From d3adf84eb2eedb5c8d2aa8e0b71d956ed64cb38cc03c1be08b2cf6c3bda2f462 Mon Sep 17 00:00:00 2001
From: Joan Torres
Date: Wed, 13 Dec 2023 09:18:18 +0000
Subject: [PATCH] - U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) - U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch * Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, bsc#1217766)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=862
---
 ...te-enough-XkbActions-for-our-buttons.patch | 75 +++++++++++++++++++
 ...ger-truncation-in-length-check-of-Pr.patch | 59 +++++++++++++++
 xorg-x11-server.changes | 11 +++
 xorg-x11-server.spec | 6 ++
 4 files changed, 151 insertions(+)
 create mode 100644 U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
 create mode 100644 U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
diff --git a/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch b/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
new file mode 100644
index 0000000..4bf7b21
--- /dev/null
+++ b/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
@@ -0,0 +1,75 @@
+From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/exevents.c | 8 ++++++--
+ dix/devices.c | 11 +++++++++++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..f24de9eec4 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+
+ if (from->button->xkb_acts) {
+ if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
++ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction));
+ if (!to->button->xkb_acts)
+ FatalError("[Xi] not enough memory for xkb_acts.\n");
++ } else {
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ from->button->numButtons,
++ sizeof(XkbAction));
+ }
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+ }
+ else {
+ free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index 7150734a58..deb3010206 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++ int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
+@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+
+ master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
++
+
+ memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+ sizeof(Atom));
+--
+2.43.0
+
diff --git a/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch b/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
new file mode 100644
index 0000000..3a74787
--- /dev/null
+++ b/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
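Review bot: In the RecalculateMasterButtons hunk of the embedded dix/devices.c patch, the added memset clears only the entries from last_num_buttons onward, so if master->button->xkb_acts is still NULL when the array is grown, the reallocation presumably hands back fresh memory and entries [0, last_num_buttons) stay uninitialised. Whether xkb_acts can be NULL at this point depends on code outside the hunk (the function starts and ends outside it), so this needs confirming against the callers. If it can, zero from the start in that case, e.g. `int first_new = master->button->xkb_acts ? last_num_buttons : 0;` before the reallocation and `memset(&master->button->xkb_acts[first_new], 0, (maxbuttons - first_new) * sizeof(XkbAction));` after it. The Xi/exevents.c hunk has a related assumption: its memcpy now reads from->button->numButtons entries from from->button->xkb_acts, which is only in bounds if every site that allocates xkb_acts sizes it by numButtons, and a short comment stating that invariant at the memcpy would make it checkable.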
@@ -0,0 +1,59 @@
+From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH xserver] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-XXXXX, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ randr/rrproperty.c | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+2.43.0
+
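Review bot: Both embedded hunks widen only the declaration of `totalSize`, so the visible lines do not show that the size is actually computed in 64 bits; the statement that assigns it and the REQUEST_FIXED_SIZE check it feeds are outside the hunks. With `unsigned long len` and `int sizeInBytes` as declared here, a product of the two is evaluated in `unsigned long`, which is 32 bits wide on ILP32 builds. It is worth confirming that an earlier bound on `len` keeps that product from wrapping there, or making the width explicit with something like `totalSize = (uint64_t) len * sizeInBytes;`. Separately, the embedded commit message still carries the placeholder `CVE-2023-XXXXX` while the changelog entry names CVE-2023-6478, so a comment with the assigned CVE next to the Patch line in the spec would keep the patch searchable.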
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 21a7eb6..0965057 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Dec 4 18:49:47 UTC 2023 - Stefan Dirsch
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+ * Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
+ ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+ * Out-of-bounds memory read in RRChangeOutputProperty and
+ RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+ bsc#1217766)
+
 -------------------------------------------------------------------
 Wed Oct 25 11:05:06 UTC 2023 - Stefan Dirsch
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 878b5a7..9be7f6e 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -243,6 +243,9 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
 Patch1960: u_sync-pci-ids-with-Mesa.patch
+Patch1217765: U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+Patch1217766: U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+
 %description
 This package contains the X.Org Server.
@@ -401,6 +404,9 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1940 -p1
 %patch1960 -p1
+%patch1217765 -p1
+%patch1217766 -p1
+
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
 # - when loading modesetting: gbm_bo_get_plane_count