- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch

* Out-of-bounds memory write in XKB button actions (CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) - U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch * Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, bsc#1217766) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=862
2023-12-13 09:18:18 +00:00 · 2023-12-13 09:18:18 +00:00 · d3adf84eb2
commit d3adf84eb2
parent f2b0c39e9f
4 changed files with 151 additions and 0 deletions
--- a/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+++ b/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
@ -0,0 +1,75 @@
+From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/exevents.c |  8 ++++++--
+ dix/devices.c | 11 +++++++++++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..f24de9eec4 100644
+--- a/Xi/exevents.c
+++ b/Xi/exevents.c
+@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ 
+         if (from->button->xkb_acts) {
+             if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+                to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction));
+                 if (!to->button->xkb_acts)
+                     FatalError("[Xi] not enough memory for xkb_acts.\n");
+            } else {
+                to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+                                                       from->button->numButtons,
+                                                       sizeof(XkbAction));
+             }
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
+                   from->button->numButtons * sizeof(XkbAction));
+         }
+         else {
+             free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index 7150734a58..deb3010206 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
+        int last_num_buttons = master->button->numButtons;
+
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+ 
+         master->button->numButtons = maxbuttons;
+        if (last_num_buttons < maxbuttons) {
+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+                                                       maxbuttons,
+                                                       sizeof(XkbAction));
+            memset(&master->button->xkb_acts[last_num_buttons],
+                   0,
+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+        }
+
+ 
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+-- 
+2.43.0
+
--- a/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+++ b/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
@ -0,0 +1,59 @@
+From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH xserver] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-XXXXX, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+2.43.0
+
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Dec  4 18:49:47 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, 
+    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+  * Out-of-bounds memory read in RRChangeOutputProperty and
+    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+    bsc#1217766)
+
 -------------------------------------------------------------------
 Wed Oct 25 11:05:06 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>

--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -243,6 +243,9 @@ Patch1940:      U_xephyr-Don-t-check-for-SeatId-anymore.patch

 Patch1960:      u_sync-pci-ids-with-Mesa.patch

+Patch1217765:   U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+Patch1217766:   U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+
 %description
 This package contains the X.Org Server.

@ -401,6 +404,9 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1940 -p1
 %patch1960 -p1

+%patch1217765 -p1
+%patch1217766 -p1
+
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
 # - when loading modesetting: gbm_bo_get_plane_count