- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch

* fixes regression for security fix for CVE-2024-31083 (bsc#1222312, boo#1222442, gitlab xserver issue #1659) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=885
2024-04-10 13:25:42 +00:00 · 2024-04-10 13:25:42 +00:00 · 7cf27825ed
commit 7cf27825ed
parent 25a7aa1fcd
3 changed files with 84 additions and 0 deletions
--- a/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+++ b/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
@ -0,0 +1,74 @@
+From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 5 Apr 2024 15:24:49 +0200
+Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
+
+ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
+then frees it using FreeGlyph() to decrease the reference count, after
+AddGlyph() has increased it.
+
+AddGlyph() however may chose to reuse an existing glyph if it's already
+in the glyphSet, and free the glyph that was given, in which case the
+caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
+already freed glyph, as reported by ASan:
+
+  READ of size 4 thread T0
+    #0 in FreeGlyph xserver/render/glyph.c:252
+    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
+    #2 in Dispatch xserver/dix/dispatch.c:546
+    #3 in dix_main xserver/dix/main.c:271
+    #4 in main xserver/dix/stubmain.c:34
+    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #6 in __libc_start_main_impl ../csu/libc-start.c:360
+    #7  (/usr/bin/Xwayland+0x44fe4)
+  Address is located 0 bytes inside of 64-byte region
+  freed by thread T0 here:
+    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
+    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
+    #2 in AddGlyph xserver/render/glyph.c:295
+    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
+    #4 in Dispatch xserver/dix/dispatch.c:546
+    #5 in dix_main xserver/dix/main.c:271
+    #6 in main xserver/dix/stubmain.c:34
+    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  previously allocated by thread T0 here:
+    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
+    #1 in AllocateGlyph xserver/render/glyph.c:355
+    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
+    #3 in Dispatch xserver/dix/dispatch.c:546
+    #4 in dix_main xserver/dix/main.c:271
+    #5 in main xserver/dix/stubmain.c:34
+    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
+
+To avoid that, make sure not to free the given glyph in AddGlyph().
+
+v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
+v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
+
+Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
+---
+ render/glyph.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index d5fc5f3c9..f5069d42f 100644
+--- a/render/glyph.c
+++ b/render/glyph.c
+@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
+     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
+                       TRUE, glyph->sha1);
+     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
+-        FreeGlyphPicture(glyph);
+-        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
+         glyph = gr->glyph;
+     }
+     else if (gr->glyph != glyph) {
+-- 
+2.35.3
+
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Apr 10 13:20:43 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+  * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, 
+    boo#1222442, gitlab xserver issue #1659)
+
 -------------------------------------------------------------------
 Thu Apr  4 08:13:19 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -240,6 +240,7 @@ Patch1930:      u_xfree86-activate-GPU-screens-on-autobind.patch
 Patch1960:      u_sync-pci-ids-with-Mesa.patch

 Patch1218176:   u_miCloseScreen_check_for_null_pScreen_dev_private.patch
+Patch1222442:   U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch

 %description
 This package contains the X.Org Server.
@ -398,6 +399,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}

 %patch -P 1218176 -p1

+%patch -P 1222442 -p1
+
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
 # - when loading modesetting: gbm_bo_get_plane_count