xwayland: Fix CVE-2025-26599

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 (From OE-Core rev: aea55eb6eb5610ef6e7d37fadcbb7e760bf80d7d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-05 19:02:12 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:22:56 -0800
commit: 9df0c884d620de74f7a494ec9af08c47c6ce05be (patch)
tree: 826d5358ce730be54238efbb57d5f1a5cacfedce
parent: a797ef3ea06dcb09e0b849bb0c458715588ae1d8 (diff)
download: poky-9df0c884d620de74f7a494ec9af08c47c6ce05be.tar.gz
3 files changed, 197 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
new file mode 100644
index 0000000000..60b68a0d9a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
@@ -0,0 +1,66 @@
+From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 17 Dec 2024 15:19:45 +0100
+Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow()
+The function compCheckRedirect() may fail if it cannot allocate the
+backing pixmap.
+In that case, compRedirectWindow() will return a BadAlloc error.
+However that failure code path will shortcut the validation of the
+window tree marked just before, which leaves the validate data partly
+initialized.
+That causes a use of uninitialized pointer later.
+The fix is to not shortcut the call to compHandleMarkedWindows() even in
+the case of compCheckRedirect() returning an error.
+CVE-2025-26599, ZDI-CAN-25851
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be]
+CVE: CVE-2025-26599
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ composite/compalloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index eaabf0d..0bbbc55 100644
+--- a/composite/compalloc.c
+++ b/composite/compalloc.c
+@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
+     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
+     WindowPtr pLayerWin;
+     Bool anyMarked = FALSE;
+    int status = Success;
+ 
+     if (pWin == cs->pOverlayWin) {
+         return Success;
+@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
+ 
+     if (!compCheckRedirect(pWin)) {
+         FreeResource(ccw->id, RT_NONE);
+-        return BadAlloc;
+        status = BadAlloc;
+     }
+ 
+     if (anyMarked)
+         compHandleMarkedWindows(pWin, pLayerWin);
+ 
+-    return Success;
+    return status;
+ }
+ 
+ void
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch
new file mode 100644
index 0000000000..252b033261
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch
@@ -0,0 +1,129 @@
+From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Jan 2025 16:09:43 +0100
+Subject: [PATCH] composite: initialize border clip even when pixmap alloc
+ fails
+If it fails to allocate the pixmap, the function compAllocPixmap() would
+return early and leave the borderClip region uninitialized, which may
+lead to the use of uninitialized value as reported by valgrind:
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x4F9B33: compClipNotify (compwindow.c:317)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
+    by 0x4F9255: RegionTranslate (regionstr.h:312)
+    by 0x4F9B7E: compClipNotify (compwindow.c:319)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
+    by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
+    by 0x4F9255: RegionTranslate (regionstr.h:312)
+    by 0x4F9B7E: compClipNotify (compwindow.c:319)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+Fix compAllocPixmap() to initialize the border clip even if the creation
+of the backing pixmap has failed, to avoid depending later on
+uninitialized border clip values.
+Related to CVE-2025-26599, ZDI-CAN-25851
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8]
+CVE: CVE-2025-26599
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ composite/compalloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index 7cf7351e00..4a1243170d 100644
+--- a/composite/compalloc.c
+++ b/composite/compalloc.c
+@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
+     int h = pWin->drawable.height + (bw << 1);
+     PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
+     CompWindowPtr cw = GetCompWindow(pWin);
+    Bool status;
+ 
+-    if (!pPixmap)
+-        return FALSE;
+    if (!pPixmap) {
+        status = FALSE;
+        goto out;
+    }
+     if (cw->update == CompositeRedirectAutomatic)
+         pWin->redirectDraw = RedirectDrawAutomatic;
+     else
+@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
+         DamageRegister(&pWin->drawable, cw->damage);
+         cw->damageRegistered = TRUE;
+     }
+    status = TRUE;
+ 
+out:
+     /* Make sure our borderClip is up to date */
+     RegionUninit(&cw->borderClip);
+     RegionCopy(&cw->borderClip, &pWin->borderClip);
+     cw->borderClipX = pWin->drawable.x;
+     cw->borderClipY = pWin->drawable.y;
+ 
+-    return TRUE;
+    return status;
+ }
+ 
+ void
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index b46a02e5c3..cafddc62b5 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26596.patch \
           file://CVE-2025-26597.patch \
           file://CVE-2025-26598.patch \
+           file://CVE-2025-26599-1.patch \
+           file://CVE-2025-26599-2.patch \
 "
 SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-05 19:02:12 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:22:56 -0800
commit	9df0c884d620de74f7a494ec9af08c47c6ce05be (patch)
tree	826d5358ce730be54238efbb57d5f1a5cacfedce
parent	a797ef3ea06dcb09e0b849bb0c458715588ae1d8 (diff)
download	poky-9df0c884d620de74f7a494ec9af08c47c6ce05be.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch new file mode 100644 index 0000000000..60b68a0d9a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch
@@ -0,0 +1,66 @@
		1	From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Tue, 17 Dec 2024 15:19:45 +0100
		4	Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow()
		5
		6	The function compCheckRedirect() may fail if it cannot allocate the
		7	backing pixmap.
		8
		9	In that case, compRedirectWindow() will return a BadAlloc error.
		10
		11	However that failure code path will shortcut the validation of the
		12	window tree marked just before, which leaves the validate data partly
		13	initialized.
		14
		15	That causes a use of uninitialized pointer later.
		16
		17	The fix is to not shortcut the call to compHandleMarkedWindows() even in
		18	the case of compCheckRedirect() returning an error.
		19
		20	CVE-2025-26599, ZDI-CAN-25851
		21
		22	This vulnerability was discovered by:
		23	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		24
		25	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		26	Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		28
		29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be]
		30	CVE: CVE-2025-26599
		31	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		32	---
		33	composite/compalloc.c \| 5 +++--
		34	1 file changed, 3 insertions(+), 2 deletions(-)
		35
		36	diff --git a/composite/compalloc.c b/composite/compalloc.c
		37	index eaabf0d..0bbbc55 100644
		38	--- a/composite/compalloc.c
		39	+++ b/composite/compalloc.c
		40	@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
		41	CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
		42	WindowPtr pLayerWin;
		43	Bool anyMarked = FALSE;
		44	+ int status = Success;
		45
		46	if (pWin == cs->pOverlayWin) {
		47	return Success;
		48	@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
		49
		50	if (!compCheckRedirect(pWin)) {
		51	FreeResource(ccw->id, RT_NONE);
		52	- return BadAlloc;
		53	+ status = BadAlloc;
		54	}
		55
		56	if (anyMarked)
		57	compHandleMarkedWindows(pWin, pLayerWin);
		58
		59	- return Success;
		60	+ return status;
		61	}
		62
		63	void
		64	--
		65	2.25.1
		66


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch new file mode 100644 index 0000000000..252b033261 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch
@@ -0,0 +1,129 @@
		1	From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 13 Jan 2025 16:09:43 +0100
		4	Subject: [PATCH] composite: initialize border clip even when pixmap alloc
		5	fails
		6
		7	If it fails to allocate the pixmap, the function compAllocPixmap() would
		8	return early and leave the borderClip region uninitialized, which may
		9	lead to the use of uninitialized value as reported by valgrind:
		10
		11	Conditional jump or move depends on uninitialised value(s)
		12	at 0x4F9B33: compClipNotify (compwindow.c:317)
		13	by 0x484FC9: miComputeClips (mivaltree.c:476)
		14	by 0x48559A: miValidateTree (mivaltree.c:679)
		15	by 0x4F0685: MapWindow (window.c:2693)
		16	by 0x4A344A: ProcMapWindow (dispatch.c:922)
		17	by 0x4A25B5: Dispatch (dispatch.c:560)
		18	by 0x4B082A: dix_main (main.c:282)
		19	by 0x429233: main (stubmain.c:34)
		20	Uninitialised value was created by a heap allocation
		21	at 0x4841866: malloc (vg_replace_malloc.c:446)
		22	by 0x4F47BC: compRedirectWindow (compalloc.c:171)
		23	by 0x4FA8AD: compCreateWindow (compwindow.c:592)
		24	by 0x4EBB89: CreateWindow (window.c:925)
		25	by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
		26	by 0x4A25B5: Dispatch (dispatch.c:560)
		27	by 0x4B082A: dix_main (main.c:282)
		28	by 0x429233: main (stubmain.c:34)
		29
		30	Conditional jump or move depends on uninitialised value(s)
		31	at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
		32	by 0x4F9255: RegionTranslate (regionstr.h:312)
		33	by 0x4F9B7E: compClipNotify (compwindow.c:319)
		34	by 0x484FC9: miComputeClips (mivaltree.c:476)
		35	by 0x48559A: miValidateTree (mivaltree.c:679)
		36	by 0x4F0685: MapWindow (window.c:2693)
		37	by 0x4A344A: ProcMapWindow (dispatch.c:922)
		38	by 0x4A25B5: Dispatch (dispatch.c:560)
		39	by 0x4B082A: dix_main (main.c:282)
		40	by 0x429233: main (stubmain.c:34)
		41	Uninitialised value was created by a heap allocation
		42	at 0x4841866: malloc (vg_replace_malloc.c:446)
		43	by 0x4F47BC: compRedirectWindow (compalloc.c:171)
		44	by 0x4FA8AD: compCreateWindow (compwindow.c:592)
		45	by 0x4EBB89: CreateWindow (window.c:925)
		46	by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
		47	by 0x4A25B5: Dispatch (dispatch.c:560)
		48	by 0x4B082A: dix_main (main.c:282)
		49	by 0x429233: main (stubmain.c:34)
		50
		51	Conditional jump or move depends on uninitialised value(s)
		52	at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
		53	by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
		54	by 0x4F9255: RegionTranslate (regionstr.h:312)
		55	by 0x4F9B7E: compClipNotify (compwindow.c:319)
		56	by 0x484FC9: miComputeClips (mivaltree.c:476)
		57	by 0x48559A: miValidateTree (mivaltree.c:679)
		58	by 0x4F0685: MapWindow (window.c:2693)
		59	by 0x4A344A: ProcMapWindow (dispatch.c:922)
		60	by 0x4A25B5: Dispatch (dispatch.c:560)
		61	by 0x4B082A: dix_main (main.c:282)
		62	by 0x429233: main (stubmain.c:34)
		63	Uninitialised value was created by a heap allocation
		64	at 0x4841866: malloc (vg_replace_malloc.c:446)
		65	by 0x4F47BC: compRedirectWindow (compalloc.c:171)
		66	by 0x4FA8AD: compCreateWindow (compwindow.c:592)
		67	by 0x4EBB89: CreateWindow (window.c:925)
		68	by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
		69	by 0x4A25B5: Dispatch (dispatch.c:560)
		70	by 0x4B082A: dix_main (main.c:282)
		71	by 0x429233: main (stubmain.c:34)
		72
		73	Fix compAllocPixmap() to initialize the border clip even if the creation
		74	of the backing pixmap has failed, to avoid depending later on
		75	uninitialized border clip values.
		76
		77	Related to CVE-2025-26599, ZDI-CAN-25851
		78
		79	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		80	Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
		81	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		82
		83	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8]
		84	CVE: CVE-2025-26599
		85	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		86	---
		87	composite/compalloc.c \| 11 ++++++++---
		88	1 file changed, 8 insertions(+), 3 deletions(-)
		89
		90	diff --git a/composite/compalloc.c b/composite/compalloc.c
		91	index 7cf7351e00..4a1243170d 100644
		92	--- a/composite/compalloc.c
		93	+++ b/composite/compalloc.c
		94	@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
		95	int h = pWin->drawable.height + (bw << 1);
		96	PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
		97	CompWindowPtr cw = GetCompWindow(pWin);
		98	+ Bool status;
		99
		100	- if (!pPixmap)
		101	- return FALSE;
		102	+ if (!pPixmap) {
		103	+ status = FALSE;
		104	+ goto out;
		105	+ }
		106	if (cw->update == CompositeRedirectAutomatic)
		107	pWin->redirectDraw = RedirectDrawAutomatic;
		108	else
		109	@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
		110	DamageRegister(&pWin->drawable, cw->damage);
		111	cw->damageRegistered = TRUE;
		112	}
		113	+ status = TRUE;
		114
		115	+out:
		116	/* Make sure our borderClip is up to date */
		117	RegionUninit(&cw->borderClip);
		118	RegionCopy(&cw->borderClip, &pWin->borderClip);
		119	cw->borderClipX = pWin->drawable.x;
		120	cw->borderClipY = pWin->drawable.y;
		121
		122	- return TRUE;
		123	+ return status;
		124	}
		125
		126	void
		127	--
		128	GitLab
		129


diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b46a02e5c3..cafddc62b5 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
17	file://CVE-2025-26596.patch \	17	file://CVE-2025-26596.patch \
18	file://CVE-2025-26597.patch \	18	file://CVE-2025-26597.patch \
19	file://CVE-2025-26598.patch \	19	file://CVE-2025-26598.patch \
		20	file://CVE-2025-26599-1.patch \
		21	file://CVE-2025-26599-2.patch \
20	"	22	"
21	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"	23	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
22		24