xwayland: Fix CVE-2025-26598

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a (From OE-Core rev: b58fe3b82168502e29f500e42ca8d140934f5b1a) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-05 19:02:11 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:22:56 -0800
commit: a797ef3ea06dcb09e0b849bb0c458715588ae1d8 (patch)
tree: 27ea0a6ffafd2d503b47d92b23f8563aba2142f6
parent: cfa84dcc1a4921cccb06fca369a8a42f376ec3e6 (diff)
download: poky-a797ef3ea06dcb09e0b849bb0c458715588ae1d8.tar.gz
2 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
new file mode 100644
index 0000000000..210a76262a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
@@ -0,0 +1,120 @@
+From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH] Xi: Fix barrier device search
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+CVE-2025-26598, ZDI-CAN-25740
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a]
+CVE: CVE-2025-26598
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index 700b2b8c53..6761bcb49a 100644
+--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
+@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
+ 
+ static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
+ {
+-    struct PointerBarrierDevice *pbd = NULL;
+    struct PointerBarrierDevice *p, *pbd = NULL;
+ 
+-    xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+-        if (pbd->deviceid == deviceid)
+    xorg_list_for_each_entry(p, &c->per_device, entry) {
+        if (p->deviceid == deviceid) {
+            pbd = p;
+             break;
+        }
+     }
+ 
+-    BUG_WARN(!pbd);
+     return pbd;
+ }
+ 
+@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
+         double distance;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
+        if (!pbd)
+            continue;
+
+         if (pbd->seen)
+             continue;
+ 
+@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         nearest = &c->barrier;
+ 
+         pbd = GetBarrierDevice(c, master->id);
+        if (!pbd)
+            continue;
+
+         new_sequence = !pbd->hit;
+ 
+         pbd->seen = TRUE;
+@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         int flags = 0;
+ 
+         pbd = GetBarrierDevice(c, master->id);
+        if (!pbd)
+            continue;
+
+         pbd->seen = FALSE;
+         if (!pbd->hit)
+             continue;
+@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id)
+             continue;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
+        if (!pbd)
+            continue;
+
+         if (!pbd->hit)
+             continue;
+ 
+@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid)
+     barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+     pbd = GetBarrierDevice(barrier, *deviceid);
+    if (!pbd)
+        return;
+ 
+     if (pbd->hit) {
+         BarrierEvent ev = {
+@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+         barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+         pbd = GetBarrierDevice(barrier, dev->id);
+        if (!pbd) {
+            client->errorValue = dev->id;
+            return BadDevice;
+        }
+ 
+         if (pbd->barrier_event_id == event_id)
+             pbd->release_event_id = event_id;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 7f94c5e2e2..b46a02e5c3 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26595.patch \
           file://CVE-2025-26596.patch \
           file://CVE-2025-26597.patch \
+           file://CVE-2025-26598.patch \
 "
 SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-05 19:02:11 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:22:56 -0800
commit	a797ef3ea06dcb09e0b849bb0c458715588ae1d8 (patch)
tree	27ea0a6ffafd2d503b47d92b23f8563aba2142f6
parent	cfa84dcc1a4921cccb06fca369a8a42f376ec3e6 (diff)
download	poky-a797ef3ea06dcb09e0b849bb0c458715588ae1d8.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch new file mode 100644 index 0000000000..210a76262a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
@@ -0,0 +1,120 @@
		1	From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 16 Dec 2024 11:25:11 +0100
		4	Subject: [PATCH] Xi: Fix barrier device search
		5
		6	The function GetBarrierDevice() would search for the pointer device
		7	based on its device id and return the matching value, or supposedly NULL
		8	if no match was found.
		9
		10	Unfortunately, as written, it would return the last element of the list
		11	if no matching device id was found which can lead to out of bounds
		12	memory access.
		13
		14	Fix the search function to return NULL if not matching device is found,
		15	and adjust the callers to handle the case where the device cannot be
		16	found.
		17
		18	CVE-2025-26598, ZDI-CAN-25740
		19
		20	This vulnerability was discovered by:
		21	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		22
		23	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		24	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		26
		27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a]
		28	CVE: CVE-2025-26598
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	Xi/xibarriers.c \| 27 +++++++++++++++++++++++----
		32	1 file changed, 23 insertions(+), 4 deletions(-)
		33
		34	diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
		35	index 700b2b8c53..6761bcb49a 100644
		36	--- a/Xi/xibarriers.c
		37	+++ b/Xi/xibarriers.c
		38	@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
		39
		40	static struct PointerBarrierDevice GetBarrierDevice(struct PointerBarrierClient c, int deviceid)
		41	{
		42	- struct PointerBarrierDevice *pbd = NULL;
		43	+ struct PointerBarrierDevice p, pbd = NULL;
		44
		45	- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
		46	- if (pbd->deviceid == deviceid)
		47	+ xorg_list_for_each_entry(p, &c->per_device, entry) {
		48	+ if (p->deviceid == deviceid) {
		49	+ pbd = p;
		50	break;
		51	+ }
		52	}
		53
		54	- BUG_WARN(!pbd);
		55	return pbd;
		56	}
		57
		58	@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
		59	double distance;
		60
		61	pbd = GetBarrierDevice(c, dev->id);
		62	+ if (!pbd)
		63	+ continue;
		64	+
		65	if (pbd->seen)
		66	continue;
		67
		68	@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
		69	nearest = &c->barrier;
		70
		71	pbd = GetBarrierDevice(c, master->id);
		72	+ if (!pbd)
		73	+ continue;
		74	+
		75	new_sequence = !pbd->hit;
		76
		77	pbd->seen = TRUE;
		78	@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
		79	int flags = 0;
		80
		81	pbd = GetBarrierDevice(c, master->id);
		82	+ if (!pbd)
		83	+ continue;
		84	+
		85	pbd->seen = FALSE;
		86	if (!pbd->hit)
		87	continue;
		88	@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id)
		89	continue;
		90
		91	pbd = GetBarrierDevice(c, dev->id);
		92	+ if (!pbd)
		93	+ continue;
		94	+
		95	if (!pbd->hit)
		96	continue;
		97
		98	@@ -741,6 +754,8 @@ static void remove_master_func(void res, XID id, void devid)
		99	barrier = container_of(b, struct PointerBarrierClient, barrier);
		100
		101	pbd = GetBarrierDevice(barrier, *deviceid);
		102	+ if (!pbd)
		103	+ return;
		104
		105	if (pbd->hit) {
		106	BarrierEvent ev = {
		107	@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
		108	barrier = container_of(b, struct PointerBarrierClient, barrier);
		109
		110	pbd = GetBarrierDevice(barrier, dev->id);
		111	+ if (!pbd) {
		112	+ client->errorValue = dev->id;
		113	+ return BadDevice;
		114	+ }
		115
		116	if (pbd->barrier_event_id == event_id)
		117	pbd->release_event_id = event_id;
		118	--
		119	GitLab
		120


diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 7f94c5e2e2..b46a02e5c3 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
16	file://CVE-2025-26595.patch \	16	file://CVE-2025-26595.patch \
17	file://CVE-2025-26596.patch \	17	file://CVE-2025-26596.patch \
18	file://CVE-2025-26597.patch \	18	file://CVE-2025-26597.patch \
		19	file://CVE-2025-26598.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"	21	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
21		22