5 files changed, 305 insertions, 1 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch
new file mode 100644
index 0000000000..fa8bc542d8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch
@@ -0,0 +1,91 @@
+From 359c9c0478406fe00e0d4c5d52bd9bf8c2ca4081 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 2 Jul 2025 09:46:22 +0200
+Subject: [PATCH 1/4] present: Fix use-after-free in present_create_notifies()
+Using the Present extension, if an error occurs while processing and
+adding the notifications after presenting a pixmap, the function
+present_create_notifies() will clean up and remove the notifications
+it added.
+However, there are two different code paths that can lead to an error
+creating the notify, one being before the notify is being added to the
+list, and another one after the notify is added.
+When the error occurs before it's been added, it removes the elements up
+to the last added element, instead of the actual number of elements
+which were added.
+As a result, in case of error, as with an invalid window for example, it
+leaves a dangling pointer to the last element, leading to a use after
+free case later:
+ |  Invalid write of size 8
+ |     at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
+ |     by 0x534A56: present_destroy_window (present_screen.c:107)
+ |     by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
+ |     by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
+ |     by 0x51EAC4: damageDestroyWindow (damage.c:1592)
+ |     by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
+ |     by 0x4EAC55: FreeWindowResources (window.c:1023)
+ |     by 0x4EAF59: DeleteWindow (window.c:1091)
+ |     by 0x4DE59A: doFreeResource (resource.c:890)
+ |     by 0x4DEFB2: FreeClientResources (resource.c:1156)
+ |     by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
+ |     by 0x5DCC78: ClientReady (connection.c:603)
+ |   Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
+ |     at 0x4841E43: free (vg_replace_malloc.c:989)
+ |     by 0x5363DD: present_destroy_notifies (present_notify.c:111)
+ |     by 0x53638D: present_create_notifies (present_notify.c:100)
+ |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
+ |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
+ |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
+ |     by 0x4A1E4E: Dispatch (dispatch.c:561)
+ |     by 0x4B00F1: dix_main (main.c:284)
+ |     by 0x42879D: main (stubmain.c:34)
+ |   Block was alloc'd at
+ |     at 0x48463F3: calloc (vg_replace_malloc.c:1675)
+ |     by 0x5362A1: present_create_notifies (present_notify.c:81)
+ |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
+ |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
+ |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
+ |     by 0x4A1E4E: Dispatch (dispatch.c:561)
+ |     by 0x4B00F1: dix_main (main.c:284)
+ |     by 0x42879D: main (stubmain.c:34)
+To fix the issue, count and remove the actual number of notify elements
+added in case of error.
+CVE-2025-62229, ZDI-CAN-27238
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0)
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
+CVE: CVE-2025-62229
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ present/present_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/present/present_notify.c b/present/present_notify.c
+index 445954998..00b3b68bd 100644
+--- a/present/present_notify.c
+++ b/present/present_notify.c
+@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
+         if (status != Success)
+             goto bail;
+ 
+-        added = i;
+        added++;
+     }
+     return Success;
+ 
+-- 
+2.43.0
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
new file mode 100644
index 0000000000..ed25f4b58e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
@@ -0,0 +1,63 @@
+From a3d5c76ee8925ef9846c72e2327674b84e3fcdb3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 10 Sep 2025 15:55:06 +0200
+Subject: [PATCH 2/4] xkb: Make the RT_XKBCLIENT resource private
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Currently, the resource in only available to the xkb.c source file.
+In preparation for the next commit, to be able to free the resources
+from XkbRemoveResourceClient(), make that variable private instead.
+This is related to:
+CVE-2025-62230, ZDI-CAN-27545
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
+CVE: CVE-2025-62230
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ include/xkbsrv.h | 2 ++
+ xkb/xkb.c        | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/include/xkbsrv.h b/include/xkbsrv.h
+index fbb5427e1..b2766277c 100644
+--- a/include/xkbsrv.h
+++ b/include/xkbsrv.h
+@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include "inputstr.h"
+ #include "events.h"
+ 
+extern RESTYPE RT_XKBCLIENT;
+
+ typedef struct _XkbInterest {
+     DeviceIntPtr dev;
+     ClientPtr client;
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 5131bfcdf..26d965d48 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode;
+ CARD32 xkbDebugFlags = 0;
+ static CARD32 xkbDebugCtrls = 0;
+ 
+-static RESTYPE RT_XKBCLIENT;
+RESTYPE RT_XKBCLIENT = 0;
+ 
+ /***====================================================================***/
+ 
+-- 
+2.43.0
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
new file mode 100644
index 0000000000..f55e3d4126
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
@@ -0,0 +1,92 @@
+From 32b12feb6f9f3d32532ff75c7434a7426b85e0c3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 10 Sep 2025 15:58:57 +0200
+Subject: [PATCH 3/4] xkb: Free the XKB resource when freeing XkbInterest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+XkbRemoveResourceClient() would free the XkbInterest data associated
+with the device, but not the resource associated with it.
+As a result, when the client terminates, the resource delete function
+gets called and accesses already freed memory:
+ | Invalid read of size 8
+ |   at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
+ |   by 0x5B3391: XkbClientGone (xkb.c:7094)
+ |   by 0x4DF138: doFreeResource (resource.c:890)
+ |   by 0x4DFB50: FreeClientResources (resource.c:1156)
+ |   by 0x4A9A59: CloseDownClient (dispatch.c:3550)
+ |   by 0x5E0A53: ClientReady (connection.c:601)
+ |   by 0x5E4FEF: ospoll_wait (ospoll.c:657)
+ |   by 0x5DC834: WaitForSomething (WaitFor.c:206)
+ |   by 0x4A1BA5: Dispatch (dispatch.c:491)
+ |   by 0x4B0070: dix_main (main.c:277)
+ |   by 0x4285E7: main (stubmain.c:34)
+ | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
+ |   at 0x4842E43: free (vg_replace_malloc.c:989)
+ |   by 0x49C1A6: CloseDevice (devices.c:1067)
+ |   by 0x49C522: CloseOneDevice (devices.c:1193)
+ |   by 0x49C6E4: RemoveDevice (devices.c:1244)
+ |   by 0x5873D4: remove_master (xichangehierarchy.c:348)
+ |   by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
+ |   by 0x579BF1: ProcIDispatch (extinit.c:390)
+ |   by 0x4A1D85: Dispatch (dispatch.c:551)
+ |   by 0x4B0070: dix_main (main.c:277)
+ |   by 0x4285E7: main (stubmain.c:34)
+ | Block was alloc'd at
+ |   at 0x48473F3: calloc (vg_replace_malloc.c:1675)
+ |   by 0x49A118: AddInputDevice (devices.c:262)
+ |   by 0x4A0E58: AllocDevicePair (devices.c:2846)
+ |   by 0x5866EE: add_master (xichangehierarchy.c:153)
+ |   by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
+ |   by 0x579BF1: ProcIDispatch (extinit.c:390)
+ |   by 0x4A1D85: Dispatch (dispatch.c:551)
+ |   by 0x4B0070: dix_main (main.c:277)
+ |   by 0x4285E7: main (stubmain.c:34)
+To avoid that issue, make sure to free the resources when freeing the
+device XkbInterest data.
+CVE-2025-62230, ZDI-CAN-27545
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
+CVE: CVE-2025-62230
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ xkb/xkbEvents.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
+index 0bbd66186..3d04ecf0c 100644
+--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
+@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+             autoCtrls = interest->autoCtrls;
+             autoValues = interest->autoCtrlValues;
+             client = interest->client;
+            FreeResource(interest->resource, RT_XKBCLIENT);
+             free(interest);
+             found = TRUE;
+         }
+@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+                 autoCtrls = victim->autoCtrls;
+                 autoValues = victim->autoCtrlValues;
+                 client = victim->client;
+                FreeResource(victim->resource, RT_XKBCLIENT);
+                 free(victim);
+                 found = TRUE;
+             }
+-- 
+2.43.0
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
new file mode 100644
index 0000000000..5036f0c9f0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
@@ -0,0 +1,53 @@
+From 364f06788f1de4edc0547c7f29d338e6deffc138 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 10 Sep 2025 16:30:29 +0200
+Subject: [PATCH 4/4] xkb: Prevent overflow in XkbSetCompatMap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The XkbCompatMap structure stores its "num_si" and "size_si" fields
+using an unsigned short.
+However, the function _XkbSetCompatMap() will store the sum of the
+input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
+"size_si" without first checking if the sum overflows the maximum
+unsigned short value, leading to a possible overflow.
+To avoid the issue, check whether the sum does not exceed the maximum
+unsigned short value, or return a "BadValue" error otherwise.
+CVE-2025-62231, ZDI-CAN-27560
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
+CVE: CVE-2025-62231
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ xkb/xkb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 26d965d48..137d70da2 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
+         XkbSymInterpretPtr sym;
+         unsigned int skipped = 0;
+ 
+        if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
+            return BadValue;
+         if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+             compat->num_si = compat->size_si = req->firstSI + req->nSI;
+             compat->sym_interpret = reallocarray(compat->sym_interpret,
+-- 
+2.43.0
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
index f42f99d6c6..44ccea76f5 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
@@ -1,6 +1,11 @@
 require xserver-xorg.inc
-SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch"
+SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
+            file://0001-present-Fix-use-after-free-in-present_create_notifie.patch \
+            file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \
+            file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \
+            file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \
+            "
 SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352"
 # These extensions are now integrated into the server, so declare the migration

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch new file mode 100644 index 0000000000..fa8bc542d8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch
@@ -0,0 +1,91 @@
		1	From 359c9c0478406fe00e0d4c5d52bd9bf8c2ca4081 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 2 Jul 2025 09:46:22 +0200
		4	Subject: [PATCH 1/4] present: Fix use-after-free in present_create_notifies()
		5
		6	Using the Present extension, if an error occurs while processing and
		7	adding the notifications after presenting a pixmap, the function
		8	present_create_notifies() will clean up and remove the notifications
		9	it added.
		10
		11	However, there are two different code paths that can lead to an error
		12	creating the notify, one being before the notify is being added to the
		13	list, and another one after the notify is added.
		14
		15	When the error occurs before it's been added, it removes the elements up
		16	to the last added element, instead of the actual number of elements
		17	which were added.
		18
		19	As a result, in case of error, as with an invalid window for example, it
		20	leaves a dangling pointer to the last element, leading to a use after
		21	free case later:
		22
		23	\| Invalid write of size 8
		24	\| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
		25	\| by 0x534A56: present_destroy_window (present_screen.c:107)
		26	\| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
		27	\| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
		28	\| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
		29	\| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
		30	\| by 0x4EAC55: FreeWindowResources (window.c:1023)
		31	\| by 0x4EAF59: DeleteWindow (window.c:1091)
		32	\| by 0x4DE59A: doFreeResource (resource.c:890)
		33	\| by 0x4DEFB2: FreeClientResources (resource.c:1156)
		34	\| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
		35	\| by 0x5DCC78: ClientReady (connection.c:603)
		36	\| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
		37	\| at 0x4841E43: free (vg_replace_malloc.c:989)
		38	\| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
		39	\| by 0x53638D: present_create_notifies (present_notify.c:100)
		40	\| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
		41	\| by 0x536A7D: proc_present_pixmap (present_request.c:189)
		42	\| by 0x536FA9: proc_present_dispatch (present_request.c:337)
		43	\| by 0x4A1E4E: Dispatch (dispatch.c:561)
		44	\| by 0x4B00F1: dix_main (main.c:284)
		45	\| by 0x42879D: main (stubmain.c:34)
		46	\| Block was alloc'd at
		47	\| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
		48	\| by 0x5362A1: present_create_notifies (present_notify.c:81)
		49	\| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
		50	\| by 0x536A7D: proc_present_pixmap (present_request.c:189)
		51	\| by 0x536FA9: proc_present_dispatch (present_request.c:337)
		52	\| by 0x4A1E4E: Dispatch (dispatch.c:561)
		53	\| by 0x4B00F1: dix_main (main.c:284)
		54	\| by 0x42879D: main (stubmain.c:34)
		55
		56	To fix the issue, count and remove the actual number of notify elements
		57	added in case of error.
		58
		59	CVE-2025-62229, ZDI-CAN-27238
		60
		61	This vulnerability was discovered by:
		62	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		63
		64	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		65	(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0)
		66
		67	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
		68
		69	CVE: CVE-2025-62229
		70	Upstream-Status: Backport
		71	Signed-off-by: Ross Burton <ross.burton@arm.com>
		72	---
		73	present/present_notify.c \| 2 +-
		74	1 file changed, 1 insertion(+), 1 deletion(-)
		75
		76	diff --git a/present/present_notify.c b/present/present_notify.c
		77	index 445954998..00b3b68bd 100644
		78	--- a/present/present_notify.c
		79	+++ b/present/present_notify.c
		80	@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
		81	if (status != Success)
		82	goto bail;
		83
		84	- added = i;
		85	+ added++;
		86	}
		87	return Success;
		88
		89	--
		90	2.43.0
		91


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch new file mode 100644 index 0000000000..ed25f4b58e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
@@ -0,0 +1,63 @@
		1	From a3d5c76ee8925ef9846c72e2327674b84e3fcdb3 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 10 Sep 2025 15:55:06 +0200
		4	Subject: [PATCH 2/4] xkb: Make the RT_XKBCLIENT resource private
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Currently, the resource in only available to the xkb.c source file.
		10
		11	In preparation for the next commit, to be able to free the resources
		12	from XkbRemoveResourceClient(), make that variable private instead.
		13
		14	This is related to:
		15
		16	CVE-2025-62230, ZDI-CAN-27545
		17
		18	This vulnerability was discovered by:
		19	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		20
		21	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		22	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
		23	(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
		24
		25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
		26
		27	CVE: CVE-2025-62230
		28	Upstream-Status: Backport
		29	Signed-off-by: Ross Burton <ross.burton@arm.com>
		30	---
		31	include/xkbsrv.h \| 2 ++
		32	xkb/xkb.c \| 2 +-
		33	2 files changed, 3 insertions(+), 1 deletion(-)
		34
		35	diff --git a/include/xkbsrv.h b/include/xkbsrv.h
		36	index fbb5427e1..b2766277c 100644
		37	--- a/include/xkbsrv.h
		38	+++ b/include/xkbsrv.h
		39	@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
		40	#include "inputstr.h"
		41	#include "events.h"
		42
		43	+extern RESTYPE RT_XKBCLIENT;
		44	+
		45	typedef struct _XkbInterest {
		46	DeviceIntPtr dev;
		47	ClientPtr client;
		48	diff --git a/xkb/xkb.c b/xkb/xkb.c
		49	index 5131bfcdf..26d965d48 100644
		50	--- a/xkb/xkb.c
		51	+++ b/xkb/xkb.c
		52	@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode;
		53	CARD32 xkbDebugFlags = 0;
		54	static CARD32 xkbDebugCtrls = 0;
		55
		56	-static RESTYPE RT_XKBCLIENT;
		57	+RESTYPE RT_XKBCLIENT = 0;
		58
		59	/*====================================================================*/
		60
		61	--
		62	2.43.0
		63


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch new file mode 100644 index 0000000000..f55e3d4126 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
@@ -0,0 +1,92 @@
		1	From 32b12feb6f9f3d32532ff75c7434a7426b85e0c3 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 10 Sep 2025 15:58:57 +0200
		4	Subject: [PATCH 3/4] xkb: Free the XKB resource when freeing XkbInterest
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	XkbRemoveResourceClient() would free the XkbInterest data associated
		10	with the device, but not the resource associated with it.
		11
		12	As a result, when the client terminates, the resource delete function
		13	gets called and accesses already freed memory:
		14
		15	\| Invalid read of size 8
		16	\| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
		17	\| by 0x5B3391: XkbClientGone (xkb.c:7094)
		18	\| by 0x4DF138: doFreeResource (resource.c:890)
		19	\| by 0x4DFB50: FreeClientResources (resource.c:1156)
		20	\| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
		21	\| by 0x5E0A53: ClientReady (connection.c:601)
		22	\| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
		23	\| by 0x5DC834: WaitForSomething (WaitFor.c:206)
		24	\| by 0x4A1BA5: Dispatch (dispatch.c:491)
		25	\| by 0x4B0070: dix_main (main.c:277)
		26	\| by 0x4285E7: main (stubmain.c:34)
		27	\| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
		28	\| at 0x4842E43: free (vg_replace_malloc.c:989)
		29	\| by 0x49C1A6: CloseDevice (devices.c:1067)
		30	\| by 0x49C522: CloseOneDevice (devices.c:1193)
		31	\| by 0x49C6E4: RemoveDevice (devices.c:1244)
		32	\| by 0x5873D4: remove_master (xichangehierarchy.c:348)
		33	\| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
		34	\| by 0x579BF1: ProcIDispatch (extinit.c:390)
		35	\| by 0x4A1D85: Dispatch (dispatch.c:551)
		36	\| by 0x4B0070: dix_main (main.c:277)
		37	\| by 0x4285E7: main (stubmain.c:34)
		38	\| Block was alloc'd at
		39	\| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
		40	\| by 0x49A118: AddInputDevice (devices.c:262)
		41	\| by 0x4A0E58: AllocDevicePair (devices.c:2846)
		42	\| by 0x5866EE: add_master (xichangehierarchy.c:153)
		43	\| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
		44	\| by 0x579BF1: ProcIDispatch (extinit.c:390)
		45	\| by 0x4A1D85: Dispatch (dispatch.c:551)
		46	\| by 0x4B0070: dix_main (main.c:277)
		47	\| by 0x4285E7: main (stubmain.c:34)
		48
		49	To avoid that issue, make sure to free the resources when freeing the
		50	device XkbInterest data.
		51
		52	CVE-2025-62230, ZDI-CAN-27545
		53
		54	This vulnerability was discovered by:
		55	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		56
		57	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		58	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
		59	(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
		60
		61	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
		62
		63	CVE: CVE-2025-62230
		64	Upstream-Status: Backport
		65	Signed-off-by: Ross Burton <ross.burton@arm.com>
		66	---
		67	xkb/xkbEvents.c \| 2 ++
		68	1 file changed, 2 insertions(+)
		69
		70	diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
		71	index 0bbd66186..3d04ecf0c 100644
		72	--- a/xkb/xkbEvents.c
		73	+++ b/xkb/xkbEvents.c
		74	@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
		75	autoCtrls = interest->autoCtrls;
		76	autoValues = interest->autoCtrlValues;
		77	client = interest->client;
		78	+ FreeResource(interest->resource, RT_XKBCLIENT);
		79	free(interest);
		80	found = TRUE;
		81	}
		82	@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
		83	autoCtrls = victim->autoCtrls;
		84	autoValues = victim->autoCtrlValues;
		85	client = victim->client;
		86	+ FreeResource(victim->resource, RT_XKBCLIENT);
		87	free(victim);
		88	found = TRUE;
		89	}
		90	--
		91	2.43.0
		92


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch new file mode 100644 index 0000000000..5036f0c9f0 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
@@ -0,0 +1,53 @@
		1	From 364f06788f1de4edc0547c7f29d338e6deffc138 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 10 Sep 2025 16:30:29 +0200
		4	Subject: [PATCH 4/4] xkb: Prevent overflow in XkbSetCompatMap()
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	The XkbCompatMap structure stores its "num_si" and "size_si" fields
		10	using an unsigned short.
		11
		12	However, the function _XkbSetCompatMap() will store the sum of the
		13	input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
		14	"size_si" without first checking if the sum overflows the maximum
		15	unsigned short value, leading to a possible overflow.
		16
		17	To avoid the issue, check whether the sum does not exceed the maximum
		18	unsigned short value, or return a "BadValue" error otherwise.
		19
		20	CVE-2025-62231, ZDI-CAN-27560
		21
		22	This vulnerability was discovered by:
		23	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		24
		25	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		26	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
		27	(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
		28
		29	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
		30
		31	CVE: CVE-2025-62231
		32	Upstream-Status: Backport
		33	Signed-off-by: Ross Burton <ross.burton@arm.com>
		34	---
		35	xkb/xkb.c \| 2 ++
		36	1 file changed, 2 insertions(+)
		37
		38	diff --git a/xkb/xkb.c b/xkb/xkb.c
		39	index 26d965d48..137d70da2 100644
		40	--- a/xkb/xkb.c
		41	+++ b/xkb/xkb.c
		42	@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
		43	XkbSymInterpretPtr sym;
		44	unsigned int skipped = 0;
		45
		46	+ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
		47	+ return BadValue;
		48	if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
		49	compat->num_si = compat->size_si = req->firstSI + req->nSI;
		50	compat->sym_interpret = reallocarray(compat->sym_interpret,
		51	--
		52	2.43.0
		53


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb index f42f99d6c6..44ccea76f5 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
@@ -1,6 +1,11 @@
1	require xserver-xorg.inc	1	require xserver-xorg.inc
2		2
3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch"	3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
		4	file://0001-present-Fix-use-after-free-in-present_create_notifie.patch \
		5	file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \
		6	file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \
		7	file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \
		8	"
4	SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352"	9	SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352"
5		10
6	# These extensions are now integrated into the server, so declare the migration	11	# These extensions are now integrated into the server, so declare the migration