From 4bc77761e1831d5db6132eeaad0a9104669368e1 Mon Sep 17 00:00:00 2001
From: songkai <songkai01@inspur.com>
Date: Fri, 7 Jun 2024 14:04:50 +0800
Subject: [PATCH] Fix
 CVE-2024-31080,CVE-2024-31081,CVE-2024-31082,CVE-2024-31083

---
 ...ctedEvents-needs-to-use-unswapped-le.patch |  45 +++++++
 ...GrabDevice-needs-to-use-unswapped-le.patch |  43 +++++++
 ...eDRICreatePixmap-needs-to-use-unswap.patch |  47 ++++++++
 ...unting-of-glyphs-during-ProcRenderAd.patch | 112 ++++++++++++++++++
 xorg-x11-server.spec                          |  16 ++-
 5 files changed, 262 insertions(+), 1 deletion(-)
 create mode 100644 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
 create mode 100644 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
 create mode 100644 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
 create mode 100644 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch

diff --git a/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch b/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
new file mode 100644
index 0000000..5a64c75
--- /dev/null
+++ b/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
@@ -0,0 +1,45 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
+ to send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d3..ac1494987 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+     InputClientsPtr others = NULL;
+     xXIEventMask *evmask = NULL;
+     DeviceIntPtr dev;
++    uint32_t length;
+ 
+     REQUEST(xXIGetSelectedEventsReq);
+     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+         }
+     }
+ 
++    /* save the value before SRepXIGetSelectedEvents swaps it */
++    length = reply.length;
+     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+     if (reply.num_masks)
+-        WriteToClient(client, reply.length * 4, buffer);
++        WriteToClient(client, length * 4, buffer);
+ 
+     free(buffer);
+     return Success;
+-- 
+2.44.0
+
diff --git a/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch b/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
new file mode 100644
index 0000000..4e061f7
--- /dev/null
+++ b/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
@@ -0,0 +1,43 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
+ to send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f855..896233bec 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+     GrabParameters param;
+     void *tmp;
+     int mask_len;
++    uint32_t length;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
+     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         }
+     }
+ 
++    /* save the value before SRepXIPassiveGrabDevice swaps it */
++    length = rep.length;
+     WriteReplyToClient(client, sizeof(rep), &rep);
+     if (rep.num_modifiers)
+-        WriteToClient(client, rep.length * 4, modifiers_failed);
++        WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+     free(modifiers_failed);
+-- 
+2.44.0
+
diff --git a/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch b/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
new file mode 100644
index 0000000..df0a498
--- /dev/null
+++ b/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
@@ -0,0 +1,47 @@
+From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 19:07:34 -0700
+Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
+ length to send reply
+
+CVE-2024-31082
+
+Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ hw/xquartz/xpr/appledri.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
+index 77574655b..40422b61a 100644
+--- a/hw/xquartz/xpr/appledri.c
++++ b/hw/xquartz/xpr/appledri.c
+@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     xAppleDRICreatePixmapReply rep;
+     int width, height, pitch, bpp;
+     void *ptr;
++    CARD32 stringLength;
+ 
+     REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
+ 
+@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
+         ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+ 
++    stringLength = rep.stringLength;  /* save unswapped value */
+     if (client->swapped) {
+         swaps(&rep.sequenceNumber);
+         swapl(&rep.length);
+@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     }
+ 
+     WriteToClient(client, sizeof(rep), &rep);
+-    WriteToClient(client, rep.stringLength, path);
++    WriteToClient(client, stringLength, path);
+ 
+     return Success;
+ }
+-- 
+2.44.0
+
diff --git a/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch b/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
new file mode 100644
index 0000000..dcbf337
--- /dev/null
+++ b/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
@@ -0,0 +1,112 @@
+From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 30 Jan 2024 13:13:35 +1000
+Subject: [PATCH 4/4] render: fix refcounting of glyphs during
+ ProcRenderAddGlyphs
+
+Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+re-used glyph would end up not changing the refcount at all. The
+resulting glyph_new array would thus have multiple entries pointing to
+the same non-refcounted glyphs.
+
+AddGlyph may free a glyph, resulting in a UAF when the same glyph
+pointer is then later used.
+
+Fix this by returning a refcount of 1 for a new glyph and always
+incrementing the refcount for a re-used glyph, followed by dropping that
+refcount back down again when we're done with it.
+
+CVE-2024-31083, ZDI-CAN-22880
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ render/glyph.c         |  5 +++--
+ render/glyphstr_priv.h |  1 +
+ render/render.c        | 15 +++++++++++----
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index 850ea8440..13991f8a1 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
+     }
+ }
+ 
+-static void
++void
+ FreeGlyph(GlyphPtr glyph, int format)
+ {
+     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
++    BUG_RETURN(glyph->refcnt == 0);
+     if (--glyph->refcnt == 0) {
+         GlyphRefPtr gr;
+         int i;
+@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
+     glyph = (GlyphPtr) malloc(size);
+     if (!glyph)
+         return 0;
+-    glyph->refcnt = 0;
++    glyph->refcnt = 1;
+     glyph->size = size + sizeof(xGlyphInfo);
+     glyph->info = *gi;
+     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
+diff --git a/render/glyphstr.h b/render/glyphstr.h
+index 2f51bd244..3b1d806d1 100644
+--- a/render/glyphstr.h
++++ b/render/glyphstr.h
+@@ -108,6 +108,7 @@ extern Bool
+ extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
+ 
+ extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
++extern void FreeGlyph(GlyphPtr glyph, int format);
+ 
+ extern Bool
+  ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
+diff --git a/render/render.c b/render/render.c
+index 29c5055c6..fe5e37dd9 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
+ 
+         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
+             glyph_new->found = TRUE;
++            ++glyph_new->glyph->refcnt;
+         }
+         else {
+             GlyphPtr glyph;
+@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
+         err = BadAlloc;
+         goto bail;
+     }
+-    for (i = 0; i < nglyphs; i++)
++    for (i = 0; i < nglyphs; i++) {
+         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
++        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
++    }
+ 
+     if (glyphsBase != glyphsLocal)
+         free(glyphsBase);
+@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
+         FreePicture((void *) pSrc, 0);
+     if (pSrcPix)
+         FreeScratchPixmapHeader(pSrcPix);
+-    for (i = 0; i < nglyphs; i++)
+-        if (glyphs[i].glyph && !glyphs[i].found)
+-            free(glyphs[i].glyph);
++    for (i = 0; i < nglyphs; i++) {
++        if (glyphs[i].glyph) {
++            --glyphs[i].glyph->refcnt;
++            if (!glyphs[i].found)
++                free(glyphs[i].glyph);
++        }
++    }
+     if (glyphsBase != glyphsLocal)
+         free(glyphsBase);
+     return err;
+-- 
+2.44.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index a42bf4c..f62d429 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -9,7 +9,7 @@
 # check out the master branch, pull, cherry-pick, and push.
 
 # X.org requires lazy relocations to work.
-%define anolis_release .0.3
+%define anolis_release .0.4
 %undefine _hardened_build
 %undefine _strict_symbol_defs_build
 
@@ -151,6 +151,17 @@ Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
 Patch10028: xorg-server-1.20.11-sw.patch
 
+
+# CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 from https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463
+# CVE-2024-31080  
+Patch10029: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
+# CVE-2024-31081
+Patch10030: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch 
+# CVE-2024-31082
+Patch10031: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
+# CVE-2024-31083
+Patch10032: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
 BuildRequires: git
@@ -613,6 +624,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 
 
 %changelog
+* Fri Jun 07 2024 Kai Song <songkai01@inspur.com> - 1.20.11-16.0.4
+- Fix CVE-2024-31080,CVE-2024-31081,CVE-2024-31082,CVE-2024-31083
+
 * Thu Mar 21 2024 Weisson <Weisson@linux.alibaba.com> - 1.20.11-16.0.3
 - cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`.
 
-- 
Gitee