From patchwork Thu Feb 27 12:31:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58029 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 1/9] xserver-xorg: Fix for CVE-2025-26594 Date: Thu, 27 Feb 2025 18:01:59 +0530 Message-Id: <20250227123207.270978-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211992 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26594-1.patch | 54 +++++++++++++++++++ .../xserver-xorg/CVE-2025-26594-2.patch | 51 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 2 + 3 files changed, 107 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch new file mode 100644 index 0000000000..f34a89e6ea --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch 
@@ -0,0 +1,54 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Danzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..30b95c1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..6ebf540ab9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch 
@@ -0,0 +1,51 @@ +From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH] dix: keep a ref to the rootCursor + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index bfc8add..38e29ce 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -231,6 +231,8 @@ dix_main(int argc, char *argv[], char *envp[]) + FatalError("could not open default cursor font"); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -271,6 +273,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index a9cb1b5bde..11003db04d 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -22,6 +22,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ file://CVE-2024-9632.patch \ + file://CVE-2025-26594-1.patch \ + file://CVE-2025-26594-2.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58030 X-Patchwork-Delegate: steve@sakoman.com
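Review bot: in the dix/dispatch.c hunk of CVE-2025-26594-1.patch (PATCH 1/9), the new rootCursor guard in ProcFreeCursor carries no comment and covers only this one request handler. A short comment above "if (pCursor == rootCursor) {" saying that clients may never free the root cursor, and that the server's own reference is taken in dix_main by CVE-2025-26594-2.patch, would make it clear that the two patches must be carried together and that the guard alone is not the whole fix.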
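Review bot: in the second dix/main.c hunk of CVE-2025-26594-2.patch (PATCH 1/9), "UnrefCursor(rootCursor);" runs right after Dispatch() and before UndisplayDevices() and DisableAllDevices(), and the global rootCursor is left holding the old pointer afterwards. If anything in the device teardown that follows still reads rootCursor, it is again relying on a reference the server does not own. Consider dropping the reference after the teardown calls, or clearing the global once it has been unreffed, and note in the patch header if that ordering was checked against the kirkstone 21.1.8 sources.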
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 2/9] xserver-xorg: Fix for CVE-2025-26595 Date: Thu, 27 Feb 2025 18:02:00 +0530 Message-Id: <20250227123207.270978-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211993 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26595.patch | 65 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch new file mode 100644 index 0000000000..a7478d9e2a --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch 
@@ -0,0 +1,65 @@ +From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 14:41:45 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText() + +The code in XkbVModMaskText() allocates a fixed sized buffer on the +stack and copies the virtual mod name. + +There's actually two issues in the code that can lead to a buffer +overflow. + +First, the bound check mixes pointers and integers using misplaced +parenthesis, defeating the bound check. + +But even though, if the check fails, the data is still copied, so the +stack overflow will occur regardless. + +Change the logic to skip the copy entirely if the bound check fails. + +CVE-2025-26595, ZDI-CAN-25545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87] +CVE: CVE-2025-26595 +Signed-off-by: Vijay Anusuri +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index 0184664207..93262528bb 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 11003db04d..94381a1a16 100644 
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -24,6 +24,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2024-9632.patch \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ + file://CVE-2025-26595.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58028 X-Patchwork-Delegate: steve@sakoman.com
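Review bot: in the xkb/xkbtext.c hunk of CVE-2025-26595.patch (PATCH 2/9), the write that follows the corrected bound check is still the unbounded sprintf(str, "%sMask", tmp), so safety depends entirely on len matching byte for byte what the separator and sprintf emit. A bounded write sized from the space remaining, VMOD_BUFFER_SIZE - (str - buf), would keep the copy safe even if the len arithmetic drifts later. Separately, "continue; /* Skip */" drops a modifier name from the returned text with no indication to the caller; a comment stating that truncated output is acceptable here would help.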
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 3/9] xserver-xorg: Fix for CVE-2025-26596 Date: Thu, 27 Feb 2025 18:02:01 +0530 Message-Id: <20250227123207.270978-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211994 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26596.patch | 49 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch new file mode 100644 index 0000000000..f9df8d75ea --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch 
@@ -0,0 +1,49 @@ +From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 11:49:34 +0100 +Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms + +The computation of the length in XkbSizeKeySyms() differs from what is +actually written in XkbWriteKeySyms(), leading to a heap overflow. + +Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() +does. + +CVE-2025-26596, ZDI-CAN-25543 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01] +CVE: CVE-2025-26596 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 85659382da..744dba63d7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 94381a1a16..ec6550e545 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -25,6 +25,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ + file://CVE-2025-26596.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58031 X-Patchwork-Delegate: steve@sakoman.com
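Review bot: in the xkb/xkb.c hunk of CVE-2025-26596.patch (PATCH 3/9), XkbSizeKeySyms still recomputes the reply length on its own, so the size and write paths can diverge again the next time either one changes. The new "if (nSymsThisKey == 0) continue;" does not alter nSyms (adding zero is a no-op) and is there only to mirror the writer, which is worth saying in a comment. A stronger follow-up would be a check in the writer that the bytes emitted equal the length computed here, so a mismatch fails loudly instead of overrunning the heap buffer.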
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 4/9] xserver-xorg: Fix for CVE-2025-26597 Date: Thu, 27 Feb 2025 18:02:02 +0530 Message-Id: <20250227123207.270978-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211995 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26597.patch | 46 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch new file mode 100644 index 0000000000..b0735d0b46 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch 
@@ -0,0 +1,46 @@ +From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 14:09:04 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey() + +If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the +key syms to 0 but leave the key actions unchanged. + +If later, the same function is called with a non-zero value for nGroups, +this will cause a buffer overflow because the key actions are of the wrong +size. + +To avoid the issue, make sure to resize both the key syms and key actions +when nGroups is 0. + +CVE-2025-26597, ZDI-CAN-25683 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949] +CVE: CVE-2025-26597 +Signed-off-by: Vijay Anusuri +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index abbfed90eb..fd180fad2c 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index ec6550e545..7c963e9fdf 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -26,6 +26,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ + file://CVE-2025-26597.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58032 X-Patchwork-Delegate: steve@sakoman.com
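Review bot: in the xkb/XKBMisc.c hunk of CVE-2025-26597.patch (PATCH 4/9), the results of both XkbResizeKeySyms(xkb, key, 0) and the added XkbResizeKeyActions(xkb, key, 0) are discarded and the function returns Success unconditionally. If either resize can fail, the key is left with syms and actions of different sizes, which is the inconsistent state the commit message identifies as the cause of the overflow. Either check the results and return an error, or add a comment explaining why a resize to 0 cannot fail.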
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 5/9] xserver-xorg: Fix for CVE-2025-26598 Date: Thu, 27 Feb 2025 18:02:03 +0530 Message-Id: <20250227123207.270978-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211996 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26598.patch | 120 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 121 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch new file mode 100644 index 0000000000..210a76262a --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch 
@@ -0,0 +1,120 @@ +From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 11:25:11 +0100 +Subject: [PATCH] Xi: Fix barrier device search + +The function GetBarrierDevice() would search for the pointer device +based on its device id and return the matching value, or supposedly NULL +if no match was found. + +Unfortunately, as written, it would return the last element of the list +if no matching device id was found which can lead to out of bounds +memory access. + +Fix the search function to return NULL if not matching device is found, +and adjust the callers to handle the case where the device cannot be +found. + +CVE-2025-26598, ZDI-CAN-25740 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a] +CVE: CVE-2025-26598 +Signed-off-by: Vijay Anusuri +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 700b2b8c53..6761bcb49a 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if 
(pbd->seen) + continue; + +@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 7c963e9fdf..5b77dad16a 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -27,6 +27,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ + file://CVE-2025-26598.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58034 X-Patchwork-Delegate: steve@sakoman.com
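Review bot: in the input_constrain_cursor() hunk at -448 of CVE-2025-26598.patch, `nearest = &c->barrier;` is assigned before the new `if (!pbd) continue;`, so a client with no PointerBarrierDevice for master->id still leaves nearest pointing at its barrier when the iteration is skipped. Move the GetBarrierDevice() lookup and its NULL check above that assignment, or confirm from the enclosing loop (not visible in the context lines) that a skipped iteration cannot leave a stale nearest or repeat the same lookup. With BUG_WARN(!pbd) removed from GetBarrierDevice(), this case is now silent everywhere except ProcXIBarrierReleasePointer(), which reports BadDevice.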
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 6/9] xserver-xorg: Fix for CVE-2025-26599 Date: Thu, 27 Feb 2025 18:02:04 +0530 Message-Id: <20250227123207.270978-6-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211997 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26599-1.patch | 66 +++++++++ .../xserver-xorg/CVE-2025-26599-2.patch | 129 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch new file mode 100644 index 0000000000..60b68a0d9a --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch 
@@ -0,0 +1,66 @@ +From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow() + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index eaabf0d..0bbbc55 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +2.25.1 + 
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch new file mode 100644 index 0000000000..252b033261 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch 
@@ -0,0 +1,129 @@ +From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 13 Jan 2025 16:09:43 +0100 +Subject: [PATCH] composite: initialize border clip even when pixmap alloc + fails + +If it fails to allocate the pixmap, the function compAllocPixmap() would +return early and leave the borderClip region uninitialized, which may +lead to the use of uninitialized value as reported by valgrind: + + Conditional jump or move depends on uninitialised value(s) + at 0x4F9B33: compClipNotify (compwindow.c:317) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + 
by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) + by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + +Fix compAllocPixmap() to initialize the border clip even if the creation +of the backing pixmap has failed, to avoid depending later on +uninitialized border clip values. 
+ +Related to CVE-2025-26599, ZDI-CAN-25851 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 7cf7351e00..4a1243170d 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 5b77dad16a..e50d7bfb9e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -28,6 +28,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ file://CVE-2025-26598.patch \ + file://CVE-2025-26599-1.patch \ + file://CVE-2025-26599-2.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58033 X-Patchwork-Delegate: steve@sakoman.com
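Review bot: in the compRedirectWindow() hunk at -218 of CVE-2025-26599-1.patch, the failure branch still calls FreeResource(ccw->id, RT_NONE) and then deliberately falls through to compHandleMarkedWindows(pWin, pLayerWin), but nothing in the code says so. A one-line comment at `status = BadAlloc;` stating that the marked window tree must be validated even on error would keep a later cleanup from restoring the early return that caused the bug.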
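Review bot: in the compAllocPixmap() hunk at -621 of CVE-2025-26599-2.patch, the new `out:` label routes the allocation-failure path through RegionUninit(&cw->borderClip) before RegionCopy(). The commit message describes borderClip as uninitialized on exactly this path, so confirm that the region has been set up before RegionUninit() reads it on this path, and note that precondition in the comment under the label.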
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 7/9] xserver-xorg: Fix for CVE-2025-26600 Date: Thu, 27 Feb 2025 18:02:05 +0530 Message-Id: <20250227123207.270978-7-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211998 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26600.patch | 68 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch new file mode 100644 index 0000000000..43b47b3ca3 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch 
@@ -0,0 +1,68 @@ +From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b] +CVE: CVE-2025-26600 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 1516147..459f1ed 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } +-- +2.25.1 + 
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index e50d7bfb9e..d7b0e7b589 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -30,6 +30,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26598.patch \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ + file://CVE-2025-26600.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
From patchwork Thu Feb 27 12:32:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58035 X-Patchwork-Delegate: steve@sakoman.com
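Review bot: in the dix/devices.c hunk at -962 of CVE-2025-26600.patch, FreePendingFrozenDeviceEvents() returns early when dev->deviceGrab.sync.frozen is clear, so any entry in syncEvents.pending whose qe->device is dev survives CloseDevice() in that state and still points at the device freed a few lines later. Unless something guarantees that events are queued for a device only while its own frozen flag is set, drop the guard and always walk the list; the loop already filters on `qe->device == dev`.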
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 8/9] xserver-xorg: Fix for CVE-2025-26601 Date: Thu, 27 Feb 2025 18:02:06 +0530 Message-Id: <20250227123207.270978-8-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:32:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211999 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-26601-1.patch | 71 ++++++++++ .../xserver-xorg/CVE-2025-26601-2.patch | 85 +++++++++++ .../xserver-xorg/CVE-2025-26601-3.patch | 52 +++++++ .../xserver-xorg/CVE-2025-26601-4.patch | 132 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 4 + 5 files changed, 344 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch new file mode 100644 index 0000000000..df5416a452 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch 
@@ -0,0 +1,71 @@ +From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH] sync: Do not let sync objects uninitialized + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index ee0010e657..585cfa6f68 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ 
SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..22e751c017 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch 
@@ -0,0 +1,85 @@ +From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH] sync: Check values before applying changes + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 585cfa6f68..10302160fb 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- 
else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..8d714f0302 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch 
@@ -0,0 +1,52 @@ +From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject() + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 10302160fb..65f2d43780 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..e2261192fa --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch 
@@ -0,0 +1,132 @@ +From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:10:31 +0100 +Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes() + +SyncChangeAlarmAttributes() would apply the various changes while +checking for errors. + +If one of the changes triggers an error, the changes for the trigger, +counter or delta value would remain, possibly leading to inconsistent +changes. + +Postpone the actual changes until we're sure nothing else can go wrong. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 65f2d43780..cab73be927 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? 
trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." 
+ */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index d7b0e7b589..e77b81eed6 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
@@ -31,6 +31,10 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ file://CVE-2025-26600.patch \ + file://CVE-2025-26601-1.patch \ + file://CVE-2025-26601-2.patch \ + file://CVE-2025-26601-3.patch \ + file://CVE-2025-26601-4.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" From patchwork Thu Feb 27 12:32:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58036 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45117C021BE for ; Thu, 27 Feb 2025 12:33:09 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web11.9484.1740659581232996494 for ; Thu, 27 Feb 2025 04:33:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=esrh8HQg; spf=pass (domain: mvista.com, ip: 209.85.214.179, mailfrom: vanusuri@mvista.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2210d92292eso20729505ad.1 for ; Thu, 27 Feb 2025 04:33:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1740659580; x=1741264380; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=DnF2LSkFZJd3VuPsajuyMEBEay/POgWHD40riOWeAoM=; b=esrh8HQgBTUBWpY3HBZ8JzsTM3Z7dug49fx5/hJZ5nxzAt8js+wZtt/aVetKanizA6 khFV4bgq131UAxYxes55/XnbvIKmra0lbeCC8qkvjCtJskmAtaTSWe92aXgAjbaS0w8E 6A5vW8aMH+HHTm/WL6VknrUbSlQdsLcxcDXM0= 
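Review bot: In CVE-2025-26601-1.patch, the block re-added by the `@@ -432,6 +427,14 @@` hunk of Xext/sync.c leaves `pTrigger->pSync` pointing at the old sync object for all the code between the old position (around line 360) and the new one, while the local `pSync` already refers to the object looked up from `syncObject`. Please confirm that nothing in that span reads `pTrigger->pSync` expecting the new counter; the system-counter query that follows the first hunk is the obvious place to check. A short comment at the new block saying that the swap is deliberately last, because every error return must come before it, would help the next person who reorders this function.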
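Review bot: In CVE-2025-26601-2.patch, the block moved up by the `@@ -381,6 +381,24 @@` hunk still writes its result straight into the trigger: `pTrigger->test_value = pTrigger->wait_value` and `checked_int64_add(&pTrigger->test_value, ...)` both run before the `XSyncCATestType` block that now follows. If that block can return an error, the trigger is left with a new `test_value` and the old `CheckTrigger`, the mirror image of the state the commit message sets out to avoid. Likewise, if `checked_int64_add()` stores to its output on overflow, the `BadValue` return leaves a wrapped value behind. Computing into a local `int64_t` and assigning `pTrigger->test_value` after the last error return would close both cases.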
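Review bot: In CVE-2025-26601-3.patch, after the `@@ -201,8 +201,8 @@` hunk SyncAddTriggerToSyncObject() can no longer report `BadAlloc`, yet it still returns a status (`return Success;` in the context just above the change), and the `@@ -439,8 +439,7 @@` hunk drops the only check shown here. Either make the function `void` or confirm that no other caller in Xext/sync.c still tests its result, so the signature matches the new contract. The added comment would also be more useful if it said why: per the commit message, an allocation failure at this point now ends the server with FatalError() instead of failing one request, because returning an error after all changes are applied would leave the trigger half-updated.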
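Review bot: In CVE-2025-26601-4.patch, the `@@ -886,25 +890,33 @@` hunk assigns `pAlarm->delta = delta;` and `pAlarm->trigger = trigger;` under the comment "when we're sure nothing else can go wrong", but the next statement is SyncInitTrigger(), whose status is still checked and returned. On that error path the alarm keeps the new value_type, wait_value, test_type and delta. The same hunk also calls SyncEventSelectForAlarm() before the delta/test-type `BadMatch` check, so an event-selection change survives a request that is then rejected. Since this is a backport, the code should stay as upstream has it, but the recipe's commit message should note that the four patches reduce the partial-update window without removing it, and the point is worth raising upstream (for example, restoring the saved values when SyncInitTrigger() fails).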
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 9/9] bind: Upgrade 9.18.28 -> 9.18.33 Date: Thu, 27 Feb 2025 18:02:07 +0530 Message-Id: <20250227123207.270978-9-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250227123207.270978-1-vanusuri@mvista.com> References: <20250227123207.270978-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Feb 2025 12:33:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212000 From: Vijay Anusuri Includes security fixes for CVE-2024-12705 CVE-2024-11187 and other bug fixes Release Notes: https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-33 https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-32 https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-31 https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-30 https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-29 Signed-off-by: Vijay Anusuri --- .../bind/{bind_9.18.28.bb => bind_9.18.33.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/bind/{bind_9.18.28.bb => bind_9.18.33.bb} (97%) diff --git a/meta/recipes-connectivity/bind/bind_9.18.28.bb b/meta/recipes-connectivity/bind/bind_9.18.33.bb similarity index 97% rename from meta/recipes-connectivity/bind/bind_9.18.28.bb rename to meta/recipes-connectivity/bind/bind_9.18.33.bb index 67628a8650..ceea149699 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.28.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.33.bb 
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "e7cce9a165f7b619eefc4832f0a8dc16b005d29e3890aed6008c506ea286a5e7" +SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2
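Review bot: The `@@ -20,7 +20,7 @@` hunk of bind_9.18.33.bb changes only `SRC_URI[sha256sum]`, and the commit message does not say how the new value was obtained. Please state that the 9.18.33 tarball was verified against ISC's published signature before the hash was recorded, rather than taken from whatever the fetcher downloaded. The upgrade spans five releases (9.18.29 through 9.18.33 in the linked notes), so the message should also confirm that 0001-avoid-start-failure-with-bind-user.patch and the other local patches in SRC_URI still apply without fuzz.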