1
0

- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch

* Out-of-bounds memory write in XKB button actions (CVE-2023-6377, 
    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
  * Out-of-bounds memory read in RRChangeOutputProperty and
    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
    bsc#1217766)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=862
This commit is contained in:
Joan Torres 2023-12-13 09:18:18 +00:00 committed by Git OBS Bridge
parent f2b0c39e9f
commit d3adf84eb2
4 changed files with 151 additions and 0 deletions

View File

@ -0,0 +1,75 @@
From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 8 ++++++--
dix/devices.c | 11 +++++++++++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..f24de9eec4 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
if (from->button->xkb_acts) {
if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction));
if (!to->button->xkb_acts)
FatalError("[Xi] not enough memory for xkb_acts.\n");
+ } else {
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ from->button->numButtons,
+ sizeof(XkbAction));
}
memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction));
}
else {
free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index 7150734a58..deb3010206 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) {
int i;
+ int last_num_buttons = master->button->numButtons;
+
DeviceChangedEvent event = {
.header = ET_Internal,
.type = ET_DeviceChanged,
@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave)
};
master->button->numButtons = maxbuttons;
+ if (last_num_buttons < maxbuttons) {
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(&master->button->xkb_acts[last_num_buttons],
+ 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ }
+
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom));
--
2.43.0

View File

@ -0,0 +1,59 @@
From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 27 Nov 2023 16:27:49 +1000
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-XXXXX, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
randr/rrproperty.c | 2 +-
randr/rrproviderproperty.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
--
2.43.0

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Dec 4 18:49:47 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
* Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
* Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
bsc#1217766)
-------------------------------------------------------------------
Wed Oct 25 11:05:06 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>

View File

@ -243,6 +243,9 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
Patch1960: u_sync-pci-ids-with-Mesa.patch
Patch1217765: U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
Patch1217766: U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
%description
This package contains the X.Org Server.
@ -401,6 +404,9 @@ sh %{SOURCE92} --verify . %{SOURCE91}
%patch1940 -p1
%patch1960 -p1
%patch1217765 -p1
%patch1217766 -p1
%build
# We have some -z now related errors during X default startup (boo#1197994):
# - when loading modesetting: gbm_bo_get_plane_count