From patchwork Wed Mar 5 13:32:06 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58323
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][scarthgap][PATCH 1/9] xwayland: Fix CVE-2024-9632
Date: Wed, 5 Mar 2025 19:02:06 +0530
Message-Id: <20250305133214.169364-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212307

From: Vijay Anusuri

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-9632

Upstream patch: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0
Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2024-9632.patch | 59 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 4 +- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch new file mode 100644 index 0000000000..54888f6347 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch 
@@ -0,0 +1,59 @@ +From ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +(cherry picked from commit 85b77657) + +Part-of: + +CVE: CVE-2024-9632 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0] + +Signed-off-by: Yogita Urade +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 276dc19..7da00a0 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b934a873d1..c88fdb6e9f 100644 
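Review bot: the new size_si check in the _XkbSetCompatMap() hunk only covers the growth path; when req->firstSI + req->nSI fits within size_si but is above the current num_si, this block leaves num_si untouched, so confirm that the code after the hunk (not shown) raises num_si for that case rather than leaving those interpretations unaccounted for. Secondly, reallocarray() does not zero the slots between the old and new size_si, so the code that fills sym_interpret from the request must cover every entry up to the new num_si before anything reads them.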
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -9,7 +9,9 @@ HOMEPAGE = "https://fedoraproject.org/wiki/Changes/XwaylandStandalone" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" -SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" +SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ + file://CVE-2024-9632.patch \ +" SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" UPSTREAM_CHECK_REGEX = "xwayland-(?P\d+(\.(?!90\d)\d+)+)\.tar"

From patchwork Wed Mar 5 13:32:07 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58325
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][scarthgap][PATCH 2/9] xwayland: Fix CVE-2025-26594
Date: Wed, 5 Mar 2025 19:02:07 +0530
Message-Id: <20250305133214.169364-2-vanusuri@mvista.com>
In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com>
References: <20250305133214.169364-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212308

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6

Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26594-1.patch | 54 +++++++++++++++++++ .../xwayland/xwayland/CVE-2025-26594-2.patch | 51 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 2 + 3 files changed, 107 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch new file mode 100644 index 0000000000..f34a89e6ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch
@@ -0,0 +1,54 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Danzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..30b95c1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..6ebf540ab9 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch 
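Review bot: the rootCursor identity check in the ProcFreeCursor() hunk sits after dixLookupResourceByType() has succeeded with DixDestroyAccess, so a client's XFreeCursor on the root cursor now fails with BadCursor and errorValue set to the requested id, which is the appropriate error for a cursor the client is not allowed to free. The check is a raw pointer comparison, so it is only sound while the rootCursor global points at a live cursor; that is exactly what CVE-2025-26594-2.patch provides by taking a reference in dix_main(), so the two patches should land together, as this series does.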
@@ -0,0 +1,51 @@ +From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH] dix: keep a ref to the rootCursor + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index bfc8add..38e29ce 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -231,6 +231,8 @@ dix_main(int argc, char *argv[], char *envp[]) + FatalError("could not open default cursor font"); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -271,6 +273,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index c88fdb6e9f..3af0bb9012 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
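Review bot: in the dix_main() hunks the RefCursor()/UnrefCursor() pair brackets Dispatch(), so the server holds its own reference for the whole generation and the global stays valid even if the resource system's reference is released; the UnrefCursor() after Dispatch() does not reset rootCursor to NULL, though, so confirm that nothing between UndisplayDevices() and the next generation's cursor creation reads the global after that last reference is gone.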
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-9632.patch \ + file://CVE-2025-26594-1.patch \ + file://CVE-2025-26594-2.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"

From patchwork Wed Mar 5 13:32:08 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58324
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][scarthgap][PATCH 3/9] xwayland: Fix CVE-2025-26595
Date: Wed, 5 Mar 2025 19:02:08 +0530
Message-Id: <20250305133214.169364-3-vanusuri@mvista.com>
In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com>
References: <20250305133214.169364-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212309

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87

Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26595.patch | 65 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch new file mode 100644 index 0000000000..a7478d9e2a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
@@ -0,0 +1,65 @@ +From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 14:41:45 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText() + +The code in XkbVModMaskText() allocates a fixed sized buffer on the +stack and copies the virtual mod name. + +There's actually two issues in the code that can lead to a buffer +overflow. + +First, the bound check mixes pointers and integers using misplaced +parenthesis, defeating the bound check. + +But even though, if the check fails, the data is still copied, so the +stack overflow will occur regardless. + +Change the logic to skip the copy entirely if the bound check fails. + +CVE-2025-26595, ZDI-CAN-25545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87] +CVE: CVE-2025-26595 +Signed-off-by: Vijay Anusuri +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index 0184664207..93262528bb 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 3af0bb9012..2215d2fe4d 100644 
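Review bot: the rewritten bound check in the XkbVModMaskText() hunk now compares (str - buf) + len, that is the bytes already written plus what this iteration needs (the name, its NUL, the separator and the four-byte Mask suffix all counted into len just above), against VMOD_BUFFER_SIZE, and the continue skips the copy entirely instead of only the separator, which addresses both problems the message describes. The skip is silent, so a caller receives a truncated modifier list with no indication; if any caller depends on the text being complete, a comment or a trailing marker in the output would make that limitation explicit.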
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -13,6 +13,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-9632.patch \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ + file://CVE-2025-26595.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"

From patchwork Wed Mar 5 13:32:09 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58327
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][scarthgap][PATCH 4/9] xwayland: Fix CVE-2025-26596
Date: Wed, 5 Mar 2025 19:02:09 +0530
Message-Id: <20250305133214.169364-4-vanusuri@mvista.com>
In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com>
References: <20250305133214.169364-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212310

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01

Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26596.patch | 49 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch new file mode 100644 index 0000000000..f9df8d75ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch
@@ -0,0 +1,49 @@ +From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 11:49:34 +0100 +Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms + +The computation of the length in XkbSizeKeySyms() differs from what is +actually written in XkbWriteKeySyms(), leading to a heap overflow. + +Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() +does. + +CVE-2025-26596, ZDI-CAN-25543 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01] +CVE: CVE-2025-26596 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 85659382da..744dba63d7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 2215d2fe4d..63803a7a44 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
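Review bot: the XkbSizeKeySyms() hunk drops the symMap->offset != 0 condition so that a key with a zero offset but a non-zero group count is still counted, which is what brings the size computation in line with XkbWriteKeySyms() and keeps the later write inside the reply buffer; the added "if (nSymsThisKey == 0) continue;" is functionally a no-op (adding zero to nSyms changes nothing), so a one-line comment that it exists only to mirror the writer's loop would stop someone from "simplifying" it back into a divergent form. For the commit message: "kbWriteKeySyms()" should read XkbWriteKeySyms().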
@@ -14,6 +14,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ + file://CVE-2025-26596.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"

From patchwork Wed Mar 5 13:32:10 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 58326
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][scarthgap][PATCH 5/9] xwayland: Fix CVE-2025-26597
Date: Wed, 5 Mar 2025 19:02:10 +0530
Message-Id: <20250305133214.169364-5-vanusuri@mvista.com>
In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com>
References: <20250305133214.169364-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212311

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949

Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26597.patch | 46 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch new file mode 100644 index 0000000000..b0735d0b46 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
@@ -0,0 +1,46 @@ +From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 14:09:04 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey() + +If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the +key syms to 0 but leave the key actions unchanged. + +If later, the same function is called with a non-zero value for nGroups, +this will cause a buffer overflow because the key actions are of the wrong +size. + +To avoid the issue, make sure to resize both the key syms and key actions +when nGroups is 0. + +CVE-2025-26597, ZDI-CAN-25683 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949] +CVE: CVE-2025-26597 +Signed-off-by: Vijay Anusuri +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index abbfed90eb..fd180fad2c 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 63803a7a44..7f94c5e2e2 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
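Review bot: in the xkb/XKBMisc.c hunk the new XkbResizeKeyActions(xkb, key, 0) call has its return value ignored, as the adjacent XkbResizeKeySyms(xkb, key, 0) call already does; for a zero-size resize there is nothing to allocate, so that is acceptable, but the two calls now form a pair that must stay in step, since the commit message explains that resizing only the syms is what leaves the key actions at the wrong size when nGroups is later non-zero. A one-line comment above the pair saying that syms and actions must always be resized together would stop a future edit from dropping one of them again.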
@@ -15,6 +15,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ + file://CVE-2025-26597.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Wed Mar 5 13:32:11 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58328 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 6/9] xwayland: Fix CVE-2025-26598 Date: Wed, 5 Mar 2025 19:02:11 +0530 Message-Id: <20250305133214.169364-6-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com> References: <20250305133214.169364-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 13:32:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212312 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26598.patch | 120 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 121 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch new file mode 100644 index 0000000000..210a76262a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch 
@@ -0,0 +1,120 @@ +From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 11:25:11 +0100 +Subject: [PATCH] Xi: Fix barrier device search + +The function GetBarrierDevice() would search for the pointer device +based on its device id and return the matching value, or supposedly NULL +if no match was found. + +Unfortunately, as written, it would return the last element of the list +if no matching device id was found which can lead to out of bounds +memory access. + +Fix the search function to return NULL if not matching device is found, +and adjust the callers to handle the case where the device cannot be +found. + +CVE-2025-26598, ZDI-CAN-25740 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a] +CVE: CVE-2025-26598 +Signed-off-by: Vijay Anusuri +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 700b2b8c53..6761bcb49a 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if 
(pbd->seen) + continue; + +@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 7f94c5e2e2..b46a02e5c3 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
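Review bot: the GetBarrierDevice() hunk fixes the search by iterating with a separate variable p and assigning pbd only on a match, so a caller can no longer receive the list-walk cursor when no device matched; dropping BUG_WARN(!pbd) follows from that, because a NULL result is now an expected outcome rather than an invariant violation. That moves the responsibility to the callers, and the remaining hunks handle it consistently: continue in the barrier_find_nearest, input_constrain_cursor and BarrierFreeBarrier loops, return in the per-resource callback remove_master_func, and BadDevice with client->errorValue set to dev->id in ProcXIBarrierReleasePointer. A short comment on GetBarrierDevice() stating that it returns NULL when the client has no per-device state for deviceid would make that contract explicit for any future caller.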
@@ -16,6 +16,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ + file://CVE-2025-26598.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Wed Mar 5 13:32:12 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58329 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 7/9] xwayland: Fix CVE-2025-26599 Date: Wed, 5 Mar 2025 19:02:12 +0530 Message-Id: <20250305133214.169364-7-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com> References: <20250305133214.169364-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 13:33:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212313 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26599-1.patch | 66 +++++++++ .../xwayland/xwayland/CVE-2025-26599-2.patch | 129 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch new file mode 100644 index 0000000000..60b68a0d9a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch 
@@ -0,0 +1,66 @@ +From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow() + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index eaabf0d..0bbbc55 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +2.25.1 + 
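Review bot: in the second compalloc.c hunk, after FreeResource(ccw->id, RT_NONE) the function now falls through to compHandleMarkedWindows(pWin, pLayerWin) instead of returning BadAlloc at once, which is what the commit message requires so that the marked window tree is validated even when compCheckRedirect() fails. That is sound only because nothing on the fall-through path dereferences ccw, which holds for the visible lines; a comment at `status = BadAlloc;` noting that the marked windows must still be processed before returning, and that ccw has already been freed, would protect that ordering against later edits. The `int status = Success;` declaration in the first hunk together with the final `return status;` keeps the success path's return value unchanged.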
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch new file mode 100644 index 0000000000..252b033261 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch 
@@ -0,0 +1,129 @@ +From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 13 Jan 2025 16:09:43 +0100 +Subject: [PATCH] composite: initialize border clip even when pixmap alloc + fails + +If it fails to allocate the pixmap, the function compAllocPixmap() would +return early and leave the borderClip region uninitialized, which may +lead to the use of uninitialized value as reported by valgrind: + + Conditional jump or move depends on uninitialised value(s) + at 0x4F9B33: compClipNotify (compwindow.c:317) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + 
by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) + by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + +Fix compAllocPixmap() to initialize the border clip even if the creation +of the backing pixmap has failed, to avoid depending later on +uninitialized border clip values. 
+ +Related to CVE-2025-26599, ZDI-CAN-25851 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 7cf7351e00..4a1243170d 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b46a02e5c3..cafddc62b5 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
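Review bot: in the compAllocPixmap() hunks the `goto out` on pixmap allocation failure skips the redirectDraw and damage setup and jumps straight to the borderClip update, so the caller still receives FALSE while cw->borderClip is left in a defined state, which is what the valgrind traces in the commit message (compClipNotify reading the border clip under miValidateTree) call for. `Bool status;` is declared without an initialiser but is assigned on both paths before the label is reached, so there is no uninitialised read. A comment at `out:` saying that the border clip must be initialised even when the pixmap could not be created, because compClipNotify reads it later, would record why the label exists.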
@@ -17,6 +17,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ file://CVE-2025-26598.patch \ + file://CVE-2025-26599-1.patch \ + file://CVE-2025-26599-2.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Wed Mar 5 13:32:13 2025 X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58330 X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 8/9] xwayland: Fix CVE-2025-26600 Date: Wed, 5 Mar 2025 19:02:13 +0530 Message-Id: <20250305133214.169364-8-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com> References: <20250305133214.169364-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 13:33:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212314 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26600.patch | 68 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch new file mode 100644 index 0000000000..43b47b3ca3 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch 
@@ -0,0 +1,68 @@ +From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b] +CVE: CVE-2025-26600 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 1516147..459f1ed 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } +-- +2.25.1 + 
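Review bot: FreePendingFrozenDeviceEvents() returns early when dev->deviceGrab.sync.frozen is clear, which relies on a thawed device having no events left in syncEvents.pending; walking the list unconditionally would cost little on a device-removal path and would make the cleanup robust if that invariant is ever broken elsewhere. The call site in CloseDevice() sits before dixFreePrivates() and free(dev), so the queue is purged while dev is still valid, and the dequeued entries are freed rather than replayed; a sentence in the function comment saying that dropping them is deliberate on removal would help the next reader, and xorg_list_for_each_entry_safe() is the right iterator given the xorg_list_del() inside the loop.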
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index cafddc62b5..ac0408ea67 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -19,6 +19,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26598.patch \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ + file://CVE-2025-26600.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 13:32:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 58331 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9677CC19F32 for ; Wed, 5 Mar 2025 13:33:13 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web11.13043.1741181586649795707 for ; Wed, 05 Mar 2025 05:33:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=fmQXs138; spf=pass (domain: mvista.com, ip: 209.85.214.175, mailfrom: vanusuri@mvista.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-22401f4d35aso4707795ad.2 for ; Wed, 05 Mar 2025 05:33:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1741181586; x=1741786386; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vOriHYwlRmAuVWJMAm92zLg/f6EkhmISaHFljj3oMFQ=; b=fmQXs138Igaawr+gxdqsXzUWnym0rTyA83kVFe00b73BI2kBq1ndYPyko/YYeZd8I+ g7OYJum+ovB7SblZMxw3UhXy/IMBnvJU+suMStL47oJzk6rLE3H8/+mU/sRtHN1/1Sqa cBaBeK+LagjHkGGiUMx1McCHRvwhyNlWHDghw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741181586; x=1741786386; 
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 9/9] xwayland: Fix CVE-2025-26601 Date: Wed, 5 Mar 2025 19:02:14 +0530 Message-Id: <20250305133214.169364-9-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250305133214.169364-1-vanusuri@mvista.com> References: <20250305133214.169364-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 13:33:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212315 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 Signed-off-by: Vijay Anusuri --- .../xwayland/xwayland/CVE-2025-26601-1.patch | 71 ++++++++++ .../xwayland/xwayland/CVE-2025-26601-2.patch | 85 +++++++++++ .../xwayland/xwayland/CVE-2025-26601-3.patch | 52 +++++++ .../xwayland/xwayland/CVE-2025-26601-4.patch | 132 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 4 + 5 files changed, 344 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch new file mode 100644 index 0000000000..df5416a452 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch 
@@ -0,0 +1,71 @@ +From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH] sync: Do not let sync objects uninitialized + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index ee0010e657..585cfa6f68 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ 
SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..22e751c017 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch 
@@ -0,0 +1,85 @@ +From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH] sync: Check values before applying changes + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 585cfa6f68..10302160fb 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- 
else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..8d714f0302 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch 
@@ -0,0 +1,52 @@ +From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject() + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 10302160fb..65f2d43780 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..e2261192fa --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch 
@@ -0,0 +1,132 @@ +From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:10:31 +0100 +Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes() + +SyncChangeAlarmAttributes() would apply the various changes while +checking for errors. + +If one of the changes triggers an error, the changes for the trigger, +counter or delta value would remain, possibly leading to inconsistent +changes. + +Postpone the actual changes until we're sure nothing else can go wrong. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 65f2d43780..cab73be927 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? 
trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." 
+ */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index ac0408ea67..0265366393 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -20,6 +20,10 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ file://CVE-2025-26600.patch \ + file://CVE-2025-26601-1.patch \ + file://CVE-2025-26601-2.patch \ + file://CVE-2025-26601-3.patch \ + file://CVE-2025-26601-4.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
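Review bot: the `Part-of:` trailer in the backported CVE-2025-26601-1.patch header carries no URL; add the upstream merge-request link so the provenance of the backport is complete. The relocated `if (changes & XSyncCACounter)` block now sits after every validation that can return early, which matches the stated intent; between the lookup and that block `pTrigger->pSync` still refers to the previous object while `pSync` holds the new one, and the intervening fence check visible here tests `pSync`, so that is consistent.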
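Review bot: the block moved ahead of the XSyncCATestType check in the CVE-2025-26601-2.patch hunk writes `pTrigger->test_value` before the remaining validations have run, so a failure further down SyncInitTrigger() now leaves `test_value` updated instead of `CheckTrigger`; that is the lesser of the two partial-update cases, but the commit message should say so explicitly. The `if (pCounter == NULL) return BadMatch;` guard is still required at the new position, since `pCounter` is resolved only by the earlier counter lookup.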
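Review bot: replacing `malloc()` plus `BadAlloc` with `XNFalloc()` in SyncAddTriggerToSyncObject() turns an allocation failure into a server abort, so the CVE-2025-26601-3.patch hunk trades the use-after-free for a hard availability failure under memory exhaustion; state that trade-off in the commit message. With the only visible caller now ignoring the result (`SyncAddTriggerToSyncObject(pTrigger);`), the function's `int` return and `return Success;` are effectively dead and could become `void`, or any remaining callers should be audited for the same dropped check.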
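Review bot: in the CVE-2025-26601-4.patch hunk the deferred `SyncEventSelectForAlarm()` call still runs before the delta/test-type consistency check that can `return BadMatch;`, so a request rejected there has already changed the alarm's event selection; moving that call below the BadMatch check, next to `pAlarm->delta = delta; pAlarm->trigger = trigger;`, would fully honour the "postpone this until now" comment. Likewise `pAlarm->trigger = trigger;` is committed before `SyncInitTrigger()`, which can still fail, so an invalid value_type or test_type is stored on the alarm even though the request errors; not a regression, but worth calling out in the description as a remaining partial-update case.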