[2/2] xserver-xorg: backport fix for CVE-2023-1393

Message ID	20230419134143.1530528-2-ross.burton@arm.com
State	New
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: Ross Burton <ross.burton@arm.com> To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH 2/2] xserver-xorg: backport fix for CVE-2023-1393 Date: Wed, 19 Apr 2023 14:41:43 +0100 Message-Id: <20230419134143.1530528-2-ross.burton@arm.com> In-Reply-To: <20230419134143.1530528-1-ross.burton@arm.com> References: <20230419134143.1530528-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[1/2] screen: backport fix for CVE-2023-24626 \| expand [1/2] screen: backport fix for CVE-2023-24626 [2/2] xserver-xorg: backport fix for CVE-2023-1393

Message ID

20230419134143.1530528-2-ross.burton@arm.com

State

New

Headers

From: Ross Burton <ross.burton@arm.com>
To: openembedded-core@lists.openembedded.org
Cc: nd@arm.com
Subject: [PATCH 2/2] xserver-xorg: backport fix for CVE-2023-1393
Date: Wed, 19 Apr 2023 14:41:43 +0100
Message-Id: <20230419134143.1530528-2-ross.burton@arm.com>
In-Reply-To: <20230419134143.1530528-1-ross.burton@arm.com>
References: <20230419134143.1530528-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[1/2] screen: backport fix for CVE-2023-24626 | expand

Commit Message

Ross Burton April 19, 2023, 1:41 p.m. UTC

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 ...posite-Fix-use-after-free-of-the-COW.patch | 46 +++++++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.7.bb       |  3 +-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch

Comments

Khem Raj April 20, 2023, 1:38 a.m. UTC | #1

Fails to patch - https://errors.yoctoproject.org/Errors/Details/700408/

On Wed, Apr 19, 2023 at 6:41 AM Ross Burton <ross.burton@arm.com> wrote:
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  ...posite-Fix-use-after-free-of-the-COW.patch | 46 +++++++++++++++++++
>  .../xorg-xserver/xserver-xorg_21.1.7.bb       |  3 +-
>  2 files changed, 48 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
> new file mode 100644
> index 00000000000..fc426daba51
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
> @@ -0,0 +1,46 @@
> +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
> +From: Olivier Fourdan <ofourdan@redhat.com>
> +Date: Mon, 13 Mar 2023 11:08:47 +0100
> +Subject: [PATCH] composite: Fix use-after-free of the COW
> +
> +ZDI-CAN-19866/CVE-2023-1393
> +
> +If a client explicitly destroys the compositor overlay window (aka COW),
> +we would leave a dangling pointer to that window in the CompScreen
> +structure, which will trigger a use-after-free later.
> +
> +Make sure to clear the CompScreen pointer to the COW when the latter gets
> +destroyed explicitly by the client.
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
> +Reviewed-by: Adam Jackson <ajax@redhat.com>
> +
> +CVE: CVE-2023-1393
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton@arm.com>
> +---
> + composite/compwindow.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/composite/compwindow.c b/composite/compwindow.c
> +index 4e2494b86..b30da589e 100644
> +--- a/composite/compwindow.c
> ++++ b/composite/compwindow.c
> +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
> +     ret = (*pScreen->DestroyWindow) (pWin);
> +     cs->DestroyWindow = pScreen->DestroyWindow;
> +     pScreen->DestroyWindow = compDestroyWindow;
> ++
> ++    /* Did we just destroy the overlay window? */
> ++    if (pWin == cs->pOverlayWin)
> ++        cs->pOverlayWin = NULL;
> ++
> + /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
> +     return ret;
> + }
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
> index 212c7d39c23..f0771cc86ec 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
> @@ -1,7 +1,8 @@
>  require xserver-xorg.inc
>
>  SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
> -           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
> +            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
> +            file://0001-composite-Fix-use-after-free-of-the-COW.patch \
>             "
>  SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
>
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#180221): https://lists.openembedded.org/g/openembedded-core/message/180221
> Mute This Topic: https://lists.openembedded.org/mt/98366626/1997914
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Ross Burton April 20, 2023, 11:42 a.m. UTC | #2

Yeah, drop this, I failed to update my branch to include the 21.1.8 upgrade that had been sent.

Ross

> On 20 Apr 2023, at 02:38, Khem Raj <raj.khem@gmail.com> wrote:
> 
> Fails to patch - https://errors.yoctoproject.org/Errors/Details/700408/
> 
> On Wed, Apr 19, 2023 at 6:41 AM Ross Burton <ross.burton@arm.com> wrote:
>> 
>> Signed-off-by: Ross Burton <ross.burton@arm.com>
>> ---
>> ...posite-Fix-use-after-free-of-the-COW.patch | 46 +++++++++++++++++++
>> .../xorg-xserver/xserver-xorg_21.1.7.bb       |  3 +-
>> 2 files changed, 48 insertions(+), 1 deletion(-)
>> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
>> 
>> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
>> new file mode 100644
>> index 00000000000..fc426daba51
>> --- /dev/null
>> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
>> @@ -0,0 +1,46 @@
>> +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
>> +From: Olivier Fourdan <ofourdan@redhat.com>
>> +Date: Mon, 13 Mar 2023 11:08:47 +0100
>> +Subject: [PATCH] composite: Fix use-after-free of the COW
>> +
>> +ZDI-CAN-19866/CVE-2023-1393
>> +
>> +If a client explicitly destroys the compositor overlay window (aka COW),
>> +we would leave a dangling pointer to that window in the CompScreen
>> +structure, which will trigger a use-after-free later.
>> +
>> +Make sure to clear the CompScreen pointer to the COW when the latter gets
>> +destroyed explicitly by the client.
>> +
>> +This vulnerability was discovered by:
>> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
>> +
>> +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
>> +Reviewed-by: Adam Jackson <ajax@redhat.com>
>> +
>> +CVE: CVE-2023-1393
>> +Upstream-Status: Backport
>> +Signed-off-by: Ross Burton <ross.burton@arm.com>
>> +---
>> + composite/compwindow.c | 5 +++++
>> + 1 file changed, 5 insertions(+)
>> +
>> +diff --git a/composite/compwindow.c b/composite/compwindow.c
>> +index 4e2494b86..b30da589e 100644
>> +--- a/composite/compwindow.c
>> ++++ b/composite/compwindow.c
>> +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
>> +     ret = (*pScreen->DestroyWindow) (pWin);
>> +     cs->DestroyWindow = pScreen->DestroyWindow;
>> +     pScreen->DestroyWindow = compDestroyWindow;
>> ++
>> ++    /* Did we just destroy the overlay window? */
>> ++    if (pWin == cs->pOverlayWin)
>> ++        cs->pOverlayWin = NULL;
>> ++
>> + /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
>> +     return ret;
>> + }
>> +--
>> +2.34.1
>> +
>> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
>> index 212c7d39c23..f0771cc86ec 100644
>> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
>> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
>> @@ -1,7 +1,8 @@
>> require xserver-xorg.inc
>> 
>> SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
>> -           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
>> +            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
>> +            file://0001-composite-Fix-use-after-free-of-the-COW.patch \
>>            "
>> SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"
>> 
>> --
>> 2.34.1
>> 
>> 
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#180221): https://lists.openembedded.org/g/openembedded-core/message/180221
>> Mute This Topic: https://lists.openembedded.org/mt/98366626/1997914
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
new file mode 100644
index 00000000000..fc426daba51
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
@@ -0,0 +1,46 @@ 
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+CVE: CVE-2023-1393
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86..b30da589e 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
++
++    /* Did we just destroy the overlay window? */
++    if (pWin == cs->pOverlayWin)
++        cs->pOverlayWin = NULL;
++
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+2.34.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
index 212c7d39c23..f0771cc86ec 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb
@@ -1,7 +1,8 @@ 
 require xserver-xorg.inc
 
 SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
-           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+            file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
+            file://0001-composite-Fix-use-after-free-of-the-COW.patch \
            "
 SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb"

[2/2] xserver-xorg: backport fix for CVE-2023-1393

Commit Message

Comments

Patch