From 784b81e06a928446b0329acc68e71a61a46168e4 Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Tue, 22 Apr 2025 09:22:30 +0800 Subject: [PATCH] add missing patches regarding CVE-2025-26594, CVE-2025-26599, CVE-2025-26601 (cherry picked from commit 512e8a0fc3422346c10cd14c2f5dd49fe70bc0c1) --- backport-CVE-2025-26594.patch | 53 +++++++++ backport-CVE-2025-26599.patch | 62 ++++++++++ backport-CVE-2025-26601.patch | 217 ++++++++++++++++++++++++++++++++-- xorg-x11-server.spec | 5 +- 4 files changed, 324 insertions(+), 13 deletions(-) diff --git a/backport-CVE-2025-26594.patch b/backport-CVE-2025-26594.patch index 486c484..505a239 100644 --- a/backport-CVE-2025-26594.patch +++ b/backport-CVE-2025-26594.patch @@ -1,3 +1,56 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Dänzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +Part-of: +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index efb17c7346..b3e5feacc2 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3123,6 +3123,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +GitLab + From 9dc8beff846a127cc8754212fb654e5f66dacff4 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Wed, 4 Dec 2024 15:49:43 +1000 diff --git a/backport-CVE-2025-26599.patch b/backport-CVE-2025-26599.patch index cddb4ff..d390f2e 100644 --- a/backport-CVE-2025-26599.patch +++ b/backport-CVE-2025-26599.patch @@ -1,3 +1,65 @@ +From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow() + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index f7048a75b5..7cf7351e00 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +GitLab + From 9a5a5b2972539ba5ef16dbc802c4eb87c9226d4e Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Mon, 13 Jan 2025 16:09:43 +0100 diff --git a/backport-CVE-2025-26601.patch b/backport-CVE-2025-26601.patch index cdd2d77..c41c1f6 100644 --- a/backport-CVE-2025-26601.patch +++ b/backport-CVE-2025-26601.patch @@ -1,8 +1,203 @@ -From e7bca6a0933b6f0c1568cbe770740c48626f30be Mon Sep 17 00:00:00 2001 +From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH] sync: Do not let sync objects uninitialized + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index ee0010e657..585cfa6f68 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +GitLab + +From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH] sync: Check values before applying changes + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 585cfa6f68..10302160fb 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +GitLab + +From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject() + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 10302160fb..65f2d43780 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +GitLab + +From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Mon, 20 Jan 2025 17:10:31 +0100 -Subject: [PATCH xserver 13/13] sync: Apply changes last in - SyncChangeAlarmAttributes() +Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes() SyncChangeAlarmAttributes() would apply the various changes while checking for errors. @@ -17,18 +212,16 @@ Related to CVE-2025-26601, ZDI-CAN-25870 Signed-off-by: Olivier Fourdan Reviewed-by: Peter Hutterer -(cherry picked from commit c285798984c6bb99e454a33772cde23d394d3dcd) - -Part-of: +Part-of: --- Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/Xext/sync.c b/Xext/sync.c -index 8def4adbf..e2f2c2774 100644 +index 65f2d43780..cab73be927 100644 --- a/Xext/sync.c +++ b/Xext/sync.c -@@ -799,8 +799,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, +@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, int status; XSyncCounter counter; Mask origmask = mask; @@ -44,7 +237,7 @@ index 8def4adbf..e2f2c2774 100644 while (mask) { int index2 = lowbit(mask); -@@ -816,24 +822,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, +@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, case XSyncCAValueType: mask &= ~XSyncCAValueType; /* sanity check in SyncInitTrigger */ @@ -73,7 +266,7 @@ index 8def4adbf..e2f2c2774 100644 values += 2; break; -@@ -843,10 +849,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, +@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, client->errorValue = *values; return BadValue; } @@ -86,7 +279,7 @@ index 8def4adbf..e2f2c2774 100644 break; default: -@@ -855,25 +859,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, +@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, } } @@ -127,5 +320,5 @@ index 8def4adbf..e2f2c2774 100644 origmask & XSyncCAAllTrigger)) != Success) return status; -- -2.48.1 +GitLab diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 24a717e..287adc2 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 37 +Release: 38 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -481,6 +481,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Tue Apr 22 2025 Funda Wang - 1.20.11-38 +- add missing patches regarding CVE-2025-26594, CVE-2025-26599, CVE-2025-26601 + * Sun Mar 09 2025 Funda Wang - 1.20.11-37 - fix CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599 -- Gitee