[AUTO-CHERRYPICK] Add CVE-2023-5574, CVE-2023-5367 & CVE-2023-5380 patch to xorg-x11-server ver 1.20.10 - branch main (#8609)

Co-authored-by: Alberto Perez <aperezguevar@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/xorg-x11-server/CVE-2023-5367.patch

@@ -0,0 +1,44 @@
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 6ec419e..563c4f3 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb958..25469f5 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)

SPECS/xorg-x11-server/CVE-2023-5380.patch

@@ -0,0 +1,53 @@
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8..e8af924 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95f..2bae3b0 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+ 
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1ae..b12ae9b 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
++        ) {
++            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++            /* Hack for CVE-2023-5380: if we're moving
++             * screens PointerWindows[] keeps referring to the
++             * old window. If that gets destroyed we have a UAF
++             * bug later. Only happens when jumping from a window
++             * to the root window on the other screen.
++             * Enter/Leave events are incorrect for that case but
++             * too niche to fix.
++             */
++            LeaveWindow(pDev);
++            if (master)
++                LeaveWindow(master);
++            UpdateSpriteForScreen(pDev, pScreen);
++    }
+ }
+ 
+ /**

SPECS/xorg-x11-server/CVE-2023-5574.patch

@@ -0,0 +1,120 @@
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index a33bfaa..9aaec28 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3819,6 +3819,12 @@ static int indexForScanlinePad[65] = {
+     3                           /* 64 bits per scanline pad unit */
+ };
+ 
++static Bool
++DefaultCloseScreen(ScreenPtr screen)
++{
++    return TRUE;
++}
++
+ /*
+ 	grow the array of screenRecs if necessary.
+ 	call the device-supplied initialization procedure
+@@ -3878,6 +3884,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu)
+             PixmapWidthPaddingInfo[depth].notPower2 = 0;
+         }
+     }
++
++    pScreen->CloseScreen = DefaultCloseScreen;
++
+     return 0;
+ }
+ 
+diff --git a/fb/fb.h b/fb/fb.h
+index 8ab050d..404bca3 100644
+--- a/fb/fb.h
++++ b/fb/fb.h
+@@ -410,6 +410,7 @@ typedef struct {
+ #endif
+     DevPrivateKeyRec    gcPrivateKeyRec;
+     DevPrivateKeyRec    winPrivateKeyRec;
++    CloseScreenProcPtr  CloseScreen;
+ } FbScreenPrivRec, *FbScreenPrivPtr;
+ 
+ #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \
+diff --git a/fb/fbscreen.c b/fb/fbscreen.c
+index 4ab807a..831d998 100644
+--- a/fb/fbscreen.c
++++ b/fb/fbscreen.c
+@@ -29,6 +29,7 @@
+ Bool
+ fbCloseScreen(ScreenPtr pScreen)
+ {
++    FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen);
+     int d;
+     DepthPtr depths = pScreen->allowedDepths;
+ 
+@@ -37,9 +38,11 @@ fbCloseScreen(ScreenPtr pScreen)
+         free(depths[d].vids);
+     free(depths);
+     free(pScreen->visuals);
+-    if (pScreen->devPrivate)
+-        FreePixmap((PixmapPtr)pScreen->devPrivate);
+-    return TRUE;
++
++
++    pScreen->CloseScreen = screen_priv->CloseScreen;
++
++    return pScreen->CloseScreen(pScreen);
+ }
+ 
+ Bool
+@@ -144,6 +147,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize,
+                    int dpix, int dpiy, int width, int bpp)
+ #endif
+ {
++    FbScreenPrivPtr screen_priv;
+     VisualPtr visuals;
+     DepthPtr depths;
+     int nvisuals;
+@@ -178,7 +182,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize,
+                       defaultVisual, nvisuals, visuals))
+         return FALSE;
+     /* overwrite miCloseScreen with our own */
++
++    screen_priv = fbGetScreenPrivate(pScreen);
++    screen_priv->CloseScreen = pScreen->CloseScreen;
+     pScreen->CloseScreen = fbCloseScreen;
++
+     return TRUE;
+ }
+ 
+diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c
+index d9f23f3..0a47363 100644
+--- a/hw/vfb/InitOutput.c
++++ b/hw/vfb/InitOutput.c
+@@ -738,13 +738,6 @@ vfbCloseScreen(ScreenPtr pScreen)
+ 
+     pScreen->CloseScreen = pvfb->closeScreen;
+ 
+-    /*
+-     * fb overwrites miCloseScreen, so do this here
+-     */
+-    if (pScreen->devPrivate)
+-        (*pScreen->DestroyPixmap) (pScreen->devPrivate);
+-    pScreen->devPrivate = NULL;
+-
+     return pScreen->CloseScreen(pScreen);
+ }
+ 
+diff --git a/mi/miscrinit.c b/mi/miscrinit.c
+index 264622d..907e46a 100644
+--- a/mi/miscrinit.c
++++ b/mi/miscrinit.c
+@@ -242,10 +242,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits,  /* pointer to screen bits */
+     pScreen->numVisuals = numVisuals;
+     pScreen->visuals = visuals;
+     if (width) {
++        pScreen->CloseScreen = miCloseScreen;
+ #ifdef MITSHM
+         ShmRegisterFbFuncs(pScreen);
+ #endif
+-        pScreen->CloseScreen = miCloseScreen;
+     }
+     /* else CloseScreen */
+     /* QueryBestSize, SaveScreen, GetImage, GetSpans */

SPECS/xorg-x11-server/xorg-x11-server.spec

@@ -21,7 +21,7 @@
 Summary:        X.Org X11 X server
 Name:           xorg-x11-server
 Version:        1.20.10
-Release:        7%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -58,6 +58,9 @@ Patch8: CVE-2023-6377.patch
 Patch9: CVE-2023-6478.patch
 Patch10: CVE-2024-21885.patch
 Patch11: CVE-2023-6816.patch
+Patch12: CVE-2023-5574.patch
+Patch13: CVE-2023-5367.patch
+Patch14: CVE-2023-5380.patch
 
 # Backported Xwayland randr resolution change emulation support
 Patch501:       0001-dix-Add-GetCurrentClient-helper.patch
@@ -388,6 +391,15 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_datadir}/aclocal/xorg-server.m4
 
 %changelog
+* Thu Mar 28 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 1.20.10-10
+- Add patch for CVE-2023-5380
+
+* Thu Mar 28 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 1.20.10-9
+- Add patch for CVE-2023-5367
+
+* Thu Mar 28 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 1.20.10-8
+- Add patch for CVE-2023-5574
+
 * Mon Mar 12 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 1.20.10-7
 - Add patch for CVE-2023-6816