[Git][xorg-team/xserver/xorg-server][debian-unstable] 8 commits: present: Send a PresentConfigureNotify event for destroyed windows

Timo Aaltonen pushed to branch debian-unstable at X Strike Force / xserver / xorg-server

Commits:

b98fc07d

by Adam Jackson at 2023-04-24T10:13:27+02:00

present: Send a PresentConfigureNotify event for destroyed windows

This enables fixing a deadlock case on the client side, where the client
ends up blocked waiting for a Present event that will never come because
the window was destroyed. The new PresentWindowDestroyed flag allows the
client to avoid blocking indefinitely.

Signed-off-by: Adam Jackson <ajax@redhat.com>
See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116
See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 462b06033e66a32308d940eb5fc47f5e4c914dc0)

2c33ee9f

by Sam James at 2023-10-23T23:30:14-04:00

Switch to libbsd-overlay

This is more portable than libbsd as everything Just Works, even on BSD systems,
and is the recommended method of consuming libbsd nowadays.

It also helpfully lets things work with glibc-provided functions for new
enough glibc.

[For the 21.1.x backport, take inspiration from @alanc's commit to libxdmcp
at https://gitlab.freedesktop.org/xorg/lib/libxdmcp/-/commit/c01da8ebd0969efd15388ce999e121127cc46f67.]

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/973
Co-authored-by: Guillem Jover <guillem@hadrons.org>
(cherry picked from commit 94945a52746ee2612c6cd394692f49e2ed5fc56b)
Signed-off-by: Sam James <sam@gentoo.org>

f2922f6f

by Peter Hutterer at 2023-10-25T10:51:17+10:00

Xi/randr: fix handling of PropModeAppend/Prepend

The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.

Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitalized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write

The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.

CVE-2023-5367, ZDI-CAN-22153

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a)

3e290b3c

by Peter Hutterer at 2023-10-25T10:51:18+10:00

mi: reset the PointerWindows reference on screen switch

PointerWindows[] keeps a reference to the last window our sprite
entered - changes are usually handled by CheckMotion().

If we switch between screens via XWarpPointer our
dev->spriteInfo->sprite->win is set to the new screen's root window.
If there's another window at the cursor location CheckMotion() will
trigger the right enter/leave events later. If there is not, it skips
that process and we never trigger LeaveWindow() - PointerWindows[] for
the device still refers to the previous window.

If that window is destroyed we have a dangling reference that will
eventually cause a use-after-free bug when checking the window hierarchy
later.

To trigger this, we require:
- two protocol screens
- XWarpPointer to the other screen's root window
- XDestroyWindow before entering any other window

This is a niche bug so we hack around it by making sure we reset the
PointerWindows[] entry so we cannot have a dangling pointer. This
doesn't handle Enter/Leave events correctly but the previous code didn't
either.

CVE-2023-5380, ZDI-CAN-21608

This vulnerability was discovered by:
Sri working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 564ccf2ce9616620456102727acb8b0256b7bbd7)

6197bea0

by Peter Hutterer at 2023-10-25T11:05:28+10:00

xserver 21.1.9

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

944cd44c

by Timo Aaltonen at 2023-10-25T10:38:20+03:00

Merge branch 'upstream-unstable' into debian-unstable

2fa4d26b
by Timo Aaltonen at 2023-10-25T10:39:32+03:00
```
version bump
```
dd2d222c
by Timo Aaltonen at 2023-10-25T10:43:07+03:00
```
release to sid
```

Changes:

Xi/xiproperty.c

@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
                  XIDestroyDeviceProperty(prop);
              return BadAlloc;
+         }
 -        new_value.size = len;
 +        new_value.size = total_len;
          new_value.type = type;
          new_value.format = format;
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
          case PropModePrepend:
              new_data = new_value.data;
              old_data = (void *) (((char *) new_value.data) +
 -                                  (prop_value->size * size_in_bytes));
 +                                  (len * size_in_bytes));
              break;
+         }
          if (new_data)

configure.ac

@@ -26,8 +26,8 @@ dnl
  dnl Process this file with autoconf to create configure.
  AC_PREREQ(2.60)
 -AC_INIT([xorg-server], 21.1.8, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
 -RELEASE_DATE="2023-03-29"
 +AC_INIT([xorg-server], 21.1.9, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
 +RELEASE_DATE="2023-10-25"
  RELEASE_NAME="Caramel Ice Cream"
  AC_CONFIG_SRCDIR([Makefile.am])
  AC_CONFIG_MACRO_DIR([m4])
@@ -164,8 +164,16 @@ AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup\
  	timingsafe_memcmp])
  AM_CONDITIONAL(POLL, [test "x$ac_cv_func_poll" = "xyes"])
 -AC_CHECK_LIB([bsd], [arc4random_buf])
 -AC_CHECK_FUNCS([arc4random_buf])
 +# Checks for non-standard functions and fallback to libbsd if we can
 +# We only check for arc4random_buf, because if we have that, we don't
 +# need/use getentropy.
 +AC_LINK_IFELSE([AC_LANG_CALL([], [arc4random_buf])],
 +               [TRY_LIBBSD="no"], [TRY_LIBBSD="yes"])
 +AS_IF([test "x$TRY_LIBBSD" = "xyes"],
 +      [PKG_CHECK_MODULES([LIBBSD], [libbsd-overlay], [
 +	CFLAGS="$CFLAGS $LIBBSD_CFLAGS"
 +	LIBS="$LIBS $LIBBSD_LIBS"
 +], [:])])
  AC_CHECK_DECLS([program_invocation_short_name], [], [], [[#include <errno.h>]])

debian/changelog

 +xorg-server (2:21.1.9-1) unstable; urgency=medium
++
 +  * New upstream release.
 +    - CVE-2023-5367
 +    - CVE-2023-5380
 +    - CVE-2023-5574
++
 + -- Timo Aaltonen <tjaalton@debian.org>  Wed, 25 Oct 2023 10:43:00 +0300
++
  xorg-server (2:21.1.8-1) unstable; urgency=medium
    * patches: Drop an obsolete patch. (Closes: #1034413)

dix/enterleave.h

@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
  extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
 -extern void LeaveWindow(DeviceIntPtr dev);
+-
  extern void CoreFocusEvent(DeviceIntPtr kbd,
                             int type, int mode, int detail, WindowPtr pWin);

include/eventstr.h

@@ -335,4 +335,7 @@ union _InternalEvent {
      GestureEvent gesture_event;
  };
 +extern void
 +LeaveWindow(DeviceIntPtr dev);
++
  #endif

include/os.h

@@ -50,16 +50,13 @@ SOFTWARE.
  #include "misc.h"
  #include <stdarg.h>
  #include <stdint.h>
 +#if defined(HAVE_REALLOCARRAY)
 +#include <stdlib.h>       /* for reallocarray */
 +#endif
  #include <string.h>
  #ifdef MONOTONIC_CLOCK
  #include <time.h>
  #endif
 -#if defined(HAVE_LIBBSD) && defined(HAVE_REALLOCARRAY)
 -#include <bsd/stdlib.h>       /* for reallocarray */
 -#endif
 -#if defined(HAVE_LIBBSD) && defined(HAVE_STRLCPY)
 -#include <bsd/string.h>       /* for strlcpy, strlcat */
 -#endif
  #define SCREEN_SAVER_ON   0
  #define SCREEN_SAVER_OFF  1

meson.build

@@ -3,10 +3,10 @@ project('xserver', 'c',
              'buildtype=debugoptimized',
              'c_std=gnu99',
          ],
 -        version: '21.1.8',
 +        version: '21.1.9',
          meson_version: '>= 0.47.0',
+ )
 -release_date = '2023-03-29'
 +release_date = '2023-10-25'
  add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
  cc = meson.get_compiler('c')
@@ -96,7 +96,7 @@ applewmproto_dep = dependency('applewmproto', version: '>= 1.4', fallback: ['xor
  xshmfence_dep = dependency('xshmfence', version: '>= 1.1', required: false)
  pixman_dep = dependency('pixman-1')
 -libbsd_dep = dependency('libbsd', required: false)
 +libbsd_dep = dependency('libbsd-overlay', required: false)
  xkbcomp_dep = dependency('xkbcomp', required: false)
  xkbfile_dep = dependency('xkbfile')
  xfont2_dep = dependency('xfont2', version: '>= 2.0')

mi/mipointer.c

@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
  #ifdef PANORAMIX
          && noPanoramiXExtension
  #endif
 -        )
 -        UpdateSpriteForScreen(pDev, pScreen);
 +        ) {
 +            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
 +            /* Hack for CVE-2023-5380: if we're moving
 +             * screens PointerWindows[] keeps referring to the
 +             * old window. If that gets destroyed we have a UAF
 +             * bug later. Only happens when jumping from a window
 +             * to the root window on the other screen.
 +             * Enter/Leave events are incorrect for that case but
 +             * too niche to fix.
 +             */
 +            LeaveWindow(pDev);
 +            if (master)
 +                LeaveWindow(master);
 +            UpdateSpriteForScreen(pDev, pScreen);
 +    }
+ }
  /**

os/auth.c

@@ -46,9 +46,7 @@ from The Open Group.
  #ifdef WIN32
  #include    <X11/Xw32defs.h>
  #endif
 -#ifdef HAVE_LIBBSD
 -#include   <bsd/stdlib.h>       /* for arc4random_buf() */
 -#endif
 +#include   <stdlib.h>       /* for arc4random_buf() */
  struct protocol {
      unsigned short name_length;

present/present_event.c

@@ -102,7 +102,8 @@ present_event_swap(xGenericEvent *from, xGenericEvent *to)
+ }
  void
 -present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling)
 +present_send_config_notify(WindowPtr window, int x, int y, int w, int h,
 +                           int bw, WindowPtr sibling, CARD32 flags)
+ {
      present_window_priv_ptr window_priv = present_window_priv(window);
@@ -122,7 +123,7 @@ present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw,
              .off_y = 0,
              .pixmap_width = w,
              .pixmap_height = h,
 -            .pixmap_flags = 0
 +            .pixmap_flags = flags
          };
          present_event_ptr event;

present/present_priv.h

@@ -43,6 +43,11 @@
  #define DebugPresent(x)
  #endif
 +/* XXX this belongs in presentproto */
 +#ifndef PresentWindowDestroyed
 +#define PresentWindowDestroyed (1 << 0)
 +#endif
++
  extern int present_request;
  extern DevPrivateKeyRec present_screen_private_key;
@@ -307,7 +312,7 @@ void
  present_free_events(WindowPtr window);
  void
 -present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling);
 +present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling, CARD32 flags);
  void
  present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc);

present/present_screen.c

@@ -93,6 +93,15 @@ present_destroy_window(WindowPtr window)
      present_screen_priv_ptr screen_priv = present_screen_priv(screen);
      present_window_priv_ptr window_priv = present_window_priv(window);
 +    present_send_config_notify(window,
 +                               window->drawable.x,
 +                               window->drawable.y,
 +                               window->drawable.width,
 +                               window->drawable.height,
 +                               window->borderWidth,
 +                               window->nextSib,
 +                               PresentWindowDestroyed);
++
      if (window_priv) {
          present_clear_window_notifies(window);
          present_free_events(window);
@@ -123,7 +132,7 @@ present_config_notify(WindowPtr window,
      ScreenPtr screen = window->drawable.pScreen;
      present_screen_priv_ptr screen_priv = present_screen_priv(screen);
 -    present_send_config_notify(window, x, y, w, h, bw, sibling);
 +    present_send_config_notify(window, x, y, w, h, bw, sibling, 0);
      unwrap(screen_priv, screen, ConfigNotify);
      if (screen->ConfigNotify)

randr/rrproperty.c

@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
                  RRDestroyOutputProperty(prop);
              return BadAlloc;
+         }
 -        new_value.size = len;
 +        new_value.size = total_len;
          new_value.type = type;
          new_value.format = format;
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
          case PropModePrepend:
              new_data = new_value.data;
              old_data = (void *) (((char *) new_value.data) +
 -                                  (prop_value->size * size_in_bytes));
 +                                  (len * size_in_bytes));
              break;
+         }
          if (new_data)