xorg-x11-server/U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch

From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 11:27:05 +0100
Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a cursor reference count drops to 0, the cursor is freed.

The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.

Make sure to prevent the rootCursor from being explicitly freed by a
client.

CVE-2025-26594, ZDI-CAN-25544

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/dispatch.c | 4 ++++
 1 file changed, 4 insertions(+)

Index: xwayland-22.1.5/dix/dispatch.c
===================================================================
--- xwayland-22.1.5.orig/dix/dispatch.c
+++ xwayland-22.1.5/dix/dispatch.c
@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client)
     rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
                                  client, DixDestroyAccess);
     if (rc == Success) {
+        if (pCursor == rootCursor) {
+            client->errorValue = stuff->id;
+            return BadCursor;
+        }
         FreeResource(stuff->id, RT_NONE);
         return Success;
     }
- U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) - U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) - U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) - U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) - U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) - U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=907 2025-02-25 18:04:55 +00:00			`From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Wed, 27 Nov 2024 11:27:05 +0100`
			`Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`If a cursor reference count drops to 0, the cursor is freed.`

			`The root cursor however is referenced with a specific global variable,`
			`and when the root cursor is freed, the global variable may still point`
			`to freed memory.`

			`Make sure to prevent the rootCursor from being explicitly freed by a`
			`client.`

			`CVE-2025-26594, ZDI-CAN-25544`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer`
			`<peter.hutterer@who-t.net>)`
			`v3: Return BadCursor instead of BadValue (Michel Dänzer`
			`<michel@daenzer.net>)`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`---`
			`dix/dispatch.c \| 4 ++++`
			`1 file changed, 4 insertions(+)`

			`Index: xwayland-22.1.5/dix/dispatch.c`
			`===================================================================`
			`--- xwayland-22.1.5.orig/dix/dispatch.c`
			`+++ xwayland-22.1.5/dix/dispatch.c`
			`@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client)`
			`rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,`
			`client, DixDestroyAccess);`
			`if (rc == Success) {`
			`+ if (pCursor == rootCursor) {`
			`+ client->errorValue = stuff->id;`
			`+ return BadCursor;`
			`+ }`
			`FreeResource(stuff->id, RT_NONE);`
			`return Success;`
			`}`