import tigervnc-1.14.0-2.el9

i9-beta changed/i9-beta/tigervnc-1.14.0-2.el9.inferit
Arkady L. Shane 2 months ago
parent 89d5fd3721
commit 71b730989d
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503

2
.gitignore vendored

@ -1 +1 @@
SOURCES/tigervnc-1.13.1.tar.gz SOURCES/tigervnc-1.14.0.tar.gz

@ -1 +1 @@
6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz 9e67944113159da85f42c24b43f40b842f23feb3 SOURCES/tigervnc-1.14.0.tar.gz

@ -0,0 +1,24 @@
From 4f6a3521874da5a67fd746389cfa9b6199eb3582 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Mon, 29 Jul 2024 16:16:08 +0200
Subject: [PATCH] Add missing comma in default security type list
Otherwise it merges with the next entry, removing both of them from the
default list.
---
common/rfb/SecurityClient.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/rfb/SecurityClient.cxx b/common/rfb/SecurityClient.cxx
index 12860662f..63e0cadc0 100644
--- a/common/rfb/SecurityClient.cxx
+++ b/common/rfb/SecurityClient.cxx
@@ -60,7 +60,7 @@ StringParameter SecurityClient::secTypes
"X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone,"
#endif
#ifdef HAVE_NETTLE
- "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII"
+ "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII,"
#endif
"VncAuth,None",
ConfViewer);

@ -0,0 +1,29 @@
From 6d9017eeb364491cf2acdf1c7e61aee8dd198527 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Fri, 30 Aug 2024 16:15:09 +0200
Subject: [PATCH] Correctly handle ZRLE cursors
Cursor data has a depth of 32 bits and hence cannot use CPIXELs.
This is a regression from baca73d.
---
common/rfb/ZRLEDecoder.cxx | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/rfb/ZRLEDecoder.cxx b/common/rfb/ZRLEDecoder.cxx
index 474fd6ca1..e274a697a 100644
--- a/common/rfb/ZRLEDecoder.cxx
+++ b/common/rfb/ZRLEDecoder.cxx
@@ -125,10 +125,10 @@ void ZRLEDecoder::zrleDecode(const Rect& r, rdr::InStream* is,
Pixel maxPixel = pf.pixelFromRGB((uint16_t)-1, (uint16_t)-1, (uint16_t)-1);
bool fitsInLS3Bytes = maxPixel < (1<<24);
bool fitsInMS3Bytes = (maxPixel & 0xff) == 0;
- bool isLowCPixel = (sizeof(T) == 4) &&
+ bool isLowCPixel = (sizeof(T) == 4) && (pf.depth <= 24) &&
((fitsInLS3Bytes && pf.isLittleEndian()) ||
(fitsInMS3Bytes && pf.isBigEndian()));
- bool isHighCPixel = (sizeof(T) == 4) &&
+ bool isHighCPixel = (sizeof(T) == 4) && (pf.depth <= 24) &&
((fitsInLS3Bytes && pf.isBigEndian()) ||
(fitsInMS3Bytes && pf.isLittleEndian()));

@ -0,0 +1,27 @@
From 445e0230cf4e939dcc59caf5d5f001c2f7b04da6 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 15 Aug 2024 14:24:42 +0200
Subject: [PATCH] Handle existing config directory in vncpasswd
This fixes commit a79c33d.
---
unix/vncpasswd/vncpasswd.cxx | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
index 6666955f1..9f794e129 100644
--- a/unix/vncpasswd/vncpasswd.cxx
+++ b/unix/vncpasswd/vncpasswd.cxx
@@ -213,8 +213,10 @@ int main(int argc, char** argv)
exit(1);
}
if (os::mkdir_p(configDir, 0777) == -1) {
- fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno));
- exit(1);
+ if (errno != EEXIST) {
+ fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno));
+ exit(1);
+ }
}
snprintf(fname, sizeof(fname), "%s/passwd", configDir);
}

@ -0,0 +1,29 @@
From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com>
Date: Thu, 25 Jul 2024 18:39:59 -0300
Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set
An empty shell field in the password file is valid, although not common.
Use /bin/sh in this case, as documented in the passwd(5) man page, since
the vncserver script requires a non-empty SHELL environment variable.
Fixes issue #1786.
Signed-off-by: Carlos Santos <casantos@redhat.com>
---
unix/vncserver/vncsession.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 1ee096c7c..98a0432aa 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp)
// Set up some basic environment for the script
setenv("HOME", pwent->pw_dir, 1);
- setenv("SHELL", pwent->pw_shell, 1);
+ setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1);
setenv("LOGNAME", pwent->pw_name, 1);
setenv("USER", pwent->pw_name, 1);
setenv("USERNAME", pwent->pw_name, 1);

@ -1,6 +1,7 @@
diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac diff --git a/configure.ac b/configure.ac
--- xserver/configure.ac.xserver116-rebased 2016-09-29 13:14:45.595441590 +0200 index 0909cc5b4..c01873200 100644
+++ xserver/configure.ac 2016-09-29 13:14:45.631442006 +0200 --- a/configure.ac
+++ b/configure.ac
@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x @@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
AC_CONFIG_HEADERS(include/version-config.h) AC_CONFIG_HEADERS(include/version-config.h)
@ -9,35 +10,30 @@ diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac
AC_PROG_LN_S AC_PROG_LN_S
LT_PREREQ([2.2]) LT_PREREQ([2.2])
LT_INIT([disable-static win32-dll]) LT_INIT([disable-static win32-dll])
@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then @@ -1735,6 +1736,14 @@ if test "x$XVFB" = xyes; then
AC_SUBST([XVFB_SYS_LIBS]) AC_SUBST([XVFB_SYS_LIBS])
fi fi
+dnl Xvnc DDX +dnl Xvnc DDX
+AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"])
+AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"]) +AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
+AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"]) +AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
+
+PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
+if test "x$GBM" = xyes; then
+ AC_DEFINE(HAVE_GBM, 1, [Have GBM support])
+fi
dnl Xnest DDX dnl Xnest DDX
@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then @@ -2058,7 +2067,6 @@ if test "x$GLAMOR" = xyes; then
fi [AC_DEFINE(GLAMOR_HAS_EGL_QUERY_DRIVER, 1, [Have GLAMOR_HAS_EGL_QUERY_DRIVER])],
AC_MSG_RESULT([$XORG]) [])
+AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) - PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
+ if test "x$GBM" = xyes; then
if test "x$XORG" = xyes; then AC_DEFINE(GLAMOR_HAS_GBM, 1,
XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common' [Build glamor with GBM-based EGL support])
XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os' @@ -2523,6 +2531,7 @@ hw/dmx/Makefile
@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then
AC_DEFINE(XORG_SERVER, 1, [Building Xorg server])
AC_DEFINE(XORGSERVER, 1, [Building Xorg server])
AC_DEFINE(XFree86Server, 1, [Building XFree86 server])
- AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs])
AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions])
AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server])
@@ -2691,6 +2697,7 @@ hw/dmx/Makefile
hw/dmx/man/Makefile hw/dmx/man/Makefile
hw/vfb/Makefile hw/vfb/Makefile
hw/vfb/man/Makefile hw/vfb/man/Makefile
@ -45,47 +41,98 @@ diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac
hw/xnest/Makefile hw/xnest/Makefile
hw/xnest/man/Makefile hw/xnest/man/Makefile
hw/xwin/Makefile hw/xwin/Makefile
diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am diff --git a/dri3/Makefile.am b/dri3/Makefile.am
--- xserver/hw/Makefile.am.xserver116-rebased 2016-09-29 13:14:45.601441659 +0200 index e47a734e0..99c3718a5 100644
+++ xserver/hw/Makefile.am 2016-09-29 13:14:45.631442006 +0200 --- a/dri3/Makefile.am
@@ -38,7 +38,8 @@ SUBDIRS = \ +++ b/dri3/Makefile.am
$(DMX_SUBDIRS) \ @@ -1,7 +1,7 @@
$(KDRIVE_SUBDIRS) \ noinst_LTLIBRARIES = libdri3.la
$(XQUARTZ_SUBDIRS) \ AM_CFLAGS = \
- $(XWAYLAND_SUBDIRS) - -DHAVE_XORG_CONFIG_H \
+ $(XWAYLAND_SUBDIRS) \ - @DIX_CFLAGS@ @XORG_CFLAGS@
+ vnc + @DIX_CFLAGS@ \
+ @LIBDRM_CFLAGS@
libdri3_la_SOURCES = \
dri3.h \
diff --git a/dri3/dri3.c b/dri3/dri3.c
index ba32facd7..191252969 100644
--- a/dri3/dri3.c
+++ b/dri3/dri3.c
@@ -20,10 +20,6 @@
* OF THIS SOFTWARE.
*/
-#ifdef HAVE_XORG_CONFIG_H
-#include <xorg-config.h>
-#endif
-
#include "dri3_priv.h"
DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland #include <drm_fourcc.h>
diff --git a/dri3/dri3_priv.h b/dri3/dri3_priv.h
index b087a9529..f319d1770 100644
--- a/dri3/dri3_priv.h
+++ b/dri3/dri3_priv.h
@@ -23,6 +23,7 @@
#ifndef _DRI3PRIV_H_
#define _DRI3PRIV_H_
diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c +#include "dix-config.h"
index 5596e21..003fc3c 100644 #include <X11/X.h>
--- xserver/mi/miinitext.c #include "scrnintstr.h"
+++ xserver/mi/miinitext.c #include "misc.h"
@@ -107,8 +107,15 @@ SOFTWARE. diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
#include "os.h" index 958877efa..687168930 100644
#include "globals.h" --- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@@ -20,10 +20,6 @@
* OF THIS SOFTWARE.
*/
+#ifdef TIGERVNC -#ifdef HAVE_XORG_CONFIG_H
+extern void vncExtensionInit(INITARGS); -#include <xorg-config.h>
+#endif -#endif
-
#include "dri3_priv.h"
#include <syncsrv.h>
#include <unistd.h>
diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c
index b98259753..3c7e5bf60 100644
--- a/dri3/dri3_screen.c
+++ b/dri3/dri3_screen.c
@@ -20,10 +20,6 @@
* OF THIS SOFTWARE.
*/
-#ifdef HAVE_XORG_CONFIG_H
-#include <xorg-config.h>
-#endif
-
#include "dri3_priv.h"
#include <syncsdk.h>
#include <misync.h>
diff --git a/hw/Makefile.am b/hw/Makefile.am
index 19895dc77..3ecfa8b7a 100644
--- a/hw/Makefile.am
+++ b/hw/Makefile.am
@@ -44,3 +44,5 @@ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
relink:
$(AM_V_at)for i in $(SUBDIRS) ; do $(MAKE) -C $$i relink || exit 1 ; done
+ +
/* List of built-in (statically linked) extensions */ +SUBDIRS += vnc
static const ExtensionModule staticExtensions[] = { diff --git a/include/dix-config.h.in b/include/dix-config.h.in
+#ifdef TIGERVNC index f8fc67067..d53c4e72f 100644
+ {vncExtensionInit, "VNC-EXTENSION", NULL}, --- a/include/dix-config.h.in
+#endif +++ b/include/dix-config.h.in
{GEExtensionInit, "Generic Event Extension", &noGEExtension}, @@ -83,6 +83,9 @@
{ShapeExtensionInit, "SHAPE", NULL}, /* Define to 1 if you have the <fcntl.h> header file. */
#ifdef MITSHM #undef HAVE_FCNTL_H
--- xserver/include/os.h~ 2016-10-03 09:07:29.000000000 +0200
+++ xserver/include/os.h 2016-10-03 14:13:00.013654506 +0200 +/* Have GBM support */
@@ -621,7 +621,7 @@ +#undef HAVE_GBM
extern _X_EXPORT void +
LogClose(enum ExitCode error); /* Define to 1 if you have the `getdtablesize' function. */
extern _X_EXPORT Bool #undef HAVE_GETDTABLESIZE
-LogSetParameter(LogParameter param, int value);
+LogSetParameter(enum _LogParameter param, int value);
extern _X_EXPORT void
LogVWrite(int verb, const char *f, va_list args)
_X_ATTRIBUTE_PRINTF(2, 0);

@ -1,80 +0,0 @@
From a31ba141824a7649e11f0ef7673718ce559d6337 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 3 Oct 2023 11:53:05 +1000
Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.
Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitalized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
[N, N, N, ?, ?, P, P, P ] P, P
^OOB write
The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.
CVE-2023-5367, ZDI-CAN-22153
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
Xi/xiproperty.c | 4 ++--
randr/rrproperty.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 6ec419e870..563c4f31a5 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
XIDestroyDeviceProperty(prop);
return BadAlloc;
}
- new_value.size = len;
+ new_value.size = total_len;
new_value.type = type;
new_value.format = format;
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
case PropModePrepend:
new_data = new_value.data;
old_data = (void *) (((char *) new_value.data) +
- (prop_value->size * size_in_bytes));
+ (len * size_in_bytes));
break;
}
if (new_data)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index c2fb9585c6..25469f57b2 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
RRDestroyOutputProperty(prop);
return BadAlloc;
}
- new_value.size = len;
+ new_value.size = total_len;
new_value.type = type;
new_value.format = format;
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
case PropModePrepend:
new_data = new_value.data;
old_data = (void *) (((char *) new_value.data) +
- (prop_value->size * size_in_bytes));
+ (len * size_in_bytes));
break;
}
if (new_data)
--
2.41.0

@ -1,99 +0,0 @@
From 004f461c440cb6611eefb48fbbb4fa53a6d49f80 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 5 Oct 2023 12:19:45 +1000
Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
switch
PointerWindows[] keeps a reference to the last window our sprite
entered - changes are usually handled by CheckMotion().
If we switch between screens via XWarpPointer our
dev->spriteInfo->sprite->win is set to the new screen's root window.
If there's another window at the cursor location CheckMotion() will
trigger the right enter/leave events later. If there is not, it skips
that process and we never trigger LeaveWindow() - PointerWindows[] for
the device still refers to the previous window.
If that window is destroyed we have a dangling reference that will
eventually cause a use-after-free bug when checking the window hierarchy
later.
To trigger this, we require:
- two protocol screens
- XWarpPointer to the other screen's root window
- XDestroyWindow before entering any other window
This is a niche bug so we hack around it by making sure we reset the
PointerWindows[] entry so we cannot have a dangling pointer. This
doesn't handle Enter/Leave events correctly but the previous code didn't
either.
CVE-2023-5380, ZDI-CAN-21608
This vulnerability was discovered by:
Sri working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
---
dix/enterleave.h | 2 --
include/eventstr.h | 3 +++
mi/mipointer.c | 17 +++++++++++++++--
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/dix/enterleave.h b/dix/enterleave.h
index 4b833d8a3b..e8af924c68 100644
--- a/dix/enterleave.h
+++ b/dix/enterleave.h
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
-extern void LeaveWindow(DeviceIntPtr dev);
-
extern void CoreFocusEvent(DeviceIntPtr kbd,
int type, int mode, int detail, WindowPtr pWin);
diff --git a/include/eventstr.h b/include/eventstr.h
index bf3b95fe4a..2bae3b0767 100644
--- a/include/eventstr.h
+++ b/include/eventstr.h
@@ -296,4 +296,7 @@ union _InternalEvent {
#endif
};
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
#endif
diff --git a/mi/mipointer.c b/mi/mipointer.c
index 75be1aeeb8..b12ae9be1d 100644
--- a/mi/mipointer.c
+++ b/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
#ifdef PANORAMIX
&& noPanoramiXExtension
#endif
- )
- UpdateSpriteForScreen(pDev, pScreen);
+ ) {
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+ /* Hack for CVE-2023-5380: if we're moving
+ * screens PointerWindows[] keeps referring to the
+ * old window. If that gets destroyed we have a UAF
+ * bug later. Only happens when jumping from a window
+ * to the root window on the other screen.
+ * Enter/Leave events are incorrect for that case but
+ * too niche to fix.
+ */
+ LeaveWindow(pDev);
+ if (master)
+ LeaveWindow(master);
+ UpdateSpriteForScreen(pDev, pScreen);
+ }
}
/**
--
2.41.0

@ -1,74 +0,0 @@
From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 12 ++++++------
dix/devices.c | 10 ++++++++++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..54ea11a938 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
}
if (from->button->xkb_acts) {
- if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
- if (!to->button->xkb_acts)
- FatalError("[Xi] not enough memory for xkb_acts.\n");
- }
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction));
}
else {
free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index b063128df0..3f3224d626 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) {
int i;
+ int last_num_buttons = master->button->numButtons;
+
DeviceChangedEvent event = {
.header = ET_Internal,
.type = ET_DeviceChanged,
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
};
master->button->numButtons = maxbuttons;
+ if (last_num_buttons < maxbuttons) {
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(&master->button->xkb_acts[last_num_buttons],
+ 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ }
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom));
--
GitLab

@ -1,59 +0,0 @@
From 3e0222fcae552685d423914a683c1709dc5f6d6b Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 27 Nov 2023 16:27:49 +1000
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-XXXXX, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
randr/rrproperty.c | 2 +-
randr/rrproviderproperty.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
--
2.43.0

@ -1,51 +0,0 @@
From 77e294797db17845808462b588d4e7a2130196bc Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 14 Dec 2023 11:29:49 +1000
Subject: [PATCH xserver] dix: allocate enough space for logical button maps
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
each logical button currently down. Since buttons can be arbitrarily mapped
to anything up to 255 make sure we have enough bits for the maximum mapping.
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/xiquerypointer.c | 3 +--
dix/enterleave.c | 5 +++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
index 5b77b1a444..2b05ac5f39 100644
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
if (pDev->button) {
int i;
- rep.buttons_len =
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
rep.length += rep.buttons_len;
buttons = calloc(rep.buttons_len, 4);
if (!buttons)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 867ec74363..ded8679d76 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
- /* XI 2 event */
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
+ /* XI 2 event contains the logical button map - maps are CARD8
+ * so we need 256 bits for the possibly maximum mapping */
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
btlen = bytes_to_int32(btlen);
len = sizeof(xXIFocusInEvent) + btlen * 4;
--
2.43.0

@ -1,84 +0,0 @@
From 45ea0a93934c8a3760a4d68ba4ffc932375f60de Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 18 Dec 2023 14:27:50 +1000
Subject: [PATCH xserver 1/2] dix: Allocate sufficient xEvents for our
DeviceStateNotify
If a device has both a button class and a key class and numButtons is
zero, we can get an OOB write due to event under-allocation.
This function seems to assume a device has either keys or buttons, not
both. It has two virtually identical code paths, both of which assume
they're applying to the first event in the sequence.
A device with both a key and button class triggered a logic bug - only
one xEvent was allocated but the deviceStateNotify pointer was pushed on
once per type. So effectively this logic code:
int count = 1;
if (button && nbuttons > 32) count++;
if (key && nbuttons > 0) count++;
if (key && nkeys > 32) count++; // this is basically always true
// count is at 2 for our keys + zero button device
ev = alloc(count * sizeof(xEvent));
FixDeviceStateNotify(ev);
if (button)
FixDeviceStateNotify(ev++);
if (key)
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
If the device has more than 3 valuators, the OOB is pushed back - we're
off by one so it will happen when the last deviceValuator event is
written instead.
Fix this by allocating the maximum number of events we may allocate.
Note that the current behavior is not protocol-correct anyway, this
patch fixes only the allocation issue.
Note that this issue does not trigger if the device has at least one
button. While the server does not prevent a button class with zero
buttons, it is very unlikely.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
dix/enterleave.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index ded8679d76..17964b00a4 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -675,7 +675,8 @@ static void
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
{
int evcount = 1;
- deviceStateNotify *ev, *sev;
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+ deviceStateNotify *ev;
deviceKeyStateNotify *kev;
deviceButtonStateNotify *bev;
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
}
}
- sev = ev = xallocarray(evcount, sizeof(xEvent));
+ ev = sev;
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
if (b != NULL) {
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
DeviceStateNotifyMask, NullGrab);
- free(sev);
}
void
--
2.43.0

@ -1,216 +0,0 @@
From 4c7a16b089b721b9c07f4ed593deba4f22158dbf Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 18 Dec 2023 12:26:20 +1000
Subject: [PATCH xserver 2/2] dix: fix DeviceStateNotify event calculation
The previous code only made sense if one considers buttons and keys to
be mutually exclusive on a device. That is not necessarily true, causing
a number of issues.
This function allocates and fills in the number of xEvents we need to
send the device state down the wire. This is split across multiple
32-byte devices including one deviceStateNotify event and optional
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
deviceValuator events.
The previous behavior would instead compose a sequence
of [state, buttonstate, state, keystate, valuator...]. This is not
protocol correct, and on top of that made the code extremely convoluted.
Fix this by streamlining: add both button and key into the deviceStateNotify
and then append the key state and button state, followed by the
valuators. Finally, the deviceValuator events contain up to 6 valuators
per event but we only ever sent through 3 at a time. Let's double that
troughput.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
dix/enterleave.c | 119 ++++++++++++++++++++---------------------------
1 file changed, 51 insertions(+), 68 deletions(-)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 17964b00a4..7b7ba1098b 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
ev->type = DeviceValuator;
ev->deviceid = dev->id;
- ev->num_valuators = nval < 3 ? nval : 3;
+ ev->num_valuators = nval < 6 ? nval : 6;
ev->first_valuator = first;
switch (ev->num_valuators) {
+ case 6:
+ ev->valuator5 = v->axisVal[first + 5];
+ case 5:
+ ev->valuator4 = v->axisVal[first + 4];
+ case 4:
+ ev->valuator3 = v->axisVal[first + 3];
case 3:
ev->valuator2 = v->axisVal[first + 2];
case 2:
@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
ev->valuator0 = v->axisVal[first];
break;
}
- first += ev->num_valuators;
}
static void
@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
ev->num_buttons = b->numButtons;
memcpy((char *) ev->buttons, (char *) b->down, 4);
}
- else if (k) {
+ if (k) {
ev->classes_reported |= (1 << KeyClass);
ev->num_keys = k->xkbInfo->desc->max_key_code -
k->xkbInfo->desc->min_key_code;
@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
}
}
-
+/**
+ * The device state notify event is split across multiple 32-byte events.
+ * The first one contains the first 32 button state bits, the first 32
+ * key state bits, and the first 3 valuator values.
+ *
+ * If a device has more than that, the server sends out:
+ * - one deviceButtonStateNotify for buttons 32 and above
+ * - one deviceKeyStateNotify for keys 32 and above
+ * - one deviceValuator event per 6 valuators above valuator 4
+ *
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
+ */
static void
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
{
+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
+ * and one deviceValuator for each 6 valuators */
+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
int evcount = 1;
- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
- deviceStateNotify *ev;
- deviceKeyStateNotify *kev;
- deviceButtonStateNotify *bev;
+ deviceStateNotify *ev = sev;
KeyClassPtr k;
ButtonClassPtr b;
@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
if ((b = dev->button) != NULL) {
nbuttons = b->numButtons;
- if (nbuttons > 32)
+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
evcount++;
}
if ((k = dev->key) != NULL) {
nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
- if (nkeys > 32)
+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
evcount++;
- if (nbuttons > 0) {
- evcount++;
- }
}
if ((v = dev->valuator) != NULL) {
nval = v->numAxes;
-
- if (nval > 3)
- evcount++;
- if (nval > 6) {
- if (!(k && b))
- evcount++;
- if (nval > 9)
- evcount += ((nval - 7) / 3);
- }
+ /* first three are encoded in deviceStateNotify, then
+ * it's 6 per deviceValuator event */
+ evcount += ((nval - 3) + 6)/6;
}
- ev = sev;
- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
- if (b != NULL) {
- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
- first += 3;
- nval -= 3;
- if (nbuttons > 32) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- bev = (deviceButtonStateNotify *) ev++;
- bev->type = DeviceButtonStateNotify;
- bev->deviceid = dev->id;
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
- DOWN_LENGTH - 4);
- }
- if (nval > 0) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
- first += 3;
- nval -= 3;
- }
+ FixDeviceStateNotify(dev, ev, k, b, v, first);
+
+ if (b != NULL && nbuttons > 32) {
+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
+ (ev - 1)->deviceid |= MORE_EVENTS;
+ bev->type = DeviceButtonStateNotify;
+ bev->deviceid = dev->id;
+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+ DOWN_LENGTH - 4);
}
- if (k != NULL) {
- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
- first += 3;
- nval -= 3;
- if (nkeys > 32) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- kev = (deviceKeyStateNotify *) ev++;
- kev->type = DeviceKeyStateNotify;
- kev->deviceid = dev->id;
- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
- }
- if (nval > 0) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
- first += 3;
- nval -= 3;
- }
+ if (k != NULL && nkeys > 32) {
+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
+ (ev - 1)->deviceid |= MORE_EVENTS;
+ kev->type = DeviceKeyStateNotify;
+ kev->deviceid = dev->id;
+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
}
+ first = 3;
+ nval -= 3;
while (nval > 0) {
- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
- first += 3;
- nval -= 3;
- if (nval > 0) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
- first += 3;
- nval -= 3;
- }
+ ev->deviceid |= MORE_EVENTS;
+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
+ first += 6;
+ nval -= 6;
}
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
--
2.43.0

@ -1,37 +0,0 @@
From 061eb684996627347acdf87ec11d108cedee71b6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 21 Dec 2023 13:48:10 +1000
Subject: [PATCH xserver] Xi: when creating a new ButtonClass, set the number
of buttons
There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.
Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 54ea11a938..e161714682 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
to->button = calloc(1, sizeof(ButtonClassRec));
if (!to->button)
FatalError("[Xi] no memory for class shift.\n");
+ to->button->numButtons = from->button->numButtons;
}
else
classes->button = NULL;
--
2.43.0

@ -1,109 +0,0 @@
From a483b5c7724469309e3df427730cbb8b805b9c9f Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 4 Jan 2024 10:01:24 +1000
Subject: [PATCH xserver] Xi: flush hierarchy events after adding/removing
master devices
The `XISendDeviceHierarchyEvent()` function allocates space to store up
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to `info`.
Since this case can occur for every device ID at once, a total of two
times `MAXDEVICES` info structures might be written to the allocation.
To avoid it, once one add/remove master is processed, send out the
device hierarchy event for the current state and continue. That event
thus only ever has exactly one of either added/removed in it (and
optionally slave attached/detached).
CVE-2024-21885, ZDI-CAN-22744
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/xichangehierarchy.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 01eb7a8af4..67eedddec6 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -340,6 +340,11 @@ ProcXIChangeHierarchy(ClientPtr client)
size_t len; /* length of data remaining in request */
int rc = Success;
int flags[MAXDEVICES] = { 0 };
+ enum {
+ NO_CHANGE,
+ FLUSH,
+ CHANGED,
+ } changes = NO_CHANGE;
REQUEST(xXIChangeHierarchyReq);
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
@@ -389,8 +394,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = add_master(client, c, flags);
if (rc != Success)
goto unwind;
- }
+ changes = FLUSH;
break;
+ }
case XIRemoveMaster:
{
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
@@ -399,8 +405,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
- }
+ changes = FLUSH;
break;
+ }
case XIDetachSlave:
{
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
@@ -409,8 +416,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
- }
+ changes = CHANGED;
break;
+ }
case XIAttachSlave:
{
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
+ changes = CHANGED;
+ break;
}
+ default:
break;
}
+ if (changes == FLUSH) {
+ XISendDeviceHierarchyEvent(flags);
+ memset(flags, 0, sizeof(flags));
+ changes = NO_CHANGE;
+ }
+
len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
}
unwind:
-
- XISendDeviceHierarchyEvent(flags);
+ if (changes != NO_CHANGE)
+ XISendDeviceHierarchyEvent(flags);
return rc;
}
--
2.43.0

@ -1,70 +0,0 @@
From 4e0e99ef60f07757756913221847a26c71afc3e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Fri, 22 Dec 2023 18:28:31 +0100
Subject: [PATCH] Xi: do not keep linked list pointer during recursion
The `DisableDevice()` function is called whenever an enabled device
is disabled and it moves the device from the `inputInfo.devices` linked
list to the `inputInfo.off_devices` linked list.
However, its link/unlink operation has an issue during the recursive
call to `DisableDevice()` due to the `prev` pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of device in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
Simplify the code that checked whether the device passed to
`DisableDevice()` was in `inputInfo.devices` or not and find the
previous device after the recursion.
CVE-2024-21886, ZDI-CAN-22840
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
dix/devices.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/dix/devices.c b/dix/devices.c
index 3f3224d62..3a64d8702 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -451,14 +451,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
{
DeviceIntPtr *prev, other;
BOOL enabled;
+ BOOL dev_in_devices_list = FALSE;
int flags[MAXDEVICES] = { 0 };
if (!dev->enabled)
return TRUE;
- for (prev = &inputInfo.devices;
- *prev && (*prev != dev); prev = &(*prev)->next);
- if (*prev != dev)
+ for (other = inputInfo.devices; other; other = other->next) {
+ if (other == dev) {
+ dev_in_devices_list = TRUE;
+ break;
+ }
+ }
+
+ if (!dev_in_devices_list)
return FALSE;
TouchEndPhysicallyActiveTouches(dev);
@@ -509,6 +515,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
LeaveWindow(dev);
SetFocusOut(dev);
+ for (prev = &inputInfo.devices;
+ *prev && (*prev != dev); prev = &(*prev)->next);
+
*prev = dev->next;
dev->next = inputInfo.off_devices;
inputInfo.off_devices = dev;
--
2.43.0

@ -1,53 +0,0 @@
From 1a5e3c3e68d4f965077ea6a40ba57cc0d5a4e8cb Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 5 Jan 2024 09:40:27 +1000
Subject: [PATCH xserver] dix: when disabling a master, float disabled slaved
devices too
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.
And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().
Related to CVE-2024-21886, ZDI-CAN-22840
---
dix/devices.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/dix/devices.c b/dix/devices.c
index c7fa8fad69..87f4d4a213 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -482,6 +482,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
flags[other->id] |= XISlaveDetached;
}
}
+
+ for (other = inputInfo.off_devices; other; other = other->next) {
+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+ AttachDevice(NULL, other, NULL);
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
}
else {
for (other = inputInfo.devices; other; other = other->next) {
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
dev->master = NULL;
}
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+ if (!IsMaster(dev) && !IsFloating(dev))
+ dev->master = NULL;
+ }
+
CloseDeviceList(&inputInfo.devices);
CloseDeviceList(&inputInfo.off_devices);
--
2.43.0

@ -1,77 +0,0 @@
From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Sun, 19 Dec 2021 18:11:07 +0200
Subject: [PATCH] dix: Fix use after free in input device shutdown
This fixes access to freed heap memory via dev->master. E.g. when
running BarrierNotify.ReceivesNotifyEvents/7 test from
xorg-integration-tests:
==24736==ERROR: AddressSanitizer: heap-use-after-free on address
0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
READ of size 4 at 0x619000065020 thread T0
#0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
#1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
#2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
../../../Xi/xichangehierarchy.c:95
#4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
../../../hw/xfree86/common/xf86Xinput.c:1142
#6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
#7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
#8 0x55c450e837ef in dix_main ../../../dix/main.c:302
#9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
#11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
0x619000065020 is located 160 bytes inside of 912-byte region
[0x619000064f80,0x619000065310)
freed by thread T0 here:
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
#2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
../../../hw/xfree86/common/xf86Xinput.c:1142
#4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
#5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
#6 0x55c450e837ef in dix_main ../../../dix/main.c:302
#7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
previously allocated by thread T0 here:
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
#2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
#3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
../../../Xi/xichangehierarchy.c:465
#5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
#6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
#7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
#8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
The problem is caused by dev->master being not reset when disabling the
device, which then causes dangling pointer when the master device itself
is being deleted when exiting whole server.
Note that RecalculateMasterButtons() requires dev->master to be still
valid, so we can reset it only at the end of function.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
---
dix/devices.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/dix/devices.c b/dix/devices.c
index e62c34c55..5f9ce1678 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
}
RecalculateMasterButtons(dev);
+ dev->master = NULL;
return TRUE;
}
--
2.43.0

@ -4,8 +4,8 @@
%global modulename vncsession %global modulename vncsession
Name: tigervnc Name: tigervnc
Version: 1.13.1 Version: 1.14.0
Release: 3%{?dist}.6.inferit Release: 2%{?dist}.inferit
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -26,34 +26,25 @@ Patch1: tigervnc-use-gnome-as-default-session.patch
Patch2: tigervnc-vncsession-restore-script-systemd-service.patch Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
# Upstream patches # Upstream patches
Patch50: tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
Patch51: tigervnc-add-missing-coma-in-default-security-type-list.patch
Patch52: tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
Patch53: tigervnc-handle-existing-config-directory-in-vncpasswd.patch
Patch54: tigervnc-correctly-handle-zrle-cursors.patch
# Upstreamable patches # Upstreamable patches
Patch50: tigervnc-dont-get-pointer-position-for-floating-device.patch Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch Patch100: tigervnc-xserver120.patch
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
Patch101: 0001-rpath-hack.patch Patch101: 0001-rpath-hack.patch
# Xorg CVEs # XServer patches
Patch200: xorg-CVE-2023-5367.patch
Patch201: xorg-CVE-2023-5380.patch
Patch202: xorg-CVE-2023-6377.patch
Patch203: xorg-CVE-2023-6478.patch
Patch204: xorg-CVE-2023-6816.patch
Patch205: xorg-CVE-2024-0229-1.patch
Patch206: xorg-CVE-2024-0229-2.patch
Patch207: xorg-CVE-2024-0229-3.patch
Patch208: xorg-CVE-2024-21885.patch
Patch209: xorg-CVE-2024-21886-1.patch
Patch210: xorg-CVE-2024-21886-2.patch
# Related to CVE-2024-21886
Patch211: xorg-dix-fix-use-after-free-in-input-device-shutdown.patch
# MSVSphere # MSVSphere
Patch500: 0001-Update-Russian-translation-for-menu.patch Patch500: 0001-Update-Russian-translation-for-menu.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gettext BuildRequires: gettext
@ -89,11 +80,13 @@ BuildRequires: libXinerama-devel
BuildRequires: libXt-devel BuildRequires: libXt-devel
BuildRequires: libXtst-devel BuildRequires: libXtst-devel
BuildRequires: libdrm-devel BuildRequires: libdrm-devel
BuildRequires: mesa-libgbm-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libxkbfile-devel BuildRequires: libxkbfile-devel
BuildRequires: libxshmfence-devel BuildRequires: libxshmfence-devel
BuildRequires: mesa-libGL-devel BuildRequires: mesa-libGL-devel
BuildRequires: xorg-x11-font-utils BuildRequires: pkgconfig(fontutil)
BuildRequires: pkgconfig(xkbcomp)
BuildRequires: xorg-x11-server-devel BuildRequires: xorg-x11-server-devel
BuildRequires: xorg-x11-server-source BuildRequires: xorg-x11-server-source
BuildRequires: xorg-x11-util-macros BuildRequires: xorg-x11-util-macros
@ -178,20 +171,15 @@ This package contains icons for TigerVNC viewer
%package selinux %package selinux
Summary: SELinux module for TigerVNC Summary: SELinux module for TigerVNC
BuildArch: noarch BuildArch: noarch
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
# Required for restorecon
Requires: policycoreutils
# Required for matchpathcon
Requires: libselinux-utils
Requires: selinux-policy
Requires: selinux-policy-%{selinuxtype} Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-base
Requires(post): selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype}
Requires(post): libselinux-utils BuildRequires: selinux-policy-devel
Requires(post): policycoreutils # Required for matchpathcon
Requires(post): policycoreutils-python-utils Requires: libselinux-utils
# Required for restorecon
Requires: policycoreutils
%{?selinux_requires}
%description selinux %description selinux
This package provides the SELinux policy module to ensure TigerVNC This package provides the SELinux policy module to ensure TigerVNC
@ -205,30 +193,24 @@ pushd unix/xserver
for all in `find . -type f -perm -001`; do for all in `find . -type f -perm -001`; do
chmod -x "$all" chmod -x "$all"
done done
%patch100 -p1 -b .xserver120-rebased # Xorg patches
%patch101 -p1 -b .rpath %patch -P100 -p1 -b .xserver120-rebased
%patch200 -p1 -b .xorg-CVE-2023-5367 %patch -P101 -p1 -b .rpath
%patch201 -p1 -b .xorg-CVE-2023-5380
%patch202 -p1 -b .xorg-CVE-2023-6377
%patch203 -p1 -b .xorg-CVE-2023-6478
%patch204 -p1 -b .xorg-CVE-2023-6816
%patch205 -p1 -b .xorg-CVE-2024-0229-1
%patch206 -p1 -b .xorg-CVE-2024-0229-2
%patch207 -p1 -b .xorg-CVE-2024-0229-3
%patch208 -p1 -b .xorg-CVE-2024-21885
%patch209 -p1 -b .xorg-CVE-2024-21886-1
%patch210 -p1 -b .xorg-CVE-2024-21886-2
%patch211 -p1 -b .xorg-dix-fix-use-after-free-in-input-device-shutdown
popd popd
%patch1 -p1 -b .use-gnome-as-default-session # Tigervnc patches
%patch2 -p1 -b .vncsession-restore-script-systemd-service %patch -P1 -p1 -b .use-gnome-as-default-session
%patch -P2 -p1 -b .vncsession-restore-script-systemd-service
# Upstream patches # Upstream patches
%patch -P50 -p1 -b .vncsession-use-bin-sh-when-shell-not-set
%patch -P51 -p1 -b .add-missing-coma-in-default-security-type-list
%patch -P52 -p1 -b .vncsession-move-existing-log-to-log-old-if-present
%patch -P53 -p1 -b .handle-existing-config-directory-in-vncpasswd
%patch -P54 -p1 -b .correctly-handle-zrle-cursors.patch
# Upstreamable patches # Upstreamable patches
%patch50 -p1 -b .dont-get-pointer-position-for-floating-device %patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device
# MSVSphere # MSVSphere
%patch500 -p1 -b .update-russian-translation-for-menu %patch500 -p1 -b .update-russian-translation-for-menu
@ -263,11 +245,10 @@ autoreconf -fiv
--with-fontdir=%{_datadir}/X11/fonts \ --with-fontdir=%{_datadir}/X11/fonts \
--with-xkb-output=%{_localstatedir}/lib/xkb \ --with-xkb-output=%{_localstatedir}/lib/xkb \
--enable-install-libxf86config \ --enable-install-libxf86config \
--enable-glx --disable-dri --enable-dri2 --disable-dri3 \ --enable-glx --disable-dri --enable-dri2 --enable-dri3 \
--disable-unit-tests \ --disable-unit-tests \
--disable-config-hal \ --disable-config-hal \
--disable-config-udev \ --disable-config-udev \
--with-dri-driver-path=%{_libdir}/dri \
--without-dtrace \ --without-dtrace \
--disable-devel-docs \ --disable-devel-docs \
--disable-selective-werror --disable-selective-werror
@ -413,48 +394,67 @@ fi
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog %changelog
* Mon Feb 05 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.13.1-3.6.inferit * Sat Oct 12 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.14.0-2.inferit
- INF-1028 Update Russian translation for menu - INF-1028 Update Russian translation for menu
* Thu Jan 25 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3.6 * Tue Jul 23 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-2
- Fix use after free related to CVE-2024-21886 - 1.14.0
Resolves: RHEL-20435 Resolves: RHEL-45316
- Move old log to log.old if present
Resolves: RHEL-54294
- Fix shared memory leak
Resolves: RHEL-55768
* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
- vncsession: use /bin/sh if the user shell is not set
Resolves: RHEL-50679
* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
- vncconfig: add option to force view-only remote client connections
Resolves: RHEL-12144
* Tue Apr 16 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
Resolves: RHEL-30756
- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
Resolves: RHEL-30768
- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
Resolves: RHEL-30762
* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
- Fix copy/paste error in the DeviceStateNotify - Fix copy/paste error in the DeviceStateNotify
Resolves: RHEL-20586 Resolves: RHEL-20533
* Fri Jan 19 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3.5
- Don't try to get pointer position when the pointer becomes a floating device
Resolves: RHEL-20435
* Fri Jan 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3.4 * Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice - Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
Resolves: RHEL-20435 Resolves: RHEL-20389
- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent - Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
Resolves: RHEL-20424 Resolves: RHEL-20383
- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access - Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
Resolves: RHEL-20586 Resolves: RHEL-20533
- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer - Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Resolves: RHEL-21247 Resolves: RHEL-21213
* Wed Dec 13 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3.3 * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
- Updated fix for CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions - Use dup() to get available file descriptor when using -inetd option
Resolves: RHEL-18413 Resolves: RHEL-19858
* Mon Dec 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3.2 * Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
- Rebuild (selinux-policy)
Resolves: RHEL-18413
Resolves: RHEL-18425
* Thu Dec 07 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3.1
- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions - Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
Resolves: RHEL-18413 Resolves: RHEL-18414
- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty - Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
Resolves: RHEL-18425 Resolves: RHEL-18426
* Thu Nov 02 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3 * Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow - Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
Resolves: RHEL-15237
- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty - Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
Resolves: RHEL-15233 Resolves: RHEL-15249
* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
- Support username alias in PlainUsers
Resolves: RHEL-8430
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2 * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
@ -465,9 +465,6 @@ fi
- 1.13.1 - 1.13.1
Resolves: bz#2175732 Resolves: bz#2175732
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.12.0-12
- Rebuilt for MSVSphere 9.1.
* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12 * Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
- SELinux: allow vncsession create .vnc directory - SELinux: allow vncsession create .vnc directory
Resolves: bz#2164703 Resolves: bz#2164703

Loading…
Cancel
Save