, so do this here +- */ +- if (pScreen->devPrivate) +- (*pScreen->DestroyPixmap) (pScreen->devPrivate); +- pScreen->devPrivate = NULL; +- + return pScreen->CloseScreen(pScreen); + } + +-- +GitLab + diff --git a/backport-0002-CVE-2023-5574.patch b/backport-0002-CVE-2023-5574.patch new file mode 100644 index 0000000..50ed818 --- /dev/null +++ b/backport-0002-CVE-2023-5574.patch 
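Review bot: The unwrap in fbCloseScreen, `pScreen->CloseScreen = screen_priv->CloseScreen; return pScreen->CloseScreen(pScreen);`, calls whatever fbFinishScreenInit saved without a NULL check, so this backport is only safe together with backport-0003-CVE-2023-5574.patch, which installs DefaultCloseScreen as the guaranteed bottom of the chain; the spec's Patch6044–Patch6046 hunk applies them in the right order, but that dependency is recorded nowhere and a spec comment such as `# 0001 relies on 0003 (DefaultCloseScreen) for a non-NULL CloseScreen chain` would make it explicit. Unlike backport-CVE-2024-9632.patch, neither this file nor 0002/0003 carries an `origin:` line naming the upstream commit, and 0002 ends with a local `2.27.0` trailer rather than a GitLab export, which suggests it was regenerated locally; an `origin:` line under the Subject built from the hash in each From line (for this file, `origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f`) would make provenance auditable. The embedded fbscreen.c index lines are upstream-master revisions, so whether the hunks apply cleanly to the 1.20.11 tree cannot be judged from this patch alone.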
@@ -0,0 +1,39 @@ +From b6fe3f924aecac6d6e311673511ce61aa2f7a81f Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 12 Oct 2023 12:42:06 +1000 +Subject: [PATCH] mi: fix CloseScreen initialization order + +If SHM is enabled it will set the CloseScreen pointer, only to be +overridden by the hardcoded miCloseScreen pointer. Do this the other way +round, miCloseScreen is the bottom of our stack. + +Direct leak of 48 byte(s) in 2 object(s) allocated from: + #0 0x7f5ea3ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: d8f3addefe29e892d775c30eb364afd3c2484ca5)) + #1 0x70adfb in ShmInitScreenPriv ../Xext/shm.c:213 + +Signed-off-by: Peter Hutterer +Reviewed-by: Adam Jackson + +--- + mi/miscrinit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mi/miscrinit.c b/mi/miscrinit.c +index 264622d..907e46a 100644 +--- a/mi/miscrinit.c ++++ b/mi/miscrinit.c +@@ -242,10 +242,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits, /* pointer to screen bits */ + pScreen->numVisuals = numVisuals; + pScreen->visuals = visuals; + if (width) { ++ pScreen->CloseScreen = miCloseScreen; + #ifdef MITSHM + ShmRegisterFbFuncs(pScreen); + #endif +- pScreen->CloseScreen = miCloseScreen; + } + /* else CloseScreen */ + /* QueryBestSize, SaveScreen, GetImage, GetSpans */ +-- +2.27.0 + diff --git a/backport-0003-CVE-2023-5574.patch b/backport-0003-CVE-2023-5574.patch new file mode 100644 index 0000000..5b2fa9a --- /dev/null +++ b/backport-0003-CVE-2023-5574.patch 
@@ -0,0 +1,50 @@ +From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 24 Oct 2023 12:09:36 +1000 +Subject: [PATCH] dix: always initialize pScreen->CloseScreen + +CloseScreen is wrapped by the various modules, many of which do not +check if they're the last ones unwrapping. This is fine if the order of +those modules never changes but when it does we might get a NULL-pointer +dereference by some naive code doing a + + pScreen->CloseScreen = priv->CloseScreen; + free(priv); + return (*pScreen->CloseScreen)(pScreen); + +To avoid this set it to a default function that just returns TRUE that's +guaranteed to be the last one. +--- + dix/dispatch.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index eaac39b7c9..cd092fd409 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = { + 3 /* 64 bits per scanline pad unit */ + }; + ++static Bool ++DefaultCloseScreen(ScreenPtr screen) ++{ ++ return TRUE; ++} ++ + /* + grow the array of screenRecs if necessary. + call the device-supplied initialization procedure +@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu) + PixmapWidthPaddingInfo[depth].notPower2 = 0; + } + } ++ ++ pScreen->CloseScreen = DefaultCloseScreen; ++ + return 0; + } + +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 91dbe54..107dd07 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 33 +Release: 34 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org 
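Review bot: DefaultCloseScreen is added without any comment stating why a no-op that returns TRUE must sit at the bottom of the CloseScreen chain, which is exactly the invariant the other backports rely on; a short header such as `/* Bottom of the CloseScreen wrapping chain: wrappers may unconditionally chain to it, so it must never be NULL. */` above the definition would carry that intent into the 1.20.11 tree. Since the assignment `pScreen->CloseScreen = DefaultCloseScreen;` is made at the end of init_screen, presumably before the driver's screen init runs and miScreenInit overrides it for width != 0, it only remains in effect for screens that skip that path; that ordering is inferred, as the rest of init_screen and its caller lie outside the hunk.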
@@ -127,6 +127,9 @@ Patch6040: backport-CVE-2024-31083.patch Patch6041: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch Patch6042: backport-dix-Fix-use-after-free-in-input-device-shutdown.patch Patch6043: backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch +Patch6044: backport-0001-CVE-2023-5574.patch +Patch6045: backport-0002-CVE-2023-5574.patch +Patch6046: backport-0003-CVE-2023-5574.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -465,6 +468,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Fri Oct 25 2024 lingsheng - 1.20.11-34 +- Type:CVE +- CVE:CVE-2023-5574 +- SUG:NA +- DESC:fix CVE-2023-5574 + * Fri Oct 25 2024 lingsheng - 1.20.11-33 - Type:bugfix - CVE:NA -- Gitee From 860e359a5472fd984fb7d8a67307503fe6f07940 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Mon, 4 Nov 2024 14:47:27 +0800 Subject: [PATCH 11/11] Fix CVE-2024-9632 --- backport-CVE-2024-9632.patch | 57 ++++++++++++++++++++++++++++++++++++ xorg-x11-server.spec | 6 +++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-9632.patch diff --git a/backport-CVE-2024-9632.patch b/backport-CVE-2024-9632.patch new file mode 100644 index 0000000..f47803f --- /dev/null +++ b/backport-CVE-2024-9632.patch 
@@ -0,0 +1,57 @@ +From 85b776571487f52e756f68a069c768757369bfe3 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/85b776571487f52e756f68a069c768757369bfe3 + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +Part-of: +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 868d7c1e64..aaf9716b36 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 107dd07..a0d251b 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec 
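Review bot: After this change a request whose `firstSI + nSI` fits within `compat->size_si` but exceeds `compat->num_si` no longer raises `num_si`, because only the reallocation branch updates it; presumably the copy loop below the hunk then writes interpretations into allocated slots that the map does not count as in use. Consider adding `else if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) compat->num_si = req->firstSI + req->nSI;` after the existing block, which keeps the memory-safety fix intact while preserving the pre-patch growth of `num_si`. The rest of _XkbSetCompatMap lies outside the hunk, so this should be checked against that write loop and against how `num_si` and `size_si` are initialised when the compat map is first allocated.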
@@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 34 +Release: 35 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -130,6 +130,7 @@ Patch6043: backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch Patch6044: backport-0001-CVE-2023-5574.patch Patch6045: backport-0002-CVE-2023-5574.patch Patch6046: backport-0003-CVE-2023-5574.patch +Patch6047: backport-CVE-2024-9632.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -468,6 +469,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Mon Nov 04 2024 wangkai <13474090681@163.com> - 1.20.11-35 +- Fix CVE-2024-9632 + * Fri Oct 25 2024 lingsheng - 1.20.11-34 - Type:CVE - CVE:CVE-2023-5574 -- Gitee