xorg-x11-server/0003-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch

From c0e295af1adca6a0258bb405c535fe04969cc178 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 14:41:45 +0100
Subject: [PATCH xserver 03/13] xkb: Fix buffer overflow in XkbVModMaskText()

The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the virtual mod name.

There's actually two issues in the code that can lead to a buffer
overflow.

First, the bound check mixes pointers and integers using misplaced
parenthesis, defeating the bound check.

But even though, if the check fails, the data is still copied, so the
stack overflow will occur regardless.

Change the logic to skip the copy entirely if the bound check fails.

CVE-2025-26595, ZDI-CAN-25545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
 xkb/xkbtext.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index d2a2567fc..002626450 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb,
                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
                 if (format == XkbCFile)
                     len += 4;
-                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
-                    if (str != buf) {
-                        if (format == XkbCFile)
-                            *str++ = '|';
-                        else
-                            *str++ = '+';
-                        len--;
-                    }
+                if ((str - buf) + len > VMOD_BUFFER_SIZE)
+                    continue; /* Skip */
+                if (str != buf) {
+                    if (format == XkbCFile)
+                        *str++ = '|';
+                    else
+                        *str++ = '+';
+                    len--;
                 }
                 if (format == XkbCFile)
                     sprintf(str, "%sMask", tmp);
-- 
2.48.1
CVE fix for CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601 Resolves: https://issues.redhat.com/browse/RHEL-80201 Resolves: https://issues.redhat.com/browse/RHEL-80186 Resolves: https://issues.redhat.com/browse/RHEL-80188 Resolves: https://issues.redhat.com/browse/RHEL-80191 Resolves: https://issues.redhat.com/browse/RHEL-80192 Resolves: https://issues.redhat.com/browse/RHEL-80199 Resolves: https://issues.redhat.com/browse/RHEL-80198 Resolves: https://issues.redhat.com/browse/RHEL-80200 2025-02-26 16:08:24 +00:00			`From c0e295af1adca6a0258bb405c535fe04969cc178 Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Wed, 27 Nov 2024 14:41:45 +0100`
			`Subject: [PATCH xserver 03/13] xkb: Fix buffer overflow in XkbVModMaskText()`

			`The code in XkbVModMaskText() allocates a fixed sized buffer on the`
			`stack and copies the virtual mod name.`

			`There's actually two issues in the code that can lead to a buffer`
			`overflow.`

			`First, the bound check mixes pointers and integers using misplaced`
			`parenthesis, defeating the bound check.`

			`But even though, if the check fails, the data is still copied, so the`
			`stack overflow will occur regardless.`

			`Change the logic to skip the copy entirely if the bound check fails.`

			`CVE-2025-26595, ZDI-CAN-25545`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`(cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722)`

			`Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>`
			`---`
			`xkb/xkbtext.c \| 16 ++++++++--------`
			`1 file changed, 8 insertions(+), 8 deletions(-)`

			`diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c`
			`index d2a2567fc..002626450 100644`
			`--- a/xkb/xkbtext.c`
			`+++ b/xkb/xkbtext.c`
			`@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb,`
			`len = strlen(tmp) + 1 + (str == buf ? 0 : 1);`
			`if (format == XkbCFile)`
			`len += 4;`
			`- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {`
			`- if (str != buf) {`
			`- if (format == XkbCFile)`
			`- *str++ = '\|';`
			`- else`
			`- *str++ = '+';`
			`- len--;`
			`- }`
			`+ if ((str - buf) + len > VMOD_BUFFER_SIZE)`
			`+ continue; /* Skip */`
			`+ if (str != buf) {`
			`+ if (format == XkbCFile)`
			`+ *str++ = '\|';`
			`+ else`
			`+ *str++ = '+';`
			`+ len--;`
			`}`
			`if (format == XkbCFile)`
			`sprintf(str, "%sMask", tmp);`
			`--`
			`2.48.1`