xorg-x11-server/U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch

From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 17:06:07 +0100
Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject()

We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.

SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.

Related to CVE-2025-26601, ZDI-CAN-25870

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 Xext/sync.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

Index: xwayland-22.1.5/Xext/sync.c
===================================================================
--- xwayland-22.1.5.orig/Xext/sync.c
+++ xwayland-22.1.5/Xext/sync.c
@@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger *
             return Success;
     }
 
-    if (!(pCur = malloc(sizeof(SyncTriggerList))))
-        return BadAlloc;
+    /* Failure is not an option, it's succeed or burst! */
+    pCur = XNFalloc(sizeof(SyncTriggerList));
 
     pCur->pTrigger = pTrigger;
     pCur->next = pTrigger->pSync->pTriglist;
@@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTr
      *  a new counter on a trigger
      */
     if (newSyncObject) {
-        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
-            return rc;
+        SyncAddTriggerToSyncObject(pTrigger);
     }
     else if (pCounter && IsSystemCounter(pCounter)) {
         SyncComputeBracketValues(pCounter);
- U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) - U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) - U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) - U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) - U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) - U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=907 2025-02-25 18:04:55 +00:00			`From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Mon, 20 Jan 2025 17:06:07 +0100`
			`Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject()`

			`We do not want to return a failure at the very last step in`
			`SyncInitTrigger() after having all changes applied.`

			`SyncAddTriggerToSyncObject() must not fail on memory allocation, if the`
			`allocation of the SyncTriggerList fails, trigger a FatalError() instead.`

			`Related to CVE-2025-26601, ZDI-CAN-25870`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`---`
			`Xext/sync.c \| 7 +++----`
			`1 file changed, 3 insertions(+), 4 deletions(-)`

			`Index: xwayland-22.1.5/Xext/sync.c`
			`===================================================================`
			`--- xwayland-22.1.5.orig/Xext/sync.c`
			`+++ xwayland-22.1.5/Xext/sync.c`
			`@@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger *`
			`return Success;`
			`}`

			`- if (!(pCur = malloc(sizeof(SyncTriggerList))))`
			`- return BadAlloc;`
			`+ /* Failure is not an option, it's succeed or burst! */`
			`+ pCur = XNFalloc(sizeof(SyncTriggerList));`

			`pCur->pTrigger = pTrigger;`
			`pCur->next = pTrigger->pSync->pTriglist;`
			`@@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTr`
			`* a new counter on a trigger`
			`*/`
			`if (newSyncObject) {`
			`- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)`
			`- return rc;`
			`+ SyncAddTriggerToSyncObject(pTrigger);`
			`}`
			`else if (pCounter && IsSystemCounter(pCounter)) {`
			`SyncComputeBracketValues(pCounter);`