xwayland: Fix CVE-2025-26601

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 (From OE-Core rev: 165032003e3f7fb5fde7322c5ad64c26f286228a) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-05 19:02:14 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:22:56 -0800
commit: 1acf84103895d51a90d92fdee2eff9ce1c234028 (patch)
tree: efdbba2db9d96bd572185abdfede1e4d9f2230c1
parent: bf6991091ce519caea7220fa56a9ff6b27d49c21 (diff)
download: poky-1acf84103895d51a90d92fdee2eff9ce1c234028.tar.gz
5 files changed, 344 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch
new file mode 100644
index 0000000000..df5416a452
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch
@@ -0,0 +1,71 @@
+From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:52:01 +0100
+Subject: [PATCH] sync: Do not let sync objects uninitialized
+When changing an alarm, the change mask values are evaluated one after
+the other, changing the trigger values as requested and eventually,
+SyncInitTrigger() is called.
+SyncInitTrigger() will evaluate the XSyncCACounter first and may free
+the existing sync object.
+Other changes are then evaluated and may trigger an error and an early
+return, not adding the new sync object.
+This can be used to cause a use after free when the alarm eventually
+triggers.
+To avoid the issue, delete the existing sync object as late as possible
+only once we are sure that no further error will cause an early exit.
+CVE-2025-26601, ZDI-CAN-25870
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d]
+CVE: CVE-2025-26601
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xext/sync.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+diff --git a/Xext/sync.c b/Xext/sync.c
+index ee0010e657..585cfa6f68 100644
+--- a/Xext/sync.c
+++ b/Xext/sync.c
+@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+             client->errorValue = syncObject;
+             return rc;
+         }
+-        if (pSync != pTrigger->pSync) { /* new counter for trigger */
+-            SyncDeleteTriggerFromSyncObject(pTrigger);
+-            pTrigger->pSync = pSync;
+-            newSyncObject = TRUE;
+-        }
+     }
+ 
+     /* if system counter, ask it what the current value is */
+@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
+    if (changes & XSyncCACounter) {
+        if (pSync != pTrigger->pSync) { /* new counter for trigger */
+            SyncDeleteTriggerFromSyncObject(pTrigger);
+            pTrigger->pSync = pSync;
+            newSyncObject = TRUE;
+        }
+    }
+
+     /*  we wait until we're sure there are no errors before registering
+      *  a new counter on a trigger
+      */
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch
new file mode 100644
index 0000000000..22e751c017
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch
@@ -0,0 +1,85 @@
+From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:54:30 +0100
+Subject: [PATCH] sync: Check values before applying changes
+In SyncInitTrigger(), we would set the CheckTrigger function before
+validating the counter value.
+As a result, if the counter value overflowed, we would leave the
+function SyncInitTrigger() with the CheckTrigger applied but without
+updating the trigger object.
+To avoid that issue, move the portion of code checking for the trigger
+check value before updating the CheckTrigger function.
+Related to CVE-2025-26601, ZDI-CAN-25870
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f]
+CVE: CVE-2025-26601
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xext/sync.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 585cfa6f68..10302160fb 100644
+--- a/Xext/sync.c
+++ b/Xext/sync.c
+@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
+    if (changes & (XSyncCAValueType | XSyncCAValue)) {
+        if (pTrigger->value_type == XSyncAbsolute)
+            pTrigger->test_value = pTrigger->wait_value;
+        else {                  /* relative */
+            Bool overflow;
+
+            if (pCounter == NULL)
+                return BadMatch;
+
+            overflow = checked_int64_add(&pTrigger->test_value,
+                                         pCounter->value, pTrigger->wait_value);
+            if (overflow) {
+                client->errorValue = pTrigger->wait_value >> 32;
+                return BadValue;
+            }
+        }
+    }
+
+     if (changes & XSyncCATestType) {
+ 
+         if (pSync && SYNC_FENCE == pSync->type) {
+@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
+-    if (changes & (XSyncCAValueType | XSyncCAValue)) {
+-        if (pTrigger->value_type == XSyncAbsolute)
+-            pTrigger->test_value = pTrigger->wait_value;
+-        else {                  /* relative */
+-            Bool overflow;
+-
+-            if (pCounter == NULL)
+-                return BadMatch;
+-
+-            overflow = checked_int64_add(&pTrigger->test_value,
+-                                         pCounter->value, pTrigger->wait_value);
+-            if (overflow) {
+-                client->errorValue = pTrigger->wait_value >> 32;
+-                return BadValue;
+-            }
+-        }
+-    }
+-
+     if (changes & XSyncCACounter) {
+         if (pSync != pTrigger->pSync) { /* new counter for trigger */
+             SyncDeleteTriggerFromSyncObject(pTrigger);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch
new file mode 100644
index 0000000000..8d714f0302
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch
@@ -0,0 +1,52 @@
+From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:06:07 +0100
+Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject()
+We do not want to return a failure at the very last step in
+SyncInitTrigger() after having all changes applied.
+SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
+allocation of the SyncTriggerList fails, trigger a FatalError() instead.
+Related to CVE-2025-26601, ZDI-CAN-25870
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8]
+CVE: CVE-2025-26601
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xext/sync.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 10302160fb..65f2d43780 100644
+--- a/Xext/sync.c
+++ b/Xext/sync.c
+@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
+             return Success;
+     }
+ 
+-    if (!(pCur = malloc(sizeof(SyncTriggerList))))
+-        return BadAlloc;
+    /* Failure is not an option, it's succeed or burst! */
+    pCur = XNFalloc(sizeof(SyncTriggerList));
+ 
+     pCur->pTrigger = pTrigger;
+     pCur->next = pTrigger->pSync->pTriglist;
+@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+      *  a new counter on a trigger
+      */
+     if (newSyncObject) {
+-        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
+-            return rc;
+        SyncAddTriggerToSyncObject(pTrigger);
+     }
+     else if (pCounter && IsSystemCounter(pCounter)) {
+         SyncComputeBracketValues(pCounter);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch
new file mode 100644
index 0000000000..e2261192fa
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch
@@ -0,0 +1,132 @@
+From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:10:31 +0100
+Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes()
+SyncChangeAlarmAttributes() would apply the various changes while
+checking for errors.
+If one of the changes triggers an error, the changes for the trigger,
+counter or delta value would remain, possibly leading to inconsistent
+changes.
+Postpone the actual changes until we're sure nothing else can go wrong.
+Related to CVE-2025-26601, ZDI-CAN-25870
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989]
+CVE: CVE-2025-26601
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 65f2d43780..cab73be927 100644
+--- a/Xext/sync.c
+++ b/Xext/sync.c
+@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+     int status;
+     XSyncCounter counter;
+     Mask origmask = mask;
+    SyncTrigger trigger;
+    Bool select_events_changed = FALSE;
+    Bool select_events_value = FALSE;
+    int64_t delta;
+ 
+-    counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
+    trigger = pAlarm->trigger;
+    delta = pAlarm->delta;
+    counter = trigger.pSync ? trigger.pSync->id : None;
+ 
+     while (mask) {
+         int index2 = lowbit(mask);
+@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+         case XSyncCAValueType:
+             mask &= ~XSyncCAValueType;
+             /* sanity check in SyncInitTrigger */
+-            pAlarm->trigger.value_type = *values++;
+            trigger.value_type = *values++;
+             break;
+ 
+         case XSyncCAValue:
+             mask &= ~XSyncCAValue;
+-            pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+            trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+             values += 2;
+             break;
+ 
+         case XSyncCATestType:
+             mask &= ~XSyncCATestType;
+             /* sanity check in SyncInitTrigger */
+-            pAlarm->trigger.test_type = *values++;
+            trigger.test_type = *values++;
+             break;
+ 
+         case XSyncCADelta:
+             mask &= ~XSyncCADelta;
+-            pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
+            delta = ((int64_t)values[0] << 32) | values[1];
+             values += 2;
+             break;
+ 
+@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+                 client->errorValue = *values;
+                 return BadValue;
+             }
+-            status = SyncEventSelectForAlarm(pAlarm, client,
+-                                             (Bool) (*values++));
+-            if (status != Success)
+-                return status;
+            select_events_value = (Bool) (*values++);
+            select_events_changed = TRUE;
+             break;
+ 
+         default:
+@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+         }
+     }
+ 
+    if (select_events_changed) {
+        status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
+        if (status != Success)
+            return status;
+    }
+
+     /* "If the test-type is PositiveComparison or PositiveTransition
+      *  and delta is less than zero, or if the test-type is
+      *  NegativeComparison or NegativeTransition and delta is
+      *  greater than zero, a Match error is generated."
+      */
+     if (origmask & (XSyncCADelta | XSyncCATestType)) {
+-        if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
+-              (pAlarm->trigger.test_type == XSyncPositiveTransition))
+-             && pAlarm->delta < 0)
+        if ((((trigger.test_type == XSyncPositiveComparison) ||
+              (trigger.test_type == XSyncPositiveTransition))
+             && delta < 0)
+             ||
+-            (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
+-              (pAlarm->trigger.test_type == XSyncNegativeTransition))
+-             && pAlarm->delta > 0)
+            (((trigger.test_type == XSyncNegativeComparison) ||
+              (trigger.test_type == XSyncNegativeTransition))
+             && delta > 0)
+             ) {
+             return BadMatch;
+         }
+     }
+ 
+     /* postpone this until now, when we're sure nothing else can go wrong */
+    pAlarm->delta = delta;
+    pAlarm->trigger = trigger;
+     if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
+                                   origmask & XSyncCAAllTrigger)) != Success)
+         return status;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index ac0408ea67..0265366393 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -20,6 +20,10 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26599-1.patch \
           file://CVE-2025-26599-2.patch \
           file://CVE-2025-26600.patch \
+           file://CVE-2025-26601-1.patch \
+           file://CVE-2025-26601-2.patch \
+           file://CVE-2025-26601-3.patch \
+           file://CVE-2025-26601-4.patch \
 "
 SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-05 19:02:14 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:22:56 -0800
commit	1acf84103895d51a90d92fdee2eff9ce1c234028 (patch)
tree	efdbba2db9d96bd572185abdfede1e4d9f2230c1
parent	bf6991091ce519caea7220fa56a9ff6b27d49c21 (diff)
download	poky-1acf84103895d51a90d92fdee2eff9ce1c234028.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch new file mode 100644 index 0000000000..df5416a452 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch
@@ -0,0 +1,71 @@
		1	From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 20 Jan 2025 16:52:01 +0100
		4	Subject: [PATCH] sync: Do not let sync objects uninitialized
		5
		6	When changing an alarm, the change mask values are evaluated one after
		7	the other, changing the trigger values as requested and eventually,
		8	SyncInitTrigger() is called.
		9
		10	SyncInitTrigger() will evaluate the XSyncCACounter first and may free
		11	the existing sync object.
		12
		13	Other changes are then evaluated and may trigger an error and an early
		14	return, not adding the new sync object.
		15
		16	This can be used to cause a use after free when the alarm eventually
		17	triggers.
		18
		19	To avoid the issue, delete the existing sync object as late as possible
		20	only once we are sure that no further error will cause an early exit.
		21
		22	CVE-2025-26601, ZDI-CAN-25870
		23
		24	This vulnerability was discovered by:
		25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		26
		27	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		28	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		29	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		30
		31	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d]
		32	CVE: CVE-2025-26601
		33	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		34	---
		35	Xext/sync.c \| 13 ++++++++-----
		36	1 file changed, 8 insertions(+), 5 deletions(-)
		37
		38	diff --git a/Xext/sync.c b/Xext/sync.c
		39	index ee0010e657..585cfa6f68 100644
		40	--- a/Xext/sync.c
		41	+++ b/Xext/sync.c
		42	@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
		43	client->errorValue = syncObject;
		44	return rc;
		45	}
		46	- if (pSync != pTrigger->pSync) { /* new counter for trigger */
		47	- SyncDeleteTriggerFromSyncObject(pTrigger);
		48	- pTrigger->pSync = pSync;
		49	- newSyncObject = TRUE;
		50	- }
		51	}
		52
		53	/* if system counter, ask it what the current value is */
		54	@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
		55	}
		56	}
		57
		58	+ if (changes & XSyncCACounter) {
		59	+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
		60	+ SyncDeleteTriggerFromSyncObject(pTrigger);
		61	+ pTrigger->pSync = pSync;
		62	+ newSyncObject = TRUE;
		63	+ }
		64	+ }
		65	+
		66	/* we wait until we're sure there are no errors before registering
		67	* a new counter on a trigger
		68	*/
		69	--
		70	GitLab
		71


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..22e751c017 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch
@@ -0,0 +1,85 @@
		1	From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 20 Jan 2025 16:54:30 +0100
		4	Subject: [PATCH] sync: Check values before applying changes
		5
		6	In SyncInitTrigger(), we would set the CheckTrigger function before
		7	validating the counter value.
		8
		9	As a result, if the counter value overflowed, we would leave the
		10	function SyncInitTrigger() with the CheckTrigger applied but without
		11	updating the trigger object.
		12
		13	To avoid that issue, move the portion of code checking for the trigger
		14	check value before updating the CheckTrigger function.
		15
		16	Related to CVE-2025-26601, ZDI-CAN-25870
		17
		18	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		19	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		20	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		21
		22	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f]
		23	CVE: CVE-2025-26601
		24	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		25	---
		26	Xext/sync.c \| 36 ++++++++++++++++++------------------
		27	1 file changed, 18 insertions(+), 18 deletions(-)
		28
		29	diff --git a/Xext/sync.c b/Xext/sync.c
		30	index 585cfa6f68..10302160fb 100644
		31	--- a/Xext/sync.c
		32	+++ b/Xext/sync.c
		33	@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
		34	}
		35	}
		36
		37	+ if (changes & (XSyncCAValueType \| XSyncCAValue)) {
		38	+ if (pTrigger->value_type == XSyncAbsolute)
		39	+ pTrigger->test_value = pTrigger->wait_value;
		40	+ else { /* relative */
		41	+ Bool overflow;
		42	+
		43	+ if (pCounter == NULL)
		44	+ return BadMatch;
		45	+
		46	+ overflow = checked_int64_add(&pTrigger->test_value,
		47	+ pCounter->value, pTrigger->wait_value);
		48	+ if (overflow) {
		49	+ client->errorValue = pTrigger->wait_value >> 32;
		50	+ return BadValue;
		51	+ }
		52	+ }
		53	+ }
		54	+
		55	if (changes & XSyncCATestType) {
		56
		57	if (pSync && SYNC_FENCE == pSync->type) {
		58	@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
		59	}
		60	}
		61
		62	- if (changes & (XSyncCAValueType \| XSyncCAValue)) {
		63	- if (pTrigger->value_type == XSyncAbsolute)
		64	- pTrigger->test_value = pTrigger->wait_value;
		65	- else { /* relative */
		66	- Bool overflow;
		67	-
		68	- if (pCounter == NULL)
		69	- return BadMatch;
		70	-
		71	- overflow = checked_int64_add(&pTrigger->test_value,
		72	- pCounter->value, pTrigger->wait_value);
		73	- if (overflow) {
		74	- client->errorValue = pTrigger->wait_value >> 32;
		75	- return BadValue;
		76	- }
		77	- }
		78	- }
		79	-
		80	if (changes & XSyncCACounter) {
		81	if (pSync != pTrigger->pSync) { /* new counter for trigger */
		82	SyncDeleteTriggerFromSyncObject(pTrigger);
		83	--
		84	GitLab
		85


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..8d714f0302 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch
@@ -0,0 +1,52 @@
		1	From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 20 Jan 2025 17:06:07 +0100
		4	Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject()
		5
		6	We do not want to return a failure at the very last step in
		7	SyncInitTrigger() after having all changes applied.
		8
		9	SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
		10	allocation of the SyncTriggerList fails, trigger a FatalError() instead.
		11
		12	Related to CVE-2025-26601, ZDI-CAN-25870
		13
		14	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		15	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		16	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		17
		18	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8]
		19	CVE: CVE-2025-26601
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	Xext/sync.c \| 7 +++----
		23	1 file changed, 3 insertions(+), 4 deletions(-)
		24
		25	diff --git a/Xext/sync.c b/Xext/sync.c
		26	index 10302160fb..65f2d43780 100644
		27	--- a/Xext/sync.c
		28	+++ b/Xext/sync.c
		29	@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
		30	return Success;
		31	}
		32
		33	- if (!(pCur = malloc(sizeof(SyncTriggerList))))
		34	- return BadAlloc;
		35	+ /* Failure is not an option, it's succeed or burst! */
		36	+ pCur = XNFalloc(sizeof(SyncTriggerList));
		37
		38	pCur->pTrigger = pTrigger;
		39	pCur->next = pTrigger->pSync->pTriglist;
		40	@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
		41	* a new counter on a trigger
		42	*/
		43	if (newSyncObject) {
		44	- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
		45	- return rc;
		46	+ SyncAddTriggerToSyncObject(pTrigger);
		47	}
		48	else if (pCounter && IsSystemCounter(pCounter)) {
		49	SyncComputeBracketValues(pCounter);
		50	--
		51	GitLab
		52


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..e2261192fa --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch
@@ -0,0 +1,132 @@
		1	From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 20 Jan 2025 17:10:31 +0100
		4	Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes()
		5
		6	SyncChangeAlarmAttributes() would apply the various changes while
		7	checking for errors.
		8
		9	If one of the changes triggers an error, the changes for the trigger,
		10	counter or delta value would remain, possibly leading to inconsistent
		11	changes.
		12
		13	Postpone the actual changes until we're sure nothing else can go wrong.
		14
		15	Related to CVE-2025-26601, ZDI-CAN-25870
		16
		17	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		18	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		19	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		20
		21	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989]
		22	CVE: CVE-2025-26601
		23	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		24	---
		25	Xext/sync.c \| 42 +++++++++++++++++++++++++++---------------
		26	1 file changed, 27 insertions(+), 15 deletions(-)
		27
		28	diff --git a/Xext/sync.c b/Xext/sync.c
		29	index 65f2d43780..cab73be927 100644
		30	--- a/Xext/sync.c
		31	+++ b/Xext/sync.c
		32	@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
		33	int status;
		34	XSyncCounter counter;
		35	Mask origmask = mask;
		36	+ SyncTrigger trigger;
		37	+ Bool select_events_changed = FALSE;
		38	+ Bool select_events_value = FALSE;
		39	+ int64_t delta;
		40
		41	- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
		42	+ trigger = pAlarm->trigger;
		43	+ delta = pAlarm->delta;
		44	+ counter = trigger.pSync ? trigger.pSync->id : None;
		45
		46	while (mask) {
		47	int index2 = lowbit(mask);
		48	@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
		49	case XSyncCAValueType:
		50	mask &= ~XSyncCAValueType;
		51	/* sanity check in SyncInitTrigger */
		52	- pAlarm->trigger.value_type = *values++;
		53	+ trigger.value_type = *values++;
		54	break;
		55
		56	case XSyncCAValue:
		57	mask &= ~XSyncCAValue;
		58	- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) \| values[1];
		59	+ trigger.wait_value = ((int64_t)values[0] << 32) \| values[1];
		60	values += 2;
		61	break;
		62
		63	case XSyncCATestType:
		64	mask &= ~XSyncCATestType;
		65	/* sanity check in SyncInitTrigger */
		66	- pAlarm->trigger.test_type = *values++;
		67	+ trigger.test_type = *values++;
		68	break;
		69
		70	case XSyncCADelta:
		71	mask &= ~XSyncCADelta;
		72	- pAlarm->delta = ((int64_t)values[0] << 32) \| values[1];
		73	+ delta = ((int64_t)values[0] << 32) \| values[1];
		74	values += 2;
		75	break;
		76
		77	@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
		78	client->errorValue = *values;
		79	return BadValue;
		80	}
		81	- status = SyncEventSelectForAlarm(pAlarm, client,
		82	- (Bool) (*values++));
		83	- if (status != Success)
		84	- return status;
		85	+ select_events_value = (Bool) (*values++);
		86	+ select_events_changed = TRUE;
		87	break;
		88
		89	default:
		90	@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
		91	}
		92	}
		93
		94	+ if (select_events_changed) {
		95	+ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
		96	+ if (status != Success)
		97	+ return status;
		98	+ }
		99	+
		100	/* "If the test-type is PositiveComparison or PositiveTransition
		101	* and delta is less than zero, or if the test-type is
		102	* NegativeComparison or NegativeTransition and delta is
		103	* greater than zero, a Match error is generated."
		104	*/
		105	if (origmask & (XSyncCADelta \| XSyncCATestType)) {
		106	- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) \|\|
		107	- (pAlarm->trigger.test_type == XSyncPositiveTransition))
		108	- && pAlarm->delta < 0)
		109	+ if ((((trigger.test_type == XSyncPositiveComparison) \|\|
		110	+ (trigger.test_type == XSyncPositiveTransition))
		111	+ && delta < 0)
		112	\|\|
		113	- (((pAlarm->trigger.test_type == XSyncNegativeComparison) \|\|
		114	- (pAlarm->trigger.test_type == XSyncNegativeTransition))
		115	- && pAlarm->delta > 0)
		116	+ (((trigger.test_type == XSyncNegativeComparison) \|\|
		117	+ (trigger.test_type == XSyncNegativeTransition))
		118	+ && delta > 0)
		119	) {
		120	return BadMatch;
		121	}
		122	}
		123
		124	/* postpone this until now, when we're sure nothing else can go wrong */
		125	+ pAlarm->delta = delta;
		126	+ pAlarm->trigger = trigger;
		127	if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
		128	origmask & XSyncCAAllTrigger)) != Success)
		129	return status;
		130	--
		131	GitLab
		132


diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index ac0408ea67..0265366393 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -20,6 +20,10 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
20	file://CVE-2025-26599-1.patch \	20	file://CVE-2025-26599-1.patch \
21	file://CVE-2025-26599-2.patch \	21	file://CVE-2025-26599-2.patch \
22	file://CVE-2025-26600.patch \	22	file://CVE-2025-26600.patch \
		23	file://CVE-2025-26601-1.patch \
		24	file://CVE-2025-26601-2.patch \
		25	file://CVE-2025-26601-3.patch \
		26	file://CVE-2025-26601-4.patch \
23	"	27	"
24	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"	28	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
25		29