!292 Fix CVE-2024-9632

From: @wk333 
Reviewed-by: @technology208 
Signed-off-by: @technology208

0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch

@@ -0,0 +1,195 @@
+From 5836cdc9865b480be90603e3e4f6b2d604952370 Mon Sep 17 00:00:00 2001
+From: Jiakun Shuai <shuaijiakun1288@phytium.com.cn>
+Date: Mon, 20 May 2024 15:29:26 +0800
+Subject: [PATCH] phytium: xfree86: Fixed display error for ps23xx when using
+ ast and pe2201 bmc card
+
+bugzilla: https://gitee.com/openeuler/kernel/issues/I9NGXP
+
+Used in conjunction with issue number I9NGXP to fix display error
+for ps23xx when using ast and pe2201 bmc card.
+
+Signed-off-by: Jiakun Shuai <shuaijiakun1288@phytium.com.cn>
+---
+ hw/xfree86/drivers/modesetting/driver.c | 158 +++++++++++++++++++++++-
+ 1 file changed, 157 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
+index ef4a314..f9555e4 100644
+--- a/hw/xfree86/drivers/modesetting/driver.c
++++ b/hw/xfree86/drivers/modesetting/driver.c
+@@ -1143,6 +1143,162 @@ msUpdateIntersect(modesettingPtr ms, shadowBufPtr pBuf, BoxPtr box,
+     return dirty;
+ }
+ 
++static void align_memcpy(void *dest, void *source, size_t size)
++{
++    char *dst1, *dst2, *p, *src, *dst;
++
++    src = (char *)source;
++    dst = (char *)dest;
++
++    dst1 = (char *)(((unsigned long)dst + 0xf) & ~0xf);
++    dst2 = (char *)(((unsigned long)dst + size) & ~0xf);
++    p = dst;
++
++    while((p< dst1) && size){
++        *p++ = *src++;
++        size--;
++    };
++
++    memcpy(dst1, (char *)src, (size & (~0xf)));
++
++    src += (size & (~0xf));
++    size = (size & 0xf);
++
++    p = dst2;
++    while(size--){
++        *p++ = *src++;
++    };
++}
++
++#define AST_BMC_VENDOR_ID 0x1a03
++#define FT_BMC_VENDOR_ID 0x1db7
++#define FT_BMC_DEVICE_ID 0xdc3e
++#define DRM_AST_VRAM_TYPE_DEVICE 0x0
++#define DRM_IOCTL_AST_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_AST_VRAM_TYPE_DEVICE)
++#define DRM_PHYTIUM_VRAM_TYPE_DEVICE 0x0
++#define DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_PHYTIUM_VRAM_TYPE_DEVICE)
++
++static Bool device_is_ast_bmc(struct pci_device *pci)
++{
++	if (pci->vendor_id == AST_BMC_VENDOR_ID) {
++		return TRUE;
++	}
++
++	return FALSE;
++}
++
++static Bool device_is_ft_bmc(struct pci_device *pci)
++{
++	if (pci->vendor_id == FT_BMC_VENDOR_ID && pci->device_id == FT_BMC_DEVICE_ID) {
++		return TRUE;
++	}
++
++	return FALSE;
++}
++
++static void
++msshadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
++{
++    RegionPtr damage = DamageRegion(pBuf->pDamage);
++    PixmapPtr pShadow = pBuf->pPixmap;
++    int nbox = RegionNumRects(damage);
++    BoxPtr pbox = RegionRects(damage);
++    FbBits *shaBase, *shaLine, *sha;
++    FbStride shaStride;
++    int scrBase, scrLine, scr;
++    int shaBpp;
++    _X_UNUSED int shaXoff, shaYoff;
++    int x, y, w, h, width;
++    int i;
++    FbBits *winBase = NULL, *win;
++    CARD32 winSize;
++    static Bool firstQuery = TRUE;
++    static Bool forceAlign = FALSE;
++    Bool isAstBMC = FALSE;
++    Bool isFtBMC = FALSE;
++    ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
++    modesettingPtr ms = modesettingPTR(pScrn);
++    struct pci_device *pci = NULL;
++
++    if (BUS_PLATFORM == ms->pEnt->location.type) {
++        pci = ms->pEnt->location.id.plat->pdev;
++    } else if (BUS_PCI == ms->pEnt->location.type) {
++        pci = ms->pEnt->location.id.pci;
++    }
++
++    if (pci && device_is_ast_bmc(pci)) {
++        isAstBMC = TRUE;
++        if (firstQuery) {
++			if (1 == drmIoctl(ms->fd, DRM_IOCTL_AST_VRAM_TYPE_DEVICE, NULL)) {
++				forceAlign = TRUE;
++			}
++			firstQuery = FALSE;
++        }
++    } else if (pci && device_is_ft_bmc(pci)) {
++		isFtBMC = TRUE;
++		if (firstQuery) {
++			if (1 == drmIoctl(ms->fd, DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE, NULL)) {
++				forceAlign = TRUE;
++			}
++			firstQuery = FALSE;
++        }
++	}
++
++    fbGetDrawable(&pShadow->drawable, shaBase, shaStride, shaBpp, shaXoff,
++                  shaYoff);
++    while (nbox--) {
++        x = pbox->x1 * shaBpp;
++        y = pbox->y1;
++        w = (pbox->x2 - pbox->x1) * shaBpp;
++        h = pbox->y2 - pbox->y1;
++
++        scrLine = (x >> FB_SHIFT);
++        shaLine = shaBase + y * shaStride + (x >> FB_SHIFT);
++
++        x &= FB_MASK;
++        w = (w + x + FB_MASK) >> FB_SHIFT;
++
++        while (h--) {
++            winSize = 0;
++            scrBase = 0;
++            width = w;
++            scr = scrLine;
++            sha = shaLine;
++            while (width) {
++                /* how much remains in this window */
++                i = scrBase + winSize - scr;
++                if (i <= 0 || scr < scrBase) {
++                    winBase = (FbBits *) (*pBuf->window) (pScreen,
++                                                          y,
++                                                          scr * sizeof(FbBits),
++                                                          SHADOW_WINDOW_WRITE,
++                                                          &winSize,
++                                                          pBuf->closure);
++                    if (!winBase)
++                        return;
++                    scrBase = scr;
++                    winSize /= sizeof(FbBits);
++                    i = winSize;
++                }
++                win = winBase + (scr - scrBase);
++                if (i > width)
++                    i = width;
++                width -= i;
++                scr += i;
++                if ((isFtBMC || isAstBMC) && forceAlign) {
++                    align_memcpy(win, sha, i * sizeof(FbBits));
++                } else {
++                    memcpy(win, sha, i * sizeof(FbBits));
++                }
++                sha += i;
++            }
++            shaLine += shaStride;
++            y++;
++        }
++        pbox++;
++    }
++}
++
+ static void
+ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
+ {
+@@ -1193,7 +1349,7 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
+     if (use_3224)
+         shadowUpdate32to24(pScreen, pBuf);
+     else
+-        shadowUpdatePacked(pScreen, pBuf);
++        msshadowUpdatePacked(pScreen, pBuf);
+ }
+ 
+ static Bool
+-- 
+2.37.0
+

backport-0001-CVE-2023-5574.patch

@@ -0,0 +1,109 @@
+From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 12 Oct 2023 12:44:13 +1000
+Subject: [PATCH] fb: properly wrap/unwrap CloseScreen
+
+fbCloseScreen assumes that it overrides miCloseScreen (which just
+calls FreePixmap(screen->devPrivates)) and emulates that instead of
+wrapping it.
+
+This is a wrong assumption, we may have ShmCloseScreen in the mix too,
+resulting in leaks (see below). Fix this by properly setting up the
+CloseScreen wrapper.
+
+This means we no longer need the manual DestroyPixmap call in
+vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303
+
+CVE-2023-5574, ZDI-CAN-21213
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ fb/fb.h             |  1 +
+ fb/fbscreen.c       | 14 ++++++++++----
+ hw/vfb/InitOutput.c |  7 -------
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/fb/fb.h b/fb/fb.h
+index d157b6956d..cd7bd05d21 100644
+--- a/fb/fb.h
++++ b/fb/fb.h
+@@ -410,6 +410,7 @@ typedef struct {
+ #endif
+     DevPrivateKeyRec    gcPrivateKeyRec;
+     DevPrivateKeyRec    winPrivateKeyRec;
++    CloseScreenProcPtr  CloseScreen;
+ } FbScreenPrivRec, *FbScreenPrivPtr;
+ 
+ #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \
+diff --git a/fb/fbscreen.c b/fb/fbscreen.c
+index 4ab807ab50..c481033f98 100644
+--- a/fb/fbscreen.c
++++ b/fb/fbscreen.c
+@@ -29,6 +29,7 @@
+ Bool
+ fbCloseScreen(ScreenPtr pScreen)
+ {
++    FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen);
+     int d;
+     DepthPtr depths = pScreen->allowedDepths;
+ 
+@@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen)
+         free(depths[d].vids);
+     free(depths);
+     free(pScreen->visuals);
+-    if (pScreen->devPrivate)
+-        FreePixmap((PixmapPtr)pScreen->devPrivate);
+-    return TRUE;
++
++    pScreen->CloseScreen = screen_priv->CloseScreen;
++
++    return pScreen->CloseScreen(pScreen);
+ }
+ 
+ Bool
+@@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize,
+                    int dpix, int dpiy, int width, int bpp)
+ #endif
+ {
++    FbScreenPrivPtr screen_priv;
+     VisualPtr visuals;
+     DepthPtr depths;
+     int nvisuals;
+@@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize,
+                       rootdepth, ndepths, depths,
+                       defaultVisual, nvisuals, visuals))
+         return FALSE;
+-    /* overwrite miCloseScreen with our own */
++
++    screen_priv = fbGetScreenPrivate(pScreen);
++    screen_priv->CloseScreen = pScreen->CloseScreen;
+     pScreen->CloseScreen = fbCloseScreen;
++
+     return TRUE;
+ }
+ 
+diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c
+index 48efb61b2f..076fb7defa 100644
+--- a/hw/vfb/InitOutput.c
++++ b/hw/vfb/InitOutput.c
+@@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen)
+ 
+     pScreen->CloseScreen = pvfb->closeScreen;
+ 
+-    /*
+-     * fb overwrites miCloseScreen, so do this here
+-     */
+-    if (pScreen->devPrivate)
+-        (*pScreen->DestroyPixmap) (pScreen->devPrivate);
+-    pScreen->devPrivate = NULL;
+-
+     return pScreen->CloseScreen(pScreen);
+ }
+ 
+-- 
+GitLab
+

backport-0002-CVE-2023-5574.patch

@@ -0,0 +1,39 @@
+From b6fe3f924aecac6d6e311673511ce61aa2f7a81f Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 12 Oct 2023 12:42:06 +1000
+Subject: [PATCH] mi: fix CloseScreen initialization order
+
+If SHM is enabled it will set the CloseScreen pointer, only to be
+overridden by the hardcoded miCloseScreen pointer. Do this the other way
+round, miCloseScreen is the bottom of our stack.
+
+Direct leak of 48 byte(s) in 2 object(s) allocated from:
+  #0 0x7f5ea3ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: d8f3addefe29e892d775c30eb364afd3c2484ca5))
+  #1 0x70adfb in ShmInitScreenPriv ../Xext/shm.c:213
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+---
+ mi/miscrinit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mi/miscrinit.c b/mi/miscrinit.c
+index 264622d..907e46a 100644
+--- a/mi/miscrinit.c
++++ b/mi/miscrinit.c
+@@ -242,10 +242,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits,  /* pointer to screen bits */
+     pScreen->numVisuals = numVisuals;
+     pScreen->visuals = visuals;
+     if (width) {
++        pScreen->CloseScreen = miCloseScreen;
+ #ifdef MITSHM
+         ShmRegisterFbFuncs(pScreen);
+ #endif
+-        pScreen->CloseScreen = miCloseScreen;
+     }
+     /* else CloseScreen */
+     /* QueryBestSize, SaveScreen, GetImage, GetSpans */
+-- 
+2.27.0
+

backport-0003-CVE-2023-5574.patch

@@ -0,0 +1,50 @@
+From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 24 Oct 2023 12:09:36 +1000
+Subject: [PATCH] dix: always initialize pScreen->CloseScreen
+
+CloseScreen is wrapped by the various modules, many of which do not
+check if they're the last ones unwrapping. This is fine if the order of
+those modules never changes but when it does we might get a NULL-pointer
+dereference by some naive code doing a
+
+   pScreen->CloseScreen = priv->CloseScreen;
+   free(priv);
+   return (*pScreen->CloseScreen)(pScreen);
+
+To avoid this set it to a default function that just returns TRUE that's
+guaranteed to be the last one.
+---
+ dix/dispatch.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index eaac39b7c9..cd092fd409 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3890,6 +3890,12 @@ static int indexForScanlinePad[65] = {
+     3                           /* 64 bits per scanline pad unit */
+ };
+ 
++static Bool
++DefaultCloseScreen(ScreenPtr screen)
++{
++    return TRUE;
++}
++
+ /*
+ 	grow the array of screenRecs if necessary.
+ 	call the device-supplied initialization procedure
+@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu)
+             PixmapWidthPaddingInfo[depth].notPower2 = 0;
+         }
+     }
++
++    pScreen->CloseScreen = DefaultCloseScreen;
++
+     return 0;
+ }
+ 
+-- 
+GitLab
+

backport-CVE-2024-9632.patch

@@ -0,0 +1,57 @@
+From 85b776571487f52e756f68a069c768757369bfe3 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 10 Oct 2024 10:37:28 +0200
+Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/85b776571487f52e756f68a069c768757369bfe3
+
+The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
+buffer.
+
+However, It didn't update its size properly. It updated `num_si` only,
+without updating `size_si`.
+
+This may lead to local privilege escalation if the server is run as root
+or remote code execution (e.g. x11 over ssh).
+
+CVE-2024-9632, ZDI-CAN-24756
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
+---
+ xkb/xkb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 868d7c1e64..aaf9716b36 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
+         XkbSymInterpretPtr sym;
+         unsigned int skipped = 0;
+ 
+-        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
+-            compat->num_si = req->firstSI + req->nSI;
++        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
++            compat->num_si = compat->size_si = req->firstSI + req->nSI;
+             compat->sym_interpret = reallocarray(compat->sym_interpret,
+-                                                 compat->num_si,
++                                                 compat->size_si,
+                                                  sizeof(XkbSymInterpretRec));
+             if (!compat->sym_interpret) {
+-                compat->num_si = 0;
++                compat->num_si = compat->size_si = 0;
+                 return BadAlloc;
+             }
+         }
+-- 
+GitLab
+

backport-dix-Fix-use-after-free-in-input-device-shutdown.patch

@@ -0,0 +1,81 @@
+From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Sun, 19 Dec 2021 18:11:07 +0200
+Subject: [PATCH] dix: Fix use after free in input device shutdown
+
+This fixes access to freed heap memory via dev->master. E.g. when
+running BarrierNotify.ReceivesNotifyEvents/7 test from
+xorg-integration-tests:
+
+==24736==ERROR: AddressSanitizer: heap-use-after-free on address
+0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
+READ of size 4 at 0x619000065020 thread T0
+    #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
+    #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
+    #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
+../../../Xi/xichangehierarchy.c:95
+    #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
+../../../hw/xfree86/common/xf86Xinput.c:1142
+    #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+    #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+    #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
+    #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+    #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
+
+0x619000065020 is located 160 bytes inside of 912-byte region
+[0x619000064f80,0x619000065310)
+freed by thread T0 here:
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
+    #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
+    #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
+../../../hw/xfree86/common/xf86Xinput.c:1142
+    #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+    #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+    #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
+    #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+previously allocated by thread T0 here:
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
+    #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
+    #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
+    #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
+../../../Xi/xichangehierarchy.c:465
+    #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
+    #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
+    #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
+    #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+The problem is caused by dev->master being not reset when disabling the
+device, which then causes dangling pointer when the master device itself
+is being deleted when exiting whole server.
+
+Note that RecalculateMasterButtons() requires dev->master to be still
+valid, so we can reset it only at the end of function.
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/1801fe0ac3926882d47d7e1ad6c0518a2cdffd41
+Conflict:NA
+
+---
+ dix/devices.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index e62c34c55e..5f9ce1678f 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+     }
+ 
+     RecalculateMasterButtons(dev);
++    dev->master = NULL;
+ 
+     return TRUE;
+ }
+-- 
+GitLab
+

backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch

@@ -0,0 +1,36 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/133e0d651c5d12bf01999d6289e84e224ba77adc
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+     case 6:
+-        ev->valuator2 = v->axisVal[first + 5];
++        ev->valuator5 = v->axisVal[first + 5];
+     case 5:
+-        ev->valuator2 = v->axisVal[first + 4];
++        ev->valuator4 = v->axisVal[first + 4];
+     case 4:
+-        ev->valuator2 = v->axisVal[first + 3];
++        ev->valuator3 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+-- 
+GitLab
+

xorg-x11-server.spec

@@ -16,7 +16,7 @@
 
 Name:           xorg-x11-server
 Version:        1.20.8
-Release:        27
+Release:        31
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@@ -86,6 +86,9 @@ Patch0034: backport-CVE-2020-25712.patch
 Patch0035: backport-CVE-2020-14360.patch
 Patch0036: backport-CVE-2020-14347.patch
 Patch0037: backport-CVE-2021-3472.patch
+
+Patch0100: 0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch
+
 Patch6000: backport-CVE-2021-4008.patch
 Patch6001: backport-CVE-2021-4009.patch
 Patch6002: backport-CVE-2021-4010.patch
@@ -124,6 +127,12 @@ Patch6034: backport-CVE-2024-31081.patch
 Patch6035: backport-CVE-2024-31082.patch
 Patch6036: backport-CVE-2024-31083.patch
 Patch6037: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+Patch6038: backport-dix-Fix-use-after-free-in-input-device-shutdown.patch
+Patch6039: backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
+Patch6040: backport-0001-CVE-2023-5574.patch
+Patch6041: backport-0002-CVE-2023-5574.patch
+Patch6042: backport-0003-CVE-2023-5574.patch
+Patch6043: backport-CVE-2024-9632.patch
 
 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git gcc
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@@ -367,6 +376,28 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt
 
 %changelog
+* Mon Nov 04 2024 wangkai <13474090681@163.com> - 1.20.8-31
+- Fix CVE-2024-9632
+
+* Fri Oct 25 2024 lingsheng <lingsheng1@h-partners.com> - 1.20.8-30
+- Type:CVE
+- CVE:CVE-2023-5574
+- SUG:NA
+- DESC:fix CVE-2023-5574
+
+* Thu May 30 2024 shuaijiakun <shuaijiakun1288@phytium.com.cn> -1.20.8-29
+- Type:feature
+- CVE:NA
+- SUG:NA
+- DESC:fix display error for ps23xx when using ast and pe2201 bmc card.
+
+* Fri Apr 26 2024 yanglu <yanglu72@h-partners.com> -1.20.8-28
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix regression caused by the fix for CVE-2024-0229
+       fix use after free related to CVE-2024-21886
+
 * Wed Apr 17 2024 yanglu <yanglu72@h-partners.com> -1.20.8-27
 - fix regression caused by the fix for CVE-2024-31083