Sure Ross. Thanks & Regards, Vijay
On Mon, Nov 6, 2023 at 4:08 PM Ross Burton <ross.bur...@arm.com> wrote: > It would be much appreciated if you could submit to master first and then > backport to the stable releases, as it makes tracking what releases have > been fixed a lot easier. > > Ross > > > On 6 Nov 2023, at 05:47, Vijay Anusuri via lists.openembedded.org > <vanusuri=mvista....@lists.openembedded.org> wrote: > > > > From: Vijay Anusuri <vanus...@mvista.com> > > > > Upstream-Status: Backport > > [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a > > & > > > https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7 > > & > > > https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f > > & > > > https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f > > & > > > https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586 > ] > > > > Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > > --- > > .../xserver-xorg/CVE-2023-5367.patch | 84 +++++++++++++ > > .../xserver-xorg/CVE-2023-5380.patch | 102 ++++++++++++++++ > > .../xserver-xorg/CVE-2023-5574-1.patch | 113 ++++++++++++++++++ > > .../xserver-xorg/CVE-2023-5574-2.patch | 42 +++++++ > > .../xserver-xorg/CVE-2023-5574-3.patch | 54 +++++++++ > > .../xorg-xserver/xserver-xorg_1.20.14.bb | 5 + > > 6 files changed, 400 insertions(+) > > create mode 100644 > meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch > > create mode 100644 > meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch > > create mode 100644 > meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch > > create mode 100644 > meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch > > create mode 100644 > meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch > > > > diff --git > a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch > > new file mode 100644 > > index 0000000000..508588481e > > --- /dev/null > > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch > > @@ -0,0 +1,84 @@ > > +From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 > > +From: Peter Hutterer <peter.hutte...@who-t.net> > > +Date: Tue, 3 Oct 2023 11:53:05 +1000 > > +Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend > > + > > +The handling of appending/prepending properties was incorrect, with at > > +least two bugs: the property length was set to the length of the new > > +part only, i.e. appending or prepending N elements to a property with P > > +existing elements always resulted in the property having N elements > > +instead of N + P. > > + > > +Second, when pre-pending a value to a property, the offset for the old > > +values was incorrect, leaving the new property with potentially > > +uninitalized values and/or resulting in OOB memory writes. > > +For example, prepending a 3 element value to a 5 element property would > > +result in this 8 value array: > > + [N, N, N, ?, ?, P, P, P ] P, P > > + ^OOB write > > + > > +The XI2 code is a copy/paste of the RandR code, so the bug exists in > > +both. > > + > > +CVE-2023-5367, ZDI-CAN-22153 > > + > > +This vulnerability was discovered by: > > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative > > + > > +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> > > + > > +Upstream-Status: Backport [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a > ] > > +CVE: CVE-2023-5367 > > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > > +--- > > + Xi/xiproperty.c | 4 ++-- > > + randr/rrproperty.c | 4 ++-- > > + 2 files changed, 4 insertions(+), 4 deletions(-) > > + > > +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c > > +index 066ba21fba..d315f04d0e 100644 > > +--- a/Xi/xiproperty.c > > ++++ b/Xi/xiproperty.c > > +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom > property, Atom type, > > + XIDestroyDeviceProperty(prop); > > + return BadAlloc; > > + } > > +- new_value.size = len; > > ++ new_value.size = total_len; > > + new_value.type = type; > > + new_value.format = format; > > + > > +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom > property, Atom type, > > + case PropModePrepend: > > + new_data = new_value.data; > > + old_data = (void *) (((char *) new_value.data) + > > +- (prop_value->size * size_in_bytes)); > > ++ (len * size_in_bytes)); > > + break; > > + } > > + if (new_data) > > +diff --git a/randr/rrproperty.c b/randr/rrproperty.c > > +index c2fb9585c6..25469f57b2 100644 > > +--- a/randr/rrproperty.c > > ++++ b/randr/rrproperty.c > > +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom > property, Atom type, > > + RRDestroyOutputProperty(prop); > > + return BadAlloc; > > + } > > +- new_value.size = len; > > ++ new_value.size = total_len; > > + new_value.type = type; > > + new_value.format = format; > > + > > +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom > property, Atom type, > > + case PropModePrepend: > > + new_data = new_value.data; > > + old_data = (void *) (((char *) new_value.data) + > > +- (prop_value->size * size_in_bytes)); > > ++ (len * size_in_bytes)); > > + break; > > + } > > + if (new_data) > > +-- > > +GitLab > > + > > diff --git > a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch > > new file mode 100644 > > index 0000000000..720340d83b > > --- /dev/null > > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch > > @@ -0,0 +1,102 @@ > > +From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 > > +From: Peter Hutterer <peter.hutte...@who-t.net> > > +Date: Thu, 5 Oct 2023 12:19:45 +1000 > > +Subject: [PATCH] mi: reset the PointerWindows reference on screen switch > > + > > +PointerWindows[] keeps a reference to the last window our sprite > > +entered - changes are usually handled by CheckMotion(). > > + > > +If we switch between screens via XWarpPointer our > > +dev->spriteInfo->sprite->win is set to the new screen's root window. > > +If there's another window at the cursor location CheckMotion() will > > +trigger the right enter/leave events later. If there is not, it skips > > +that process and we never trigger LeaveWindow() - PointerWindows[] for > > +the device still refers to the previous window. > > + > > +If that window is destroyed we have a dangling reference that will > > +eventually cause a use-after-free bug when checking the window hierarchy > > +later. > > + > > +To trigger this, we require: > > +- two protocol screens > > +- XWarpPointer to the other screen's root window > > +- XDestroyWindow before entering any other window > > + > > +This is a niche bug so we hack around it by making sure we reset the > > +PointerWindows[] entry so we cannot have a dangling pointer. This > > +doesn't handle Enter/Leave events correctly but the previous code didn't > > +either. > > + > > +CVE-2023-5380, ZDI-CAN-21608 > > + > > +This vulnerability was discovered by: > > +Sri working with Trend Micro Zero Day Initiative > > + > > +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> > > +Reviewed-by: Adam Jackson <a...@redhat.com> > > + > > +Upstream-Status: Backport [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7 > ] > > +CVE: CVE-2023-5380 > > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > > +--- > > + dix/enterleave.h | 2 -- > > + include/eventstr.h | 3 +++ > > + mi/mipointer.c | 17 +++++++++++++++-- > > + 3 files changed, 18 insertions(+), 4 deletions(-) > > + > > +diff --git a/dix/enterleave.h b/dix/enterleave.h > > +index 4b833d8..e8af924 100644 > > +--- a/dix/enterleave.h > > ++++ b/dix/enterleave.h > > +@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, > > + > > + extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); > > + > > +-extern void LeaveWindow(DeviceIntPtr dev); > > +- > > + extern void CoreFocusEvent(DeviceIntPtr kbd, > > + int type, int mode, int detail, WindowPtr > pWin); > > + > > +diff --git a/include/eventstr.h b/include/eventstr.h > > +index bf3b95f..2bae3b0 100644 > > +--- a/include/eventstr.h > > ++++ b/include/eventstr.h > > +@@ -296,4 +296,7 @@ union _InternalEvent { > > + #endif > > + }; > > + > > ++extern void > > ++LeaveWindow(DeviceIntPtr dev); > > ++ > > + #endif > > +diff --git a/mi/mipointer.c b/mi/mipointer.c > > +index 75be1ae..b12ae9b 100644 > > +--- a/mi/mipointer.c > > ++++ b/mi/mipointer.c > > +@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr > pScreen, int x, int y) > > + #ifdef PANORAMIX > > + && noPanoramiXExtension > > + #endif > > +- ) > > +- UpdateSpriteForScreen(pDev, pScreen); > > ++ ) { > > ++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); > > ++ /* Hack for CVE-2023-5380: if we're moving > > ++ * screens PointerWindows[] keeps referring to the > > ++ * old window. If that gets destroyed we have a UAF > > ++ * bug later. Only happens when jumping from a window > > ++ * to the root window on the other screen. > > ++ * Enter/Leave events are incorrect for that case but > > ++ * too niche to fix. > > ++ */ > > ++ LeaveWindow(pDev); > > ++ if (master) > > ++ LeaveWindow(master); > > ++ UpdateSpriteForScreen(pDev, pScreen); > > ++ } > > + } > > + > > + /** > > +-- > > +2.25.1 > > + > > diff --git > a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch > > new file mode 100644 > > index 0000000000..9a8e583e78 > > --- /dev/null > > +++ > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch > > @@ -0,0 +1,113 @@ > > +From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001 > > +From: Peter Hutterer <peter.hutte...@who-t.net> > > +Date: Thu, 12 Oct 2023 12:44:13 +1000 > > +Subject: [PATCH] fb: properly wrap/unwrap CloseScreen > > + > > +fbCloseScreen assumes that it overrides miCloseScreen (which just > > +calls FreePixmap(screen->devPrivates)) and emulates that instead of > > +wrapping it. > > + > > +This is a wrong assumption, we may have ShmCloseScreen in the mix too, > > +resulting in leaks (see below). Fix this by properly setting up the > > +CloseScreen wrapper. > > + > > +This means we no longer need the manual DestroyPixmap call in > > +vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303 > > + > > +CVE-2023-5574, ZDI-CAN-21213 > > + > > +This vulnerability was discovered by: > > +Sri working with Trend Micro Zero Day Initiative > > + > > +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> > > +Reviewed-by: Adam Jackson <a...@redhat.com> > > + > > +Upstream-Status: Backport [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f > ] > > +CVE: CVE-2023-5574 > > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > > +--- > > + fb/fb.h | 1 + > > + fb/fbscreen.c | 14 ++++++++++---- > > + hw/vfb/InitOutput.c | 7 ------- > > + 3 files changed, 11 insertions(+), 11 deletions(-) > > + > > +diff --git a/fb/fb.h b/fb/fb.h > > +index d157b6956d..cd7bd05d21 100644 > > +--- a/fb/fb.h > > ++++ b/fb/fb.h > > +@@ -410,6 +410,7 @@ typedef struct { > > + #endif > > + DevPrivateKeyRec gcPrivateKeyRec; > > + DevPrivateKeyRec winPrivateKeyRec; > > ++ CloseScreenProcPtr CloseScreen; > > + } FbScreenPrivRec, *FbScreenPrivPtr; > > + > > + #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \ > > +diff --git a/fb/fbscreen.c b/fb/fbscreen.c > > +index 4ab807ab50..c481033f98 100644 > > +--- a/fb/fbscreen.c > > ++++ b/fb/fbscreen.c > > +@@ -29,6 +29,7 @@ > > + Bool > > + fbCloseScreen(ScreenPtr pScreen) > > + { > > ++ FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen); > > + int d; > > + DepthPtr depths = pScreen->allowedDepths; > > + > > +@@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen) > > + free(depths[d].vids); > > + free(depths); > > + free(pScreen->visuals); > > +- if (pScreen->devPrivate) > > +- FreePixmap((PixmapPtr)pScreen->devPrivate); > > +- return TRUE; > > ++ > > ++ pScreen->CloseScreen = screen_priv->CloseScreen; > > ++ > > ++ return pScreen->CloseScreen(pScreen); > > + } > > + > > + Bool > > +@@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, > int xsize, int ysize, > > + int dpix, int dpiy, int width, int bpp) > > + #endif > > + { > > ++ FbScreenPrivPtr screen_priv; > > + VisualPtr visuals; > > + DepthPtr depths; > > + int nvisuals; > > +@@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, > int xsize, int ysize, > > + rootdepth, ndepths, depths, > > + defaultVisual, nvisuals, visuals)) > > + return FALSE; > > +- /* overwrite miCloseScreen with our own */ > > ++ > > ++ screen_priv = fbGetScreenPrivate(pScreen); > > ++ screen_priv->CloseScreen = pScreen->CloseScreen; > > + pScreen->CloseScreen = fbCloseScreen; > > ++ > > + return TRUE; > > + } > > + > > +diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c > > +index 48efb61b2f..076fb7defa 100644 > > +--- a/hw/vfb/InitOutput.c > > ++++ b/hw/vfb/InitOutput.c > > +@@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen) > > + > > + pScreen->CloseScreen = pvfb->closeScreen; > > + > > +- /* > > +- * fb overwrites miCloseScreen, so do this here > > +- */ > > +- if (pScreen->devPrivate) > > +- (*pScreen->DestroyPixmap) (pScreen->devPrivate); > > +- pScreen->devPrivate = NULL; > > +- > > + return pScreen->CloseScreen(pScreen); > > + } > > + > > +-- > > +GitLab > > + > > diff --git > a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch > > new file mode 100644 > > index 0000000000..4204be9bdd > > --- /dev/null > > +++ > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch > > @@ -0,0 +1,42 @@ > > +From b6fe3f924aecac6d6e311673511ce61aa2f7a81f Mon Sep 17 00:00:00 2001 > > +From: Peter Hutterer <peter.hutte...@who-t.net> > > +Date: Thu, 12 Oct 2023 12:42:06 +1000 > > +Subject: [PATCH] mi: fix CloseScreen initialization order > > + > > +If SHM is enabled it will set the CloseScreen pointer, only to be > > +overridden by the hardcoded miCloseScreen pointer. Do this the other way > > +round, miCloseScreen is the bottom of our stack. > > + > > +Direct leak of 48 byte(s) in 2 object(s) allocated from: > > + #0 0x7f5ea3ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: > d8f3addefe29e892d775c30eb364afd3c2484ca5)) > > + #1 0x70adfb in ShmInitScreenPriv ../Xext/shm.c:213 > > + > > +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> > > +Reviewed-by: Adam Jackson <a...@redhat.com> > > + > > +Upstream-Status: Backport [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f > ] > > +CVE: CVE-2023-5574 > > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > > +--- > > + mi/miscrinit.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/mi/miscrinit.c b/mi/miscrinit.c > > +index 264622d..907e46a 100644 > > +--- a/mi/miscrinit.c > > ++++ b/mi/miscrinit.c > > +@@ -242,10 +242,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits, /* > pointer to screen bits */ > > + pScreen->numVisuals = numVisuals; > > + pScreen->visuals = visuals; > > + if (width) { > > ++ pScreen->CloseScreen = miCloseScreen; > > + #ifdef MITSHM > > + ShmRegisterFbFuncs(pScreen); > > + #endif > > +- pScreen->CloseScreen = miCloseScreen; > > + } > > + /* else CloseScreen */ > > + /* QueryBestSize, SaveScreen, GetImage, GetSpans */ > > +-- > > +2.25.1 > > + > > diff --git > a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch > > new file mode 100644 > > index 0000000000..47c247ef0c > > --- /dev/null > > +++ > b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch > > @@ -0,0 +1,54 @@ > > +From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001 > > +From: Peter Hutterer <peter.hutte...@who-t.net> > > +Date: Tue, 24 Oct 2023 12:09:36 +1000 > > +Subject: [PATCH] dix: always initialize pScreen->CloseScreen > > + > > +CloseScreen is wrapped by the various modules, many of which do not > > +check if they're the last ones unwrapping. This is fine if the order of > > +those modules never changes but when it does we might get a NULL-pointer > > +dereference by some naive code doing a > > + > > + pScreen->CloseScreen = priv->CloseScreen; > > + free(priv); > > + return (*pScreen->CloseScreen)(pScreen); > > + > > +To avoid this set it to a default function that just returns TRUE that's > > +guaranteed to be the last one. > > + > > +Upstream-Status: Backport [ > https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586 > ] > > +CVE: CVE-2023-5574 > > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > > +--- > > + dix/dispatch.c | 9 +++++++++ > > + 1 file changed, 9 insertions(+) > > + > > +diff --git a/dix/dispatch.c b/dix/dispatch.c > > +index eaac39b7c9..cd092fd409 100644 > > +--- a/dix/dispatch.c > > ++++ b/dix/dispatch.c > > +@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = { > > + 3 /* 64 bits per scanline pad unit */ > > + }; > > + > > ++static Bool > > ++DefaultCloseScreen(ScreenPtr screen) > > ++{ > > ++ return TRUE; > > ++} > > ++ > > + /* > > + grow the array of screenRecs if necessary. > > + call the device-supplied initialization procedure > > +@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, > Bool gpu) > > + PixmapWidthPaddingInfo[depth].notPower2 = 0; > > + } > > + } > > ++ > > ++ pScreen->CloseScreen = DefaultCloseScreen; > > ++ > > + return 0; > > + } > > + > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > > index 5c604fa86e..deb5526902 100644 > > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb > > @@ -16,6 +16,11 @@ SRC_URI += > "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat > > file://CVE-2022-46344.patch \ > > file://CVE-2023-0494.patch \ > > file://CVE-2023-1393.patch \ > > + file://CVE-2023-5367.patch \ > > + file://CVE-2023-5380.patch \ > > + file://CVE-2023-5574-1.patch \ > > + file://CVE-2023-5574-2.patch \ > > + file://CVE-2023-5574-3.patch \ > > " > > SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" > > SRC_URI[sha256sum] = > "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" > > -- > > 2.25.1 > > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#190226): https://lists.openembedded.org/g/openembedded-core/message/190226 Mute This Topic: https://lists.openembedded.org/mt/102415098/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
