From patchwork Wed Aug 20 10:52:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 68871 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 562E8CA0EDC for ; Wed, 20 Aug 2025 10:52:51 +0000 (UTC) Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) by mx.groups.io with SMTP id smtpd.web11.17130.1755687169545798094 for ; Wed, 20 Aug 2025 03:52:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=fauIg6Hs; spf=pass (domain: mvista.com, ip: 209.85.215.173, mailfrom: vanusuri@mvista.com) Received: by mail-pg1-f173.google.com with SMTP id 41be03b00d2f7-b4717390ad7so4205668a12.1 for ; Wed, 20 Aug 2025 03:52:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1755687168; x=1756291968; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=PGMYU/clxcqtc3o6ZsStmQZUIubiqGXmg0dcCg6i7eE=; b=fauIg6Hs1qWpMB6kj5t/cXPZSRxFUsDtyn2BhVO6ffXiZdI/nx+ldetvkPIHS4YhJt +kCFZbCRobMVeS1vD14DDVRopoSXwA3bphyWloamMCtPBYrPqA/fXE/M73OMAWcwJ0K0 0I5O0/WOS6GOz1v9KQwj2UkiTn/TroX6dNsCo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755687168; x=1756291968; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PGMYU/clxcqtc3o6ZsStmQZUIubiqGXmg0dcCg6i7eE=; b=vl5KDs78qRVC5A6r2QZzfAKxDpDhsXrXdd5phkTR0utDRAZ32oVgCkDKgVHo9CMQxF j052SZUw1pCCQtMO+JSEmXWovF53NI0w6wRLHOPX+39oiGaNotohMDTB+XKOp36FGXfM DBu77JK9Evkpgn3mmS50g+WTg+eWZO6acZ37penN09WhnfY1UwyPDuGKf+b1rTXWMWHS 4Yo4vhefw4UtYUE9mLi//X4NlEInUW0hHe+u9pqac6NiIA9cnKGHROBqDY2/kdmdPA7O 1Rg0gMjbeAal9mzI9dllTjEsuKVENAxRjy+m9eScxmVUv1z+TKvuPSz05HCTXHKQNR5n LQSw== X-Gm-Message-State: AOJu0YxZVRQmG30UM/1SNxvWXTxiLW6RVgIFs4GvcwHdMOba1oTfYiCQ +EviRP0TzkdjnNWiu3p+VIwOfJU6ZqMu0vOf8r2B+vXmohur/NV6SbX9wLOBDABc2mTw06P+91w +AEjQKqk= X-Gm-Gg: ASbGncs+Iu8bThHi8m+BRZDPycarqyPWxWzHU+Zts6uuON2Ybq56KyhMvjlavlEHc44 xy78U3fKf+C98l3ZAlVRU/khMnNv22Djh3eN8SGIIkttZcxiApk0Gf9Yg03ygmQ7I56P63h/ItA SNLlkJR8ywPk/4HGT9iiyYir2Z/O4Q/ENvy4kNupFliqvwZPxzrrBi19geDa+rTtFEL0ltlbPh5 AKf/cJIwotp6aUzUkz/VOcvWiDPW880XScA3MM1qGVXPXvAXywWpsPE1OVwQgpBWNRPPPJwcNvA 1iVb3Zm2eUbTfyyl2dU+ghExGI+6y8g8Yxy9lRQxT13MNV1JbZx9yf6z7KNJm2DqduklPxIBs3G zuiGN5s14WFg9B2yfH9/WB1OKD5nxJVw= X-Google-Smtp-Source: AGHT+IFDT/RNJEgmbwOYKwbhIXNC9UrTeDr7ithkoFZMCA1mHVjBsV80PZri4PHZaTkqhbWR6R57Ng== X-Received: by 2002:a17:902:d4cf:b0:240:52c8:2564 with SMTP id d9443c01a7336-245ef22710dmr28166295ad.26.1755687168266; Wed, 20 Aug 2025 03:52:48 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.204.8]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-324e254cbd1sm1976663a91.16.2025.08.20.03.52.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Aug 2025 03:52:47 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 1/3] xserver-xorg: Fix for CVE-2025-49178 Date: Wed, 20 Aug 2025 16:22:30 +0530 Message-Id: <20250820105232.201407-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Aug 2025 10:52:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222169 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-49178.patch | 49 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch new file mode 100644 index 0000000000..ce3e2f415f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch @@ -0,0 +1,49 @@ +From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:46:03 +0200 +Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer + +When reading requests from the clients, the input buffer might be shared +and used between different clients. + +If a given client sends a full request with non-zero bytes to ignore, +the bytes to ignore may still be non-zero even though the request is +full, in which case the buffer could be shared with another client who's +request will not be processed because of those bytes to ignore, leading +to a possible hang of the other client request. + +To avoid the issue, make sure we have zero bytes to ignore left in the +input request when sharing the input buffer with another client. + +CVE-2025-49178 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2] +CVE: CVE-2025-49178 +Signed-off-by: Vijay Anusuri +--- + os/io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/io.c b/os/io.c +index 3e39c10e6f..e7b76b9cea 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client) + */ + + gotnow -= needed; +- if (!gotnow) ++ if (!gotnow && !oci->ignoreBytes) + AvailableInput = oc; + if (move_header) { + if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 1fceec89f7..67e146bf97 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb @@ -40,6 +40,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-49176-1.patch \ file://CVE-2025-49176-2.patch \ file://CVE-2025-49177.patch \ + file://CVE-2025-49178.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" From patchwork Wed Aug 20 10:52:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 68872 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C8DFCA0EDC for ; Wed, 20 Aug 2025 10:53:11 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.web10.16960.1755687182278254574 for ; Wed, 20 Aug 2025 03:53:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=gR4U0Ptr; spf=pass (domain: mvista.com, ip: 209.85.216.51, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-32326e09f58so7049422a91.2 for ; Wed, 20 Aug 2025 03:53:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1755687181; x=1756291981; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=so09ACULOWpbGwRNgy+IMOs5wE1s1qKBKERQBioAkSk=; b=gR4U0PtrmqLpBGewSK224mSmxAAJd9jRm34yyl9peAkT3PkOKx/LI6HdaWGFjIXPJ2 ANwgx1e8fZSW2Fmk8urMDw1xww7cHjfqvMFKqEMuUN6w77zdpaXX3p154ZNqRgtFxbrr liJGDctjZ3M4BgPXYvic/2Q4bIML1WySy71pg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755687181; x=1756291981; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=so09ACULOWpbGwRNgy+IMOs5wE1s1qKBKERQBioAkSk=; b=MgT9i47Hxq4MJyZM8mFvvJGpe3sqUlP6JKpg7bg5hn/oGMk+cmRMMqTgfAeogq63Bs nhSB++MDEoOx371WEEumAOPxdxyVdjZwWLrUCfYuGWUkR1U8lzyy8yhcJ1FP6BgHLinx G9OLa1KAf+sgUwjL1fYMFSfM2CULfuHgVLBFchbcIj7Qeo3aeHvYY+IaLz33jXFKuqpH XuBPN+8dRPrbTNV3DhjlJML2f0Ku3qPNpZktV8iaRquoHval6bI2aTcriWoT11Hpzmjs g1WAgCEik7UNbxEXXQc7Op+iHV9o7N+wywn7q7XXbqS4MMRvgeM7zs0SbcOrJOMVxdZW 4mFA== X-Gm-Message-State: AOJu0Yy5tB6Tj9VG4JFNEZg8R5tx1fdZ2PjYPRis3O3a9ADWlkQi5WHV ZOeGdY56qzACRMj9EuHl8YY3LMRhqbKLe+qs85/99EBcqTmnBSFrFJKTXEjIFLrQgt7kCRN2OF6 qxipytZE= X-Gm-Gg: ASbGncsRQlyefVLGcVwkRIDd6a7vQenhhwvK5cgc2NUPR+iOQ2a1+VC9rM5jEGlS5GM DGw1zXxEMh8ZarLeoYiO/hejjYM78Qd4GsYhdZtN0XErb6UAxvyw/ywbiwObqiPDmDGAEbzmh+A tLW/QOT3eeO/hmnOtOoGi9wY7zGUjgjc0iXs3Jp+BATmXza8ra0EAY06bLzOdaG9w776ifGE/Gn QFGZ2giJjSIBW1gipSgzOPwYEIe2eXWPc301YIe4WTc61y3+dO/ESoZO3welrXpUw+nTMwlkYRD DhDP92zUlMHGf+BS5p9x/oyXLLhlUxnIWiPW1n1bHALrCcmhThS0PVUxj1EcdGPQtDUFFVcwf3D qEPjc9zGDvVUQgQbQa+MSxFkv9Ad3Iik9Ncxl/x/fMw== X-Google-Smtp-Source: AGHT+IEcR2ajjch4ScKKP8C4/Puno4BWxpYw9x66F84IAeP6/g12NQk3mOsSH9Q07OlHm74xntGzPw== X-Received: by 2002:a17:90b:4c4b:b0:31e:d2a5:c08d with SMTP id 98e67ed59e1d1-324e1453e1bmr3607790a91.33.1755687181161; Wed, 20 Aug 2025 03:53:01 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.204.8]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-324e254cbd1sm1976663a91.16.2025.08.20.03.52.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Aug 2025 03:53:00 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 2/3] xserver-xorg: Fix for CVE-2025-49179 Date: Wed, 20 Aug 2025 16:22:31 +0530 Message-Id: <20250820105232.201407-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250820105232.201407-1-vanusuri@mvista.com> References: <20250820105232.201407-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Aug 2025 10:53:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222170 From: Vijay Anusuri import patch from debian to fix CVE-2025-49179 Upstream-Status: Backport [import from debian xorg-server_21.1.7-3+deb12u10.diff.gz Upstream commit https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4] Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-49179.patch | 67 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch new file mode 100644 index 0000000000..a3d9ccbe16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch @@ -0,0 +1,67 @@ +From 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 11:47:15 +0200 +Subject: [PATCH] record: Check for overflow in + RecordSanityCheckRegisterClients() + +The RecordSanityCheckRegisterClients() checks for the request length, +but does not check for integer overflow. + +A client might send a very large value for either the number of clients +or the number of protocol ranges that will cause an integer overflow in +the request length computation, defeating the check for request length. + +To avoid the issue, explicitly check the number of clients against the +limit of clients (which is much lower than an maximum integer value) and +the number of protocol ranges (multiplied by the record length) do not +exceed the maximum integer value. + +This way, we ensure that the final computation for the request length +will not overflow the maximum integer limit. + +CVE-2025-49179 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [import from debian xorg-server_21.1.7-3+deb12u10.diff.gz +Upstream commit https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4] +CVE: CVE-2025-49179 +Signed-off-by: Vijay Anusuri +--- + record/record.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/record/record.c b/record/record.c +index e123867..d57be5b 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. + #include "inputstr.h" + #include "eventconvert.h" + #include "scrnintstr.h" ++#include "opaque.h" + + #include + #include +@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, + int i; + XID recordingClient; + ++ /* LimitClients is 2048 at max, way less that MAXINT */ ++ if (stuff->nClients > LimitClients) ++ return BadValue; ++ ++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) ++ return BadValue; ++ + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != + 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) + return BadLength; +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 67e146bf97..279351eff1 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb @@ -41,6 +41,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-49176-2.patch \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ + file://CVE-2025-49179.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" From patchwork Wed Aug 20 10:52:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 68873 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EA12CA0EDC for ; Wed, 20 Aug 2025 10:53:21 +0000 (UTC) Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) by mx.groups.io with SMTP id smtpd.web11.17132.1755687192855405414 for ; Wed, 20 Aug 2025 03:53:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=U1ctcUyD; spf=pass (domain: mvista.com, ip: 209.85.215.181, mailfrom: vanusuri@mvista.com) Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-b472fd93b4aso4070491a12.0 for ; Wed, 20 Aug 2025 03:53:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1755687192; x=1756291992; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TZSF+w4o1wV9wM1y6srfC8any3DiS5qLr+MOl7bGZ4Y=; b=U1ctcUyDGr48HJDEGCQuviXZmPhTw1cjUH8viCB+GUEzoxw5W0py5zC1QCby36/1wU ML8x67PB47vAco4gPkV+RTaE0v4ojR3eZ04oGzJE9zSV66iq0qfuq0+ipq7ciw7PJUim sjQpoNqL57wMkF9PhBwkeOAfux2tzoYnCwGzk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755687192; x=1756291992; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TZSF+w4o1wV9wM1y6srfC8any3DiS5qLr+MOl7bGZ4Y=; b=kWR8YskHawRQPtrlNV37ueNmRAXlY9qYtkXYMPK4xAE3GBwq8dZXEOiNz2xqslZSSj 1BTIU9r2mQ49stZjZ+cGDYUkgjjuENQqIyo94k3xV6iTFMvyDgfVBlee8rupDQcBnDRo p7h+H1MMV/Rd3h7ip+FzNBHzGzwbwrbIlMgej/7GPpp+5mQOVZootv0NxMy2vDkE+dhy bbeXAQ5oAgrZOxwd+xXUqtjb91UBkVsiW082kmRGcBhI8LdbJ9INuDwpi2Mcun3AiaiN yjUeTTCAGctwxjzW/HmSB684+kN45OtmaDdbr3zi+rni4ws7MP5Ux5MyU+a56ap+Q1U0 Hplw== X-Gm-Message-State: AOJu0Yxhgck5W37kLO6lNsa5JPHmigUiDG4ZUb6iBk95C+fTv+xRFRwy 2h4XhVWDHP1oBx+N7g3xt0az3d3seBYLn9hnQLAXx4Ne1cmLuWTJmrY7VqRc1vDKCR7NQcxF/CZ hCqXezBo= X-Gm-Gg: ASbGncsZBKPjBXtAPwGi/I/+28XXDK5BOMCmiiytXJ5Fnl9BtZbF1NGJeABlO968H0M qMSIV/B91WID1Kr/YsOWDpubHlmjhiyyb/TQaXNOqselptqMT4lKBTfaUpIo/uZSQlQVH82bKFz MiZIPpCBCHRg3AEWLzrTejPEZ/XsRTfCE0ObiVrlZvmvty9qjPpq37skT3CHdPwUNLCigfb1W5g op3rh7DmXjDJ5t7X15Y25uFuizXod4MkXy2zblVJuRlLHLKK6CNglFPs5B5hCJdFmFdX5I9xNnL IpAO02vmdnVFxvVteYRc9po8yDFLqgaP4I8KLrsF5rqRE7EViOLZ47TdN2O1ShIvVbCQ9f14kHf Jz6ZK4QVqdwnYWN5nuK/w+vrUBeM3FIg= X-Google-Smtp-Source: AGHT+IHnLp8/H7+ut+EX7jvJFCLejnJXZgOJ+fnWL00amZxy+17tgb3hJUS5HzgZMqvkN75Ib6tBbQ== X-Received: by 2002:a17:903:2f92:b0:242:bba6:fc85 with SMTP id d9443c01a7336-245ef2650c7mr31612015ad.56.1755687191829; Wed, 20 Aug 2025 03:53:11 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.204.8]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-324e254cbd1sm1976663a91.16.2025.08.20.03.53.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Aug 2025 03:53:11 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 3/3] xserver-xorg: Fix for CVE-2025-49180 Date: Wed, 20 Aug 2025 16:22:32 +0530 Message-Id: <20250820105232.201407-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250820105232.201407-1-vanusuri@mvista.com> References: <20250820105232.201407-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Aug 2025 10:53:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222171 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2025-49180-1.patch | 44 ++++++++++++++++ .../xserver-xorg/CVE-2025-49180-2.patch | 52 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 2 + 3 files changed, 98 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch new file mode 100644 index 0000000000..9e4e016477 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch @@ -0,0 +1,44 @@ +From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 20 May 2025 15:18:19 +0200 +Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty() + +A client might send a request causing an integer overflow when computing +the total size to allocate in RRChangeProviderProperty(). + +To avoid the issue, check that total length in bytes won't exceed the +maximum integer value. + +CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6] +CVE: CVE-2025-49180 +Signed-off-by: Vijay Anusuri +--- + randr/rrproviderproperty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index 69f66ed278..0c3dcd1bc5 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, + + if (mode == PropModeReplace || len > 0) { + void *new_data = NULL, *old_data = NULL; +- ++ if (total_len > MAXINT / size_in_bytes) ++ return BadValue; + total_size = total_len * size_in_bytes; + new_value.data = (void *) malloc(total_size); + if (!new_value.data && total_size) { +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch new file mode 100644 index 0000000000..94fda308a9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch @@ -0,0 +1,52 @@ +From 0235121c6a7a6eb247e2addb3b41ed6ef566853d Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 14:59:46 +0200 +Subject: [PATCH] xfree86: Check for RandR provider functions + +Changing XRandR provider properties if the driver has set no provider +function such as the modesetting driver will cause a NULL pointer +dereference and a crash of the Xorg server. + +Related to CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d] +CVE: CVE-2025-49180 +Signed-off-by: Vijay Anusuri +--- + hw/xfree86/modes/xf86RandR12.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c +index ddcf5e748a..bf33da377a 100644 +--- a/hw/xfree86/modes/xf86RandR12.c ++++ b/hw/xfree86/modes/xf86RandR12.c +@@ -2146,7 +2146,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen, + /* If we don't have any property handler, then we don't care what the + * user is setting properties to. + */ +- if (config->provider_funcs->set_property == NULL) ++ if (config->provider_funcs == NULL || ++ config->provider_funcs->set_property == NULL) + return TRUE; + + /* +@@ -2164,7 +2165,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen, + ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen); + xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn); + +- if (config->provider_funcs->get_property == NULL) ++ if (config->provider_funcs == NULL || ++ config->provider_funcs->get_property == NULL) + return TRUE; + + /* Should be safe even w/o vtSema */ +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 279351eff1..a15669a260 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb @@ -42,6 +42,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ file://CVE-2025-49179.patch \ + file://CVE-2025-49180-1.patch \ + file://CVE-2025-49180-2.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"