From 7cf27825ed6619a419e44fff8f65fd543e2837a7e9f50d4630afe863145014b9 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch Date: Wed, 10 Apr 2024 13:25:42 +0000 Subject: [PATCH] - U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, boo#1222442, gitlab xserver issue #1659) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=885 --- ...sible-double-free-in-ProcRenderAddGl.patch | 74 +++++++++++++++++++ xorg-x11-server.changes | 7 ++ xorg-x11-server.spec | 3 + 3 files changed, 84 insertions(+) create mode 100644 U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch diff --git a/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch b/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch new file mode 100644 index 0000000..0c1dda5 --- /dev/null +++ b/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch @@ -0,0 +1,74 @@ +From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + +ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and +then frees it using FreeGlyph() to decrease the reference count, after +AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04) + +Part-of: +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index d5fc5f3c9..f5069d42f 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +2.35.3 + diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index a6beb50..94ccdd8 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Apr 10 13:20:43 UTC 2024 - Stefan Dirsch + +- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch + * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, + boo#1222442, gitlab xserver issue #1659) + ------------------------------------------------------------------- Thu Apr 4 08:13:19 UTC 2024 - Stefan Dirsch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 59118c7..565d0bd 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -240,6 +240,7 @@ Patch1930: u_xfree86-activate-GPU-screens-on-autobind.patch Patch1960: u_sync-pci-ids-with-Mesa.patch Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch +Patch1222442: U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch %description This package contains the X.Org Server. @@ -398,6 +399,8 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch -P 1218176 -p1 +%patch -P 1222442 -p1 + %build # We have some -z now related errors during X default startup (boo#1197994): # - when loading modesetting: gbm_bo_get_plane_count