xwayland: Fix CVE-2025-26600

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b (From OE-Core rev: f84fd297131deda3e13377f0b3555a71e67f1d74) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-05 19:02:13 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:22:56 -0800
commit: bf6991091ce519caea7220fa56a9ff6b27d49c21 (patch)
tree: 29cf81230b63a0fab75a3075da3872a40cc93107
parent: 9df0c884d620de74f7a494ec9af08c47c6ce05be (diff)
download: poky-bf6991091ce519caea7220fa56a9ff6b27d49c21.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch
new file mode 100644
index 0000000000..43b47b3ca3
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch
@@ -0,0 +1,68 @@
+From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH] dix: Dequeue pending events on frozen device on removal
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+As a result, replaying the events will cause a use after free.
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+CVE-2025-26600, ZDI-CAN-25871
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b]
+CVE: CVE-2025-26600
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+diff --git a/dix/devices.c b/dix/devices.c
+index 1516147..459f1ed 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+ 
+ }
+ 
+static void
+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
+{
+    QdEventPtr qe, tmp;
+
+    if (!dev->deviceGrab.sync.frozen)
+        return;
+
+    /* Dequeue any frozen pending events */
+    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
+        if (qe->device == dev) {
+            xorg_list_del(&qe->next);
+            free(qe);
+        }
+    }
+}
+
+ /**
+  * Close down a device and free all resources.
+  * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev)
+         free(dev->last.touches[j].valuators);
+     free(dev->last.touches);
+     dev->config_info = NULL;
+    FreePendingFrozenDeviceEvents(dev);
+     dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+     free(dev);
+ }
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index cafddc62b5..ac0408ea67 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26598.patch \
           file://CVE-2025-26599-1.patch \
           file://CVE-2025-26599-2.patch \
+           file://CVE-2025-26600.patch \
 "
 SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-05 19:02:13 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:22:56 -0800
commit	bf6991091ce519caea7220fa56a9ff6b27d49c21 (patch)
tree	29cf81230b63a0fab75a3075da3872a40cc93107
parent	9df0c884d620de74f7a494ec9af08c47c6ce05be (diff)
download	poky-bf6991091ce519caea7220fa56a9ff6b27d49c21.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch new file mode 100644 index 0000000000..43b47b3ca3 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch
@@ -0,0 +1,68 @@
		1	From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 16 Dec 2024 16:18:04 +0100
		4	Subject: [PATCH] dix: Dequeue pending events on frozen device on removal
		5
		6	When a device is removed while still frozen, the events queued for that
		7	device remain while the device itself is freed.
		8
		9	As a result, replaying the events will cause a use after free.
		10
		11	To avoid the issue, make sure to dequeue and free any pending events on
		12	a frozen device when removed.
		13
		14	CVE-2025-26600, ZDI-CAN-25871
		15
		16	This vulnerability was discovered by:
		17	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		18
		19	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		20	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		21	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		22
		23	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b]
		24	CVE: CVE-2025-26600
		25	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		26	---
		27	dix/devices.c \| 18 ++++++++++++++++++
		28	1 file changed, 18 insertions(+)
		29
		30	diff --git a/dix/devices.c b/dix/devices.c
		31	index 1516147..459f1ed 100644
		32	--- a/dix/devices.c
		33	+++ b/dix/devices.c
		34	@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
		35
		36	}
		37
		38	+static void
		39	+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
		40	+{
		41	+ QdEventPtr qe, tmp;
		42	+
		43	+ if (!dev->deviceGrab.sync.frozen)
		44	+ return;
		45	+
		46	+ /* Dequeue any frozen pending events */
		47	+ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
		48	+ if (qe->device == dev) {
		49	+ xorg_list_del(&qe->next);
		50	+ free(qe);
		51	+ }
		52	+ }
		53	+}
		54	+
		55	/**
		56	* Close down a device and free all resources.
		57	* Once closed down, the driver will probably not expect you that you'll ever
		58	@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev)
		59	free(dev->last.touches[j].valuators);
		60	free(dev->last.touches);
		61	dev->config_info = NULL;
		62	+ FreePendingFrozenDeviceEvents(dev);
		63	dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
		64	free(dev);
		65	}
		66	--
		67	2.25.1
		68


diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index cafddc62b5..ac0408ea67 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
19	file://CVE-2025-26598.patch \	19	file://CVE-2025-26598.patch \
20	file://CVE-2025-26599-1.patch \	20	file://CVE-2025-26599-1.patch \
21	file://CVE-2025-26599-2.patch \	21	file://CVE-2025-26599-2.patch \
		22	file://CVE-2025-26600.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"	24	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
24		25