From 1abca0b9b5b019cda32aa92466a760660ebd952d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 15:58:57 +0200
Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing
 XkbInterest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.

As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:

 | Invalid read of size 8
 |   at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
 |   by 0x5B3391: XkbClientGone (xkb.c:7094)
 |   by 0x4DF138: doFreeResource (resource.c:890)
 |   by 0x4DFB50: FreeClientResources (resource.c:1156)
 |   by 0x4A9A59: CloseDownClient (dispatch.c:3550)
 |   by 0x5E0A53: ClientReady (connection.c:601)
 |   by 0x5E4FEF: ospoll_wait (ospoll.c:657)
 |   by 0x5DC834: WaitForSomething (WaitFor.c:206)
 |   by 0x4A1BA5: Dispatch (dispatch.c:491)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)
 | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
 |   at 0x4842E43: free (vg_replace_malloc.c:989)
 |   by 0x49C1A6: CloseDevice (devices.c:1067)
 |   by 0x49C522: CloseOneDevice (devices.c:1193)
 |   by 0x49C6E4: RemoveDevice (devices.c:1244)
 |   by 0x5873D4: remove_master (xichangehierarchy.c:348)
 |   by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
 |   by 0x579BF1: ProcIDispatch (extinit.c:390)
 |   by 0x4A1D85: Dispatch (dispatch.c:551)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)
 | Block was alloc'd at
 |   at 0x48473F3: calloc (vg_replace_malloc.c:1675)
 |   by 0x49A118: AddInputDevice (devices.c:262)
 |   by 0x4A0E58: AllocDevicePair (devices.c:2846)
 |   by 0x5866EE: add_master (xichangehierarchy.c:153)
 |   by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
 |   by 0x579BF1: ProcIDispatch (extinit.c:390)
 |   by 0x4A1D85: Dispatch (dispatch.c:551)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)

To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.

CVE-2025-62230, ZDI-CAN-27545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
 xkb/xkbEvents.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
index f8f65d4a7..7c669c93e 100644
--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
             autoCtrls = interest->autoCtrls;
             autoValues = interest->autoCtrlValues;
             client = interest->client;
+            FreeResource(interest->resource, RT_XKBCLIENT);
             free(interest);
             found = TRUE;
         }
@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
                 autoCtrls = victim->autoCtrls;
                 autoValues = victim->autoCtrlValues;
                 client = victim->client;
+                FreeResource(victim->resource, RT_XKBCLIENT);
                 free(victim);
                 found = TRUE;
             }
-- 
2.51.1