diff --git a/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch b/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch new file mode 100644 index 0000000000000000000000000000000000000000..c2d723fab14eb135ee05d3364c054fc8e74d5ae0 --- /dev/null +++ b/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch 
@@ -0,0 +1,77 @@ +From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001 +From: Povilas Kanapickas +Date: Sun, 19 Dec 2021 18:11:07 +0200 +Subject: [PATCH] dix: Fix use after free in input device shutdown + +This fixes access to freed heap memory via dev->master. E.g. when +running BarrierNotify.ReceivesNotifyEvents/7 test from +xorg-integration-tests: + +==24736==ERROR: AddressSanitizer: heap-use-after-free on address +0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10 +READ of size 4 at 0x619000065020 thread T0 + #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722 + #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346 + #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525 +../../../Xi/xichangehierarchy.c:95 + #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #8 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d) + +0x619000065020 is located 160 bytes inside of 912-byte region +[0x619000064f80,0x619000065310) +freed by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) + #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014 + #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #6 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +previously allocated by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6) + #1 0x55c450e1c57b in 
AddInputDevice ../../../dix/devices.c:259 + #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755 + #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152 +../../../Xi/xichangehierarchy.c:465 + #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390 + #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551 + #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272 + #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +The problem is caused by dev->master being not reset when disabling the +device, which then causes dangling pointer when the master device itself +is being deleted when exiting whole server. + +Note that RecalculateMasterButtons() requires dev->master to be still +valid, so we can reset it only at the end of function. + +Signed-off-by: Povilas Kanapickas +--- + dix/devices.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dix/devices.c b/dix/devices.c +index e62c34c55..5f9ce1678 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + } + + RecalculateMasterButtons(dev); ++ dev->master = NULL; + + return TRUE; + } +-- +2.43.0 + diff --git a/0001-dix-allocate-enough-space-for-logical-button-maps.patch b/0001-dix-allocate-enough-space-for-logical-button-maps.patch new file mode 100644 index 0000000000000000000000000000000000000000..e11eb0ef90966fef396c5a67a3138f5700263022 --- /dev/null +++ b/0001-dix-allocate-enough-space-for-logical-button-maps.patch 
@@ -0,0 +1,51 @@ +From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH 1/9] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a44..2b05ac5f3 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec7436..ded8679d7 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +2.43.0 + 
diff --git a/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch b/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch new file mode 100644 index 0000000000000000000000000000000000000000..363af1f8f88ea1886735185debfc0f6f6483e703 --- /dev/null +++ b/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch @@ -0,0 +1,33 @@ +From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 22 Jan 2024 14:22:12 +1000 +Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify + event + +Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 7b7ba1098..c1e6ac600 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->first_valuator = first; + switch (ev->num_valuators) { + case 6: +- ev->valuator2 = v->axisVal[first + 5]; ++ ev->valuator5 = v->axisVal[first + 5]; + case 5: +- ev->valuator2 = v->axisVal[first + 4]; ++ ev->valuator4 = v->axisVal[first + 4]; + case 4: +- ev->valuator2 = v->axisVal[first + 3]; ++ ev->valuator3 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +-- +2.44.0 + diff --git a/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch b/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..345e6600f04afc4a271d95c68c71346280108864 --- /dev/null +++ b/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch 
@@ -0,0 +1,54 @@ +From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 19 Jan 2024 13:05:51 +0100 +Subject: [PATCH] ephyr: Fix incompatible pointer type build error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix a compilation error on 32 bits architectures with gcc 14: + + ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’: + ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int, void *)’} [-Wincompatible-pointer-types] + 154 | adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute; + | ^ + ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int *, void *)’} [-Wincompatible-pointer-types] + 155 | adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute; + | ^ + +Build error logs: +https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273 + +Signed-off-by: José Expósito +--- + hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c +index 4dd15cf41..b5eae48c8 100644 +--- a/hw/kdrive/ephyr/ephyr_glamor_xv.c ++++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c +@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup) + + static int + ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen, +- Atom attribute, INT32 value, void *data) ++ Atom attribute, int value, void *data) + { +- return 
glamor_xv_set_port_attribute(data, attribute, value); ++ return glamor_xv_set_port_attribute(data, attribute, (INT32)value); + } + + static int + ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen, +- Atom attribute, INT32 *value, void *data) ++ Atom attribute, int *value, void *data) + { +- return glamor_xv_get_port_attribute(data, attribute, value); ++ return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value); + } + + static void +-- +2.43.0 + diff --git a/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch b/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch new file mode 100644 index 0000000000000000000000000000000000000000..441c17ddb18b50f8bf8029fc2ce063e1181c1ed5 --- /dev/null +++ b/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch 
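Review bot: The `(INT32 *)value` cast added in ephyr_glamor_xv_get_port_attribute silences the warning but makes glamor_xv_get_port_attribute store through a pointer type that differs from the object's: the gcc output quoted in the message shows INT32 is `long int` on 32-bit, while `*value` is an `int`, so the write is a strict-aliasing violation even though the widths happen to match. The set side's `(INT32)value` is a plain value conversion and is fine. The get side should read into a local INT32 and copy it out, as below; whether the callee writes `*value` on failure is not visible here, so the copy is guarded on `Success`, which assumes the usual X return convention for glamor_xv_get_port_attribute.
```c
static int
ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen,
                                   Atom attribute, int *value, void *data)
{
    INT32 v;
    int ret = glamor_xv_get_port_attribute(data, attribute, &v);

    /* Copy out via a same-typed object instead of punning int * as INT32 * */
    if (ret == Success)
        *value = (int) v;
    return ret;
}
```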
@@ -0,0 +1,153 @@ +From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 22 Jul 2019 13:51:06 -0400 +Subject: [PATCH] hw: Rename boolean config value field from bool to boolean + +"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This +is a driver-visible change and will likely break the build for mach64, +but it can be fixed by simply using xf86ReturnOptValBool like every +other driver. + +Signed-off-by: Adam Jackson +--- + hw/xfree86/common/xf86Opt.h | 2 +- + hw/xfree86/common/xf86Option.c | 10 +++++----- + hw/xwin/winconfig.c | 22 +++++++++++----------- + hw/xwin/winconfig.h | 2 +- + 4 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h +index 3be2a0fc7..3046fbd41 100644 +--- a/hw/xfree86/common/xf86Opt.h ++++ b/hw/xfree86/common/xf86Opt.h +@@ -41,7 +41,7 @@ typedef union { + unsigned long num; + const char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +diff --git a/hw/xfree86/common/xf86Option.c b/hw/xfree86/common/xf86Option.c +index 06973bca3..ca538cc57 100644 +--- a/hw/xfree86/common/xf86Option.c ++++ b/hw/xfree86/common/xf86Option.c +@@ -213,7 +213,7 @@ LookupBoolOption(XF86OptionPtr optlist, const char *name, int deflt, + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o, markUsed)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -474,7 +474,7 @@ xf86ShowUnusedOptions(int scrnIndex, XF86OptionPtr opt) + static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { +- return xf86getBoolValue(&p->value.bool, s); ++ return xf86getBoolValue(&p->value.boolean, s); + } + + static Bool +@@ -678,7 +678,7 @@ ParseOptionValue(int scrnIndex, XF86OptionPtr options, OptionInfoPtr p, + if (markUsed) + xf86MarkOptionUsedByName(options, newn); + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = 
!opt.value.boolean; + p->found = TRUE; + } + else { +@@ -869,7 +869,7 @@ xf86GetOptValBool(const OptionInfoRec * table, int token, Bool *value) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- *value = p->value.bool; ++ *value = p->value.boolean; + return TRUE; + } + else +@@ -883,7 +883,7 @@ xf86ReturnOptValBool(const OptionInfoRec * table, int token, Bool def) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- return p->value.bool; ++ return p->value.boolean; + } + else + return def; +diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c +index 31894d2fb..646d69006 100644 +--- a/hw/xwin/winconfig.c ++++ b/hw/xwin/winconfig.c +@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt) + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p) + } + if ((s = winFindOptionValue(options, newn)) != NULL) { + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -968,25 +968,25 @@ static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { + if (*s == 0) { +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + } + else { + if (winNameCompare(s, "1") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "on") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "true") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "yes") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "0") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "off") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "false") == 0) +- p->value.bool = 
FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "no") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + } + return TRUE; + } +diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h +index f079368c7..bd1f59650 100644 +--- a/hw/xwin/winconfig.h ++++ b/hw/xwin/winconfig.h +@@ -199,7 +199,7 @@ typedef union { + unsigned long num; + char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +-- +2.43.0 + diff --git a/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch b/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch new file mode 100644 index 0000000000000000000000000000000000000000..d9eea48785eb62518d48767d5002bdb351d4984a --- /dev/null +++ b/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch 
@@ -0,0 +1,105 @@ +From b98fc07d3442a289c6bef82df50dd0a2d01de71a Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Thu, 2 Feb 2023 12:26:27 -0500 +Subject: [PATCH xserver] present: Send a PresentConfigureNotify event for + destroyed windows +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This enables fixing a deadlock case on the client side, where the client +ends up blocked waiting for a Present event that will never come because +the window was destroyed. The new PresentWindowDestroyed flag allows the +client to avoid blocking indefinitely. + +Signed-off-by: Adam Jackson +See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116 +See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685 +Reviewed-by: Michel Dänzer +(cherry picked from commit 462b06033e66a32308d940eb5fc47f5e4c914dc0) +--- + present/present_event.c | 5 +++-- + present/present_priv.h | 7 ++++++- + present/present_screen.c | 11 ++++++++++- + 3 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/present/present_event.c b/present/present_event.c +index 435b26b70..849732dc8 100644 +--- a/present/present_event.c ++++ b/present/present_event.c +@@ -102,7 +102,8 @@ present_event_swap(xGenericEvent *from, xGenericEvent *to) + } + + void +-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling) ++present_send_config_notify(WindowPtr window, int x, int y, int w, int h, ++ int bw, WindowPtr sibling, CARD32 flags) + { + present_window_priv_ptr window_priv = present_window_priv(window); + +@@ -122,7 +123,7 @@ present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, + .off_y = 0, + .pixmap_width = w, + .pixmap_height = h, +- .pixmap_flags = 0 ++ .pixmap_flags = flags + }; + present_event_ptr event; + +diff --git a/present/present_priv.h b/present/present_priv.h +index 6ebd009a2..4ad729864 100644 +--- a/present/present_priv.h ++++ b/present/present_priv.h +@@ -43,6 +43,11 
@@ + #define DebugPresent(x) + #endif + ++/* XXX this belongs in presentproto */ ++#ifndef PresentWindowDestroyed ++#define PresentWindowDestroyed (1 << 0) ++#endif ++ + extern int present_request; + + extern DevPrivateKeyRec present_screen_private_key; +@@ -307,7 +312,7 @@ void + present_free_events(WindowPtr window); + + void +-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling); ++present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling, CARD32 flags); + + void + present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc); +diff --git a/present/present_screen.c b/present/present_screen.c +index 15684eda4..2c29aafd2 100644 +--- a/present/present_screen.c ++++ b/present/present_screen.c +@@ -93,6 +93,15 @@ present_destroy_window(WindowPtr window) + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + present_window_priv_ptr window_priv = present_window_priv(window); + ++ present_send_config_notify(window, ++ window->drawable.x, ++ window->drawable.y, ++ window->drawable.width, ++ window->drawable.height, ++ window->borderWidth, ++ window->nextSib, ++ PresentWindowDestroyed); ++ + if (window_priv) { + present_clear_window_notifies(window); + present_free_events(window); +@@ -123,7 +132,7 @@ present_config_notify(WindowPtr window, + ScreenPtr screen = window->drawable.pScreen; + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + +- present_send_config_notify(window, x, y, w, h, bw, sibling); ++ present_send_config_notify(window, x, y, w, h, bw, sibling, 0); + + unwrap(screen_priv, screen, ConfigNotify); + if (screen->ConfigNotify) +-- +2.40.0 + 
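Review bot: present_destroy_window now calls present_send_config_notify unconditionally, ahead of the existing `if (window_priv)` guard, so present_send_config_notify itself must tolerate a window that has no Present private; the present_event.c hunk shows it fetching `window_priv` but the lines that would check it for NULL fall outside the hunk, so please confirm that path or move the new call inside the `if (window_priv)` block. The event is also built from `window->nextSib` and the drawable geometry of a window being torn down, which presumably is still valid at this point of the DestroyWindow chain but is worth a word: a comment such as `/* Tell clients the window is gone so they stop waiting for Present events */` above the call would record the intent. present_destroy_window's body continues outside the hunk.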
diff --git a/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch new file mode 100644 index 0000000000000000000000000000000000000000..549f90a74854a09722f071e4c60f585391abc592 --- /dev/null +++ b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch 
@@ -0,0 +1,72 @@ +From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + +ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and +then frees it using FreeGlyph() to decrease the reference count, after +AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +Part-of: +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index 13991f8a1..5fa7f3b5b 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +2.44.0 + diff --git a/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch b/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch new file mode 100644 index 0000000000000000000000000000000000000000..2db1508f96c2c3331a2e0a4fa52141e8d2aa11f0 --- /dev/null +++ b/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch 
@@ -0,0 +1,54 @@ +From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f203270d5..70e8279aa 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.46.2 + diff --git a/dist b/dist index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10 diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index f2b1c1951c71a2a7057ab9e88b5b7fb10af488bf..78e54e04d2b52cb4d43893cc980ab95d250aec35 100644 
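Review bot: The backported hunk keeps the pattern `compat->sym_interpret = reallocarray(compat->sym_interpret, ...)` followed by `if (!compat->sym_interpret)`, so when reallocarray fails the original sym_interpret block becomes unreachable (leaked) and compat is left with num_si = size_si = 0, i.e. a failed grow request also discards the device's existing compat map. The size_si bookkeeping fix is right; the allocation should go through a temporary so that failure leaves compat untouched, as below. _XkbSetCompatMap continues outside the hunk.
```c
    if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
        XkbSymInterpretPtr tmp = reallocarray(compat->sym_interpret,
                                              req->firstSI + req->nSI,
                                              sizeof(XkbSymInterpretRec));
        if (!tmp)
            return BadAlloc;    /* old map and counts remain valid */
        compat->sym_interpret = tmp;
        compat->num_si = compat->size_si = req->firstSI + req->nSI;
    }
```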
--- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -9,7 +9,7 @@ # check out the master branch, pull, cherry-pick, and push. # X.org requires lazy relocations to work. -%define anolis_release .0.6 +%define anolis_release .0.1 %undefine _hardened_build %undefine _strict_symbol_defs_build @@ -47,7 +47,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 16%{?gitdate:.%{gitdate}}%{anolis_release}%{?dist} +Release: 25%{?gitdate:.%{gitdate}}%{anolis_release}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -112,6 +112,7 @@ Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch Patch205: 0001-present-Check-for-NULL-to-prevent-crash.patch +Patch206: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch # CVE-2021-4011 Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch 
@@ -147,44 +148,51 @@ Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
 Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
 # CVE-2023-0494
 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
-# upstream: 26ef545b3502f61ca722a7a3373507e88ef64110
 # CVE-2023-1393
 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
-Patch10028: xorg-server-1.20.11-sw.patch
-
-
-# CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 from https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463
-# CVE-2024-31080
-Patch10029: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
-# CVE-2024-31081
-Patch10030: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
-# CVE-2024-31082
-Patch10031: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
-# CVE-2024-31083
-Patch10032: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
-
 # CVE-2023-5367
-Patch10033: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
 # CVE-2023-5380
-Patch10034: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
+Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
 # CVE-2023-6377
-Patch10035: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+Patch10030: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
 # CVE-2023-6478
-Patch10036: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+Patch10031: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+# CVE-2023-6816
+Patch10032: 0001-dix-allocate-enough-space-for-logical-button-maps.patch
 # CVE-2024-0229
-Patch10037: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch
-Patch10038: 0003-dix-fix-DeviceStateNotify-event-calculation.patch
-Patch10039: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch
+Patch10033: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch
+Patch10034: 0003-dix-fix-DeviceStateNotify-event-calculation.patch
+Patch10035: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch
 # CVE-2024-21885
-Patch10040: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch
+Patch10036: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch
 # CVE-2024-21886
-Patch10041: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch
-Patch10042: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch
+Patch10037: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch
+Patch10038: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch
 # CVE-2024-0408
-Patch10043: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch
+Patch10039: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch
 # CVE-2024-0409
-Patch10044: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
-
+Patch10040: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
+# Fix compilation error
+Patch10041: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch
+# Related to CVE-2024-21886
+Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
+# Fix compilation error on i686
+Patch10043: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
+# Fix copy and paste error in CVE-2024-0229
+Patch10044: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
+# CVE-2024-31080
+Patch10045: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
+# CVE-2024-31081
+Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
+# CVE-2024-31082
+Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
+# CVE-2024-31083
+Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+# CVE-2024-9632
+Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
+Patch20000: xorg-server-1.20.11-sw.patch
 
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
@@ -348,7 +356,7 @@ License: MIT and GPLv2
 Requires: xorg-x11-server-common >= %{version}-%{release}
 # required for xvfb-run
 Requires: xorg-x11-xauth
-Requires: glibc
+Requires: util-linux
 Provides: Xvfb
 Provides: /usr/bin/Xvfb
 Provides: /usr/bin/xvfb-run
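Review bot: Moving `xorg-server-1.20.11-sw.patch` from Patch10028 to Patch20000 changes its place in the series: it used to apply before the CVE-2023-5367 and later fixes and now applies after every backport, including the new dix, render and xkb patches. If %prep applies patches in Patch-number order (not visible in this hunk), the sw patch now has to apply on top of those changes, so it is worth confirming from a build log that it still applies without fuzz. A one-line comment above it, e.g. `# sw arch support (not upstream), applied after all backports`, would record why it is numbered apart from the CVE block, as the other groups are.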
@@ -648,28 +656,58 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog -* Thu Sep 05 2024 yuan0927 - 1.20.11-16.0.6 -- Fix the splash screen issue in the phytium S5000C - -* Tue Jul 09 2024 lutw - 1.20.11-16.0.5 -- Fix ix CVE-2023-5367 CVE-2023-5380 CVE-2023-6377 CVE-2023-6478 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409 - -* Fri Jun 07 2024 Kai Song - 1.20.11-16.0.4 -- Fix CVE-2024-31080,CVE-2024-31081,CVE-2024-31082,CVE-2024-31083 - -* Thu Mar 21 2024 Weisson - 1.20.11-16.0.3 -- cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`. - -* Thu Mar 21 2024 wxiat - 1.20.11-16.0.2 -- cherry-pick `add sw arch #1ba6a0036d929c82c5516a18350d5c27cc28e210`. - -* Thu Dec 26 2023 Kaiqiang Wang - 1.20.11-16.0.1 -- CVE fix for: CVE-2023-1393 - Resolves: rhbz#2180296 - -* Mon May 29 2023 Hangbo Fan - 1.20.11-15.0.1 +* Tue Nov 05 2024 Hangbo Fan - 1.20.11-25.0.1 - Add doc sub package - Fix doc package installation (wangkaiyuan@inspur.com) +- cherry-pick `add sw arch #1ba6a0036d929c82c5516a18350d5c27cc28e210`. (nijie@wxiat.com) +- cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`. 
(Weisson@linux.alibaba.com) +- Fix the splash screen issue in the phytium S5000C (yuanxia2073@phytium.com.cn) + +* Tue Oct 29 2024 José Expósito - 1.20.11-25 +- CVE fix for CVE-2024-9632 + +* Wed Apr 10 2024 José Expósito - 1.20.11-24 +- Fix regression caused by the fix for CVE-2024-31083 + +* Thu Apr 04 2024 José Expósito - 1.20.11-23 +- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and + CVE-2024-31083 +- Add util-linux as a dependency of Xvfb +- Fix compilation error on i686 + +* Thu Jan 18 2024 José Expósito - 1.20.11-22 +- Fix use after free related to CVE-2024-21886 + +* Tue Jan 16 2024 José Expósito - 1.20.11-21 +- CVE fix for: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, + CVE-2024-0408 and CVE-2024-0409 + Resolves: https://issues.redhat.com/browse/RHEL-21207 + Resolves: https://issues.redhat.com/browse/RHEL-20528 + Resolves: https://issues.redhat.com/browse/RHEL-20378 + Resolves: https://issues.redhat.com/browse/RHEL-20384 + Resolves: https://issues.redhat.com/browse/RHEL-21191 + Resolves: https://issues.redhat.com/browse/RHEL-21198 + +* Thu Dec 14 2023 José Expósito - 1.20.11-20 +- CVE fix for: CVE-2023-6377, CVE-2023-6478 + Resolves: https://issues.redhat.com/browse/RHEL-18321 + Resolves: https://issues.redhat.com/browse/RHEL-18327 + +* Wed Oct 25 2023 José Expósito - 1.20.11-19 +- CVE fix for: CVE-2023-5380 + Resolves: https://issues.redhat.com/browse/RHEL-14060 + +* Wed Oct 25 2023 José Expósito - 1.20.11-18 +- CVE fix for: CVE-2023-5367 + Resolves: https://issues.redhat.com/browse/RHEL-13430 + +* Tue Jun 6 2023 Olivier Fourdan - 1.20.11-17 +- Backport fix for a deadlock with DRI3 + Resolves: rhbz#2192556 + +* Fri Mar 31 2023 Olivier Fourdan - 1.20.11-16 +- CVE fix for: CVE-2023-1393 + Resolves: rhbz#2180296 * Wed Feb 22 2023 Olivier Fourdan - 1.20.11-15 - Rebuild for the missing debuginfo