xorg-x11-server/0007-composite-Handle-failure-to-redirect-in-compRedirect.patch

From 04d8041534d40e975d11a8a58ea7e8b1f09b519d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 17 Dec 2024 15:19:45 +0100
Subject: [PATCH xserver 07/13] composite: Handle failure to redirect in
 compRedirectWindow()

The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.

In that case, compRedirectWindow() will return a BadAlloc error.

However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.

That causes a use of uninitialized pointer later.

The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.

CVE-2025-26599, ZDI-CAN-25851

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
 composite/compalloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/composite/compalloc.c b/composite/compalloc.c
index 3e2f14fb0..55a1b725a 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
     WindowPtr pLayerWin;
     Bool anyMarked = FALSE;
+    int status = Success;
 
     if (pWin == cs->pOverlayWin) {
         return Success;
@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
 
     if (!compCheckRedirect(pWin)) {
         FreeResource(ccw->id, RT_NONE);
-        return BadAlloc;
+        status = BadAlloc;
     }
 
     if (anyMarked)
         compHandleMarkedWindows(pWin, pLayerWin);
 
-    return Success;
+    return status;
 }
 
 void
-- 
2.48.1
CVE fix for CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601 Resolves: https://issues.redhat.com/browse/RHEL-80201 Resolves: https://issues.redhat.com/browse/RHEL-80186 Resolves: https://issues.redhat.com/browse/RHEL-80188 Resolves: https://issues.redhat.com/browse/RHEL-80191 Resolves: https://issues.redhat.com/browse/RHEL-80192 Resolves: https://issues.redhat.com/browse/RHEL-80199 Resolves: https://issues.redhat.com/browse/RHEL-80198 Resolves: https://issues.redhat.com/browse/RHEL-80200 2025-02-26 16:08:24 +00:00			`From 04d8041534d40e975d11a8a58ea7e8b1f09b519d Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Tue, 17 Dec 2024 15:19:45 +0100`
			`Subject: [PATCH xserver 07/13] composite: Handle failure to redirect in`
			`compRedirectWindow()`

			`The function compCheckRedirect() may fail if it cannot allocate the`
			`backing pixmap.`

			`In that case, compRedirectWindow() will return a BadAlloc error.`

			`However that failure code path will shortcut the validation of the`
			`window tree marked just before, which leaves the validate data partly`
			`initialized.`

			`That causes a use of uninitialized pointer later.`

			`The fix is to not shortcut the call to compHandleMarkedWindows() even in`
			`the case of compCheckRedirect() returning an error.`

			`CVE-2025-26599, ZDI-CAN-25851`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Acked-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be)`

			`Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>`
			`---`
			`composite/compalloc.c \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/composite/compalloc.c b/composite/compalloc.c`
			`index 3e2f14fb0..55a1b725a 100644`
			`--- a/composite/compalloc.c`
			`+++ b/composite/compalloc.c`
			`@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)`
			`CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);`
			`WindowPtr pLayerWin;`
			`Bool anyMarked = FALSE;`
			`+ int status = Success;`

			`if (pWin == cs->pOverlayWin) {`
			`return Success;`
			`@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)`

			`if (!compCheckRedirect(pWin)) {`
			`FreeResource(ccw->id, RT_NONE);`
			`- return BadAlloc;`
			`+ status = BadAlloc;`
			`}`

			`if (anyMarked)`
			`compHandleMarkedWindows(pWin, pLayerWin);`

			`- return Success;`
			`+ return status;`
			`}`

			`void`
			`--`
			`2.48.1`