xserver-xorg: Fix for CVE-2025-26600

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b (From OE-Core rev: 4227ae54a29ca8b454e56ffd27de2bbce00b6b89) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-02-27 18:02:05 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-04 08:46:02 -0800
commit: 7c9d09d47c628f9fec00edae5100bc459ce7949f (patch)
tree: 87f887c7dc16d6c1930b30aa26d6072b2a804e94
parent: b4512e569158c91bf609017b1a37f57a7658ebd2 (diff)
download: poky-7c9d09d47c628f9fec00edae5100bc459ce7949f.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch
new file mode 100644
index 0000000000..43b47b3ca3
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch
@@ -0,0 +1,68 @@
+From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH] dix: Dequeue pending events on frozen device on removal
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+As a result, replaying the events will cause a use after free.
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+CVE-2025-26600, ZDI-CAN-25871
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b]
+CVE: CVE-2025-26600
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+diff --git a/dix/devices.c b/dix/devices.c
+index 1516147..459f1ed 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+ 
+ }
+ 
+static void
+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
+{
+    QdEventPtr qe, tmp;
+
+    if (!dev->deviceGrab.sync.frozen)
+        return;
+
+    /* Dequeue any frozen pending events */
+    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
+        if (qe->device == dev) {
+            xorg_list_del(&qe->next);
+            free(qe);
+        }
+    }
+}
+
+ /**
+  * Close down a device and free all resources.
+  * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev)
+         free(dev->last.touches[j].valuators);
+     free(dev->last.touches);
+     dev->config_info = NULL;
+    FreePendingFrozenDeviceEvents(dev);
+     dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+     free(dev);
+ }
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index e50d7bfb9e..d7b0e7b589 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -30,6 +30,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2025-26598.patch \
           file://CVE-2025-26599-1.patch \
           file://CVE-2025-26599-2.patch \
+           file://CVE-2025-26600.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-02-27 18:02:05 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-04 08:46:02 -0800
commit	7c9d09d47c628f9fec00edae5100bc459ce7949f (patch)
tree	87f887c7dc16d6c1930b30aa26d6072b2a804e94
parent	b4512e569158c91bf609017b1a37f57a7658ebd2 (diff)
download	poky-7c9d09d47c628f9fec00edae5100bc459ce7949f.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch new file mode 100644 index 0000000000..43b47b3ca3 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch
@@ -0,0 +1,68 @@
		1	From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 16 Dec 2024 16:18:04 +0100
		4	Subject: [PATCH] dix: Dequeue pending events on frozen device on removal
		5
		6	When a device is removed while still frozen, the events queued for that
		7	device remain while the device itself is freed.
		8
		9	As a result, replaying the events will cause a use after free.
		10
		11	To avoid the issue, make sure to dequeue and free any pending events on
		12	a frozen device when removed.
		13
		14	CVE-2025-26600, ZDI-CAN-25871
		15
		16	This vulnerability was discovered by:
		17	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		18
		19	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		20	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		21	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		22
		23	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b]
		24	CVE: CVE-2025-26600
		25	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		26	---
		27	dix/devices.c \| 18 ++++++++++++++++++
		28	1 file changed, 18 insertions(+)
		29
		30	diff --git a/dix/devices.c b/dix/devices.c
		31	index 1516147..459f1ed 100644
		32	--- a/dix/devices.c
		33	+++ b/dix/devices.c
		34	@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
		35
		36	}
		37
		38	+static void
		39	+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
		40	+{
		41	+ QdEventPtr qe, tmp;
		42	+
		43	+ if (!dev->deviceGrab.sync.frozen)
		44	+ return;
		45	+
		46	+ /* Dequeue any frozen pending events */
		47	+ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
		48	+ if (qe->device == dev) {
		49	+ xorg_list_del(&qe->next);
		50	+ free(qe);
		51	+ }
		52	+ }
		53	+}
		54	+
		55	/**
		56	* Close down a device and free all resources.
		57	* Once closed down, the driver will probably not expect you that you'll ever
		58	@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev)
		59	free(dev->last.touches[j].valuators);
		60	free(dev->last.touches);
		61	dev->config_info = NULL;
		62	+ FreePendingFrozenDeviceEvents(dev);
		63	dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
		64	free(dev);
		65	}
		66	--
		67	2.25.1
		68


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index e50d7bfb9e..d7b0e7b589 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -30,6 +30,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
30	file://CVE-2025-26598.patch \	30	file://CVE-2025-26598.patch \
31	file://CVE-2025-26599-1.patch \	31	file://CVE-2025-26599-1.patch \
32	file://CVE-2025-26599-2.patch \	32	file://CVE-2025-26599-2.patch \
		33	file://CVE-2025-26600.patch \
33	"	34	"
34	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	35	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
35		36