mirror of
https://git.yoctoproject.org/git/poky
synced 2026-01-01 13:58:04 +00:00
9e67c38d67
>From https://lists.x.org/archives/xorg-announce/2025-October/003635.html: 1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation Using the X11 Present extension, when processing and adding the notifications after presenting a pixmap, if an error occurs, a dangling pointer may be left in the error code path of the function causing a use-after-free when eventually destroying the notification structures later. Introduced in: Xorg 1.15 Fixed in: xorg-server-21.1.19 and xwayland-24.1.9 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative. 2) CVE-2025-62230: Use-after-free in Xkb client resource removal When removing the Xkb resources for a client, the function XkbRemoveResourceClient() will free the XkbInterest data associated with the device, but not the resource associated with it. As a result, when the client terminates, the resource delete function triggers a use-after-free. Introduced in: X11R6 Fixed in: xorg-server-21.1.19 and xwayland-24.1.9 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2c https://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative. 3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap() The XkbCompatMap structure stores some of its values using an unsigned short, but fails to check whether the sum of the input data might overflow the maximum unsigned short value. Introduced in: X11R6 Fixed in: xorg-server-21.1.19 and xwayland-24.1.9 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative. (From OE-Core rev: 50b9c34ba932761fab9035a54e58466d72b097bf) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
93 lines
3.5 KiB
Diff
93 lines
3.5 KiB
Diff
From 32b12feb6f9f3d32532ff75c7434a7426b85e0c3 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Wed, 10 Sep 2025 15:58:57 +0200
|
|
Subject: [PATCH 3/4] xkb: Free the XKB resource when freeing XkbInterest
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
XkbRemoveResourceClient() would free the XkbInterest data associated
|
|
with the device, but not the resource associated with it.
|
|
|
|
As a result, when the client terminates, the resource delete function
|
|
gets called and accesses already freed memory:
|
|
|
|
| Invalid read of size 8
|
|
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
|
|
| by 0x5B3391: XkbClientGone (xkb.c:7094)
|
|
| by 0x4DF138: doFreeResource (resource.c:890)
|
|
| by 0x4DFB50: FreeClientResources (resource.c:1156)
|
|
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
|
|
| by 0x5E0A53: ClientReady (connection.c:601)
|
|
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
|
|
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
|
|
| by 0x4A1BA5: Dispatch (dispatch.c:491)
|
|
| by 0x4B0070: dix_main (main.c:277)
|
|
| by 0x4285E7: main (stubmain.c:34)
|
|
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
|
|
| at 0x4842E43: free (vg_replace_malloc.c:989)
|
|
| by 0x49C1A6: CloseDevice (devices.c:1067)
|
|
| by 0x49C522: CloseOneDevice (devices.c:1193)
|
|
| by 0x49C6E4: RemoveDevice (devices.c:1244)
|
|
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
|
|
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
|
|
| by 0x579BF1: ProcIDispatch (extinit.c:390)
|
|
| by 0x4A1D85: Dispatch (dispatch.c:551)
|
|
| by 0x4B0070: dix_main (main.c:277)
|
|
| by 0x4285E7: main (stubmain.c:34)
|
|
| Block was alloc'd at
|
|
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
|
|
| by 0x49A118: AddInputDevice (devices.c:262)
|
|
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
|
|
| by 0x5866EE: add_master (xichangehierarchy.c:153)
|
|
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
|
|
| by 0x579BF1: ProcIDispatch (extinit.c:390)
|
|
| by 0x4A1D85: Dispatch (dispatch.c:551)
|
|
| by 0x4B0070: dix_main (main.c:277)
|
|
| by 0x4285E7: main (stubmain.c:34)
|
|
|
|
To avoid that issue, make sure to free the resources when freeing the
|
|
device XkbInterest data.
|
|
|
|
CVE-2025-62230, ZDI-CAN-27545
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
|
(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
|
|
|
|
CVE: CVE-2025-62230
|
|
Upstream-Status: Backport
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
|
---
|
|
xkb/xkbEvents.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
|
|
index 0bbd66186..3d04ecf0c 100644
|
|
--- a/xkb/xkbEvents.c
|
|
+++ b/xkb/xkbEvents.c
|
|
@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
|
|
autoCtrls = interest->autoCtrls;
|
|
autoValues = interest->autoCtrlValues;
|
|
client = interest->client;
|
|
+ FreeResource(interest->resource, RT_XKBCLIENT);
|
|
free(interest);
|
|
found = TRUE;
|
|
}
|
|
@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
|
|
autoCtrls = victim->autoCtrls;
|
|
autoValues = victim->autoCtrlValues;
|
|
client = victim->client;
|
|
+ FreeResource(victim->resource, RT_XKBCLIENT);
|
|
free(victim);
|
|
found = TRUE;
|
|
}
|
|
--
|
|
2.43.0
|
|
|