wok-current view xorg-server/stuff/CVE-2023-5380.patch @ rev 25634

Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author Stanislas Leduc <shann@slitaz.org>
date Sun Jan 14 08:12:37 2024 +0000 (20 months ago)
1 From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Thu, 5 Oct 2023 12:19:45 +1000
4 Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
6 PointerWindows[] keeps a reference to the last window our sprite
7 entered - changes are usually handled by CheckMotion().
9 If we switch between screens via XWarpPointer our
10 dev->spriteInfo->sprite->win is set to the new screen's root window.
11 If there's another window at the cursor location CheckMotion() will
12 trigger the right enter/leave events later. If there is not, it skips
13 that process and we never trigger LeaveWindow() - PointerWindows[] for
14 the device still refers to the previous window.
16 If that window is destroyed we have a dangling reference that will
17 eventually cause a use-after-free bug when checking the window hierarchy
18 later.
20 To trigger this, we require:
21 - two protocol screens
22 - XWarpPointer to the other screen's root window
23 - XDestroyWindow before entering any other window
25 This is a niche bug so we hack around it by making sure we reset the
26 PointerWindows[] entry so we cannot have a dangling pointer. This
27 doesn't handle Enter/Leave events correctly but the previous code didn't
28 either.
30 CVE-2023-5380, ZDI-CAN-21608
32 This vulnerability was discovered by:
33 Sri working with Trend Micro Zero Day Initiative
35 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
36 Reviewed-by: Adam Jackson <ajax@redhat.com>
37 ---
38 dix/enterleave.h | 2 --
39 include/eventstr.h | 3 +++
40 mi/mipointer.c | 17 +++++++++++++++--
41 3 files changed, 18 insertions(+), 4 deletions(-)
43 diff --git a/dix/enterleave.h b/dix/enterleave.h
44 index 4b833d8a3b..e8af924c68 100644
45 --- a/dix/enterleave.h
46 +++ b/dix/enterleave.h
47 @@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
49 extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
51 -extern void LeaveWindow(DeviceIntPtr dev);
52 -
53 extern void CoreFocusEvent(DeviceIntPtr kbd,
54 int type, int mode, int detail, WindowPtr pWin);
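Review bot: the `LeaveWindow` prototype is dropped from dix/enterleave.h here and re-added in include/eventstr.h in the next hunk, so any translation unit that only includes dix/enterleave.h and calls `LeaveWindow` will now fail to compile; confirm the build covers every current caller, or keep the declaration in enterleave.h as well until callers are audited. Also consider a one-line comment at the removal point saying where the declaration moved, since a reader of this header otherwise sees a function silently disappear.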
56 diff --git a/include/eventstr.h b/include/eventstr.h
57 index 93308f9b24..a9926eaeef 100644
58 --- a/include/eventstr.h
59 +++ b/include/eventstr.h
60 @@ -335,4 +335,7 @@ union _InternalEvent {
61 GestureEvent gesture_event;
62 };
64 +extern void
65 +LeaveWindow(DeviceIntPtr dev);
66 +
67 #endif
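Review bot: the new declaration is placed at the bottom of a header that otherwise defines event structures (`union _InternalEvent`), with no comment explaining why a DIX function prototype lives here; add a short comment ("exported for mi/mipointer.c, see CVE-2023-5380") or move it to a header that mi/ already includes for DIX calls. The two-line form `+extern void` / `+LeaveWindow(DeviceIntPtr dev);` also differs from the single-line `extern void EnterWindow(...)` style used in dix/enterleave.h; keep the two prototypes consistent.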
68 diff --git a/mi/mipointer.c b/mi/mipointer.c
69 index a638f25d4a..8cf0035140 100644
70 --- a/mi/mipointer.c
71 +++ b/mi/mipointer.c
72 @@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
73 #ifdef PANORAMIX
74 && noPanoramiXExtension
75 #endif
76 - )
77 - UpdateSpriteForScreen(pDev, pScreen);
78 + ) {
79 + DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
80 + /* Hack for CVE-2023-5380: if we're moving
81 + * screens PointerWindows[] keeps referring to the
82 + * old window. If that gets destroyed we have a UAF
83 + * bug later. Only happens when jumping from a window
84 + * to the root window on the other screen.
85 + * Enter/Leave events are incorrect for that case but
86 + * too niche to fix.
87 + */
88 + LeaveWindow(pDev);
89 + if (master)
90 + LeaveWindow(master);
91 + UpdateSpriteForScreen(pDev, pScreen);
92 + }
93 }
95 /**
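Review bot: `GetMaster(pDev, MASTER_POINTER)` is called and then `LeaveWindow(master)` runs whenever `master` is non-NULL, but nothing guards against `master == pDev` (the case where `pDev` is itself the master pointer), so `LeaveWindow` may run twice on the same device; either confirm `LeaveWindow` is idempotent once `PointerWindows[]` has been reset, or add `if (master && master != pDev)`. The comment admits Enter/Leave events are wrong for this path; a brief note of what the correct fix would need (a `CheckMotion`-style enter/leave pass against the new root) would help whoever revisits this, and a regression test for the two-screen `XWarpPointer` + `XDestroyWindow` sequence from the commit message would keep the use-after-free from reappearing.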
96 --
97 GitLab