QSB-073: Race condition when setting override-redirect flag

             ---===[ Qubes Security Bulletin 073 ]===---

                              2021-10-15

         Race condition when setting override-redirect flag


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - qubes-gui-dom0 version 4.0.17

  For Qubes 4.1, in dom0 and the template(s) of any GUI qube(s) [1]:
  - qubes-gui-daemon version 4.1.18

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [3]

The user session must be restarted afterward in order for the updates to
take effect, e.g., by logging out then logging back in.


Summary
--------

An override-redirect flag in the X11 protocol tells the window manager
not to manage a particular window. Windows with such flags do not get
their frames or title bars from the window manger, nor does the window
manager determine their positions. This feature is used for application
menus, tooltips, and similar accessory windows.

Unfortunately, some window managers get confused if the
override-redirect flag is set shortly before making the window visible.
When that happens, the window manager may try to move or resize the
window without respecting any size and position constraints imposed by
the GUI daemon. Normally, every window move and resize action requested
by the VM is validated by the GUI daemon. However, if the action is
initiated by the window manager, it doesn't require the GUI daemon's
validation.


Impact
-------

A malicious application may try to hide its unspoofable colored frame
off-screen. Hiding all four sides is prevented by another constraint
(forbidding a override-redirect window from covering more than 90% of
the screen), but hiding some sides is possible. The issue is known to
affect XFCE and KDE. Other desktop environments may also be affected.


Discussion
-----------

This is yet another corner case in handling the override-redirect flag.
In the long term, we will try to eliminate use of this flag completely.
As an immediate fix, we are adding additional validation of constraints
placed on windows with the override-redirect flag. This validation is
done whenever a window is moved or resized, regardless of what initiated
the action. If an illegal size or position is detected, the GUI daemon
will try to resize or move the window back to a legal size and position.
While this is a reactive solution (in the sense that it allows windows
to enter illegal states before correcting them), it will cover several
more cases, including the case in which another application resizes a
window behind the GUI daemon's back (which is the case being reported in
this QSB). Moreover, this solution serves as an additional safety check
in case the GUI daemon itself misses any other edge cases.


Credits
--------

This issue was discovered by Demi Marie Obenour.


Notes
------

[1] In Qubes 4.1, certain GUI functions historically served by dom0 can
    be delegated to separate template-based "GUI qubes." A single Qubes
    4.1 system can have multiple GUI qubes.
[2] https://www.qubes-os.org/doc/testing/
[3] https://www.qubes-os.org/doc/how-to-update/

--
The Qubes Security Team
https://www.qubes-os.org/security/