From patchwork Tue May 12 08:59:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 87883 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8DB74CD4F35 for ; Tue, 12 May 2026 08:59:53 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.70957.1778576388879249203 for ; Tue, 12 May 2026 01:59:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=GYBoY7AM; spf=pass (domain: mvista.com, ip: 209.85.216.41, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-367cbac9cb1so3139903a91.3 for ; Tue, 12 May 2026 01:59:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1778576388; x=1779181188; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=MSwkedX+xx02CuijYEttIbmEfOfIE8Z0Ne5Wp25M9Is=; b=GYBoY7AM92XJAtbqhIPoiym116nOV/jndQaPkSSwIPAHtN6e8+wYQlbxSPYszzKiOA oG8hscu9AGRkEylXHLlmKTvcffEw7tnjlUpLGg3dN43yDLe49PSlIVSCatuGu3pM8ooH LfLi+5Q0JDcwvAB95uv/L5n+Pm/17snrT0sJI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778576388; x=1779181188; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=MSwkedX+xx02CuijYEttIbmEfOfIE8Z0Ne5Wp25M9Is=; b=BmYJUK2J38ZUn53KTLeboSWJ9dgsXzgx2GVxf5+p3Td7/dEaB4/fW8WjPdVcO3QuDC YjXUMaSHw8WNd1yf1cw9HF8pRT2VzqeQALkPJJiFRST0L6L3u+uRNfyTnHSo351LNazG qSaNtioJwvfUzY5HbBQzvVR7ltzR+QviOADnkEjdq6Sc85A09ssd0yhp/vwaiBW0Ugu/ 5prTjTz7FmC19Za39XI5jgjdOPWSWdy2HsvzoqDfY9fbHp4EMnxBG53ZY4+Kdb3Nd/j/ Zciz+mZ9bbgNGuaD7QpjUIaaRaSHEjkeI4fStoPECbCfnJPDEy2xWbMO409mRyuImAgY TUnw== X-Gm-Message-State: AOJu0Yzgh4mf5YrxIkD10pAnlJkkZUduxMSxMGep7XfCBj3O8B9YHlbN Cv/dfHNHXCuQ9f5wJC9M+mRjpw84eCaTs1cplbE7ZpG5qZB1GJjkbS9lhD914PHovESGiqubS2v PGXJl X-Gm-Gg: Acq92OENvq+F6pag5PAEGZ1o1+vs4uG1TYKokAPWeQTULW+MWdM842DGu6/FLZ0xFFb fl4F1Uq5/eiBtUXbPceTEzzI+BZFJbxYyFqcxTvERRai+c5kSip8JBkjvvWkRS5FpjJDgecrKth D1MVOcvzCnkIYfiZlr/k8phOlXud2pQqs871Kh8WtlsjOQvRIQj+xLUSPd10OOAGYY8GROiGZLV 6tQaJRHbw4oHv89LgNzlIYTVuTjhw5exvEp5+tqukg3Hr+wiuZ+aZYRnTJp5EEnoSGuu2klFvBw 6BVaHNUxnF0G8PpFqxalu3x/2Z24Vdpk/dVBwalaOLsBDAGMgvSDrBOa+w81eTuWA1/IPp3IRM6 WwVYK46AR6kYez3qcDvOvCM2BuONyUWD8PP/e/ne+slRe5kqKYZE5KFdzWftricFPzXSvulpmrg WqEr66uF1obp4J0tpUTZ0KbA9c1D4= X-Received: by 2002:a17:90b:5683:b0:361:45df:f5 with SMTP id 98e67ed59e1d1-365abe8a5b2mr31325648a91.16.1778576387672; Tue, 12 May 2026 01:59:47 -0700 (PDT) Received: from MVIN00352.. ([2401:4900:1cc4:80a8:e6ce:e2c9:e8fb:6a6e]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-367d623fcfasm13591380a91.2.2026.05.12.01.59.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 01:59:46 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 1/5] xserver-xorg: Fix CVE-2026-33999 Date: Tue, 12 May 2026 14:29:19 +0530 Message-ID: <20260512085923.820545-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 May 2026 08:59:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236863 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-33999 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2026-33999.patch | 49 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch new file mode 100644 index 0000000000..cd3bf47397 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-33999.patch @@ -0,0 +1,49 @@ +From b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b Mon Sep 17 00:00:00 2001 +From: Peter Harris +Date: Thu, 15 Jan 2026 15:54:09 -0500 +Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap + +If the "compat" buffer has previously been truncated, there will be +unused space in the buffer. The code uses this space, but does not +update the number of valid entries in the buffer. + +In the best case, this leads to the new compat entries being ignored. In the +worst case, if there are any "skipped" compat entries, the number of +valid entries will be corrupted, potentially leading to a buffer read +overrun when processing a future request. + +Set the number of used "compat" entries when re-using previously +allocated space in the buffer. + +CVE-2026-33999, ZDI-CAN-28593 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Peter Harris +Acked-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b] +CVE: CVE-2026-33999 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 137d70d..2b9004a 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + return BadAlloc; + } + } +- else if (req->truncateSI) { ++ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { + compat->num_si = req->firstSI + req->nSI; + } + sym = &compat->sym_interpret[req->firstSI]; +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 7f6197a0b4..ef7f5c5bdb 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \ file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \ file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ + file://CVE-2026-33999.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From patchwork Tue May 12 08:59:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 87884 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73416CD4855 for ; Tue, 12 May 2026 08:59:53 +0000 (UTC) Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com [209.85.216.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.70958.1778576393096051298 for ; Tue, 12 May 2026 01:59:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=jLltB3Mn; spf=pass (domain: mvista.com, ip: 209.85.216.53, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f53.google.com with SMTP id 98e67ed59e1d1-36643b96b99so3328373a91.0 for ; Tue, 12 May 2026 01:59:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1778576392; x=1779181192; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9tNFJsLcFrpBjFF4nrRInMTGwZhz6OwxoqMDzd5RdFw=; b=jLltB3Mnvdl95H1p972s0UUrYwTfOv/wWDmFTAylRLM3es2HAcoMRX8/vGLyU+LVXF +bjRcHRtsUwRnkC/cfTsitHPk3a6drQ1xvy3q7ML5rNiIgboYGb1XIyBONw7kl16hiyr vHgZ0+1JeyNnXw/nN/qPSzq8/PtAbwbTxHei4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778576392; x=1779181192; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=9tNFJsLcFrpBjFF4nrRInMTGwZhz6OwxoqMDzd5RdFw=; b=BXAwGbiFvipVsrayUPpoc/uspIlqfHqIyhdhHOG+NVQ70t+EqRJ8SlKDt8b5W/vPND hWUnwfkr4MAnzPibCiBPmuxh9Rlva8gacMzmF1d9k+dMMQ4/fsrCUSgJSjl/HdVruH58 6XwpawqN+NMTW4k7RWLdQ05WIpTATET7j7jNlNzlgZJlC8w8ArVPTHVg5g8o0qR627iN pHG01tLbvrihEimC1lqOS1HfmtPNdIjWWLel3n/nKF9bSGpPZWQsf1wjmIV9EWkZIEIJ 0jMHhWud0bK3eOR9EKvuImzhZPZEf4zQPtjISZmZWqjHtp9h61lRwVqNWxX1vFIidXmv dakA== X-Gm-Message-State: AOJu0YyYqMUVmst+ii9oX/TygrV4qxy3TdK8OUQUNt/c8UzHFTuyoZry ciMkSypROjYYqXxNxLt1aDsKXyArBYhJG5uG/pxX414pUGP/1ZrHuogfMiO6Mor5IJiimsfr4Tp vGPTP X-Gm-Gg: Acq92OG+4AUQSMxOupUgdtmqSZ8TvKnuu2AJcGebg1eKm38mjie9FrSBTu1s/dHqz/m 1QVplEaTb2O2pfOHQABwpmzH0O2q4dEfnKArwm9g0JkG08WSb0sdfLrvpqwSyg2OlXG4DMmczHk HacHLR/lFL0DFWyOeOgZ+g2AU6U/jShym9AH9rCvLGWPNR5ME9JxT3e738jnT2SMLvgNLnToUcf v+2vKUaZojs8Alf62K9MLtk/RvpnnnCrY6iiborFHIicvSvtT5o918HpoklTLxZGXpYts7fuSgF z44R6LCoz9gnyUvu6VqzbBar0IAPsXJiPIm04vCKF0vVKK1znL8zsKxdTrjDuGytt+CobQjqkz1 mWNcs83jhJ6t5UeECMvOd1DNc5fP3uJs7J5xwa4nsF4PjKqWP2S1VU/hAOmorBWfCtKVQQ2dVJY EQgmGuYhixOmNTa4U6k7kZSAFfUTg= X-Received: by 2002:a17:90b:57eb:b0:366:132:fda7 with SMTP id 98e67ed59e1d1-36601331e37mr24719508a91.10.1778576392095; Tue, 12 May 2026 01:59:52 -0700 (PDT) Received: from MVIN00352.. ([2401:4900:1cc4:80a8:e6ce:e2c9:e8fb:6a6e]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-367d623fcfasm13591380a91.2.2026.05.12.01.59.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 01:59:51 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 2/5] xserver-xorg: Fix CVE-2026-34000 Date: Tue, 12 May 2026 14:29:20 +0530 Message-ID: <20260512085923.820545-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260512085923.820545-1-vanusuri@mvista.com> References: <20260512085923.820545-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 May 2026 08:59:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236864 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34000 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2026-34000.patch | 72 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch new file mode 100644 index 0000000000..7ce7cfa80c --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34000.patch @@ -0,0 +1,72 @@ +From 81b6a34f90b28c32ad499a78a4f391b7c06daea2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Feb 2026 16:03:11 +0100 +Subject: [PATCH] xkb: Fix bounds check in _CheckSetGeom() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585) + == by 0x5AC7D5: _CheckSetGeom (xkb.c:5607) + == by 0x5AC952: _XkbSetGeometry (xkb.c:5643) + == by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684) + == by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E13B0: AllocateInputBuffer (io.c:981) + == by 0x5E05CD: InsertFakeRequest (io.c:516) + == by 0x4AA860: NextAvailableClient (dispatch.c:3629) + == by 0x5DE0D7: AllocNewConnection (connection.c:628) + == by 0x5DE2C6: EstablishNewConnections (connection.c:692) + == by 0x5DE600: HandleNotifyFd (connection.c:809) + == by 0x5E2598: ospoll_wait (ospoll.c:660) + == by 0x5DA00C: WaitForSomething (WaitFor.c:208) + == by 0x4A26E5: Dispatch (dispatch.c:493) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +Each key alias entry contains two key names (the alias and the real key +name), each of size XkbKeyNameLength. + +The current bounds check only validates the first name, allowing +XkbAddGeomKeyAlias to potentially read uninitialized memory when +accessing the second name at &wire[XkbKeyNameLength]. + +To fix this, change the value to check to use 2 * XkbKeyNameLength to +validate the bounds. + +CVE-2026-34000, ZDI-CAN-28679 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f90b28c32ad499a78a4f391b7c06daea2] +CVE: CVE-2026-34000 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 2b9004a..1ba638b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5603,7 +5603,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + } + + for (i = 0; i < req->nKeyAliases; i++) { +- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength)) + return BadLength; + + if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index ef7f5c5bdb..658a608b5e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -6,6 +6,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \ file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ file://CVE-2026-33999.patch \ + file://CVE-2026-34000.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From patchwork Tue May 12 08:59:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 87885 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82111CD4855 for ; Tue, 12 May 2026 09:00:03 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71355.1778576397770164453 for ; Tue, 12 May 2026 01:59:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=VFQjtpic; spf=pass (domain: mvista.com, ip: 209.85.216.46, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-366375c43c2so3002949a91.2 for ; Tue, 12 May 2026 01:59:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1778576396; x=1779181196; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=SpIb1V4D85/daexIVMETbfNMPjRmjR3lq0jaBZW1ho4=; b=VFQjtpicDkNwYerqJ8D0KCJQOpqpGZZugIWwYhPDGgSqL8RleqpveP5NNS//SpG/io KWyWl95Pa8BjxzqnMEGFeUObDsWCeigOhNesFXakEh8pgc8clPaeupRazi+tELEhxiiO V6GbIJcAhq3sI0sLT11mJEZlRwtS/+fvFYn5c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778576396; x=1779181196; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=SpIb1V4D85/daexIVMETbfNMPjRmjR3lq0jaBZW1ho4=; b=FR2mQvdws5IdCY0zz0vvsiE1GvdTvsMOuWPt/dOZ14Ht+JPQMsaDTqDttW5eHSXkZw BA3MJVIIcsoRZ5kyLFFsLD41q2EDnU+a2l9YTWKpvepjRYo7KwbRt2V4V2GGJWJhwkrl W5RpJr683Na0NJqWv9bUdRviw6NzSsnQRfqrCVx39jU2UxunCNzDIT1DrB3SSizasfvS ESdCdvwTFD1a7c68c6Mqmxt5WRFKguKjtjvEqL5HVkG9LfF1VTpV5+jQ97qhJl2BJd9Z xB88IArytkFroOHuyXt5OaWSvzBulOXPIJL/wID5S9cZdWm+wdqK8Vzp/FgVE3IaGQO2 OeLw== X-Gm-Message-State: AOJu0Yx60cW8lPsGUF4hmKT10utyVIyEJppgm+5gLTcGbkKhhDJYq7zR WZt3QM0VUfacpS/eiUj/gwPEKd0HeyTIMJy4aJ819Naoa3xv5/qg4YKbf1NQhIvnQi7HiWASW3K oGgXP X-Gm-Gg: Acq92OHDHUSO/3pkjyE4U1fAHloS2wBcXQ9GRh5i+Zm1//RYzI8l5fjPSsnBND/kwbw YO+cm1K+0wZJWxAqP4D2cEdLWcKnjOiEwX0Cfvqy0YGBz65PZheYbmxyWNnKPOjR6qHc4cGu7IS Qrcm7/zEEDAJSaob0tuC5v8CHTPdtZxMs9sikjwuRhGLiCAsNowXcS17W+ap5DcWBSJ+SEFBqCn hPIE8Khgc7WvWCZaBDl/4Gm4Ci3XKVSl3AcZMEFX0aJTXHgCl9rkwYU5xDZDTHbq1qAOJpnbU1x mNdLW26SESuQOac2/4vUR75RHM146mk57CbbXfRaIoaykWOL5UttGjCaF6QittbqxxfcS4ChvHg FmWzCvMJztjzx5tG+fSfLCFCsVSXxlkI8RA27jEl73R4aKJxJ5zq2M6rvkYX2x5GYI7uLPCKIlU mMVZ66kx3i9nw/7HL1Y0PEm2p50aI= X-Received: by 2002:a17:90b:2fcf:b0:35f:bfdd:f5a1 with SMTP id 98e67ed59e1d1-3664ccca3d8mr16781445a91.13.1778576396437; Tue, 12 May 2026 01:59:56 -0700 (PDT) Received: from MVIN00352.. ([2401:4900:1cc4:80a8:e6ce:e2c9:e8fb:6a6e]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-367d623fcfasm13591380a91.2.2026.05.12.01.59.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 01:59:55 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 3/5] xserver-xorg: Fix CVE-2026-34001 Date: Tue, 12 May 2026 14:29:21 +0530 Message-ID: <20260512085923.820545-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260512085923.820545-1-vanusuri@mvista.com> References: <20260512085923.820545-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 May 2026 09:00:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236865 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34001 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2026-34001.patch | 104 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch new file mode 100644 index 0000000000..a438f5ffcd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34001.patch @@ -0,0 +1,104 @@ +From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Feb 2026 16:23:23 +0100 +Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence() + +As reported by valgrind: + + == Invalid read of size 8 + == at 0x568C14: miSyncTriggerFence (misync.c:140) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd + == at 0x4843E43: free (vg_replace_malloc.c:990) + == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169) + == by 0x53F14D: FreeAwait (sync.c:1208) + == by 0x4DFB06: doFreeResource (resource.c:888) + == by 0x4DFC59: FreeResource (resource.c:918) + == by 0x53E349: SyncAwaitTriggerFired (sync.c:701) + == by 0x568C52: miSyncTriggerFence (misync.c:142) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Block was alloc'd at + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E50E1: XNFalloc (utils.c:1129) + == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206) + == by 0x53DCA8: SyncInitTrigger (sync.c:414) + == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089) + == by 0x540D04: ProcSyncDispatch (sync.c:2160) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +When walking the list of fences to trigger, miSyncTriggerFence() may +call TriggerFence() for the current trigger, which end up calling the +function SyncAwaitTriggerFired(). + +SyncAwaitTriggerFired() frees the entire await resource, which removes +all triggers from that await - including pNext which may be another +trigger from the same await attached to the same fence. + +On the next iteration, ptl = pNext points to freed memory... + +To avoid the issue, we need to restart the iteration from the beginning +of the list each time a trigger fires, since the callback can modify the +list. + +CVE-2026-34001, ZDI-CAN-28706 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0] +CVE: CVE-2026-34001 +Signed-off-by: Vijay Anusuri +--- + miext/sync/misync.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/miext/sync/misync.c b/miext/sync/misync.c +index 0931803..e11eba2 100644 +--- a/miext/sync/misync.c ++++ b/miext/sync/misync.c +@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence) + void + miSyncTriggerFence(SyncFence * pFence) + { +- SyncTriggerList *ptl, *pNext; ++ SyncTriggerList *ptl; ++ Bool triggered; + + pFence->funcs.SetTriggered(pFence); + + /* run through triggers to see if any fired */ +- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) { +- pNext = ptl->next; +- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) +- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); +- } ++ do { ++ triggered = FALSE; ++ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) { ++ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) { ++ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); ++ triggered = TRUE; ++ break; ++ } ++ } ++ } while (triggered); + } + + SyncScreenFuncsPtr +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 658a608b5e..dfed2c2437 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -7,6 +7,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \ file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ + file://CVE-2026-34001.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From patchwork Tue May 12 08:59:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 87886 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7111CCD4851 for ; Tue, 12 May 2026 09:00:03 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71357.1778576401509922014 for ; Tue, 12 May 2026 02:00:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=jJVjCgJV; spf=pass (domain: mvista.com, ip: 209.85.216.51, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-367c2a39fcfso1722364a91.3 for ; Tue, 12 May 2026 02:00:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1778576400; x=1779181200; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WG1e3ECRgf9IL1mT7QDwKtQZnyHC0P63ib1yPnH5gA4=; b=jJVjCgJV6E7vY4NYGthf0XKl63cejgHeFK67OBqwFZnWRGaIGZQwMyN/ywXgLxvl0T 0NGMPLrBl6EpgsBJEWMh21urUcJUjU3CiuBSM09WGguH9GM7vKUexZrq38pYV0xNmZFO tMXoR3McIemUjmTtDF2usz/PtQCVAmVQ9nvsQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778576400; x=1779181200; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=WG1e3ECRgf9IL1mT7QDwKtQZnyHC0P63ib1yPnH5gA4=; b=PEtDKAu/ocVZVsUvz9iSZrius92Jw0BavPa2MLO9+59pFmPHVNe3MdtlmXldP0yzD0 aUvll3xnDIGodD43mCah2vkpJmPF5795JUPxOQxy+uTFL82gv1ww0ZntcGFCt0WeEcXb 3W7h+W/29ukAQvVE5vVL5lSIr5XmTC5ZelJtSz++/U3cS6GEzAgyuZFVqa5NuYSNJ8fi ShdMw6ctdLEad3rwZrRp8+UWZ28pDM73lK+Wq4cNzbw5GyxcT5WrDkIFTf/aNO4XfHIA GUGB+SqNMjw3X784T6q+1wcm0EXmveD/2pOpBjFdAoEJv7pTZyY5rNiwvSQgXImM3Zid Rx2A== X-Gm-Message-State: AOJu0Yzit9rsgm6dT5pTGo1RSjQoIBm5Hlv98sjRcfAYsL2rKCvvtVuZ gBoeXcQDY6Y4CygJtHtNrdUqLSXBqiX2Q1g1yM6Fm1md4HS67ikcTdL3gIc+OgIv5H8cc2O4i8u DUObZ X-Gm-Gg: Acq92OFdG1+QOV590iDTCFFGXzZwE7YJRoimdo/4Whx+k2B5lc7VchKiaPjmy0zGPUY /EfATBydqtXA/dssrg0/kYfoOEbMmTHQTDCEnr12FyP6FQoYcUevTh6xx7v+wPsvwxomRl/1+sH mAqOOSayWeCaCyYUcQgbnFTjxMubHYnIlv/Uy/L14y/DtUslbUtwHzJ1CesaNMNxLzMYDgOgJ91 jfqJW1f36Anrj3epsKi8GzjURMQ3EePq2dIzPFprPupEQ8o/+C9r82lpGc8KGfWuwj9HurueG7+ /tot73IxVavzGZG5V2e86tMXPQmXURl03ul+pMSPcChyYmCrGWhBmHtFHzrgGqJUI6bm3Qu+HuT pgeRjqIKvly2tOiT0sgFGMMwftdthXU3iXW7EhCOrlqWvycxXDVnYqDTFvnL4ixpP45OfoMNHPB jBP3TVO0wzw0iaXALF+ZbDBF6a9LM= X-Received: by 2002:a17:90b:5683:b0:35e:576e:5bc with SMTP id 98e67ed59e1d1-365ac79c531mr29827799a91.25.1778576400381; Tue, 12 May 2026 02:00:00 -0700 (PDT) Received: from MVIN00352.. ([2401:4900:1cc4:80a8:e6ce:e2c9:e8fb:6a6e]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-367d623fcfasm13591380a91.2.2026.05.12.01.59.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 01:59:59 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 4/5] xserver-xorg: Fix CVE-2026-34002 Date: Tue, 12 May 2026 14:29:22 +0530 Message-ID: <20260512085923.820545-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260512085923.820545-1-vanusuri@mvista.com> References: <20260512085923.820545-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 May 2026 09:00:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236866 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34002 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2026-34002.patch | 93 +++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch new file mode 100644 index 0000000000..131caefcd5 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34002.patch @@ -0,0 +1,93 @@ +From f056ce1cc96ed9261052c31524162c78e458f98c Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Feb 2026 17:02:09 +0100 +Subject: [PATCH] xkb: Fix out-of-bounds read in CheckModifierMap() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x547E5B: CheckModifierMap (xkb.c:1972) + == by 0x54A086: _XkbSetMapChecks (xkb.c:2574) + == by 0x54A845: ProcXkbSetMap (xkb.c:2741) + == by 0x556EF4: ProcXkbDispatch (xkb.c:7048) + == by 0x454A8C: Dispatch (dispatch.c:553) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x592D5A: AllocateInputBuffer (io.c:981) + == by 0x591F77: InsertFakeRequest (io.c:516) + == by 0x45CA27: NextAvailableClient (dispatch.c:3629) + == by 0x58FA81: AllocNewConnection (connection.c:628) + == by 0x58FC70: EstablishNewConnections (connection.c:692) + == by 0x58FFAA: HandleNotifyFd (connection.c:809) + == by 0x593F42: ospoll_wait (ospoll.c:660) + == by 0x58B9B6: WaitForSomething (WaitFor.c:208) + == by 0x4548AC: Dispatch (dispatch.c:493) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + +The issue is that the loop in CheckModifierMap() reads from wire without +verifying that the data is within the request bounds. + +The req->totalModMapKeys value could exceed the actual data provided, +causing reads of uninitialized memory. + +To fix that issue, we add a bounds check using _XkbCheckRequestBounds, +but for that, we need to also pass a ClientPtr parameter, which is not +a problem since CheckModifierMap() is a private, static function. + +CVE-2026-34002, ZDI-CAN-28737 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c] +CVE: CVE-2026-34002 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 1ba638b..3fcc6c4 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + + static int +-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, +- int *errRtrn) ++CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, ++ CARD8 **wireRtrn, int *errRtrn) + { + register CARD8 *wire = *wireRtrn; + CARD8 *start; +@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, + } + start = wire; + for (i = 0; i < req->totalModMapKeys; i++, wire += 2) { ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errRtrn = _XkbErrCode4(0x63, first, last, wire[0]); + return 0; +@@ -2568,7 +2572,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + return BadValue; + } + if ((req->present & XkbModifierMapMask) && +- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index dfed2c2437..2f7edd16a1 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -8,6 +8,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ + file://CVE-2026-34002.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" From patchwork Tue May 12 08:59:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 87887 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 70733CD4855 for ; Tue, 12 May 2026 09:00:13 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71362.1778576406555454458 for ; Tue, 12 May 2026 02:00:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=E6ALNeOg; spf=pass (domain: mvista.com, ip: 209.85.216.41, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-367cbac9cb1so3140013a91.3 for ; Tue, 12 May 2026 02:00:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1778576405; x=1779181205; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=InJtewPQxwU7CxyQgYip1ZO0Jubnb1p79O7GMU7QOkk=; b=E6ALNeOg9T+IHuVbUW80vtJmDIn1TElIwPQ/7uui4E1GsqwQJOuXwvhCJFDHa4GXwj Wwjw4kBl7zrWYq0L6L5dETr3qN2IeYZoxodDrua/qADI3HMMEq75WS9RfuZhIJz7/Nx5 Tl9AOuHU9El2rZo70Wt6iDVlieVZY3qxAHa4s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778576405; x=1779181205; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=InJtewPQxwU7CxyQgYip1ZO0Jubnb1p79O7GMU7QOkk=; b=lK3/XIjfw6zbpTwdNwyRtZTetI1Xu6W7jwUCGKDq62qUF7vwjZM0ryaXhU2/EXG4Rh cAR4enYOsMjoNV3jiIH5met6j21ALUNcvESgGwXo5hsmDtfTKFeJK5B4+aBKMeyxUDF6 s4BIUqYeHe8PcH04skccDF718RW/mEYBeymPu0IN92beIKqTnlPNrn+9ERhMgnRxa/LG T687iktFJXOKKn5bRyq5sCDZeW6fsWoF5gY9AuM232e3TDW1ufZ7bX52WkzfATKd5mk7 MIqbiK3HS7hz1d/QpOk1X/WFmQbwtQezWc5ZQgSi+nyIljAyH0VaMjbrX+5vuLIA86+U PvAg== X-Gm-Message-State: AOJu0YyRxpuePSm0JHX0hhUo0mRZFcyHqELJUUu83IJYvd8QuJ1/GIfZ 8VoIL8JZZXzZ32mZTeggvtlQD+XKi7JUVYXlJVoASTuemGV3+GsXH/8afL0o20rKLLr9co006tF Ocp+1 X-Gm-Gg: Acq92OFPiowKpslFRD+cLgtpAgV67vaAtdF7jqBK2w59JmGj4o4LzYyI48HwC8aANcs twNrRKmTtOYXnKVFT/i1EU/wr7Rp9S11ncGlr5Z4GvoUte5w8WoQ8FJC3gBUVwytrxk8OIiW3H4 5a2F4lFwkg8OuCjAEkPZ4id8DYqzyT3Gc/2HONXiybsxouw7Hmis3/jJcA9oUClhrHV6RFWvjtY JfX8y8qklJVO6fe6KlCDPQ1kwgEotaZRFfFXu6n2H8lAPzuLUdKwLhc1UGBK5hyX541jMmu119f Ejn/69Bv2u1UEh0E/fI80a0l4KH1kpeO4NthTCd67MakH1yOC1U/B8in2cQpbpDVio9mmScbgbQ OZhLIN6yhysiInPRp5Us4BW8QHyvWV3HYYOyTHPCwELUHpFBtulYtW4yxDeg7JeguY1F75uXyp8 V2k+zQBKyfXynxOzx0KKgLja0AjCI= X-Received: by 2002:a17:90b:134e:b0:368:1979:5e8d with SMTP id 98e67ed59e1d1-36819796535mr10895847a91.2.1778576405043; Tue, 12 May 2026 02:00:05 -0700 (PDT) Received: from MVIN00352.. ([2401:4900:1cc4:80a8:e6ce:e2c9:e8fb:6a6e]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-367d623fcfasm13591380a91.2.2026.05.12.02.00.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 02:00:04 -0700 (PDT) From: Vijay Anusuri To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][patch 5/5] xserver-xorg: Fix CVE-2026-34003 Date: Tue, 12 May 2026 14:29:23 +0530 Message-ID: <20260512085923.820545-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260512085923.820545-1-vanusuri@mvista.com> References: <20260512085923.820545-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 May 2026 09:00:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236867 Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34003 Signed-off-by: Vijay Anusuri --- .../xserver-xorg/CVE-2026-34003-1.patch | 113 +++++++++ .../xserver-xorg/CVE-2026-34003-2.patch | 223 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.18.bb | 2 + 3 files changed, 338 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch new file mode 100644 index 0000000000..3a1a9db8cb --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-1.patch @@ -0,0 +1,113 @@ +From b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 23 Feb 2026 15:52:49 +0100 +Subject: [PATCH] xkb: Add additional bound checking in CheckKeyTypes() + +The function CheckKeyTypes() will loop over the client's request but +won't perform any additional bound checking to ensure that the data +read remains within the request bounds. + +As a result, a specifically crafted request may cause CheckKeyTypes() to +read past the request data, as reported by valgrind: + + == Invalid read of size 2 + == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 30 bytes after a block of size 28,672 in arena "client" + == + == Invalid read of size 2 + == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + == Invalid write of size 2 + == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + +To avoid that issue, add additional bounds checking within the loops by +calling _XkbCheckRequestBounds() and report an error if we are to read +past the client's request. + +CVE-2026-34003, ZDI-CAN-28736 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 3fcc6c4..0ef634b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client, + for (i = 0; i < req->nTypes; i++) { + unsigned width; + ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->virtualMods); + } +@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client, + xkbModsWireDesc *preWire; + + mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1]; ++ if (!_XkbCheckRequestBounds(client, req, mapWire, ++ &mapWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries); ++ return 0; ++ } + preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries]; ++ if (wire->preserve && ++ !_XkbCheckRequestBounds(client, req, preWire, ++ &preWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries); ++ return 0; ++ } + for (n = 0; n < wire->nMapEntries; n++) { + if (client->swapped && doswap) { + swaps(&mapWire[n].virtualMods); +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch new file mode 100644 index 0000000000..15b2b946d5 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2026-34003-2.patch @@ -0,0 +1,223 @@ +From d38c563fab5c4a554e0939da39e4d1dadef7cbae Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 2 Mar 2026 14:09:57 +0100 +Subject: [PATCH] xkb: Add more _XkbCheckRequestBounds() + +Similar to the recent fixes, add more _XkbCheckRequestBounds() to the +functions that loop over the request data, i.e.: + + * CheckKeySyms() + * CheckKeyActions() + * CheckKeyBehaviors() + * CheckVirtualMods() + * CheckKeyExplicit() + * CheckVirtualModMap() + * _XkbSetMapChecks() + +All these are static functions so we can add the client to the parameters +without breaking any API. + +See also: +CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737 + +v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives. + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 55 insertions(+), 14 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 0ef634b..6320914 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client, + KeySym *pSyms; + register unsigned nG; + ++ /* Check we received enough data to read the next xkbSymMapWireDesc */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->nSyms); + } +@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client, + return 0; + } + pSyms = (KeySym *) &wire[1]; ++ if (wire->nSyms != 0) { ++ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) { ++ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms); ++ return 0; ++ } ++ } + wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms]; + } + +@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client, + } + + static int +-CheckKeyActions(XkbDescPtr xkb, +- xkbSetMapReq * req, +- int nTypes, +- CARD8 *mapWidths, +- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) ++CheckKeyActions(ClientPtr client, ++ XkbDescPtr xkb, ++ xkbSetMapReq * req, ++ int nTypes, ++ CARD8 *mapWidths, ++ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) + { + int nActs; + CARD8 *wire = *wireRtrn; +@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb, + CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn), + 0); + for (nActs = i = 0; i < req->nKeyActs; i++) { ++ /* Check we received enough data to read the next byte on the wire */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i); ++ return 0; ++ } + if (wire[0] != 0) { + if (wire[0] == symsPerKey[i + req->firstKeyAct]) + nActs += wire[0]; +@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb, + } + + static int +-CheckKeyBehaviors(XkbDescPtr xkb, ++CheckKeyBehaviors(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn) + { +@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + for (i = 0; i < req->totalKeyBehaviors; i++, wire++) { ++ /* Check we received enough data to read the next behavior */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x36, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key); + return 0; +@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + static int +-CheckVirtualMods(XkbDescRec * xkb, ++CheckVirtualMods(ClientPtr client, ++ XkbDescRec * xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb, + if (req->virtualMods & bit) + nMods++; + } ++ /* Check we received enough data for the number of virtual mods expected */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) { ++ *errorRtrn = _XkbErrCode3(0x37, nMods, i); ++ return 0; ++ } + *wireRtrn = (wire + XkbPaddedSize(nMods)); + return 1; + } + + static int +-CheckKeyExplicit(XkbDescPtr xkb, ++CheckKeyExplicit(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + start = wire; + for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) { ++ /* Check we received enough data to read the next two bytes */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errorRtrn = _XkbErrCode4(0x54, first, last, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]); + return 0; +@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, + } + + static int +-CheckVirtualModMap(XkbDescPtr xkb, ++CheckVirtualModMap(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbVModMapWireDesc ** wireRtrn, int *errRtrn) + { +@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb, + return 0; + } + for (i = 0; i < req->totalVModMapKeys; i++, wire++) { ++ /* Check we received enough data to read the next virtual mod map key */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errRtrn = _XkbErrCode3(0x74, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errRtrn = _XkbErrCode4(0x73, first, last, wire->key); + return 0; +@@ -2563,7 +2604,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + + if ((req->present & XkbKeyActionsMask) && +- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey, ++ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey, + (CARD8 **) &values, &nActions))) { + client->errorValue = nActions; + return BadValue; +@@ -2571,18 +2612,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + + if ((req->present & XkbKeyBehaviorsMask) && + (!CheckKeyBehaviors +- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + + if ((req->present & XkbVirtualModsMask) && +- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + if ((req->present & XkbExplicitComponentsMask) && +- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +@@ -2593,7 +2634,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + if ((req->present & XkbVirtualModMapMask) && + (!CheckVirtualModMap +- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index 2f7edd16a1..110b3bbbdf 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb @@ -9,6 +9,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ file://CVE-2026-34002.patch \ + file://CVE-2026-34003-1.patch \ + file://CVE-2026-34003-2.patch \ " SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352"