xwayland: Fix for CVE-2025-62229

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 (From OE-Core rev: 5c6a07f215e00392b1831ed89ac0f8180823e124) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-11-19 13:14:06 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-11-24 06:57:39 -0800
commit: 3d559d269acb426fd2ae119446581e4a8cc54e18 (patch)
tree: 9ece8637e903ecad00ae4c038fbb814381c040c8 /meta/recipes-graphics
parent: 36037789d23df9db38fbbe5351d1a25fbe85e61d (diff)
download: poky-3d559d269acb426fd2ae119446581e4a8cc54e18.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
new file mode 100644
index 0000000000..634e8d44f1
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
@@ -0,0 +1,89 @@
+From 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 2 Jul 2025 09:46:22 +0200
+Subject: [PATCH] present: Fix use-after-free in present_create_notifies()
+Using the Present extension, if an error occurs while processing and
+adding the notifications after presenting a pixmap, the function
+present_create_notifies() will clean up and remove the notifications
+it added.
+However, there are two different code paths that can lead to an error
+creating the notify, one being before the notify is being added to the
+list, and another one after the notify is added.
+When the error occurs before it's been added, it removes the elements up
+to the last added element, instead of the actual number of elements
+which were added.
+As a result, in case of error, as with an invalid window for example, it
+leaves a dangling pointer to the last element, leading to a use after
+free case later:
+ |  Invalid write of size 8
+ |     at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
+ |     by 0x534A56: present_destroy_window (present_screen.c:107)
+ |     by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
+ |     by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
+ |     by 0x51EAC4: damageDestroyWindow (damage.c:1592)
+ |     by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
+ |     by 0x4EAC55: FreeWindowResources (window.c:1023)
+ |     by 0x4EAF59: DeleteWindow (window.c:1091)
+ |     by 0x4DE59A: doFreeResource (resource.c:890)
+ |     by 0x4DEFB2: FreeClientResources (resource.c:1156)
+ |     by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
+ |     by 0x5DCC78: ClientReady (connection.c:603)
+ |   Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
+ |     at 0x4841E43: free (vg_replace_malloc.c:989)
+ |     by 0x5363DD: present_destroy_notifies (present_notify.c:111)
+ |     by 0x53638D: present_create_notifies (present_notify.c:100)
+ |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
+ |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
+ |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
+ |     by 0x4A1E4E: Dispatch (dispatch.c:561)
+ |     by 0x4B00F1: dix_main (main.c:284)
+ |     by 0x42879D: main (stubmain.c:34)
+ |   Block was alloc'd at
+ |     at 0x48463F3: calloc (vg_replace_malloc.c:1675)
+ |     by 0x5362A1: present_create_notifies (present_notify.c:81)
+ |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
+ |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
+ |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
+ |     by 0x4A1E4E: Dispatch (dispatch.c:561)
+ |     by 0x4B00F1: dix_main (main.c:284)
+ |     by 0x42879D: main (stubmain.c:34)
+To fix the issue, count and remove the actual number of notify elements
+added in case of error.
+CVE-2025-62229, ZDI-CAN-27238
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0]
+CVE: CVE-2025-62229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ present/present_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/present/present_notify.c b/present/present_notify.c
+index 7d19d9cfe1..fe84d1f070 100644
+--- a/present/present_notify.c
+++ b/present/present_notify.c
+@@ -92,7 +92,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
+         if (status != Success)
+             goto bail;
+ 
+-        added = i;
+        added++;
+     }
+     return Success;
+ 
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 73f5a05ce7..ba0ed6048e 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -50,6 +50,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-49178.patch \
           file://CVE-2025-49179.patch \
           file://CVE-2025-49180.patch \
+           file://CVE-2025-62229.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-11-19 13:14:06 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-11-24 06:57:39 -0800
commit	3d559d269acb426fd2ae119446581e4a8cc54e18 (patch)
tree	9ece8637e903ecad00ae4c038fbb814381c040c8 /meta/recipes-graphics
parent	36037789d23df9db38fbbe5351d1a25fbe85e61d (diff)
download	poky-3d559d269acb426fd2ae119446581e4a8cc54e18.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch new file mode 100644 index 0000000000..634e8d44f1 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
@@ -0,0 +1,89 @@
		1	From 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 2 Jul 2025 09:46:22 +0200
		4	Subject: [PATCH] present: Fix use-after-free in present_create_notifies()
		5
		6	Using the Present extension, if an error occurs while processing and
		7	adding the notifications after presenting a pixmap, the function
		8	present_create_notifies() will clean up and remove the notifications
		9	it added.
		10
		11	However, there are two different code paths that can lead to an error
		12	creating the notify, one being before the notify is being added to the
		13	list, and another one after the notify is added.
		14
		15	When the error occurs before it's been added, it removes the elements up
		16	to the last added element, instead of the actual number of elements
		17	which were added.
		18
		19	As a result, in case of error, as with an invalid window for example, it
		20	leaves a dangling pointer to the last element, leading to a use after
		21	free case later:
		22
		23	\| Invalid write of size 8
		24	\| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
		25	\| by 0x534A56: present_destroy_window (present_screen.c:107)
		26	\| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
		27	\| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
		28	\| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
		29	\| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
		30	\| by 0x4EAC55: FreeWindowResources (window.c:1023)
		31	\| by 0x4EAF59: DeleteWindow (window.c:1091)
		32	\| by 0x4DE59A: doFreeResource (resource.c:890)
		33	\| by 0x4DEFB2: FreeClientResources (resource.c:1156)
		34	\| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
		35	\| by 0x5DCC78: ClientReady (connection.c:603)
		36	\| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
		37	\| at 0x4841E43: free (vg_replace_malloc.c:989)
		38	\| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
		39	\| by 0x53638D: present_create_notifies (present_notify.c:100)
		40	\| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
		41	\| by 0x536A7D: proc_present_pixmap (present_request.c:189)
		42	\| by 0x536FA9: proc_present_dispatch (present_request.c:337)
		43	\| by 0x4A1E4E: Dispatch (dispatch.c:561)
		44	\| by 0x4B00F1: dix_main (main.c:284)
		45	\| by 0x42879D: main (stubmain.c:34)
		46	\| Block was alloc'd at
		47	\| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
		48	\| by 0x5362A1: present_create_notifies (present_notify.c:81)
		49	\| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
		50	\| by 0x536A7D: proc_present_pixmap (present_request.c:189)
		51	\| by 0x536FA9: proc_present_dispatch (present_request.c:337)
		52	\| by 0x4A1E4E: Dispatch (dispatch.c:561)
		53	\| by 0x4B00F1: dix_main (main.c:284)
		54	\| by 0x42879D: main (stubmain.c:34)
		55
		56	To fix the issue, count and remove the actual number of notify elements
		57	added in case of error.
		58
		59	CVE-2025-62229, ZDI-CAN-27238
		60
		61	This vulnerability was discovered by:
		62	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		63
		64	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		65	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
		66
		67	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0]
		68	CVE: CVE-2025-62229
		69	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		70	---
		71	present/present_notify.c \| 2 +-
		72	1 file changed, 1 insertion(+), 1 deletion(-)
		73
		74	diff --git a/present/present_notify.c b/present/present_notify.c
		75	index 7d19d9cfe1..fe84d1f070 100644
		76	--- a/present/present_notify.c
		77	+++ b/present/present_notify.c
		78	@@ -92,7 +92,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
		79	if (status != Success)
		80	goto bail;
		81
		82	- added = i;
		83	+ added++;
		84	}
		85	return Success;
		86
		87	--
		88	GitLab
		89


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 73f5a05ce7..ba0ed6048e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -50,6 +50,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
50	file://CVE-2025-49178.patch \	50	file://CVE-2025-49178.patch \
51	file://CVE-2025-49179.patch \	51	file://CVE-2025-49179.patch \
52	file://CVE-2025-49180.patch \	52	file://CVE-2025-49180.patch \
		53	file://CVE-2025-62229.patch \
53	"	54	"
54	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	55	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
55		56