xorg-x11-server-xwayland/0007-fix-CVE-2024-0409.patch

From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 6 May 2024 17:27:34 +0800
Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor.

The cursor in DIX is actually split in two parts, the cursor itself and
the cursor bits, each with their own devPrivates.

The cursor itself includes the cursor bits, meaning that the cursor bits
devPrivates in within structure of the cursor.

Both Xephyr and Xwayland were using the private key for the cursor bits
to store the data for the cursor, and when using XSELINUX which comes
with its own special devPrivates, the data stored in that cursor bits'
devPrivates would interfere with the XSELINUX devPrivates data and the
SELINUX security ID would point to some other unrelated data, causing a
crash in the XSELINUX code when trying to (re)use the security ID.

CVE-2024-0409

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 hw/xwayland/xwayland-cursor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
index e3c1aaa..bd94b0c 100644
--- a/hw/xwayland/xwayland-cursor.c
+++ b/hw/xwayland/xwayland-cursor.c
@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {
 Bool
 xwl_screen_init_cursor(struct xwl_screen *xwl_screen)
 {
-    if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))
+    if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))
         return FALSE;
 
     return miPointerInitialize(xwl_screen->screen,
-- 
2.33.0
fix CVE-2023-6377 CVE-2023-6478 CVE-2023-6816 CVE-2024-0408 CVE-2024-0409 2024-05-06 17:40:27 +08:00			`From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Mon, 6 May 2024 17:27:34 +0800`
			`Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor.`

			`The cursor in DIX is actually split in two parts, the cursor itself and`
			`the cursor bits, each with their own devPrivates.`

			`The cursor itself includes the cursor bits, meaning that the cursor bits`
			`devPrivates in within structure of the cursor.`

			`Both Xephyr and Xwayland were using the private key for the cursor bits`
			`to store the data for the cursor, and when using XSELINUX which comes`
			`with its own special devPrivates, the data stored in that cursor bits'`
			`devPrivates would interfere with the XSELINUX devPrivates data and the`
			`SELINUX security ID would point to some other unrelated data, causing a`
			`crash in the XSELINUX code when trying to (re)use the security ID.`

			`CVE-2024-0409`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`---`
			`hw/xwayland/xwayland-cursor.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c`
			`index e3c1aaa..bd94b0c 100644`
			`--- a/hw/xwayland/xwayland-cursor.c`
			`+++ b/hw/xwayland/xwayland-cursor.c`
			`@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {`
			`Bool`
			`xwl_screen_init_cursor(struct xwl_screen *xwl_screen)`
			`{`
			`- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))`
			`+ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))`
			`return FALSE;`

			`return miPointerInitialize(xwl_screen->screen,`
			`--`
			`2.33.0`