MSVSphere Packaging Team
5 months ago
parent
9022eab8ca
commit
41b4e9a538
GPG Key ID:
B2B0B9F29E528FE8
@ -0,0 +1,166 @@
|
||||
From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
|
||||
From: Keith Packard <keithp@keithp.com>
|
||||
Date: Sat, 7 Nov 2020 22:22:47 -0800
|
||||
Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
|
||||
adjustment
|
||||
|
||||
This patch is based on research done by Dmitry Osipenko to uncover the
|
||||
cause of a large class of Xlib lockups.
|
||||
|
||||
_XError must unlock and re-lock the display around the call to the
|
||||
user error handler function. When re-locking the display, two
|
||||
functions are called to ensure that the display is ready to generate a request:
|
||||
|
||||
_XIDHandler(dpy);
|
||||
_XSeqSyncFunction(dpy);
|
||||
|
||||
The first ensures that there is at least one XID available to use
|
||||
(possibly calling _xcb_generate_id to do so). The second makes sure a
|
||||
reply is received at least every 65535 requests to keep sequence
|
||||
numbers in sync (possibly generating a GetInputFocus request and
|
||||
synchronously awaiting the reply).
|
||||
|
||||
If the second of these does generate a GetInputFocus request and wait
|
||||
for the reply, then a pending error will cause recursion into _XError,
|
||||
which deadlocks the display.
|
||||
|
||||
One seemingly easy fix is to have _XError avoid those calls by
|
||||
invoking InternalLockDisplay instead of LockDisplay. That function
|
||||
does everything that LockDisplay does *except* call those final two
|
||||
functions which may end up receiving an error.
|
||||
|
||||
However, that doesn't protect the system from applications which call
|
||||
some legal Xlib function from within their error handler. Any Xlib
|
||||
function which cannot generate protocol or wait for events is valid,
|
||||
including many which invoke LockDisplay.
|
||||
|
||||
What we need to do is make LockDisplay skip these two function calls
|
||||
precisely when it is called from within the _XError context for the
|
||||
same display.
|
||||
|
||||
This patch accomplishes this by creating a list of threads in the
|
||||
display which are in _XError, and then having LockDisplay check the
|
||||
current thread against those list elements.
|
||||
|
||||
Inspired-by: Dmitry Osipenko <digetx@gmail.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
Tested-by: Dmitry Osipenko <digetx@gmail.com>
|
||||
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
|
||||
(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
|
||||
---
|
||||
include/X11/Xlibint.h | 2 ++
|
||||
src/OpenDis.c | 1 +
|
||||
src/XlibInt.c | 10 ++++++++++
|
||||
src/locking.c | 12 ++++++++++++
|
||||
src/locking.h | 12 ++++++++++++
|
||||
5 files changed, 37 insertions(+)
|
||||
|
||||
diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
|
||||
index 6b95bcf7..09078e3f 100644
|
||||
--- a/include/X11/Xlibint.h
|
||||
+++ b/include/X11/Xlibint.h
|
||||
@@ -202,6 +202,8 @@ struct _XDisplay
|
||||
unsigned long last_request_read_upper32bit;
|
||||
unsigned long request_upper32bit;
|
||||
#endif
|
||||
+
|
||||
+ struct _XErrorThreadInfo *error_threads;
|
||||
};
|
||||
|
||||
#define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
|
||||
diff --git a/src/OpenDis.c b/src/OpenDis.c
|
||||
index 82723578..85901168 100644
|
||||
--- a/src/OpenDis.c
|
||||
+++ b/src/OpenDis.c
|
||||
@@ -201,6 +201,7 @@ XOpenDisplay (
|
||||
X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
|
||||
dpy->default_screen = iscreen; /* Value returned by ConnectDisplay */
|
||||
dpy->last_req = (char *)&_dummy_request;
|
||||
+ dpy->error_threads = NULL;
|
||||
|
||||
/* Initialize the display lock */
|
||||
if (InitDisplayLock(dpy) != 0) {
|
||||
diff --git a/src/XlibInt.c b/src/XlibInt.c
|
||||
index 4e45e62b..8771b791 100644
|
||||
--- a/src/XlibInt.c
|
||||
+++ b/src/XlibInt.c
|
||||
@@ -1482,6 +1482,11 @@ int _XError (
|
||||
if (_XErrorFunction != NULL) {
|
||||
int rtn_val;
|
||||
#ifdef XTHREADS
|
||||
+ struct _XErrorThreadInfo thread_info = {
|
||||
+ .error_thread = xthread_self(),
|
||||
+ .next = dpy->error_threads
|
||||
+ }, **prev;
|
||||
+ dpy->error_threads = &thread_info;
|
||||
if (dpy->lock)
|
||||
(*dpy->lock->user_lock_display)(dpy);
|
||||
UnlockDisplay(dpy);
|
||||
@@ -1491,6 +1496,11 @@ int _XError (
|
||||
LockDisplay(dpy);
|
||||
if (dpy->lock)
|
||||
(*dpy->lock->user_unlock_display)(dpy);
|
||||
+
|
||||
+ /* unlink thread_info from the list */
|
||||
+ for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
|
||||
+ ;
|
||||
+ *prev = thread_info.next;
|
||||
#endif
|
||||
return rtn_val;
|
||||
} else {
|
||||
diff --git a/src/locking.c b/src/locking.c
|
||||
index 9f4fe067..bcadc857 100644
|
||||
--- a/src/locking.c
|
||||
+++ b/src/locking.c
|
||||
@@ -453,6 +453,9 @@ static void _XLockDisplay(
|
||||
XTHREADS_FILE_LINE_ARGS
|
||||
)
|
||||
{
|
||||
+#ifdef XTHREADS
|
||||
+ struct _XErrorThreadInfo *ti;
|
||||
+#endif
|
||||
#ifdef XTHREADS_WARN
|
||||
_XLockDisplayWarn(dpy, file, line);
|
||||
#else
|
||||
@@ -460,6 +463,15 @@ static void _XLockDisplay(
|
||||
#endif
|
||||
if (dpy->lock->locking_level > 0)
|
||||
_XDisplayLockWait(dpy);
|
||||
+#ifdef XTHREADS
|
||||
+ /*
|
||||
+ * Skip the two function calls below which may generate requests
|
||||
+ * when LockDisplay is called from within _XError.
|
||||
+ */
|
||||
+ for (ti = dpy->error_threads; ti; ti = ti->next)
|
||||
+ if (ti->error_thread == xthread_self())
|
||||
+ return;
|
||||
+#endif
|
||||
_XIDHandler(dpy);
|
||||
_XSeqSyncFunction(dpy);
|
||||
}
|
||||
diff --git a/src/locking.h b/src/locking.h
|
||||
index 5251a60c..59fc866e 100644
|
||||
--- a/src/locking.h
|
||||
+++ b/src/locking.h
|
||||
@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
|
||||
xmutex_t lock;
|
||||
} LockInfoRec;
|
||||
|
||||
+/* A list of threads currently invoking error handlers on this display
|
||||
+ * LockDisplay operates differently for these threads, avoiding
|
||||
+ * generating any requests or reading any events as that can cause
|
||||
+ * recursion into the error handling code, which will deadlock the
|
||||
+ * thread.
|
||||
+ */
|
||||
+struct _XErrorThreadInfo
|
||||
+{
|
||||
+ struct _XErrorThreadInfo *next;
|
||||
+ xthread_t error_thread;
|
||||
+};
|
||||
+
|
||||
/* XOpenDis.c */
|
||||
extern int (*_XInitDisplayLock_fn)(Display *dpy);
|
||||
extern void (*_XFreeDisplayLock_fn)(Display *dpy);
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -0,0 +1,58 @@
|
||||
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sun, 17 Sep 2023 14:19:40 -0700
|
||||
Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
|
||||
_XkbReadKeySyms()
|
||||
|
||||
Make sure we allocate enough memory in the first place, and
|
||||
also handle error returns from _XkbReadBufferCopyKeySyms() when
|
||||
it detects out-of-bounds issues.
|
||||
|
||||
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/xkb/XKBGetMap.c | 14 +++++++++-----
|
||||
1 file changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
|
||||
index 2891d21e..31199e4a 100644
|
||||
--- a/src/xkb/XKBGetMap.c
|
||||
+++ b/src/xkb/XKBGetMap.c
|
||||
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
if (offset + newMap->nSyms >= map->size_syms) {
|
||||
register int sz;
|
||||
|
||||
- sz = map->size_syms + 128;
|
||||
+ sz = offset + newMap->nSyms;
|
||||
+ sz = ((sz + (unsigned) 128) / 128) * 128;
|
||||
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
|
||||
if (map->syms == NULL) {
|
||||
map->size_syms = 0;
|
||||
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
map->size_syms = sz;
|
||||
}
|
||||
if (newMap->nSyms > 0) {
|
||||
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
||||
- newMap->nSyms);
|
||||
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
||||
+ newMap->nSyms) == 0)
|
||||
+ return BadLength;
|
||||
offset += newMap->nSyms;
|
||||
}
|
||||
else {
|
||||
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
|
||||
if (newSyms == NULL)
|
||||
return BadAlloc;
|
||||
- if (newMap->nSyms > 0)
|
||||
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
|
||||
+ if (newMap->nSyms > 0) {
|
||||
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
|
||||
+ return BadLength;
|
||||
+ }
|
||||
else
|
||||
newSyms[0] = NoSymbol;
|
||||
oldMap->kt_index[0] = newMap->ktIndex[0];
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,37 @@
|
||||
From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 15:54:30 -0700
|
||||
Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
|
||||
in PutSubImage()
|
||||
|
||||
When splitting a single line of pixels into chunks to send to the
|
||||
X server, be sure to take into account the number of bits per pixel,
|
||||
so we don't just loop forever trying to send more pixels than fit in
|
||||
the given request size and not breaking them down into a small enough
|
||||
chunk to fix.
|
||||
|
||||
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/PutImage.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/PutImage.c b/src/PutImage.c
|
||||
index 857ee916..a6db7b42 100644
|
||||
--- a/src/PutImage.c
|
||||
+++ b/src/PutImage.c
|
||||
@@ -914,8 +914,9 @@ PutSubImage (
|
||||
req_width, req_height - SubImageHeight,
|
||||
dest_bits_per_pixel, dest_scanline_pad);
|
||||
} else {
|
||||
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
|
||||
- * dest_scanline_pad) - left_pad;
|
||||
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
|
||||
+ * dest_scanline_pad) - left_pad)
|
||||
+ / dest_bits_per_pixel;
|
||||
|
||||
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
|
||||
(unsigned int) SubImageWidth, 1,
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,59 @@
|
||||
From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
|
||||
From: Yair Mizrahi <yairm@jfrog.com>
|
||||
Date: Thu, 7 Sep 2023 16:15:32 -0700
|
||||
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
|
||||
a heap overflow
|
||||
|
||||
When the format is `Pixmap` it calculates the size of the image data as:
|
||||
ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
There is no validation on the `width` of the image, and so this
|
||||
calculation exceeds the capacity of a 4-byte integer, causing an overflow.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/ImUtil.c | 20 +++++++++++++++-----
|
||||
1 file changed, 15 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/ImUtil.c b/src/ImUtil.c
|
||||
index 36f08a03..fbfad33e 100644
|
||||
--- a/src/ImUtil.c
|
||||
+++ b/src/ImUtil.c
|
||||
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include <X11/Xlibint.h>
|
||||
#include <X11/Xutil.h>
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
#include "ImUtil.h"
|
||||
|
||||
static int _XDestroyImage(XImage *);
|
||||
@@ -361,13 +362,22 @@ XImage *XCreateImage (
|
||||
/*
|
||||
* compute per line accelerator.
|
||||
*/
|
||||
- {
|
||||
- if (format == ZPixmap)
|
||||
+ if (format == ZPixmap) {
|
||||
+ if ((INT_MAX / bits_per_pixel) < width) {
|
||||
+ Xfree(image);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
min_bytes_per_line =
|
||||
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
- else
|
||||
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
+ } else {
|
||||
+ if ((INT_MAX - offset) < width) {
|
||||
+ Xfree(image);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
min_bytes_per_line =
|
||||
- ROUNDUP((width + offset), image->bitmap_pad);
|
||||
+ ROUNDUP((width + offset), image->bitmap_pad);
|
||||
}
|
||||
if (image_bytes_per_line == 0) {
|
||||
image->bytes_per_line = min_bytes_per_line;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,40 @@
|
||||
From 623b77d4f30b47258a40f89262e5aa5d25e95fa7 Mon Sep 17 00:00:00 2001
|
||||
From: Benno Schulenberg <bensberg@telfort.nl>
|
||||
Date: Mon, 14 Feb 2022 11:33:25 +0100
|
||||
Subject: [PATCH] imDefLkup: verify that a pointer isn't NULL before using it
|
||||
|
||||
It is possible for _XimICOfXICID() to return NULL, so it is necessary
|
||||
to check this isn't actually the case before dereferencing the pointer.
|
||||
All other callers of _XimICOfXICID() do this check too.
|
||||
|
||||
(The check itself is ugly, but it follows the style of the code in the
|
||||
rest of the module.)
|
||||
|
||||
Fixes issue #45.
|
||||
|
||||
Reported-by: Bhavi Dhingra
|
||||
|
||||
Original-patch-by: Bhavi Dhingra
|
||||
|
||||
Signed-off-by: Benno Schulenberg <bensberg@telfort.nl>
|
||||
---
|
||||
modules/im/ximcp/imDefLkup.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
|
||||
index dea7f66d..dd1adf53 100644
|
||||
--- a/modules/im/ximcp/imDefLkup.c
|
||||
+++ b/modules/im/ximcp/imDefLkup.c
|
||||
@@ -88,7 +88,8 @@ _XimSetEventMaskCallback(
|
||||
|
||||
if (imid == im->private.proto.imid) {
|
||||
if (icid) {
|
||||
- ic = _XimICOfXICID(im, icid);
|
||||
+ if (!(ic = _XimICOfXICID(im, icid)))
|
||||
+ return False;
|
||||
_XimProcICSetEventMask(ic, (XPointer)&buf_s[2]);
|
||||
} else {
|
||||
_XimProcIMSetEventMask(im, (XPointer)&buf_s[2]);
|
||||
--
|
||||
2.46.0
|
||||
|
||||
@ -0,0 +1,41 @@
|
||||
From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 15:55:04 -0700
|
||||
Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
|
||||
by protocol
|
||||
|
||||
The PutImage request specifies height & width of the image as CARD16
|
||||
(unsigned 16-bit integer), same as the maximum dimensions of an X11
|
||||
Drawable, which the image is being copied to.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/PutImage.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/PutImage.c b/src/PutImage.c
|
||||
index a6db7b42..ba411e36 100644
|
||||
--- a/src/PutImage.c
|
||||
+++ b/src/PutImage.c
|
||||
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include "Xlibint.h"
|
||||
#include "Xutil.h"
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
#include "Cr.h"
|
||||
#include "ImUtil.h"
|
||||
#include "reallocarray.h"
|
||||
@@ -962,6 +963,10 @@ XPutImage (
|
||||
height = image->height - req_yoffset;
|
||||
if ((width <= 0) || (height <= 0))
|
||||
return 0;
|
||||
+ if (width > USHRT_MAX)
|
||||
+ width = USHRT_MAX;
|
||||
+ if (height > USHRT_MAX)
|
||||
+ height = USHRT_MAX;
|
||||
|
||||
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
|
||||
dest_bits_per_pixel = 1;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,47 @@
|
||||
From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 16:12:27 -0700
|
||||
Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
|
||||
dimensions
|
||||
|
||||
The CreatePixmap request specifies height & width of the image as CARD16
|
||||
(unsigned 16-bit integer), so if either is larger than that, set it to 0
|
||||
so the X server returns a BadValue error as the protocol requires.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/CrPixmap.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/src/CrPixmap.c b/src/CrPixmap.c
|
||||
index cdf31207..3cb2ca6d 100644
|
||||
--- a/src/CrPixmap.c
|
||||
+++ b/src/CrPixmap.c
|
||||
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include <config.h>
|
||||
#endif
|
||||
#include "Xlibint.h"
|
||||
+#include <limits.h>
|
||||
|
||||
#ifdef USE_DYNAMIC_XCURSOR
|
||||
void
|
||||
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
|
||||
Pixmap pid;
|
||||
register xCreatePixmapReq *req;
|
||||
|
||||
+ /*
|
||||
+ * Force a BadValue X Error if the requested dimensions are larger
|
||||
+ * than the X11 protocol has room for, since that's how callers expect
|
||||
+ * to get notified of errors.
|
||||
+ */
|
||||
+ if (width > USHRT_MAX)
|
||||
+ width = 0;
|
||||
+ if (height > USHRT_MAX)
|
||||
+ height = 0;
|
||||
+
|
||||
LockDisplay(dpy);
|
||||
GetReq(CreatePixmap, req);
|
||||
req->drawable = d;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
Loading…
Reference in new issue