From patchwork Wed Nov 19 11:04:37 2025
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 74947
From: yurade
To:
Subject: [OE-core][scarthgap][PATCH 1/5] xserver-xorg: remove redundant patch
Date: Wed, 19 Nov 2025 16:34:37 +0530
Message-ID: <20251119110441.817793-1-yogita.urade@windriver.com>
X-Mailer: git-send-email 2.40.0
MIME-Version: 1.0
45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 11:05:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226546 From: Ross Burton The underlying issue with -fno-common was resolved upstream in xserver 21.1.0 onwards[1]. [1] xserver 0148a15da ("compiler.h: don't define inb/outb and friends on mips") (From OE-Core rev: 74b77ee90efd50a703af76769fac66a0f7c394ca) Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Yogita Urade --- ...-duplicate-definitions-of-IOPortBase.patch | 28 ------------------- .../xorg-xserver/xserver-xorg_21.1.18.bb | 4 +-- 2 files changed, 1 insertion(+), 31 deletions(-) delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-Avoid-duplicate-definitions-of-IOPortBase.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-Avoid-duplicate-definitions-of-IOPortBase.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-Avoid-duplicate-definitions-of-IOPortBase.patch deleted file mode 100644 index e9cbc9b4da..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-Avoid-duplicate-definitions-of-IOPortBase.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From cedc797e1a0850039a25b7e387b342e54fffcc97 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Mon, 17 Aug 2020 10:50:51 -0700 -Subject: [PATCH] Avoid duplicate definitions of IOPortBase - -This fixed build with gcc10/-fno-common - -Fixes -compiler.h:528: multiple definition of `IOPortBase'; - -Upstream-Status: Pending -Signed-off-by: Khem Raj ---- - hw/xfree86/os-support/linux/lnx_video.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/xfree86/os-support/linux/lnx_video.c b/hw/xfree86/os-support/linux/lnx_video.c -index fd83022..1d0d96e 100644 ---- a/hw/xfree86/os-support/linux/lnx_video.c -+++ b/hw/xfree86/os-support/linux/lnx_video.c -@@ -78,6 +78,7 @@ xf86OSInitVidMem(VidMemInfoPtr pVidMem) - /***************************************************************************/ - /* I/O Permissions section */ - /***************************************************************************/ -+_X_EXPORT unsigned int IOPortBase; /* Memory mapped I/O port area */ - - #if defined(__powerpc__) - volatile unsigned char *ioBase = NULL; diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 14c45be432..1e341553f9 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb 
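Review bot: the dropped patch was carried as Upstream-Status: Pending with no pointer to an upstream resolution, so the only evidence that it is redundant is the commit message's reference to xserver 0148a15da ("compiler.h: don't define inb/outb and friends on mips") landing in 21.1.0; with the recipe at 21.1.18 that is consistent, but the message should state that the removal was build-tested with a gcc 10+ toolchain (where -fno-common is the default) so the `multiple definition of `IOPortBase'` link error this patch addressed is confirmed gone rather than assumed.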
@@ -1,8 +1,6 @@ require xserver-xorg.inc -SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ - file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ - " +SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch" SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" # These extensions are now integrated into the server, so declare the migration From patchwork Wed Nov 19 11:04:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 74951 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CEDACF31A0 for ; Wed, 19 Nov 2025 11:05:16 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.4117.1763550309387624390 for ; Wed, 19 Nov 2025 03:05:09 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@windriver.com header.s=PPS06212021 header.b=iu3BFe0j; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3418d146ba=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5AJAEsIj3098031 for ; Wed, 19 Nov 2025 11:05:08 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=3IRAA5rb8sYs5WLHabwt9woAIAPTLx1IeWbxMT+eP8Y=; b=iu3BFe0jkAtT 
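Review bot: collapsing SRC_URI to a single-line assignment is a style regression that patch 2/5 in this same series immediately has to undo when it re-expands the list to add four files; keeping the multi-line form with the trailing `\` and the closing `"` line (as the removed lines had it) would avoid that churn and keep later additions to one-line diffs.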
From: yurade
To:
Subject: [OE-core][scarthgap][PATCH 2/5] xserver-xorg: fix CVE-2025-62229 CVE-2025-62230 CVE-2025-62231
Date: Wed, 19 Nov 2025 16:34:38 +0530
Message-ID: <20251119110441.817793-2-yogita.urade@windriver.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20251119110441.817793-1-yogita.urade@windriver.com>
References: <20251119110441.817793-1-yogita.urade@windriver.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226547
From: Ross Burton

From https://lists.x.org/archives/xorg-announce/2025-October/003635.html:

1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation

Using the X11 Present extension, when processing and adding the notifications after presenting a pixmap, if an error occurs, a dangling pointer may be left in the error code path of the function causing a use-after-free when eventually destroying the notification structures later.

Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

2) CVE-2025-62230: Use-after-free in Xkb client resource removal

When removing the Xkb resources for a client, the function XkbRemoveResourceClient() will free the XkbInterest data associated with the device, but not the resource associated with it. As a result, when the client terminates, the resource delete function triggers a use-after-free.

Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2c
     https://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()

The XkbCompatMap structure stores some of its values using an unsigned short, but fails to check whether the sum of the input data might overflow the maximum unsigned short value.

Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

(From OE-Core rev: 50b9c34ba932761fab9035a54e58466d72b097bf)

Signed-off-by: Ross Burton
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
Signed-off-by: Yogita Urade --- ...after-free-in-present_create_notifie.patch | 91 ++++++++++++++++++ ...ke-the-RT_XKBCLIENT-resource-private.patch | 63 +++++++++++++ ...KB-resource-when-freeing-XkbInterest.patch | 92 +++++++++++++++++++ ...-Prevent-overflow-in-XkbSetCompatMap.patch | 53 +++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 7 +- 5 files changed, 305 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch new file mode 100644 index 0000000000..fa8bc542d8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch 
@@ -0,0 +1,91 @@ +From 359c9c0478406fe00e0d4c5d52bd9bf8c2ca4081 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 2 Jul 2025 09:46:22 +0200 +Subject: [PATCH 1/4] present: Fix use-after-free in present_create_notifies() + +Using the Present extension, if an error occurs while processing and +adding the notifications after presenting a pixmap, the function +present_create_notifies() will clean up and remove the notifications +it added. + +However, there are two different code paths that can lead to an error +creating the notify, one being before the notify is being added to the +list, and another one after the notify is added. + +When the error occurs before it's been added, it removes the elements up +to the last added element, instead of the actual number of elements +which were added. + +As a result, in case of error, as with an invalid window for example, it +leaves a dangling pointer to the last element, leading to a use after +free case later: + + | Invalid write of size 8 + | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) + | by 0x534A56: present_destroy_window (present_screen.c:107) + | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) + | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) + | by 0x51EAC4: damageDestroyWindow (damage.c:1592) + | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) + | by 0x4EAC55: FreeWindowResources (window.c:1023) + | by 0x4EAF59: DeleteWindow (window.c:1091) + | by 0x4DE59A: doFreeResource (resource.c:890) + | by 0x4DEFB2: FreeClientResources (resource.c:1156) + | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) + | by 0x5DCC78: ClientReady (connection.c:603) + | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd + | at 0x4841E43: free (vg_replace_malloc.c:989) + | by 0x5363DD: present_destroy_notifies (present_notify.c:111) + | by 0x53638D: present_create_notifies (present_notify.c:100) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: 
proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48463F3: calloc (vg_replace_malloc.c:1675) + | by 0x5362A1: present_create_notifies (present_notify.c:81) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + +To fix the issue, count and remove the actual number of notify elements +added in case of error. + +CVE-2025-62229, ZDI-CAN-27238 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0) + +Part-of: + +CVE: CVE-2025-62229 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + present/present_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/present/present_notify.c b/present/present_notify.c +index 445954998..00b3b68bd 100644 +--- a/present/present_notify.c ++++ b/present/present_notify.c +@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no + if (status != Success) + goto bail; + +- added = i; ++ added++; + } + return Success; + +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch new file mode 100644 index 0000000000..ed25f4b58e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch 
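Review bot: the one-line change from `added = i` to `added++` is only correct if the bail path frees `added` entries rather than `i`; the hunk context stops before the bail label, so confirm that the cleanup there calls present_destroy_notifies() with `added` (the commit message says the actual count is now used, which implies it does), otherwise the counter fix has no effect. The rest of the backport is fine: CVE: and Upstream-Status: Backport tags are present and the upstream commit id is cited.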
@@ -0,0 +1,63 @@ +From a3d5c76ee8925ef9846c72e2327674b84e3fcdb3 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:55:06 +0200 +Subject: [PATCH 2/4] xkb: Make the RT_XKBCLIENT resource private +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently, the resource in only available to the xkb.c source file. + +In preparation for the next commit, to be able to free the resources +from XkbRemoveResourceClient(), make that variable private instead. + +This is related to: + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f) + +Part-of: + +CVE: CVE-2025-62230 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + include/xkbsrv.h | 2 ++ + xkb/xkb.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/xkbsrv.h b/include/xkbsrv.h +index fbb5427e1..b2766277c 100644 +--- a/include/xkbsrv.h ++++ b/include/xkbsrv.h +@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include "inputstr.h" + #include "events.h" + ++extern RESTYPE RT_XKBCLIENT; ++ + typedef struct _XkbInterest { + DeviceIntPtr dev; + ClientPtr client; +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 5131bfcdf..26d965d48 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode; + CARD32 xkbDebugFlags = 0; + static CARD32 xkbDebugCtrls = 0; + +-static RESTYPE RT_XKBCLIENT; ++RESTYPE RT_XKBCLIENT = 0; + + /***====================================================================***/ + +-- +2.43.0 + 
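Review bot: this hunk has no functional effect on its own; `RESTYPE RT_XKBCLIENT = 0;` only becomes meaningful once 0003 passes it to FreeResource(), so the two patches must always ship together and in this order (the recipe does list 0002 before 0003). Worth one sentence in the commit message: the symbol is exported so that XkbRemoveResourceClient() in xkbEvents.c can name the resource type, not because any other file needs to read it.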
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch new file mode 100644 index 0000000000..f55e3d4126 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
@@ -0,0 +1,92 @@ +From 32b12feb6f9f3d32532ff75c7434a7426b85e0c3 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:58:57 +0200 +Subject: [PATCH 3/4] xkb: Free the XKB resource when freeing XkbInterest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +XkbRemoveResourceClient() would free the XkbInterest data associated +with the device, but not the resource associated with it. + +As a result, when the client terminates, the resource delete function +gets called and accesses already freed memory: + + | Invalid read of size 8 + | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) + | by 0x5B3391: XkbClientGone (xkb.c:7094) + | by 0x4DF138: doFreeResource (resource.c:890) + | by 0x4DFB50: FreeClientResources (resource.c:1156) + | by 0x4A9A59: CloseDownClient (dispatch.c:3550) + | by 0x5E0A53: ClientReady (connection.c:601) + | by 0x5E4FEF: ospoll_wait (ospoll.c:657) + | by 0x5DC834: WaitForSomething (WaitFor.c:206) + | by 0x4A1BA5: Dispatch (dispatch.c:491) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd + | at 0x4842E43: free (vg_replace_malloc.c:989) + | by 0x49C1A6: CloseDevice (devices.c:1067) + | by 0x49C522: CloseOneDevice (devices.c:1193) + | by 0x49C6E4: RemoveDevice (devices.c:1244) + | by 0x5873D4: remove_master (xichangehierarchy.c:348) + | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) + | by 0x579BF1: ProcIDispatch (extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48473F3: calloc (vg_replace_malloc.c:1675) + | by 0x49A118: AddInputDevice (devices.c:262) + | by 0x4A0E58: AllocDevicePair (devices.c:2846) + | by 0x5866EE: add_master (xichangehierarchy.c:153) + | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) + | by 0x579BF1: ProcIDispatch 
(extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + +To avoid that issue, make sure to free the resources when freeing the +device XkbInterest data. + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be) + +Part-of: + +CVE: CVE-2025-62230 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + xkb/xkbEvents.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c +index 0bbd66186..3d04ecf0c 100644 +--- a/xkb/xkbEvents.c ++++ b/xkb/xkbEvents.c +@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = interest->autoCtrls; + autoValues = interest->autoCtrlValues; + client = interest->client; ++ FreeResource(interest->resource, RT_XKBCLIENT); + free(interest); + found = TRUE; + } +@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = victim->autoCtrls; + autoValues = victim->autoCtrlValues; + client = victim->client; ++ FreeResource(victim->resource, RT_XKBCLIENT); + free(victim); + found = TRUE; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch new file mode 100644 index 0000000000..5036f0c9f0 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch 
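Review bot: the second argument of FreeResource() is the delete-function type to skip, so passing RT_XKBCLIENT in both hunks removes the resource-table entry without re-entering XkbClientGone() (the RT_XKBCLIENT delete callback seen at xkb.c:7094 in the trace), which is what stops recursion back into XkbRemoveResourceClient() for the same interest; that is the real reason 0002 had to export the symbol and deserves a sentence in the commit message. Also confirm the path where XkbRemoveResourceClient() is reached from XkbClientGone() itself: for the new FreeResource() call to be a harmless no-op there, doFreeResource() must already have unlinked the id before invoking the delete callback, otherwise this would be a double free of the resource entry.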
@@ -0,0 +1,53 @@ +From 364f06788f1de4edc0547c7f29d338e6deffc138 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 16:30:29 +0200 +Subject: [PATCH 4/4] xkb: Prevent overflow in XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The XkbCompatMap structure stores its "num_si" and "size_si" fields +using an unsigned short. + +However, the function _XkbSetCompatMap() will store the sum of the +input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and +"size_si" without first checking if the sum overflows the maximum +unsigned short value, leading to a possible overflow. + +To avoid the issue, check whether the sum does not exceed the maximum +unsigned short value, or return a "BadValue" error otherwise. + +CVE-2025-62231, ZDI-CAN-27560 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470) + +Part-of: + +CVE: CVE-2025-62231 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + xkb/xkb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 26d965d48..137d70da2 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + ++ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX) ++ return BadValue; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 1e341553f9..7f6197a0b4 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb 
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb 
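Review bot: the new guard uses USHRT_MAX but the hunk adds no `#include <limits.h>`; confirm xkb.c in the 21.1.18 tree already includes it or the backport fails to compile. The check itself is sound: assuming firstSI and nSI are at most 16-bit request fields, their int sum cannot wrap before the cast, and returning BadValue ahead of the `> compat->size_si` comparison stops a truncated value being stored into the unsigned short num_si/size_si and then handed to reallocarray().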
@@ -1,6 +1,11 @@ require xserver-xorg.inc -SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch" +SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ + file://0001-present-Fix-use-after-free-in-present_create_notifie.patch \ + file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \ + file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \ + file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ + " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" # These extensions are now integrated into the server, so declare the migration From patchwork Wed Nov 19 11:04:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 74950 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43C64CF31A2 for ; Wed, 19 Nov 2025 11:05:16 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4108.1763550309841361567 for ; Wed, 19 Nov 2025 03:05:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=bvGe7vJ3; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3418d146ba=yogita.urade@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5AJ7rvGk1456056 for ; Wed, 19 Nov 2025 03:05:09 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to 
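Review bot: the order of the four new entries matters, since 0003 uses the RT_XKBCLIENT symbol that 0002 exports; keep 0002 listed before 0003 as it is here. The CVE: tags live inside the patch files, so cve-check will pick up all three ids from this hunk without any CVE_STATUS entry in the recipe.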
From: yurade
To:
Subject: [OE-core][scarthgap][PATCH 3/5] xwayland: fix CVE-2025-62229
Date: Wed, 19 Nov 2025 16:34:39 +0530
Message-ID: <20251119110441.817793-3-yogita.urade@windriver.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20251119110441.817793-1-yogita.urade@windriver.com>
References: <20251119110441.817793-1-yogita.urade@windriver.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226548
From: Yogita Urade

A flaw was found in the X.Org X server and Xwayland when processing X11
Present extension notifications. Improper error handling during
notification creation can leave dangling pointers that lead to a
use-after-free condition. This can cause memory corruption or a crash,
potentially allowing an attacker to execute arbitrary code or cause a
denial of service.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62229

Upstream patch:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0

Signed-off-by: Yogita Urade
---
 .../xwayland/xwayland/CVE-2025-62229.patch    | 89 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb               |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
new file mode 100644
index 0000000000..f27bd00434
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
@@ -0,0 +1,89 @@ +From 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 2 Jul 2025 09:46:22 +0200 +Subject: [PATCH] present: Fix use-after-free in present_create_notifies() + +Using the Present extension, if an error occurs while processing and +adding the notifications after presenting a pixmap, the function +present_create_notifies() will clean up and remove the notifications +it added. + +However, there are two different code paths that can lead to an error +creating the notify, one being before the notify is being added to the +list, and another one after the notify is added. + +When the error occurs before it's been added, it removes the elements up +to the last added element, instead of the actual number of elements +which were added. + +As a result, in case of error, as with an invalid window for example, it +leaves a dangling pointer to the last element, leading to a use after +free case later: + + | Invalid write of size 8 + | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) + | by 0x534A56: present_destroy_window (present_screen.c:107) + | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) + | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) + | by 0x51EAC4: damageDestroyWindow (damage.c:1592) + | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) + | by 0x4EAC55: FreeWindowResources (window.c:1023) + | by 0x4EAF59: DeleteWindow (window.c:1091) + | by 0x4DE59A: doFreeResource (resource.c:890) + | by 0x4DEFB2: FreeClientResources (resource.c:1156) + | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) + | by 0x5DCC78: ClientReady (connection.c:603) + | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd + | at 0x4841E43: free (vg_replace_malloc.c:989) + | by 0x5363DD: present_destroy_notifies (present_notify.c:111) + | by 0x53638D: present_create_notifies (present_notify.c:100) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: 
proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48463F3: calloc (vg_replace_malloc.c:1675) + | by 0x5362A1: present_create_notifies (present_notify.c:81) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + +To fix the issue, count and remove the actual number of notify elements +added in case of error. + +CVE-2025-62229, ZDI-CAN-27238 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Part-of: + +CVE: CVE-2025-62229 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0] + +Signed-off-by: Yogita Urade +--- + present/present_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/present/present_notify.c b/present/present_notify.c +index 4459549..00b3b68 100644 +--- a/present/present_notify.c ++++ b/present/present_notify.c +@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no + if (status != Success) + goto bail; + +- added = i; ++ added++; + } + return Success; + +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 49e35ca442..1ed5df8a2e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -31,6 +31,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49178.patch \ file://CVE-2025-49179.patch \ file://CVE-2025-49180.patch \ + file://CVE-2025-62229.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
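Review bot: the present_notify.c hunk (`- added = i;` / `+ added++;`) only removes the right number of entries on the bail path if `added` starts at 0 before the loop, and that initialisation lies outside the three lines of context shown, so the backport should be checked against the surrounding code in the 23.2.5 tree. The change itself is sound: `added` is now incremented only after the `status != Success` check has passed, so a failure before the notify is linked into the list no longer counts the current element, and the cleanup on `bail` frees exactly the elements that were added rather than the index of the last one attempted, which is what left the dangling pointer described in the commit message.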
From: yurade
To:
Subject: [OE-core][scarthgap][PATCH 4/5] xwayland: fix CVE-2025-62230
Date: Wed, 19 Nov 2025 16:34:40 +0530
Message-ID: <20251119110441.817793-4-yogita.urade@windriver.com>
In-Reply-To: <20251119110441.817793-1-yogita.urade@windriver.com>
References: <20251119110441.817793-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226549
From: Yogita Urade

A flaw was discovered in the X.Org X server's X Keyboard (Xkb) extension
when handling client resource cleanup. The software frees certain data
structures without properly detaching related resources, leading to a
use-after-free condition. This can cause memory corruption or a crash
when affected clients disconnect.

Reference:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa

Upstream patches:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175
https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839

Signed-off-by: Yogita Urade
---
 .../xwayland/CVE-2025-62230-0001.patch        | 60 +++++++++++++
 .../xwayland/CVE-2025-62230-0002.patch        | 89 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb               |  2 +
 3 files changed, 151 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0001.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0002.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0001.patch
new file mode 100644
index 0000000000..a26d13e712
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0001.patch
@@ -0,0 +1,60 @@ +From 865089ca70840c0f13a61df135f7b44a9782a175 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:55:06 +0200 +Subject: [PATCH] xkb: Make the RT_XKBCLIENT resource private + +Currently, the resource in only available to the xkb.c source file. + +In preparation for the next commit, to be able to free the resources +from XkbRemoveResourceClient(), make that variable private instead. + +This is related to: + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f) + +Part-of: + +CVE: CVE-2025-62230 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175] + +Signed-off-by: Yogita Urade +--- + include/xkbsrv.h | 2 ++ + xkb/xkb.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/xkbsrv.h b/include/xkbsrv.h +index 21cd876..24fdfb4 100644 +--- a/include/xkbsrv.h ++++ b/include/xkbsrv.h +@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include "inputstr.h" + #include "events.h" + ++extern RESTYPE RT_XKBCLIENT; ++ + typedef struct _XkbInterest { + DeviceIntPtr dev; + ClientPtr client; +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 3210ff9..b7877f5 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode; + CARD32 xkbDebugFlags = 0; + static CARD32 xkbDebugCtrls = 0; + +-static RESTYPE RT_XKBCLIENT; ++RESTYPE RT_XKBCLIENT = 0; + + /***====================================================================***/ + +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0002.patch new file mode 100644 index 0000000000..b5230359ba --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0002.patch 
@@ -0,0 +1,89 @@ +From 87fe2553937a99fd914ad0cde999376a3adc3839 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:58:57 +0200 +Subject: [PATCH] xkb: Free the XKB resource when freeing XkbInterest + +XkbRemoveResourceClient() would free the XkbInterest data associated +with the device, but not the resource associated with it. + +As a result, when the client terminates, the resource delete function +gets called and accesses already freed memory: + + | Invalid read of size 8 + | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) + | by 0x5B3391: XkbClientGone (xkb.c:7094) + | by 0x4DF138: doFreeResource (resource.c:890) + | by 0x4DFB50: FreeClientResources (resource.c:1156) + | by 0x4A9A59: CloseDownClient (dispatch.c:3550) + | by 0x5E0A53: ClientReady (connection.c:601) + | by 0x5E4FEF: ospoll_wait (ospoll.c:657) + | by 0x5DC834: WaitForSomething (WaitFor.c:206) + | by 0x4A1BA5: Dispatch (dispatch.c:491) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd + | at 0x4842E43: free (vg_replace_malloc.c:989) + | by 0x49C1A6: CloseDevice (devices.c:1067) + | by 0x49C522: CloseOneDevice (devices.c:1193) + | by 0x49C6E4: RemoveDevice (devices.c:1244) + | by 0x5873D4: remove_master (xichangehierarchy.c:348) + | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) + | by 0x579BF1: ProcIDispatch (extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48473F3: calloc (vg_replace_malloc.c:1675) + | by 0x49A118: AddInputDevice (devices.c:262) + | by 0x4A0E58: AllocDevicePair (devices.c:2846) + | by 0x5866EE: add_master (xichangehierarchy.c:153) + | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) + | by 0x579BF1: ProcIDispatch (extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | 
by 0x4285E7: main (stubmain.c:34) + +To avoid that issue, make sure to free the resources when freeing the +device XkbInterest data. + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be) + +Part-of: + +CVE: CVE-2025-62230 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839] + +Signed-off-by: Yogita Urade +--- + xkb/xkbEvents.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c +index f8f65d4..7c669c9 100644 +--- a/xkb/xkbEvents.c ++++ b/xkb/xkbEvents.c +@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = interest->autoCtrls; + autoValues = interest->autoCtrlValues; + client = interest->client; ++ FreeResource(interest->resource, RT_XKBCLIENT); + free(interest); + found = TRUE; + } +@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = victim->autoCtrls; + autoValues = victim->autoCtrlValues; + client = victim->client; ++ FreeResource(victim->resource, RT_XKBCLIENT); + free(victim); + found = TRUE; + } +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 1ed5df8a2e..9bc67f7761 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -32,6 +32,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49179.patch \ file://CVE-2025-49180.patch \ file://CVE-2025-62229.patch \ + file://CVE-2025-62230-0001.patch \ + file://CVE-2025-62230-0002.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
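Review bot: the 0001 patch's subject and message say the RT_XKBCLIENT resource is made "private", but its two hunks do the opposite in C terms: `-static RESTYPE RT_XKBCLIENT;` becomes `+RESTYPE RT_XKBCLIENT = 0;` in xkb/xkb.c and `+extern RESTYPE RT_XKBCLIENT;` is added to include/xkbsrv.h, so the symbol becomes visible to every translation unit that includes that header. The wording is upstream's (cherry-pick of 99790a2c) and should stay as-is in the backport, but nobody reading the recipe should expect this patch to reduce the symbol's exposure; as its own message says, it exists only so that XkbRemoveResourceClient() in xkbEvents.c can free the resource in the 0002 patch.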
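Review bot: in both xkbEvents.c hunks the new `+ FreeResource(interest->resource, RT_XKBCLIENT);` and `+ FreeResource(victim->resource, RT_XKBCLIENT);` lines run the RT_XKBCLIENT delete callback, and the Valgrind trace in the same commit message shows that callback is XkbClientGone(), which itself calls XkbRemoveResourceClient(). Only three lines of context are visible, so it is worth confirming in the 23.2.5 tree that the entry has already been unlinked from the device's interest list by the time FreeResource() runs, otherwise the re-entrant call could locate and free the same entry a second time before the `free(interest)` / `free(victim)` that follows.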
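Review bot: the xwayland_23.2.5.bb hunk lists CVE-2025-62230-0001.patch before CVE-2025-62230-0002.patch, and that order must be kept: the FreeResource() calls the 0002 patch adds to xkbEvents.c reference `RT_XKBCLIENT`, which only becomes visible outside xkb.c once the 0001 patch has added the `extern` declaration to include/xkbsrv.h. Separately, the `Reference:` line in this patch's commit message points at commit 3baad99f9c15028ed8c3e3d8408e5ec35db155aa, which is the CVE-2025-62231 fix backported in patch 5/5, not a CVE-2025-62230 reference; the two CVE-2025-62230 commits are already listed under `Upstream patches:`, so the Reference should point at the NVD entry, as patches 3/5 and 5/5 do.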
From: yurade
To:
Subject: [OE-core][scarthgap][PATCH 5/5] xwayland: fix CVE-2025-62231
Date: Wed, 19 Nov 2025 16:34:41 +0530
Message-ID: <20251119110441.817793-5-yogita.urade@windriver.com>
In-Reply-To: <20251119110441.817793-1-yogita.urade@windriver.com>
References: <20251119110441.817793-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226550
From: Yogita Urade

A flaw was identified in the X.Org X server's X Keyboard (Xkb) extension
where improper bounds checking in the XkbSetCompatMap() function can
cause an unsigned short overflow. If an attacker sends specially crafted
input data, the value calculation may overflow, leading to memory
corruption or a crash.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62231

Upstream patch:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa

Signed-off-by: Yogita Urade
---
 .../xwayland/xwayland/CVE-2025-62231.patch    | 50 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb               |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch
new file mode 100644
index 0000000000..8095c3d82c
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch
@@ -0,0 +1,50 @@ +From 3baad99f9c15028ed8c3e3d8408e5ec35db155aa Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 16:30:29 +0200 +Subject: [PATCH] xkb: Prevent overflow in XkbSetCompatMap() + +The XkbCompatMap structure stores its "num_si" and "size_si" fields +using an unsigned short. + +However, the function _XkbSetCompatMap() will store the sum of the +input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and +"size_si" without first checking if the sum overflows the maximum +unsigned short value, leading to a possible overflow. + +To avoid the issue, check whether the sum does not exceed the maximum +unsigned short value, or return a "BadValue" error otherwise. + +CVE-2025-62231, ZDI-CAN-27560 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470) + +Part-of: + +CVE: CVE-2025-62231 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa] + +Signed-off-by: Yogita Urade +--- + xkb/xkb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index b7877f5..4e585d1 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + ++ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX) ++ return BadValue; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 9bc67f7761..362b110a0b 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -34,6 +34,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62229.patch \ file://CVE-2025-62230-0001.patch \ file://CVE-2025-62230-0002.patch \ + file://CVE-2025-62231.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
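Review bot: the xkb/xkb.c hunk compares `(unsigned) (req->firstSI + req->nSI)` against `USHRT_MAX`, which comes from `<limits.h>`, and the diffstat (`1 file changed, 2 insertions(+)`) shows no include was added, so confirm that xkb.c in the 23.2.5 tree already pulls that header in before merging; a build on the scarthgap toolchain is the real check. The placement is right: the new `return BadValue;` sits before the existing `> compat->size_si` comparison and the assignment `compat->num_si = compat->size_si = req->firstSI + req->nSI;` on the next line, which is the store into the unsigned short fields that the commit message identifies as the overflow, so the sum is rejected before it can be truncated there.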