1
0

Accepting request 1166666 from X11:XOrg

- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
  * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, 
    boo#1222442, gitlab xserver issue #1659)

OBS-URL: https://build.opensuse.org/request/show/1166666
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=430
This commit is contained in:
Ana Guerrero 2024-04-11 17:40:24 +00:00 committed by Git OBS Bridge
commit 6a5a8cfee5
3 changed files with 84 additions and 0 deletions

View File

@ -0,0 +1,74 @@
From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 5 Apr 2024 15:24:49 +0200
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
then frees it using FreeGlyph() to decrease the reference count, after
AddGlyph() has increased it.
AddGlyph() however may chose to reuse an existing glyph if it's already
in the glyphSet, and free the glyph that was given, in which case the
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
already freed glyph, as reported by ASan:
READ of size 4 thread T0
#0 in FreeGlyph xserver/render/glyph.c:252
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
#2 in Dispatch xserver/dix/dispatch.c:546
#3 in dix_main xserver/dix/main.c:271
#4 in main xserver/dix/stubmain.c:34
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 in __libc_start_main_impl ../csu/libc-start.c:360
#7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
#2 in AddGlyph xserver/render/glyph.c:295
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
#4 in Dispatch xserver/dix/dispatch.c:546
#5 in dix_main xserver/dix/main.c:271
#6 in main xserver/dix/stubmain.c:34
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
#1 in AllocateGlyph xserver/render/glyph.c:355
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
#3 in Dispatch xserver/dix/dispatch.c:546
#4 in dix_main xserver/dix/main.c:271
#5 in main xserver/dix/stubmain.c:34
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
To avoid that, make sure not to free the given glyph in AddGlyph().
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
---
render/glyph.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/render/glyph.c b/render/glyph.c
index d5fc5f3c9..f5069d42f 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
TRUE, glyph->sha1);
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
- FreeGlyphPicture(glyph);
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
glyph = gr->glyph;
}
else if (gr->glyph != glyph) {
--
2.35.3

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Apr 10 13:20:43 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
* fixes regression for security fix for CVE-2024-31083 (bsc#1222312,
boo#1222442, gitlab xserver issue #1659)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Apr 4 08:13:19 UTC 2024 - Stefan Dirsch <sndirsch@suse.com> Thu Apr 4 08:13:19 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

View File

@ -240,6 +240,7 @@ Patch1930: u_xfree86-activate-GPU-screens-on-autobind.patch
Patch1960: u_sync-pci-ids-with-Mesa.patch Patch1960: u_sync-pci-ids-with-Mesa.patch
Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch
Patch1222442: U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
%description %description
This package contains the X.Org Server. This package contains the X.Org Server.
@ -398,6 +399,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
%patch -P 1218176 -p1 %patch -P 1218176 -p1
%patch -P 1222442 -p1
%build %build
# We have some -z now related errors during X default startup (boo#1197994): # We have some -z now related errors during X default startup (boo#1197994):
# - when loading modesetting: gbm_bo_get_plane_count # - when loading modesetting: gbm_bo_get_plane_count