Compare commits
No commits in common. "c8s" and "c8-beta" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
/xwayland-21.1.3.tar.xz
|
||||
SOURCES/xwayland-21.1.3.tar.xz
|
||||
|
||||
1
.xorg-x11-server-Xwayland.metadata
Normal file
1
.xorg-x11-server-Xwayland.metadata
Normal file
@ -0,0 +1 @@
|
||||
ae980a7deeb7cad9f3cd253f3b1ddca5bb26aafa SOURCES/xwayland-21.1.3.tar.xz
|
||||
@ -1,37 +0,0 @@
|
||||
From 4c8de123f04e80a1c14c64064ebcec5497d2ec4b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 22 Jan 2024 14:22:12 +1000
|
||||
Subject: [PATCH xserver 1/4] dix: fix valuator copy/paste error in the
|
||||
DeviceStateNotify event
|
||||
|
||||
Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
|
||||
|
||||
(cherry picked from commit 133e0d651c5d12bf01999d6289e84e224ba77adc)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1452>
|
||||
---
|
||||
dix/enterleave.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 7b7ba1098..c1e6ac600 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
ev->first_valuator = first;
|
||||
switch (ev->num_valuators) {
|
||||
case 6:
|
||||
- ev->valuator2 = v->axisVal[first + 5];
|
||||
+ ev->valuator5 = v->axisVal[first + 5];
|
||||
case 5:
|
||||
- ev->valuator2 = v->axisVal[first + 4];
|
||||
+ ev->valuator4 = v->axisVal[first + 4];
|
||||
case 4:
|
||||
- ev->valuator2 = v->axisVal[first + 3];
|
||||
+ ev->valuator3 = v->axisVal[first + 3];
|
||||
case 3:
|
||||
ev->valuator2 = v->axisVal[first + 2];
|
||||
case 2:
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -1,87 +0,0 @@
|
||||
From 1d154fa2d5c52fa144c9cf0499affeba7be4f29e Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 28 Mar 2025 09:43:52 +0100
|
||||
Subject: [PATCH xserver 1/6] render: Avoid 0 or less animated cursors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Animated cursors use a series of cursors that the client can set.
|
||||
|
||||
By default, the Xserver assumes at least one cursor is specified
|
||||
while a client may actually pass no cursor at all.
|
||||
|
||||
That causes an out-of-bound read creating the animated cursor and a
|
||||
crash of the Xserver:
|
||||
|
||||
| Invalid read of size 8
|
||||
| at 0x5323F4: AnimCursorCreate (animcur.c:325)
|
||||
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
|
||||
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
|
||||
| by 0x4A1E9D: Dispatch (dispatch.c:560)
|
||||
| by 0x4B0169: dix_main (main.c:284)
|
||||
| by 0x4287F5: main (stubmain.c:34)
|
||||
| Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
|
||||
| at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
|
||||
| by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
|
||||
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
|
||||
| by 0x4A1E9D: Dispatch (dispatch.c:560)
|
||||
| by 0x4B0169: dix_main (main.c:284)
|
||||
| by 0x4287F5: main (stubmain.c:34)
|
||||
|
|
||||
| Invalid read of size 2
|
||||
| at 0x5323F7: AnimCursorCreate (animcur.c:325)
|
||||
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
|
||||
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
|
||||
| by 0x4A1E9D: Dispatch (dispatch.c:560)
|
||||
| by 0x4B0169: dix_main (main.c:284)
|
||||
| by 0x4287F5: main (stubmain.c:34)
|
||||
| Address 0x8 is not stack'd, malloc'd or (recently) free'd
|
||||
|
||||
To avoid the issue, check the number of cursors specified and return a
|
||||
BadValue error in both the proc handler (early) and the animated cursor
|
||||
creation (as this is a public function) if there is 0 or less cursor.
|
||||
|
||||
CVE-2025-49175
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
(cherry picked from commit 9304e31035f97ddbfcc1d5f3c178da1d04a472ad)
|
||||
---
|
||||
render/animcur.c | 3 +++
|
||||
render/render.c | 2 ++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/render/animcur.c b/render/animcur.c
|
||||
index ef27bda27..77942d846 100644
|
||||
--- a/render/animcur.c
|
||||
+++ b/render/animcur.c
|
||||
@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
|
||||
int rc = BadAlloc, i;
|
||||
AnimCurPtr ac;
|
||||
|
||||
+ if (ncursor <= 0)
|
||||
+ return BadValue;
|
||||
+
|
||||
for (i = 0; i < screenInfo.numScreens; i++)
|
||||
if (!GetAnimCurScreen(screenInfo.screens[i]))
|
||||
return BadImplementation;
|
||||
diff --git a/render/render.c b/render/render.c
|
||||
index 456f156d4..e9bbac62d 100644
|
||||
--- a/render/render.c
|
||||
+++ b/render/render.c
|
||||
@@ -1788,6 +1788,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
|
||||
ncursor =
|
||||
(client->req_len -
|
||||
(bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
|
||||
+ if (ncursor <= 0)
|
||||
+ return BadValue;
|
||||
cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
|
||||
if (!cursors)
|
||||
return BadAlloc;
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,75 +0,0 @@
|
||||
From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 5 Apr 2024 15:24:49 +0200
|
||||
Subject: [PATCH xserver] render: Avoid possible double-free in
|
||||
ProcRenderAddGlyphs()
|
||||
|
||||
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
|
||||
then frees it using FreeGlyph() to decrease the reference count, after
|
||||
AddGlyph() has increased it.
|
||||
|
||||
AddGlyph() however may chose to reuse an existing glyph if it's already
|
||||
in the glyphSet, and free the glyph that was given, in which case the
|
||||
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
|
||||
already freed glyph, as reported by ASan:
|
||||
|
||||
READ of size 4 thread T0
|
||||
#0 in FreeGlyph xserver/render/glyph.c:252
|
||||
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
|
||||
#2 in Dispatch xserver/dix/dispatch.c:546
|
||||
#3 in dix_main xserver/dix/main.c:271
|
||||
#4 in main xserver/dix/stubmain.c:34
|
||||
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
#6 in __libc_start_main_impl ../csu/libc-start.c:360
|
||||
#7 (/usr/bin/Xwayland+0x44fe4)
|
||||
Address is located 0 bytes inside of 64-byte region
|
||||
freed by thread T0 here:
|
||||
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
|
||||
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
|
||||
#2 in AddGlyph xserver/render/glyph.c:295
|
||||
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
|
||||
#4 in Dispatch xserver/dix/dispatch.c:546
|
||||
#5 in dix_main xserver/dix/main.c:271
|
||||
#6 in main xserver/dix/stubmain.c:34
|
||||
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
previously allocated by thread T0 here:
|
||||
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
|
||||
#1 in AllocateGlyph xserver/render/glyph.c:355
|
||||
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
|
||||
#3 in Dispatch xserver/dix/dispatch.c:546
|
||||
#4 in dix_main xserver/dix/main.c:271
|
||||
#5 in main xserver/dix/stubmain.c:34
|
||||
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
|
||||
|
||||
To avoid that, make sure not to free the given glyph in AddGlyph().
|
||||
|
||||
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
|
||||
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
|
||||
|
||||
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
|
||||
---
|
||||
render/glyph.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/render/glyph.c b/render/glyph.c
|
||||
index d5fc5f3c9..f5069d42f 100644
|
||||
--- a/render/glyph.c
|
||||
+++ b/render/glyph.c
|
||||
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
|
||||
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
|
||||
TRUE, glyph->sha1);
|
||||
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
|
||||
- FreeGlyphPicture(glyph);
|
||||
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
|
||||
glyph = gr->glyph;
|
||||
}
|
||||
else if (gr->glyph != glyph) {
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
From 26120df7aae6b5bf8086fb4d871d3b1a07ddacdb Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 10 Oct 2024 10:37:28 +0200
|
||||
Subject: [PATCH xserver] xkb: Fix buffer overflow in _XkbSetCompatMap()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
|
||||
buffer.
|
||||
|
||||
However, It didn't update its size properly. It updated `num_si` only,
|
||||
without updating `size_si`.
|
||||
|
||||
This may lead to local privilege escalation if the server is run as root
|
||||
or remote code execution (e.g. x11 over ssh).
|
||||
|
||||
CVE-2024-9632, ZDI-CAN-24756
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
(cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735>
|
||||
---
|
||||
xkb/xkb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index 8d52e25df..8b63e34b5 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||
XkbSymInterpretPtr sym;
|
||||
unsigned int skipped = 0;
|
||||
|
||||
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
|
||||
- compat->num_si = req->firstSI + req->nSI;
|
||||
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||
- compat->num_si,
|
||||
+ compat->size_si,
|
||||
sizeof(XkbSymInterpretRec));
|
||||
if (!compat->sym_interpret) {
|
||||
- compat->num_si = 0;
|
||||
+ compat->num_si = compat->size_si = 0;
|
||||
return BadAlloc;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -1,47 +0,0 @@
|
||||
From bd16cc8368afc6959bebfb2b15cfdb93bcac6fee Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 22 Mar 2024 18:51:45 -0700
|
||||
Subject: [PATCH xserver 2/4] Xi: ProcXIGetSelectedEvents needs to use
|
||||
unswapped length to send reply
|
||||
|
||||
CVE-2024-31080
|
||||
|
||||
Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
|
||||
Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
(cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
|
||||
---
|
||||
Xi/xiselectev.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
|
||||
index edcb8a0d3..ac1494987 100644
|
||||
--- a/Xi/xiselectev.c
|
||||
+++ b/Xi/xiselectev.c
|
||||
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
|
||||
InputClientsPtr others = NULL;
|
||||
xXIEventMask *evmask = NULL;
|
||||
DeviceIntPtr dev;
|
||||
+ uint32_t length;
|
||||
|
||||
REQUEST(xXIGetSelectedEventsReq);
|
||||
REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
|
||||
@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* save the value before SRepXIGetSelectedEvents swaps it */
|
||||
+ length = reply.length;
|
||||
WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
|
||||
|
||||
if (reply.num_masks)
|
||||
- WriteToClient(client, reply.length * 4, buffer);
|
||||
+ WriteToClient(client, length * 4, buffer);
|
||||
|
||||
free(buffer);
|
||||
return Success;
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -1,89 +0,0 @@
|
||||
From 6049e1b120c1aa93f23781c0976b1aad64f05f10 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 7 Apr 2025 16:13:34 +0200
|
||||
Subject: [PATCH xserver 2/6] os: Do not overflow the integer size with
|
||||
BigRequest
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The BigRequest extension allows request larger than the 16-bit length
|
||||
limit.
|
||||
|
||||
It uses integers for the request length and checks for the size not to
|
||||
exceed the maxBigRequestSize limit, but does so after translating the
|
||||
length to integer by multiplying the given size in bytes by 4.
|
||||
|
||||
In doing so, it might overflow the integer size limit before actually
|
||||
checking for the overflow, defeating the purpose of the test.
|
||||
|
||||
To avoid the issue, make sure to check that the request size does not
|
||||
overflow the maxBigRequestSize limit prior to any conversion.
|
||||
|
||||
The caller Dispatch() function however expects the return value to be in
|
||||
bytes, so we cannot just return the converted value in case of error, as
|
||||
that would also overflow the integer size.
|
||||
|
||||
To preserve the existing API, we use a negative value for the X11 error
|
||||
code BadLength as the function only return positive values, 0 or -1 and
|
||||
update the caller Dispatch() function to take that case into account to
|
||||
return the error code to the offending client.
|
||||
|
||||
CVE-2025-49176
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
||||
(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa)
|
||||
---
|
||||
dix/dispatch.c | 9 +++++----
|
||||
os/io.c | 4 ++++
|
||||
2 files changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/dix/dispatch.c b/dix/dispatch.c
|
||||
index ba01de6cf..c71098ce9 100644
|
||||
--- a/dix/dispatch.c
|
||||
+++ b/dix/dispatch.c
|
||||
@@ -464,9 +464,10 @@ Dispatch(void)
|
||||
|
||||
/* now, finally, deal with client requests */
|
||||
result = ReadRequestFromClient(client);
|
||||
- if (result <= 0) {
|
||||
- if (result < 0)
|
||||
- CloseDownClient(client);
|
||||
+ if (result == 0)
|
||||
+ break;
|
||||
+ else if (result == -1) {
|
||||
+ CloseDownClient(client);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -487,7 +488,7 @@ Dispatch(void)
|
||||
client->index,
|
||||
client->requestBuffer);
|
||||
#endif
|
||||
- if (result > (maxBigRequestSize << 2))
|
||||
+ if (result < 0 || result > (maxBigRequestSize << 2))
|
||||
result = BadLength;
|
||||
else {
|
||||
result = XaceHookDispatch(client, client->majorOp);
|
||||
diff --git a/os/io.c b/os/io.c
|
||||
index 5b7fac349..5fc05821c 100644
|
||||
--- a/os/io.c
|
||||
+++ b/os/io.c
|
||||
@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
|
||||
needed = get_big_req_len(request, client);
|
||||
}
|
||||
client->req_len = needed;
|
||||
+ if (needed > MAXINT >> 2) {
|
||||
+ /* Check for potential integer overflow */
|
||||
+ return -(BadLength);
|
||||
+ }
|
||||
needed <<= 2; /* needed is in bytes now */
|
||||
}
|
||||
if (gotnow < needed) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,45 +0,0 @@
|
||||
From 672b26d1f8e1cbe67d289786e3ce887988052b64 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 22 Mar 2024 18:56:27 -0700
|
||||
Subject: [PATCH xserver 3/4] Xi: ProcXIPassiveGrabDevice needs to use
|
||||
unswapped length to send reply
|
||||
|
||||
CVE-2024-31081
|
||||
|
||||
Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
(cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
|
||||
---
|
||||
Xi/xipassivegrab.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
|
||||
index c9ac2f855..896233bec 100644
|
||||
--- a/Xi/xipassivegrab.c
|
||||
+++ b/Xi/xipassivegrab.c
|
||||
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
||||
GrabParameters param;
|
||||
void *tmp;
|
||||
int mask_len;
|
||||
+ uint32_t length;
|
||||
|
||||
REQUEST(xXIPassiveGrabDeviceReq);
|
||||
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
|
||||
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
|
||||
+ length = rep.length;
|
||||
WriteReplyToClient(client, sizeof(rep), &rep);
|
||||
if (rep.num_modifiers)
|
||||
- WriteToClient(client, rep.length * 4, modifiers_failed);
|
||||
+ WriteToClient(client, length * 4, modifiers_failed);
|
||||
|
||||
out:
|
||||
free(modifiers_failed);
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -1,35 +0,0 @@
|
||||
From 205be7f7bf6850b364e9f10fe9f27ce6360670c9 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Wed, 18 Jun 2025 08:39:02 +0200
|
||||
Subject: [PATCH xserver 3/6] os: Check for integer overflow on BigRequest
|
||||
length
|
||||
|
||||
Check for another possible integer overflow once we get a complete xReq
|
||||
with BigRequest.
|
||||
|
||||
Related to CVE-2025-49176
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
|
||||
(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
|
||||
---
|
||||
os/io.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/os/io.c b/os/io.c
|
||||
index 5fc05821c..064d69ea3 100644
|
||||
--- a/os/io.c
|
||||
+++ b/os/io.c
|
||||
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
|
||||
needed = get_big_req_len(request, client);
|
||||
}
|
||||
client->req_len = needed;
|
||||
+ if (needed > MAXINT >> 2)
|
||||
+ return -(BadLength);
|
||||
needed <<= 2;
|
||||
}
|
||||
if (gotnow < needed) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,46 +0,0 @@
|
||||
From 9cd6d7efb87d6d51a9ddce152d103ac087287c52 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 28 Apr 2025 10:46:03 +0200
|
||||
Subject: [PATCH xserver 4/6] os: Account for bytes to ignore when sharing
|
||||
input buffer
|
||||
|
||||
When reading requests from the clients, the input buffer might be shared
|
||||
and used between different clients.
|
||||
|
||||
If a given client sends a full request with non-zero bytes to ignore,
|
||||
the bytes to ignore may still be non-zero even though the request is
|
||||
full, in which case the buffer could be shared with another client who's
|
||||
request will not be processed because of those bytes to ignore, leading
|
||||
to a possible hang of the other client request.
|
||||
|
||||
To avoid the issue, make sure we have zero bytes to ignore left in the
|
||||
input request when sharing the input buffer with another client.
|
||||
|
||||
CVE-2025-49178
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3)
|
||||
---
|
||||
os/io.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/os/io.c b/os/io.c
|
||||
index 064d69ea3..83986af92 100644
|
||||
--- a/os/io.c
|
||||
+++ b/os/io.c
|
||||
@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
|
||||
*/
|
||||
|
||||
gotnow -= needed;
|
||||
- if (!gotnow)
|
||||
+ if (!gotnow && !oci->ignoreBytes)
|
||||
AvailableInput = oc;
|
||||
if (move_header) {
|
||||
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,116 +0,0 @@
|
||||
From 01941a831811c9fd47ffed5ea96375abeb20c9fc Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 30 Jan 2024 13:13:35 +1000
|
||||
Subject: [PATCH xserver 4/4] render: fix refcounting of glyphs during
|
||||
ProcRenderAddGlyphs
|
||||
|
||||
Previously, AllocateGlyph would return a new glyph with refcount=0 and a
|
||||
re-used glyph would end up not changing the refcount at all. The
|
||||
resulting glyph_new array would thus have multiple entries pointing to
|
||||
the same non-refcounted glyphs.
|
||||
|
||||
AddGlyph may free a glyph, resulting in a UAF when the same glyph
|
||||
pointer is then later used.
|
||||
|
||||
Fix this by returning a refcount of 1 for a new glyph and always
|
||||
incrementing the refcount for a re-used glyph, followed by dropping that
|
||||
refcount back down again when we're done with it.
|
||||
|
||||
CVE-2024-31083, ZDI-CAN-22880
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
(backported from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
|
||||
---
|
||||
render/glyph.c | 5 +++--
|
||||
render/glyphstr.h | 3 +++
|
||||
render/render.c | 15 +++++++++++----
|
||||
3 files changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/render/glyph.c b/render/glyph.c
|
||||
index f3ed9cf4c..d5fc5f3c9 100644
|
||||
--- a/render/glyph.c
|
||||
+++ b/render/glyph.c
|
||||
@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
|
||||
}
|
||||
}
|
||||
|
||||
-static void
|
||||
+void
|
||||
FreeGlyph(GlyphPtr glyph, int format)
|
||||
{
|
||||
CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
|
||||
+ BUG_RETURN(glyph->refcnt == 0);
|
||||
if (--glyph->refcnt == 0) {
|
||||
GlyphRefPtr gr;
|
||||
int i;
|
||||
@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
|
||||
glyph = (GlyphPtr) malloc(size);
|
||||
if (!glyph)
|
||||
return 0;
|
||||
- glyph->refcnt = 0;
|
||||
+ glyph->refcnt = 1;
|
||||
glyph->size = size + sizeof(xGlyphInfo);
|
||||
glyph->info = *gi;
|
||||
dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
|
||||
diff --git a/render/glyphstr.h b/render/glyphstr.h
|
||||
index 2f51bd244..fb6589d3e 100644
|
||||
--- a/render/glyphstr.h
|
||||
+++ b/render/glyphstr.h
|
||||
@@ -102,6 +102,9 @@ HashGlyph(xGlyphInfo * gi,
|
||||
extern void
|
||||
AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id);
|
||||
|
||||
+extern void
|
||||
+FreeGlyph(GlyphPtr glyph, int format);
|
||||
+
|
||||
extern Bool
|
||||
DeleteGlyph(GlyphSetPtr glyphSet, Glyph id);
|
||||
|
||||
diff --git a/render/render.c b/render/render.c
|
||||
index 456f156d4..5bc2a204b 100644
|
||||
--- a/render/render.c
|
||||
+++ b/render/render.c
|
||||
@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
|
||||
|
||||
if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
|
||||
glyph_new->found = TRUE;
|
||||
+ ++glyph_new->glyph->refcnt;
|
||||
}
|
||||
else {
|
||||
GlyphPtr glyph;
|
||||
@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
|
||||
err = BadAlloc;
|
||||
goto bail;
|
||||
}
|
||||
- for (i = 0; i < nglyphs; i++)
|
||||
+ for (i = 0; i < nglyphs; i++) {
|
||||
AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
|
||||
+ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
|
||||
+ }
|
||||
|
||||
if (glyphsBase != glyphsLocal)
|
||||
free(glyphsBase);
|
||||
@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
|
||||
FreePicture((void *) pSrc, 0);
|
||||
if (pSrcPix)
|
||||
FreeScratchPixmapHeader(pSrcPix);
|
||||
- for (i = 0; i < nglyphs; i++)
|
||||
- if (glyphs[i].glyph && !glyphs[i].found)
|
||||
- free(glyphs[i].glyph);
|
||||
+ for (i = 0; i < nglyphs; i++) {
|
||||
+ if (glyphs[i].glyph) {
|
||||
+ --glyphs[i].glyph->refcnt;
|
||||
+ if (!glyphs[i].found)
|
||||
+ free(glyphs[i].glyph);
|
||||
+ }
|
||||
+ }
|
||||
if (glyphsBase != glyphsLocal)
|
||||
free(glyphsBase);
|
||||
return err;
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -1,62 +0,0 @@
|
||||
From acc5a83e0d813403fa0377d9ed405c3ca2f9a39d Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 28 Apr 2025 11:47:15 +0200
|
||||
Subject: [PATCH xserver 5/6] record: Check for overflow in
|
||||
RecordSanityCheckRegisterClients()
|
||||
|
||||
The RecordSanityCheckRegisterClients() checks for the request length,
|
||||
but does not check for integer overflow.
|
||||
|
||||
A client might send a very large value for either the number of clients
|
||||
or the number of protocol ranges that will cause an integer overflow in
|
||||
the request length computation, defeating the check for request length.
|
||||
|
||||
To avoid the issue, explicitly check the number of clients against the
|
||||
limit of clients (which is much lower than an maximum integer value) and
|
||||
the number of protocol ranges (multiplied by the record length) do not
|
||||
exceed the maximum integer value.
|
||||
|
||||
This way, we ensure that the final computation for the request length
|
||||
will not overflow the maximum integer limit.
|
||||
|
||||
CVE-2025-49179
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00)
|
||||
---
|
||||
record/record.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/record/record.c b/record/record.c
|
||||
index e123867a7..018e53f81 100644
|
||||
--- a/record/record.c
|
||||
+++ b/record/record.c
|
||||
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
|
||||
#include "inputstr.h"
|
||||
#include "eventconvert.h"
|
||||
#include "scrnintstr.h"
|
||||
+#include "opaque.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
|
||||
int i;
|
||||
XID recordingClient;
|
||||
|
||||
+ /* LimitClients is 2048 at max, way less that MAXINT */
|
||||
+ if (stuff->nClients > LimitClients)
|
||||
+ return BadValue;
|
||||
+
|
||||
+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
|
||||
+ return BadValue;
|
||||
+
|
||||
if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
|
||||
4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
|
||||
return BadLength;
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
From b33673deffe92ff7d5b4be5dd944eed2718ee3a0 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Tue, 20 May 2025 15:18:19 +0200
|
||||
Subject: [PATCH xserver 6/6] randr: Check for overflow in
|
||||
RRChangeProviderProperty()
|
||||
|
||||
A client might send a request causing an integer overflow when computing
|
||||
the total size to allocate in RRChangeProviderProperty().
|
||||
|
||||
To avoid the issue, check that total length in bytes won't exceed the
|
||||
maximum integer value.
|
||||
|
||||
CVE-2025-49180
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit 1b0bf563a3a76b06ddcd6fc4d8e72d81f6773699)
|
||||
---
|
||||
randr/rrproviderproperty.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||
index b79c17f9b..7088570ee 100644
|
||||
--- a/randr/rrproviderproperty.c
|
||||
+++ b/randr/rrproviderproperty.c
|
||||
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
|
||||
|
||||
if (mode == PropModeReplace || len > 0) {
|
||||
void *new_data = NULL, *old_data = NULL;
|
||||
-
|
||||
+ if (total_len > MAXINT / size_in_bytes)
|
||||
+ return BadValue;
|
||||
total_size = total_len * size_in_bytes;
|
||||
new_value.data = (void *) malloc(total_size);
|
||||
if (!new_value.data && total_size) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
Summary: Xwayland
|
||||
Name: xorg-x11-server-Xwayland
|
||||
Version: 21.1.3
|
||||
Release: 18%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
|
||||
Release: 15%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
|
||||
|
||||
URL: http://www.x.org
|
||||
%if 0%{?gitdate}
|
||||
@ -81,30 +81,6 @@ Patch10037: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch
|
||||
Patch10038: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch
|
||||
# Fix for CVE-2024-0409
|
||||
Patch10039: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
|
||||
# Fix for copy/paste error in previous CVE fix
|
||||
Patch10040: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
|
||||
# Fix for CVE-2024-31080
|
||||
Patch10041: 0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
|
||||
# Fix for CVE-2024-31081
|
||||
Patch10042: 0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
|
||||
# Fix for CVE-2024-31083, ZDI-CAN-22880
|
||||
Patch10043: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
|
||||
# Fix for the fix for CVE-2024-31083
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
||||
Patch10044: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||
# Fix for CVE-2024-9632
|
||||
Patch10045: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
|
||||
# CVE-2025-49175: Out-of-bounds access in X Rendering extension
|
||||
Patch10046: 0001-render-Avoid-0-or-less-animated-cursors.patch
|
||||
# CVE-2025-49176: Integer overflow in Big Requests Extension
|
||||
Patch10047: 0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
|
||||
Patch10048: 0003-os-Check-for-integer-overflow-on-BigRequest-length.patch
|
||||
# CVE-2025-49178: Unprocessed client request via bytes to ignore
|
||||
Patch10049: 0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
|
||||
# CVE-2025-49179: Integer overflow in X Record extension
|
||||
Patch10050: 0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
|
||||
# CVE-2025-49180: Integer overflow in RandR extension
|
||||
Patch10051: 0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
|
||||
|
||||
License: MIT
|
||||
|
||||
@ -212,17 +188,6 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
|
||||
%{_libdir}/pkgconfig/xwayland.pc
|
||||
|
||||
%changelog
|
||||
* Wed Jun 18 2025 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-18
|
||||
- CVE fix for: CVE-2025-49175 (RHEL-97278), CVE-2025-49176 (RHEL-97299,
|
||||
CVE-2025-49178 (RHEL-97374), CVE-2025-49179 (RHEL-97417),
|
||||
CVE-2025-49180 (RHEL-97249)
|
||||
|
||||
* Wed Oct 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-17
|
||||
- Fix for CVE-2024-9632 - (RHEL-61995)
|
||||
|
||||
* Thu Apr 4 2024 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-16
|
||||
- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
|
||||
|
||||
* Tue Jan 16 2024 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-15
|
||||
Fix for CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886,
|
||||
CVE-2024-0408, CVE-2024-0409
|
||||
@ -1,6 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-8
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}
|
||||
Loading…
Reference in New Issue
Block a user