From ff8f302031d04a2d383e753018aab5deede9885b6741f3d40c467539af1b6ebb Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Thu, 10 Sep 2020 08:27:40 +0000
Subject: [PATCH] Accepting request 833334 from home:mgorse:branches:X11:XOrg
-Add U_xfree86_take_second_ref_for_xcursor.patch: fix use-after-free when switching VTs.
OBS-URL: https://build.opensuse.org/request/show/833334
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=776
---
 U_xfree86_take_second_ref_for_xcursor.patch | 33 +++++++++++++++++++++
 xorg-x11-server.changes | 6 ++++
 xorg-x11-server.spec | 2 ++
 3 files changed, 41 insertions(+)
 create mode 100644 U_xfree86_take_second_ref_for_xcursor.patch
diff --git a/U_xfree86_take_second_ref_for_xcursor.patch b/U_xfree86_take_second_ref_for_xcursor.patch
new file mode 100644
index 0000000..6c576d7
--- /dev/null
+++ b/U_xfree86_take_second_ref_for_xcursor.patch
@@ -0,0 +1,33 @@
+From 919f1f46fc67dae93b2b3f278fcbfc77af34ec58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
+Date: Mon, 31 Aug 2020 12:10:43 +0200
+Subject: [PATCH] xfree86: Take second reference for SavedCursor in
+ xf86CursorSetCursor
+
+The same pointer is kept in CurrentCursor as well, therefore two
+RefCursor calls are needed.
+
+Fixes use-after-free after switching VTs.
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
+---
+ hw/xfree86/ramdac/xf86CursorRD.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
+index 9aa3de97b..c8362d169 100644
+--- a/hw/xfree86/ramdac/xf86CursorRD.c
++++ b/hw/xfree86/ramdac/xf86CursorRD.c
+@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCurs,
+ ScreenPriv->HotY = cursor->bits->yhot;
+
+ if (!infoPtr->pScrn->vtSema) {
++ cursor = RefCursor(cursor);
++ if (ScreenPriv->SavedCursor)
++ FreeCursor(ScreenPriv->SavedCursor, None);
+ ScreenPriv->SavedCursor = cursor;
+ return;
+ }
+--
+2.28.0
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index fdd6c64..cdff067 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse
+
+-Add U_xfree86_take_second_ref_for_xcursor.patch: fix
+ use-after-free when switching VTs.
+
 -------------------------------------------------------------------
 Thu Aug 27 19:29:29 UTC 2020 - bjorn.lie@gmail.com
 
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 6fc7de0..c176aa3 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
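Review bot: The extra reference that the embedded xf86CursorRD.c hunk takes for `ScreenPriv->SavedCursor` in the `!infoPtr->pScrn->vtSema` branch has no matching release visible here: the old SavedCursor is freed only when it is replaced, so the paths that consume or clear SavedCursor (presumably VT re-entry and screen teardown, both outside this hunk) should be checked to drop it with `FreeCursor(ScreenPriv->SavedCursor, None)`, otherwise the use-after-free is exchanged for a leaked cursor. The order of the three added lines is also load-bearing, because taking the reference before freeing the old value keeps the object alive when the same cursor is saved twice; a comment such as `/* take the new ref before dropping the old one: both may be the same cursor */` above `cursor = RefCursor(cursor);` would stop a later cleanup from reordering them. xf86CursorSetCursor starts and ends outside the hunk, so the claim about other paths is an inference to confirm against the full file.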
@@ -249,6 +249,7 @@ Patch1503: u_xfree86-Do-not-claim-pci-slots-if-fb-slot-is-already.patch Patch1505: U_xwayland-Allow-passing-a-fd.patch Patch1600: U_glamor_egl-Reject-OpenGL-2.1-early-on.patch +Patch1700: U_xfree86_take_second_ref_for_xcursor.patch %description This package contains the X.Org Server. @@ -398,6 +399,7 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1503 -p1 %patch1505 -p1 %patch1600 -p1 +%patch1700 -p1 %build %define _lto_cflags %{nil}