From patchwork Tue Mar 4 12:19:05 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58267
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 01/14] xwayland: Fix CVE-2024-21885
Date: Tue, 4 Mar 2025 17:49:05 +0530
Message-Id: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212266
From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. The CVE is reported for both and the patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2024-21885.patch | 113 ++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch
new file mode 100644
index 0000000000..7c8fbcc3ec
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch
@@ -0,0 +1,113 @@ +From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 4 Jan 2024 10:01:24 +1000 +Subject: [PATCH] Xi: flush hierarchy events after adding/removing master + devices + +The `XISendDeviceHierarchyEvent()` function allocates space to store up +to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. + +If a device with a given ID was removed and a new device with the same +ID added both in the same operation, the single device ID will lead to +two info structures being written to `info`. + +Since this case can occur for every device ID at once, a total of two +times `MAXDEVICES` info structures might be written to the allocation. + +To avoid it, once one add/remove master is processed, send out the +device hierarchy event for the current state and continue. That event +thus only ever has exactly one of either added/removed in it (and +optionally slave attached/detached). + +CVE-2024-21885, ZDI-CAN-22744 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1] +CVE: CVE-2024-21885 +Signed-off-by: Vijay Anusuri +--- + Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index d2d985848d..72d00451e3 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) + size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; ++ enum { ++ NO_CHANGE, ++ FLUSH, ++ CHANGED, ++ } changes = NO_CHANGE; + + REQUEST(xXIChangeHierarchyReq); + REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = add_master(client, c, flags); + if (rc != Success) + goto 
unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIRemoveMaster: + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; +@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIDetachSlave: + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = CHANGED; + break; ++ } + case XIAttachSlave: + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; +@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; ++ changes = CHANGED; ++ break; + } ++ default: + break; + } + ++ if (changes == FLUSH) { ++ XISendDeviceHierarchyEvent(flags); ++ memset(flags, 0, sizeof(flags)); ++ changes = NO_CHANGE; ++ } ++ + len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + + unwind: +- +- XISendDeviceHierarchyEvent(flags); ++ if (changes != NO_CHANGE) ++ XISendDeviceHierarchyEvent(flags); + return rc; + } +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index f639088b25..c7e5c7bd81 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
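Review bot: the new `enum { NO_CHANGE, FLUSH, CHANGED } changes` in the first hunk of Xi/xichangehierarchy.c carries no comment explaining why XIAddMaster and XIRemoveMaster force an immediate flush while XIAttachSlave and XIDetachSlave only mark CHANGED; a one-line comment (the `info` array in XISendDeviceHierarchyEvent() holds at most MAXDEVICES entries, so a remove-then-add of the same device ID inside one request must never accumulate into a single event) would keep a future cleanup from merging the two states back together. Two smaller points on the last hunk: `changes` is only reset to NO_CHANGE after a FLUSH, so a CHANGED from an earlier attach/detach survives to `unwind:` and is still reported, and on the `goto unwind` error path the partial changes made before the failing element are still flushed, which matches the previous unconditional `XISendDeviceHierarchyEvent(flags);` and is presumably intended, but is worth a sentence in the commit message since it is now a deliberate choice rather than an accident of the old code.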
@@ -21,6 +21,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-0229-2.patch \ file://CVE-2024-0229-3.patch \ file://CVE-2024-0229-4.patch \ + file://CVE-2024-21885.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:06 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58268
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 02/14] xwayland: Fix CVE-2024-21886
Date: Tue, 4 Mar 2025 17:49:06 +0530
Message-Id: <20250304121918.147345-2-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212267

From: Vijay Anusuri

The patches are copied from the xserver-xorg recipe. The CVE is reported for both and the patches apply to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b & https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2024-21886-1.patch | 74 +++++++++++++++++++
 .../xwayland/xwayland/CVE-2024-21886-2.patch | 57 ++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 2 +
 3 files changed, 133 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch
new file mode 100644
index 0000000000..1e1c782963
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@ +From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 22 Dec 2023 18:28:31 +0100 +Subject: [PATCH] Xi: do not keep linked list pointer during recursion + +The `DisableDevice()` function is called whenever an enabled device +is disabled and it moves the device from the `inputInfo.devices` linked +list to the `inputInfo.off_devices` linked list. + +However, its link/unlink operation has an issue during the recursive +call to `DisableDevice()` due to the `prev` pointer pointing to a +removed device. + +This issue leads to a length mismatch between the total number of +devices and the number of device in the list, leading to a heap +overflow and, possibly, to local privilege escalation. + +Simplify the code that checked whether the device passed to +`DisableDevice()` was in `inputInfo.devices` or not and find the +previous device after the recursion. + +CVE-2024-21886, ZDI-CAN-22840 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b] +CVE: CVE-2024-21886 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/dix/devices.c b/dix/devices.c +index dca98c8d1b..389d28a23c 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + { + DeviceIntPtr *prev, other; + BOOL enabled; ++ BOOL dev_in_devices_list = FALSE; + int flags[MAXDEVICES] = { 0 }; + + if (!dev->enabled) + return TRUE; + +- for (prev = &inputInfo.devices; +- *prev && (*prev != dev); prev = &(*prev)->next); +- if (*prev != dev) ++ for (other = inputInfo.devices; other; other = other->next) { ++ if (other == dev) { ++ dev_in_devices_list = TRUE; ++ break; ++ } ++ } ++ ++ if (!dev_in_devices_list) + return 
FALSE; + + TouchEndPhysicallyActiveTouches(dev); +@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + LeaveWindow(dev); + SetFocusOut(dev); + ++ for (prev = &inputInfo.devices; ++ *prev && (*prev != dev); prev = &(*prev)->next); ++ + *prev = dev->next; + dev->next = inputInfo.off_devices; + inputInfo.off_devices = dev; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch new file mode 100644 index 0000000000..af607df4f0 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch 
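Review bot: the re-walk added in the second hunk of dix/devices.c, `for (prev = &inputInfo.devices; *prev && (*prev != dev); prev = &(*prev)->next);`, has no check that it actually found `dev` before `*prev = dev->next;` executes. The membership test added at the top of DisableDevice() only covers the list as it was before the recursive DisableDevice() calls, and the whole reason for moving the walk is that the list changes underneath during that recursion; if `dev` were unlinked in between, `prev` would stop at the tail's `next` slot and the assignment would splice `dev->next` onto the tail of `inputInfo.devices`. An explicit `if (*prev != dev)` check, or at least an assertion, before the unlink would document and enforce the invariant the fix relies on. Minor: the first hunk leaves `other` doing double duty (membership scan here, slave iteration further down); a dedicated loop variable would make the intent clearer.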
@@ -0,0 +1,57 @@ +From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Fri, 5 Jan 2024 09:40:27 +1000 +Subject: [PATCH] dix: when disabling a master, float disabled slaved devices + too + +Disabling a master device floats all slave devices but we didn't do this +to already-disabled slave devices. As a result those devices kept their +reference to the master device resulting in access to already freed +memory if the master device was removed before the corresponding slave +device. + +And to match this behavior, also forcibly reset that pointer during +CloseDownDevices(). + +Related to CVE-2024-21886, ZDI-CAN-22840 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8] +CVE: CVE-2024-21886 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 389d28a23c..84a6406d13 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + flags[other->id] |= XISlaveDetached; + } + } ++ ++ for (other = inputInfo.off_devices; other; other = other->next) { ++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { ++ AttachDevice(NULL, other, NULL); ++ flags[other->id] |= XISlaveDetached; ++ } ++ } + } + else { + for (other = inputInfo.devices; other; other = other->next) { +@@ -1088,6 +1095,11 @@ CloseDownDevices(void) + dev->master = NULL; + } + ++ for (dev = inputInfo.off_devices; dev; dev = dev->next) { ++ if (!IsMaster(dev) && !IsFloating(dev)) ++ dev->master = NULL; ++ } ++ + CloseDeviceList(&inputInfo.devices); + CloseDeviceList(&inputInfo.off_devices); + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index c7e5c7bd81..1d4e699d94 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
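Review bot: both hunks of the second patch duplicate an existing loop body verbatim for `inputInfo.off_devices` right after the same loop over `inputInfo.devices` (in DisableDevice(): float slaves whose master is `dev` and set `XISlaveDetached`; in CloseDownDevices(): clear `dev->master`). That is the same shape as the bug being fixed, where only one of the two lists was handled; a small helper taking the list head, or a macro that iterates both lists, would stop the two copies from drifting apart again. Also worth a comment: the new loop in DisableDevice() sets `flags[other->id] |= XISlaveDetached` for a device that is already disabled, so the hierarchy event will report a detach for a device clients currently see as off. That matches the enabled branch immediately above and looks intended, but the reason (the stale `master` pointer would otherwise outlive the master, per the commit message) should be stated at the loop.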
@@ -22,6 +22,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-0229-3.patch \ file://CVE-2024-0229-4.patch \ file://CVE-2024-21885.patch \ + file://CVE-2024-21886-1.patch \ + file://CVE-2024-21886-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:07 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58269
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 03/14] xwayland: Fix CVE-2024-31080
Date: Tue, 4 Mar 2025 17:49:07 +0530
Message-Id: <20250304121918.147345-3-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212268

From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. The CVE is reported for both and the patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2024-31080.patch | 49 +++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch
new file mode 100644
index 0000000000..40296903cd
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch
@@ -0,0 +1,49 @@ +From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 22 Mar 2024 18:51:45 -0700 +Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to + send reply + +CVE-2024-31080 + +Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 +Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") +Signed-off-by: Alan Coopersmith +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] +CVE: CVE-2024-31080 +Signed-off-by: Vijay Anusuri +--- + Xi/xiselectev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c +index edcb8a0d36..ac14949871 100644 +--- a/Xi/xiselectev.c ++++ b/Xi/xiselectev.c +@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) + InputClientsPtr others = NULL; + xXIEventMask *evmask = NULL; + DeviceIntPtr dev; ++ uint32_t length; + + REQUEST(xXIGetSelectedEventsReq); + REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); +@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) + } + } + ++ /* save the value before SRepXIGetSelectedEvents swaps it */ ++ length = reply.length; + WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); + + if (reply.num_masks) +- WriteToClient(client, reply.length * 4, buffer); ++ WriteToClient(client, length * 4, buffer); + + free(buffer); + return Success; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 1d4e699d94..78e849b305 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
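Review bot: the `if (reply.num_masks)` test in the second hunk of Xi/xiselectev.c is evaluated after `WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);` has already run SRepXIGetSelectedEvents() on `reply`, so for a swapped client it reads the byte-swapped `num_masks`. That happens to be safe because the test is only for non-zero, which byte swapping preserves, but it is exactly the class of mistake the patch fixes for `reply.length`; either extend the new comment above `length = reply.length;` to say why `num_masks` may still be read afterwards, or save `num_masks` alongside `length` so nothing after the write touches the swapped struct. The fix itself is correct: `reply.length` is swapped in place, so `reply.length * 4` handed a wrong byte count to WriteToClient() for swapped clients, which is what the subject line "needs to use unswapped length to send reply" calls out.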
@@ -24,6 +24,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-21885.patch \ file://CVE-2024-21886-1.patch \ file://CVE-2024-21886-2.patch \ + file://CVE-2024-31080.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:08 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58270
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 04/14] xwayland: Fix CVE-2024-31081
Date: Tue, 4 Mar 2025 17:49:08 +0530
Message-Id: <20250304121918.147345-4-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212269

From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. The CVE is reported for both and the patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2024-31081.patch | 47 +++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch
new file mode 100644
index 0000000000..4380004700
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch
@@ -0,0 +1,47 @@ +From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 22 Mar 2024 18:56:27 -0700 +Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to + send reply + +CVE-2024-31081 + +Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") +Signed-off-by: Alan Coopersmith +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee] +CVE: CVE-2024-31081 +Signed-off-by: Vijay Anusuri +--- + Xi/xipassivegrab.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index c9ac2f8553..896233bec2 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) + GrabParameters param; + void *tmp; + int mask_len; ++ uint32_t length; + + REQUEST(xXIPassiveGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, +@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) + } + } + ++ /* save the value before SRepXIPassiveGrabDevice swaps it */ ++ length = rep.length; + WriteReplyToClient(client, sizeof(rep), &rep); + if (rep.num_modifiers) +- WriteToClient(client, rep.length * 4, modifiers_failed); ++ WriteToClient(client, length * 4, modifiers_failed); + + out: + free(modifiers_failed); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 78e849b305..5fa2402234 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
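Review bot: in the second hunk of Xi/xipassivegrab.c, `if (rep.num_modifiers)` is still evaluated after `WriteReplyToClient(client, sizeof(rep), &rep);`, i.e. after SRepXIPassiveGrabDevice() has swapped `rep` in place for a swapped client, and it only works because a non-zero CARD16 stays non-zero under byte swapping. Saving `num_modifiers` next to the new `length = rep.length;` (or noting the reliance in the comment) would make the handler consistent with the rule the patch introduces: nothing reads `rep` after it has been written. Since this is the second Xi reply handler in the series fixed for the identical `WriteToClient(client, rep.length * 4, ...)` pattern, it would be worth grepping Xi/ for any other WriteToClient() call that follows a WriteReplyToClient() and uses a field of the same reply struct, so the kirkstone branch does not keep collecting these one CVE at a time.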
@@ -25,6 +25,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-21886-1.patch \ file://CVE-2024-21886-2.patch \ file://CVE-2024-31080.patch \ + file://CVE-2024-31081.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:09 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58272
X-Patchwork-Delegate: steve@sakoman.com
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=yb0bvoeCQLTs2EUz/x3NnUH0cz8/31761VtrtAhvjzM=; b=IJ0fsIcZaUtihwf9C2OesJt2hCZ8bF4CRx+bKJrm0QEoA9I8pYQw0kIKe0B3X+8eCw rTLIhV52/RUxOfv+xgq6tKQCZ70Xcgte8VQcqQpbyLnBKavujYo3n0jo9Q60fzy/6Spu kVQCAs6uQm7q/1QHaCqkVVKQw0J5RahEyhum6gNTrUN9xhQDBhZJlKYFL5T5dZtGNR5x dnTJ4UrJ2jFswiSUG/alSvkbVzA5b2oFjos1aYKrgzZ2bDk6lfjr/7Med7azLjPeINxp HuQ/nZk/awKcUzwlZpnKwc0PpiwzBKgy2aH3g4SXx7fw3tX07swpXohyiixaxxyeJGMa vWdA== X-Gm-Message-State: AOJu0YznBy++/jOy7CYPX7X5QWoHeEJF7nmGB8+wAtb484sTCNEqgJYd CsgwjS/S0mG732Wxq/VYjiMpHgFrU4DZ9ReGbbuHqA2xacPAJhCtkTzT/QaaBT55lAt9HoQY0ji 9oRQ= X-Gm-Gg: ASbGncuhPm6L/QIDXxCMuLzZwKgfhKxen2KdzoGkNceLFwY95u1tl3CEpgPS8cdKErB rFvD6bUT0G6BXcp5EPge5JiQB8DxEb1sEf00H6ebPx9pL17rkou1jZ6fi6mZc4LHWijNmEdHNWZ 4rgcYREbHUz9BPcb7NeqirfmFeZgdLuWC/CWL4+6JjWUrTyYebr3s0gi60WjURz4oYecJkow1eq MsS0IfCcZ0bJzi92bz06fP707dyiimZzwZ1dDnssbzX3eK4wpostje1D1tUesX5PGnN9naA0i+c fXETJJbwGYbeRNLa5CoTkYyiKsG6i9G+YcLnOjBUsxrZXfC8VI1Mpw== X-Google-Smtp-Source: AGHT+IEgz61nTE+DHLVPvSyKMzf3S+JziQsYpsIOo/RBu1oqVab1bPQ/VVIaPR1LgYaVXY+mHB1sRQ== X-Received: by 2002:a05:6a21:150a:b0:1f3:3771:d3c with SMTP id adf61e73a8af0-1f337710ebemr7591568637.24.1741090795660; Tue, 04 Mar 2025 04:19:55 -0800 (PST) Received: from MVIN00020.mvista.com ([49.207.225.5]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-aee7de1a488sm9859550a12.27.2025.03.04.04.19.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Mar 2025 04:19:55 -0800 (PST) 
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 05/14] xwayland: Fix CVE-2024-31083 Date: Tue, 4 Mar 2025 17:49:09 +0530 Message-Id: <20250304121918.147345-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com> References: <20250304121918.147345-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 12:20:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212270 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057ee & https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc Signed-off-by: Vijay Anusuri --- .../xwayland/CVE-2024-31083-0001.patch | 118 ++++++++++++++++++ .../xwayland/CVE-2024-31083-0002.patch | 77 ++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch new file mode 100644 index 0000000000..754e03961a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch 
@@ -0,0 +1,118 @@ +From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 30 Jan 2024 13:13:35 +1000 +Subject: [PATCH] render: fix refcounting of glyphs during ProcRenderAddGlyphs + +Previously, AllocateGlyph would return a new glyph with refcount=0 and a +re-used glyph would end up not changing the refcount at all. The +resulting glyph_new array would thus have multiple entries pointing to +the same non-refcounted glyphs. + +AddGlyph may free a glyph, resulting in a UAF when the same glyph +pointer is then later used. + +Fix this by returning a refcount of 1 for a new glyph and always +incrementing the refcount for a re-used glyph, followed by dropping that +refcount back down again when we're done with it. + +CVE-2024-31083, ZDI-CAN-22880 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Part-of: + +CVE: CVE-2024-31083 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057ee] + +Signed-off-by: Archana Polampalli +Signed-off-by: Vijay Anusuri +--- + render/glyph.c | 5 +++-- + render/glyphstr.h | 2 ++ + render/render.c | 15 +++++++++++---- + 3 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index f3ed9cf..d5fc5f3 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph) + } + } + +-static void ++void + FreeGlyph(GlyphPtr glyph, int format) + { + CheckDuplicates(&globalGlyphs[format], "FreeGlyph"); ++ BUG_RETURN(glyph->refcnt == 0); + if (--glyph->refcnt == 0) { + GlyphRefPtr gr; + int i; +@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth) + glyph = (GlyphPtr) malloc(size); + if (!glyph) + return 0; +- glyph->refcnt = 0; ++ glyph->refcnt = 1; + glyph->size = size + sizeof(xGlyphInfo); + glyph->info = *gi; + dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH); +diff --git a/render/glyphstr.h 
b/render/glyphstr.h +index 2f51bd2..68f8c9e 100644 +--- a/render/glyphstr.h ++++ b/render/glyphstr.h +@@ -117,6 +117,8 @@ extern GlyphSetPtr AllocateGlyphSet(int fdepth, PictFormatPtr format); + extern int + FreeGlyphSet(void *value, XID gid); + ++void FreeGlyph(GlyphPtr glyph, int format); ++ + #define GLYPH_HAS_GLYPH_PICTURE_ACCESSOR 1 /* used for api compat */ + extern _X_EXPORT PicturePtr + GetGlyphPicture(GlyphPtr glyph, ScreenPtr pScreen); +diff --git a/render/render.c b/render/render.c +index 456f156..5bc2a20 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client) + + if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) { + glyph_new->found = TRUE; ++ ++glyph_new->glyph->refcnt; + } + else { + GlyphPtr glyph; +@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client) + err = BadAlloc; + goto bail; + } +- for (i = 0; i < nglyphs; i++) ++ for (i = 0; i < nglyphs; i++) { + AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id); ++ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth); ++ } + + if (glyphsBase != glyphsLocal) + free(glyphsBase); +@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client) + FreePicture((void *) pSrc, 0); + if (pSrcPix) + FreeScratchPixmapHeader(pSrcPix); +- for (i = 0; i < nglyphs; i++) +- if (glyphs[i].glyph && !glyphs[i].found) +- free(glyphs[i].glyph); ++ for (i = 0; i < nglyphs; i++) { ++ if (glyphs[i].glyph) { ++ --glyphs[i].glyph->refcnt; ++ if (!glyphs[i].found) ++ free(glyphs[i].glyph); ++ } ++ } + if (glyphsBase != glyphsLocal) + free(glyphsBase); + return err; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch new file mode 100644 index 0000000000..c597e9b575 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch 
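Review bot: the new `AddGlyph(); FreeGlyph();` pair in the `@@ -1168,8 +1169,10 @@` hunk assumes `AddGlyph()` leaves `glyphs[i].glyph` alive, but at this point in the series `AddGlyph()` still frees the glyph it was handed when it finds a matching one already in the set, so the following `FreeGlyph()` touches freed memory; the companion CVE-2024-31083-0002.patch removes that free inside `AddGlyph()`, so this patch must never be backported without it (the SRC_URI order 0001 then 0002 is correct). In the bail loop (`@@ -1179,9 +1182,13 @@`) the refcount is decremented and a not-found glyph is `free()`d directly rather than through `FreeGlyph()`, which is only safe if such a glyph has never been registered in the glyph set at that point; a comment stating that invariant would help the next reader. The `BUG_RETURN(glyph->refcnt == 0)` added to `FreeGlyph()` (glyph.c hunk `@@ -245,10 +245,11 @@`) turns a refcount underflow into a logged no-op instead of a free, which is the right failure mode for a server reachable by unprivileged clients.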
@@ -0,0 +1,77 @@ +From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and + then frees it using FreeGlyph() to decrease the reference count, after + AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +Part-of: + +CVE: CVE-2024-31083 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc] + +Signed-off-by: Archana Polampalli +Signed-off-by: Vijay Anusuri +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index d5fc5f3..f5069d4 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 5fa2402234..258a875697 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
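Review bot: dropping `FreeGlyphPicture(glyph); dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);` from `AddGlyph()` (hunk `@@ -291,8 +291,6 @@`) hands ownership of the caller's duplicate glyph back to the caller, which is what makes the `FreeGlyph()` added by the 0001 patch safe, but it also means any other `AddGlyph()` caller that relied on the function consuming a duplicate glyph will now leak it unless it releases the glyph itself; the ASan trace only covers `ProcRenderAddGlyphs`, so the remaining callers should be checked when reviewing the backport. Since the function now silently substitutes `glyph = gr->glyph` while keeping the caller's object alive, a one-line comment at the top of `AddGlyph()` saying the passed glyph is never freed would keep the pattern from regressing.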
@@ -26,6 +26,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-21886-2.patch \ file://CVE-2024-31080.patch \ file://CVE-2024-31081.patch \ + file://CVE-2024-31083-0001.patch \ + file://CVE-2024-31083-0002.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Tue Mar 4 12:19:10 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58271 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 06/14] xwayland: Fix CVE-2024-9632 Date: Tue, 4 Mar 2025 17:49:10 +0530 Message-Id: <20250304121918.147345-6-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com> References: <20250304121918.147345-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 12:20:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212271 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2024-9632.patch | 59 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch new file mode 100644 index 0000000000..54888f6347 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch 
@@ -0,0 +1,59 @@ +From ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +(cherry picked from commit 85b77657) + +Part-of: + +CVE: CVE-2024-9632 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0] + +Signed-off-by: Yogita Urade +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 276dc19..7da00a0 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 258a875697..23575b387e 100644 
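Review bot: the `@@ -2992,13 +2992,13 @@` hunk correctly keys both the growth check and the `reallocarray()` size on `size_si` (allocated capacity) instead of `num_si` (used count), which is the mismatch the commit message describes, but it only updates `num_si` inside the grow branch: a request whose `firstSI + nSI` fits within the existing `size_si` yet exceeds the current `num_si` leaves `num_si` unchanged, so confirm that the code after this block (not shown in the hunk) raises `num_si` for that case or that nothing downstream depends on it. Resetting both `num_si` and `size_si` to 0 on the `BadAlloc` path is right, since a failed `reallocarray()` leaves `sym_interpret` NULL and any non-zero capacity would be dangling.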
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-31081.patch \ file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ + file://CVE-2024-9632.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Tue Mar 4 12:19:11 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58274 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 07/14] xwayland: Fix CVE-2025-26594 Date: Tue, 4 Mar 2025 17:49:11 +0530 Message-Id: <20250304121918.147345-7-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com> References: <20250304121918.147345-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 12:20:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212272 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6 Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26594-1.patch | 54 +++++++++++++++++++ .../xwayland/xwayland/CVE-2025-26594-2.patch | 51 ++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 107 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch new file mode 100644 index 0000000000..f34a89e6ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch 
@@ -0,0 +1,54 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Danzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..30b95c1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..6ebf540ab9 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch 
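Review bot: the `pCursor == rootCursor` check in `ProcFreeCursor()` (hunk `@@ -3107,6 +3107,10 @@`) sets `client->errorValue = stuff->id` and returns `BadCursor`, matching the v3 note in the description, but it only blocks the explicit `XFreeCursor` request; the root cursor can still reach a zero refcount through any other path that releases the resource, which is why the companion CVE-2025-26594-2.patch gives the server its own reference, so the two patches should be treated as one change and this check read as an additional guard rather than the fix on its own. A client asking to free the root cursor is also a useful signal, so consider logging the rejected request rather than failing it silently.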
@@ -0,0 +1,51 @@ +From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH] dix: keep a ref to the rootCursor + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index bfc8add..38e29ce 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -231,6 +231,8 @@ dix_main(int argc, char *argv[], char *envp[]) + FatalError("could not open default cursor font"); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -271,6 +273,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 23575b387e..814fc1ce40 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
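Review bot: `rootCursor = RefCursor(rootCursor)` (hunk `@@ -231,6 +231,8 @@`) and `UnrefCursor(rootCursor)` after `Dispatch()` (hunk `@@ -271,6 +273,8 @@`) give the global the reference the description says it lacked, but the unref runs before `UndisplayDevices()` and `DisableAllDevices()`, so anything in that device teardown which still consults `rootCursor` now does so after the server's reference is gone; check that nothing there dereferences it, or move the `UnrefCursor()` below those calls. Also, if this code sits inside the per-generation loop of `dix_main()`, each generation must recreate `rootCursor` before the `RefCursor()` so the ref/unref pair stays balanced across server resets.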
@@ -29,6 +29,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ file://CVE-2024-9632.patch \ + file://CVE-2025-26594-1.patch \ + file://CVE-2025-26594-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Tue Mar 4 12:19:12 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58273 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 08/14] xwayland: Fix CVE-2025-26595 Date: Tue, 4 Mar 2025 17:49:12 +0530 Message-Id: <20250304121918.147345-8-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com> References: <20250304121918.147345-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Mar 2025 12:20:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212273 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87 Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26595.patch | 65 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch new file mode 100644 index 0000000000..a7478d9e2a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch 
@@ -0,0 +1,65 @@ +From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 14:41:45 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText() + +The code in XkbVModMaskText() allocates a fixed sized buffer on the +stack and copies the virtual mod name. + +There's actually two issues in the code that can lead to a buffer +overflow. + +First, the bound check mixes pointers and integers using misplaced +parenthesis, defeating the bound check. + +But even though, if the check fails, the data is still copied, so the +stack overflow will occur regardless. + +Change the logic to skip the copy entirely if the bound check fails. + +CVE-2025-26595, ZDI-CAN-25545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87] +CVE: CVE-2025-26595 +Signed-off-by: Vijay Anusuri +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index 0184664207..93262528bb 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 814fc1ce40..452bae8c8d 100644 
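Review bot: the replacement bound `(str - buf) + len > VMOD_BUFFER_SIZE` in hunk `@@ -173,14 +173,14 @@` is now a plain byte comparison (the old `str - (buf + len)` subtracted `len` from the used offset, so it could never exceed the buffer size and the check never tripped), and because `len` already counts the separator, the NUL and, for `XkbCFile`, the four-byte `Mask` suffix, it is conservative; but `continue` silently drops that virtual modifier from the returned string, so callers get a truncated mask text with no error indication. A short comment at the `continue` noting the intentional truncation, and replacing the unchanged `sprintf(str, "%sMask", tmp)` with a bounded `snprintf()` as defence in depth, would make the safe behaviour obvious and keep a future edit to `len` from reopening the overflow.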
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-9632.patch \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ + file://CVE-2025-26595.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:13 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58275
X-Patchwork-Delegate: steve@sakoman.com
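Review bot: in the xkb/xkbtext.c hunk of CVE-2025-26595.patch, the `continue` on a failed bound check drops the vmod name that does not fit but keeps iterating, so a later, shorter name can still be appended and the rendered mask text silently omits an element from the middle rather than being a truncated prefix. If best-effort output is acceptable for a text formatter, a one-line comment saying so would help; otherwise `break` keeps the output an in-order prefix. The corrected test `(str - buf) + len > VMOD_BUFFER_SIZE` itself is right: `len` already counts the terminating NUL, the optional `+`/`|` separator and the four bytes of the `Mask` suffix for XkbCFile, so exactly filling the buffer is correctly allowed, and moving the check ahead of the copy is what actually closes the overflow described in the message.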
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 09/14] xwayland: Fix CVE-2025-26596
Date: Tue, 4 Mar 2025 17:49:13 +0530
Message-Id: <20250304121918.147345-9-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
References: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212274

From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. CVE reported for both and the patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2025-26596.patch | 49 +++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch
new file mode 100644
index 0000000000..f9df8d75ea
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch
@@ -0,0 +1,49 @@ +From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 11:49:34 +0100 +Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms + +The computation of the length in XkbSizeKeySyms() differs from what is +actually written in XkbWriteKeySyms(), leading to a heap overflow. + +Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() +does. + +CVE-2025-26596, ZDI-CAN-25543 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01] +CVE: CVE-2025-26596 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 85659382da..744dba63d7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 452bae8c8d..18fe2dbc98 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -32,6 +32,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ + file://CVE-2025-26596.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:14 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58276
X-Patchwork-Delegate: steve@sakoman.com
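Review bot: in the xkb/xkb.c hunk of CVE-2025-26596.patch, the new `if (nSymsThisKey == 0) continue;` has no effect on the total (adding zero to `nSyms` changes nothing), so it is there only to mirror the writer's control flow; a short comment stating that this loop must stay in lock-step with XkbWriteKeySyms() would make that intent explicit and stop someone from "simplifying" it back to the old `symMap->offset != 0` guard, which is exactly the mismatch the message describes (keys with offset 0 were left out of `len`/`totalSyms` but still written, hence the heap overflow). Two documentation nits: the message says "kbWriteKeySyms()" where XkbWriteKeySyms() is evidently meant, and the `len += nSyms * 4` line would read better with a comment that each KeySym is 4 bytes on the wire.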
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 10/14] xwayland: Fix CVE-2025-26597
Date: Tue, 4 Mar 2025 17:49:14 +0530
Message-Id: <20250304121918.147345-10-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
References: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212275

From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. CVE reported for both and the patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2025-26597.patch | 46 +++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
new file mode 100644
index 0000000000..b0735d0b46
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
@@ -0,0 +1,46 @@ +From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 14:09:04 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey() + +If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the +key syms to 0 but leave the key actions unchanged. + +If later, the same function is called with a non-zero value for nGroups, +this will cause a buffer overflow because the key actions are of the wrong +size. + +To avoid the issue, make sure to resize both the key syms and key actions +when nGroups is 0. + +CVE-2025-26597, ZDI-CAN-25683 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949] +CVE: CVE-2025-26597 +Signed-off-by: Vijay Anusuri +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index abbfed90eb..fd180fad2c 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 18fe2dbc98..0303e39de4 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -33,6 +33,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ + file://CVE-2025-26597.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:15 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58277
X-Patchwork-Delegate: steve@sakoman.com
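Review bot: in the xkb/XKBMisc.c hunk of CVE-2025-26597.patch, the added `XkbResizeKeyActions(xkb, key, 0);` keeps the key's actions sized consistently with its syms on the nGroups == 0 early return, but its result is discarded, as is that of `XkbResizeKeySyms(xkb, key, 0);` on the line above, and the function then returns Success unconditionally. If a zero-size resize cannot fail, a one-line comment saying so would spare the next reader the lookup; if it can, the failure should propagate rather than leaving a half-resized key behind a Success return, which is the same shape of inconsistency this fix is removing.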
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 11/14] xwayland: Fix CVE-2025-26598
Date: Tue, 4 Mar 2025 17:49:15 +0530
Message-Id: <20250304121918.147345-11-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
References: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212276

From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. CVE reported for both and the patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2025-26598.patch | 120 ++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
new file mode 100644
index 0000000000..210a76262a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
@@ -0,0 +1,120 @@ +From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 11:25:11 +0100 +Subject: [PATCH] Xi: Fix barrier device search + +The function GetBarrierDevice() would search for the pointer device +based on its device id and return the matching value, or supposedly NULL +if no match was found. + +Unfortunately, as written, it would return the last element of the list +if no matching device id was found which can lead to out of bounds +memory access. + +Fix the search function to return NULL if not matching device is found, +and adjust the callers to handle the case where the device cannot be +found. + +CVE-2025-26598, ZDI-CAN-25740 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a] +CVE: CVE-2025-26598 +Signed-off-by: Vijay Anusuri +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 700b2b8c53..6761bcb49a 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if 
(pbd->seen) + continue; + +@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 0303e39de4..9138e1dd0e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -34,6 +34,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ + file://CVE-2025-26598.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:16 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58278
X-Patchwork-Delegate: steve@sakoman.com
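Review bot: in the Xi/xibarriers.c hunks of CVE-2025-26598.patch, dropping `BUG_WARN(!pbd);` from GetBarrierDevice() makes a lookup miss completely silent, and five of the six adjusted call sites then just `continue` or `return`; only ProcXIBarrierReleasePointer() surfaces it, with `client->errorValue = dev->id; return BadDevice;`. A per_device list that no longer matches the live device list is a bug worth seeing, so consider keeping the warning (or a debug-level log) inside GetBarrierDevice() while still returning NULL, which preserves the fix for the out-of-bounds read without hiding the inconsistency. The core change is sound: iterating with the separate `p` and assigning `pbd = p` only on a match is what stops the function returning the list's last element on a miss. Message nit: "return NULL if not matching device is found" should read "if no matching device is found".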
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 12/14] xwayland: Fix CVE-2025-26599
Date: Tue, 4 Mar 2025 17:49:16 +0530
Message-Id: <20250304121918.147345-12-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
References: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212277

From: Vijay Anusuri

The patches are copied from the xserver-xorg recipe. CVE reported for both and the patches apply to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2025-26599-1.patch | 66 +++++++++
 .../xwayland/xwayland/CVE-2025-26599-2.patch | 129 ++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 2 +
 3 files changed, 197 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
new file mode 100644
index 0000000000..60b68a0d9a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
@@ -0,0 +1,66 @@ +From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow() + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index eaabf0d..0bbbc55 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +2.25.1 + 
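Review bot: in the composite/compalloc.c hunk of CVE-2025-26599-1.patch, continuing to `compHandleMarkedWindows(pWin, pLayerWin)` after recording `status = BadAlloc;` is the entire point of the fix, but nothing in the code says so; a reader who sees an error captured and the function carrying on will read it as an oversight and is likely to reintroduce the early return. Suggest a comment above `status = BadAlloc;` along the lines of "the tree was marked above and must still be validated even though redirection failed". Please also confirm that `FreeResource(ccw->id, RT_NONE);` does not release anything compHandleMarkedWindows() touches through pWin or pLayerWin, since the call now runs after that free where it previously never did.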
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch
new file mode 100644
index 0000000000..252b033261
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch
@@ -0,0 +1,129 @@ +From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 13 Jan 2025 16:09:43 +0100 +Subject: [PATCH] composite: initialize border clip even when pixmap alloc + fails + +If it fails to allocate the pixmap, the function compAllocPixmap() would +return early and leave the borderClip region uninitialized, which may +lead to the use of uninitialized value as reported by valgrind: + + Conditional jump or move depends on uninitialised value(s) + at 0x4F9B33: compClipNotify (compwindow.c:317) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + 
by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) + by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + +Fix compAllocPixmap() to initialize the border clip even if the creation +of the backing pixmap has failed, to avoid depending later on +uninitialized border clip values. 
+ +Related to CVE-2025-26599, ZDI-CAN-25851 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 7cf7351e00..4a1243170d 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 9138e1dd0e..1e4a96f86f 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
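Review bot: in the first compalloc.c hunk (@@ -605,9 +605,12 @@), `Bool status;` is declared without an initializer even though this patch exists to fix an uninitialized-value bug; `Bool status = FALSE;` at the declaration keeps the `out:` path well-defined if a future early exit jumps there without setting it. Every current path sets it, so this is robustness only. Separately, `cw` comes from GetCompWindow(pWin) above the `if (!pPixmap)` test with no NULL check, and the new `goto out` dereferences `cw->borderClip` on the failure path; that is the same assumption the success path already makes, but it is now load-bearing on an error path and deserves a comment.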
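Review bot: in the second compalloc.c hunk (@@ -621,14 +624,16 @@), `RegionUninit(&cw->borderClip)` now also runs on the pixmap-allocation-failure path. The valgrind traces in the commit message show the CompWindow coming from a plain malloc() in compRedirectWindow (compalloc.c:171), so this is only safe if borderClip itself is already initialized there (RegionNull or equivalent) and only borderClipX/borderClipY were left stale; please state that in the commit message, because the fix's correctness hinges on it rather than on anything visible in this hunk.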
@@ -35,6 +35,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ file://CVE-2025-26598.patch \ + file://CVE-2025-26599-1.patch \ + file://CVE-2025-26599-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:17 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58280
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 13/14] xwayland: Fix CVE-2025-26600
Date: Tue, 4 Mar 2025 17:49:17 +0530
Message-Id: <20250304121918.147345-13-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
References: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212278

From: Vijay Anusuri

Patch copied from the xserver-xorg recipe. CVE reported for both and patch applies to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2025-26600.patch | 68 +++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch
new file mode 100644
index 0000000000..43b47b3ca3
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch
@@ -0,0 +1,68 @@ +From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b] +CVE: CVE-2025-26600 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 1516147..459f1ed 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } +-- +2.25.1 + 
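Review bot: in the new FreePendingFrozenDeviceEvents() (@@ -962,6 +962,23 @@), the early `if (!dev->deviceGrab.sync.frozen) return;` makes the dequeue conditional, but the use-after-free only needs a QdEvent on `syncEvents.pending` whose `device` still points at `dev`. Since `syncEvents.pending` is one shared queue, if a device can be thawed without the queue being replayed (for instance while another device's grab still holds it), stale entries survive removal. Dropping the guard and always walking the list at CloseDevice() time costs a single list walk on a rare path and removes the question. Also worth confirming that the single `free(qe)` releases the event payload as well, i.e. that EnqueueEvent allocates the InternalEvent inline with the QdEventRec, so this path frees exactly what the replay path would.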
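Review bot: the call site in CloseDevice() (@@ -1026,6 +1043,7 @@) sits after `dev->last.touches` and friends have already been freed, which is fine because FreePendingFrozenDeviceEvents() only compares `qe->device` against `dev` and touches no other device state; a one-line comment saying the ordering is intentional would stop a later cleanup from moving it. It must stay ahead of dixFreePrivates() and free(dev), which it does.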
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 1e4a96f86f..d90f9970b5 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -37,6 +37,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26598.patch \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ + file://CVE-2025-26600.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Tue Mar 4 12:19:18 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58279
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 14/14] xwayland: Fix CVE-2025-26601
Date: Tue, 4 Mar 2025 17:49:18 +0530
Message-Id: <20250304121918.147345-14-vanusuri@mvista.com>
In-Reply-To: <20250304121918.147345-1-vanusuri@mvista.com>
References: <20250304121918.147345-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212279

From: Vijay Anusuri

The patches are copied from the xserver-xorg recipe. CVE reported for both and patches apply to both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989

Signed-off-by: Vijay Anusuri
---
 .../xwayland/xwayland/CVE-2025-26601-1.patch | 71 ++++++++++
 .../xwayland/xwayland/CVE-2025-26601-2.patch | 85 +++++++++++
 .../xwayland/xwayland/CVE-2025-26601-3.patch | 52 +++++++
 .../xwayland/xwayland/CVE-2025-26601-4.patch | 132 ++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 4 +
 5 files changed, 344 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch
new file mode 100644
index 0000000000..df5416a452
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch 
@@ -0,0 +1,71 @@ +From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH] sync: Do not let sync objects uninitialized + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index ee0010e657..585cfa6f68 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ 
SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..22e751c017 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch 
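Review bot: with the `pSync != pTrigger->pSync` block removed from the XSyncCACounter branch (@@ -360,11 +360,6 @@), `pTrigger->pSync` keeps pointing at the old sync object, while the local `pSync` holds the requested one, for the whole validation section in between. The XSyncCATestType check reads the local (`if (pSync && SYNC_FENCE == pSync->type)`), which is right; please confirm nothing else in that region reads `pTrigger->pSync` expecting the new object, and that `pCounter` is derived from `pSync` rather than from `pTrigger->pSync`.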
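Review bot: the re-added block (@@ -432,6 +427,14 @@) is guarded by `if (changes & XSyncCACounter)`, which is what keeps `pSync` from being read when the counter was not part of the change mask; if `pSync` is not initialized at its declaration, that guard is load-bearing and deserves a comment. The placement directly before the "we wait until we're sure there are no errors" comment is the right spot, since SyncDeleteTriggerFromSyncObject() can free the old object and nothing after this point should be able to return an error.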
@@ -0,0 +1,85 @@ +From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH] sync: Check values before applying changes + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 585cfa6f68..10302160fb 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- 
else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..8d714f0302 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch 
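Review bot: in the relocated value check (@@ -381,6 +381,24 @@), the relative branch reads `pCounter->value` and returns BadMatch when `pCounter == NULL`. Because the preceding patch deferred the trigger's counter swap to the XSyncCACounter block at the end of the function, `pCounter` here must already be the counter resolved from the requested sync object, not from `pTrigger->pSync`; otherwise a ChangeAlarm that switches counter and sets a relative value computes `test_value` against the old counter. A comment at the top of this block pinning that down would help.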
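Review bot: the removal hunk (@@ -409,24 +427,6 @@) is a pure move, but the move changes which error a request with several bad fields reports first: a value overflow is now reported before an invalid test type rather than after it. That is acceptable protocol-wise, but the commit message should mention it so the behaviour change is not mistaken for a regression by anyone bisecting.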
@@ -0,0 +1,52 @@ +From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject() + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 10302160fb..65f2d43780 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..e2261192fa --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch 
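Review bot: in SyncAddTriggerToSyncObject() (@@ -201,8 +201,8 @@), replacing malloc() with XNFalloc() removes the only failure path, yet the function still returns int and `return Success;` above; changing it to `void` and updating its other callers would make the no-fail contract explicit at compile time instead of leaving it to the "succeed or burst" comment. The commit message should also say the trade is deliberate: an allocation failure during a client request now takes the server down with FatalError() rather than leaving a half-updated trigger behind.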
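Review bot: at the SyncInitTrigger() call site (@@ -439,8 +439,7 @@), the return value of SyncAddTriggerToSyncObject() is now silently discarded while the function still returns int; a `(void)` cast, or changing SyncAddTriggerToSyncObject() to return void, makes it clear to readers and static analysers that ignoring the result is intentional rather than an oversight.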
@@ -0,0 +1,132 @@ +From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:10:31 +0100 +Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes() + +SyncChangeAlarmAttributes() would apply the various changes while +checking for errors. + +If one of the changes triggers an error, the changes for the trigger, +counter or delta value would remain, possibly leading to inconsistent +changes. + +Postpone the actual changes until we're sure nothing else can go wrong. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 65f2d43780..cab73be927 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? 
trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." 
+ */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index d90f9970b5..6affd80e22 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -38,6 +38,10 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ file://CVE-2025-26600.patch \ + file://CVE-2025-26601-1.patch \ + file://CVE-2025-26601-2.patch \ + file://CVE-2025-26601-3.patch \ + file://CVE-2025-26601-4.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
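Review bot: in the new locals (@@ -830,8 +830,14 @@), `trigger = pAlarm->trigger;` copies a struct that contains the `pSync` pointer, and `counter` is still derived from that pointer. This is sound only because nothing between the copy and the write-back frees or replaces `pAlarm->trigger.pSync` (SyncInitTrigger() is what does that, and it runs after the write-back); a comment stating that invariant would protect it.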
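Review bot: in the final hunk (@@ -886,25 +890,33 @@), the deferred SyncEventSelectForAlarm() call is placed before the delta/test-type BadMatch check, so a request with a bad delta still has its event selection applied before the error is returned, which is exactly the partial-application pattern this patch sets out to remove; move the `if (select_events_changed)` block below the BadMatch check. Likewise `pAlarm->delta = delta; pAlarm->trigger = trigger;` are written back before SyncInitTrigger(), which can still return an error, so a failing SyncInitTrigger() leaves the alarm holding the new delta, value_type, wait_value and test_type with the old pSync. If writing back first is required because SyncInitTrigger() validates the fields in place, say so in the "postpone this until now" comment and consider restoring the saved copy on failure.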