wok-current annotate xorg-server/stuff/CVE-2023-5380.patch @ rev 25634

Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author Stanislas Leduc <shann@slitaz.org>
date Sun Jan 14 08:12:37 2024 +0000 (20 months ago)
shann@25634 1 From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
shann@25634 2 From: Peter Hutterer <peter.hutterer@who-t.net>
shann@25634 3 Date: Thu, 5 Oct 2023 12:19:45 +1000
shann@25634 4 Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
shann@25634 5
shann@25634 6 PointerWindows[] keeps a reference to the last window our sprite
shann@25634 7 entered - changes are usually handled by CheckMotion().
shann@25634 8
shann@25634 9 If we switch between screens via XWarpPointer our
shann@25634 10 dev->spriteInfo->sprite->win is set to the new screen's root window.
shann@25634 11 If there's another window at the cursor location CheckMotion() will
shann@25634 12 trigger the right enter/leave events later. If there is not, it skips
shann@25634 13 that process and we never trigger LeaveWindow() - PointerWindows[] for
shann@25634 14 the device still refers to the previous window.
shann@25634 15
shann@25634 16 If that window is destroyed we have a dangling reference that will
shann@25634 17 eventually cause a use-after-free bug when checking the window hierarchy
shann@25634 18 later.
shann@25634 19
shann@25634 20 To trigger this, we require:
shann@25634 21 - two protocol screens
shann@25634 22 - XWarpPointer to the other screen's root window
shann@25634 23 - XDestroyWindow before entering any other window
shann@25634 24
shann@25634 25 This is a niche bug so we hack around it by making sure we reset the
shann@25634 26 PointerWindows[] entry so we cannot have a dangling pointer. This
shann@25634 27 doesn't handle Enter/Leave events correctly but the previous code didn't
shann@25634 28 either.
shann@25634 29
shann@25634 30 CVE-2023-5380, ZDI-CAN-21608
shann@25634 31
shann@25634 32 This vulnerability was discovered by:
shann@25634 33 Sri working with Trend Micro Zero Day Initiative
shann@25634 34
shann@25634 35 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
shann@25634 36 Reviewed-by: Adam Jackson <ajax@redhat.com>
shann@25634 37 ---
shann@25634 38 dix/enterleave.h | 2 --
shann@25634 39 include/eventstr.h | 3 +++
shann@25634 40 mi/mipointer.c | 17 +++++++++++++++--
shann@25634 41 3 files changed, 18 insertions(+), 4 deletions(-)
shann@25634 42
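diff --git a/dix/enterleave.h b/dix/enterleave.h
index 4b833d8a3b..e8af924c68 100644
--- a/dix/enterleave.h
+++ b/dix/enterleave.h
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
 
 extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
 
-extern void LeaveWindow(DeviceIntPtr dev);
-
 extern void CoreFocusEvent(DeviceIntPtr kbd,
 int type, int mode, int detail, WindowPtr pWin);
 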
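diff --git a/include/eventstr.h b/include/eventstr.h
index 93308f9b24..a9926eaeef 100644
--- a/include/eventstr.h
+++ b/include/eventstr.h
@@ -335,4 +335,7 @@ union _InternalEvent {
 GestureEvent gesture_event;
 };
 
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
 #endif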
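Review bot: The `LeaveWindow()` prototype added just before `#endif` has no comment explaining why an enter/leave helper is now declared in the event-structure header instead of dix/enterleave.h. Going by the commit message, it is exposed here so mi/mipointer.c can reset the device's PointerWindows[] entry. A one-line comment such as `/* declared here so mi/mipointer.c can clear the device's PointerWindows[] entry (CVE-2023-5380) */` would tell a later header cleanup why the declaration lives in this file.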
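diff --git a/mi/mipointer.c b/mi/mipointer.c
index a638f25d4a..8cf0035140 100644
--- a/mi/mipointer.c
+++ b/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
 #ifdef PANORAMIX
 && noPanoramiXExtension
 #endif
- )
- UpdateSpriteForScreen(pDev, pScreen);
+ ) {
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+ /* Hack for CVE-2023-5380: if we're moving
+ * screens PointerWindows[] keeps referring to the
+ * old window. If that gets destroyed we have a UAF
+ * bug later. Only happens when jumping from a window
+ * to the root window on the other screen.
+ * Enter/Leave events are incorrect for that case but
+ * too niche to fix.
+ */
+ LeaveWindow(pDev);
+ if (master)
+ LeaveWindow(master);
+ UpdateSpriteForScreen(pDev, pScreen);
+ }
 }
 
 /**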
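Review bot: The calls `LeaveWindow(pDev);` and `if (master) LeaveWindow(master);` do not guard against `master` being `pDev` itself, which looks possible if `GetMaster()` returns the device when it is already a master pointer; confirm against its definition. The second call would then be redundant, and `if (master && master != pDev)` would make the intent explicit. The block comment names the CVE but not the invariant being restored; something like `/* PointerWindows[] must never outlive the window it points to: clear it for the device and its master before the sprite changes screens */` would help, since this branch is the only place the hunk resets the entry and the commit message itself calls the change a workaround. The opening of the `if (` condition and the start of miPointerWarpCursor lie outside the hunk, so the exact conditions under which the reset runs cannot be checked from here.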
shann@25634 96 --
shann@25634 97 GitLab
shann@25634 98
shann@25634 99 B