* [kirkstone][patch 3/3] xwayland: Fix CVE-2023-6377 CVE-2023-6478
2024-01-26 2:46 [kirkstone][patch 1/3] python3-jinja2: upgrade 3.1.1 -> 3.1.2 chee.yang.lee
2024-01-26 2:46 ` [kirkstone][patch 2/3] python3-jinja2: upgrade 3.1.2 -> 3.1.3 chee.yang.lee
@ 2024-01-26 2:46 ` chee.yang.lee
1 sibling, 0 replies; 3+ messages in thread
From: chee.yang.lee @ 2024-01-26 2:46 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../xwayland/xwayland/CVE-2023-6377.patch | 82 +++++++++++++++++++
.../xwayland/xwayland/CVE-2023-6478.patch | 66 +++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 2 +
3 files changed, 150 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
new file mode 100644
index 0000000000..f650f495a3
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
@@ -0,0 +1,82 @@
+CVE: CVE-2023-6377
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/19e9f199950aaa4b9b7696936d1b067475da999c ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+
+From 19e9f199950aaa4b9b7696936d1b067475da999c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ }
+
+ if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+ }
+ else {
+ free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index 7150734a58..20fef16923 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++ int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
+@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+
+ master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+ memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+ sizeof(Atom));
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
new file mode 100644
index 0000000000..23fbc0e9e2
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
@@ -0,0 +1,66 @@
+CVE: CVE-2023-6478
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/aaf854fb25541380cc38a221c15f0e8372f48872 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+
+From aaf854fb25541380cc38a221c15f0e8372f48872 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
+---
+ randr/rrproperty.c | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 94797be8e0..e6e17d7da5 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880"
SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2023-5367.patch \
+ file://CVE-2023-6377.patch \
+ file://CVE-2023-6478.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.37.3
^ permalink raw reply related [flat|nested] 3+ messages in thread