U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
  * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427)
- U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
  * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429)
- U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
  * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430)
- U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
  * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431)
- U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
  * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432)
- U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
  U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
  * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433)
- U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
  * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434)
- U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
  U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
  U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
  U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
  * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=907
122 lines
4.7 KiB
Diff
From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 13 Jan 2025 16:09:43 +0100
Subject: [PATCH xserver 2/2] composite: initialize border clip even when
 pixmap alloc fails

If it fails to allocate the pixmap, the function compAllocPixmap() would
return early and leave the borderClip region uninitialized, which may
lead to the use of uninitialized value as reported by valgrind:

  Conditional jump or move depends on uninitialised value(s)
     at 0x4F9B33: compClipNotify (compwindow.c:317)
     by 0x484FC9: miComputeClips (mivaltree.c:476)
     by 0x48559A: miValidateTree (mivaltree.c:679)
     by 0x4F0685: MapWindow (window.c:2693)
     by 0x4A344A: ProcMapWindow (dispatch.c:922)
     by 0x4A25B5: Dispatch (dispatch.c:560)
     by 0x4B082A: dix_main (main.c:282)
     by 0x429233: main (stubmain.c:34)
   Uninitialised value was created by a heap allocation
     at 0x4841866: malloc (vg_replace_malloc.c:446)
     by 0x4F47BC: compRedirectWindow (compalloc.c:171)
     by 0x4FA8AD: compCreateWindow (compwindow.c:592)
     by 0x4EBB89: CreateWindow (window.c:925)
     by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
     by 0x4A25B5: Dispatch (dispatch.c:560)
     by 0x4B082A: dix_main (main.c:282)
     by 0x429233: main (stubmain.c:34)

  Conditional jump or move depends on uninitialised value(s)
     at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
     by 0x4F9255: RegionTranslate (regionstr.h:312)
     by 0x4F9B7E: compClipNotify (compwindow.c:319)
     by 0x484FC9: miComputeClips (mivaltree.c:476)
     by 0x48559A: miValidateTree (mivaltree.c:679)
     by 0x4F0685: MapWindow (window.c:2693)
     by 0x4A344A: ProcMapWindow (dispatch.c:922)
     by 0x4A25B5: Dispatch (dispatch.c:560)
     by 0x4B082A: dix_main (main.c:282)
     by 0x429233: main (stubmain.c:34)
   Uninitialised value was created by a heap allocation
     at 0x4841866: malloc (vg_replace_malloc.c:446)
     by 0x4F47BC: compRedirectWindow (compalloc.c:171)
     by 0x4FA8AD: compCreateWindow (compwindow.c:592)
     by 0x4EBB89: CreateWindow (window.c:925)
     by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
     by 0x4A25B5: Dispatch (dispatch.c:560)
     by 0x4B082A: dix_main (main.c:282)
     by 0x429233: main (stubmain.c:34)

  Conditional jump or move depends on uninitialised value(s)
     at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
     by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
     by 0x4F9255: RegionTranslate (regionstr.h:312)
     by 0x4F9B7E: compClipNotify (compwindow.c:319)
     by 0x484FC9: miComputeClips (mivaltree.c:476)
     by 0x48559A: miValidateTree (mivaltree.c:679)
     by 0x4F0685: MapWindow (window.c:2693)
     by 0x4A344A: ProcMapWindow (dispatch.c:922)
     by 0x4A25B5: Dispatch (dispatch.c:560)
     by 0x4B082A: dix_main (main.c:282)
     by 0x429233: main (stubmain.c:34)
   Uninitialised value was created by a heap allocation
     at 0x4841866: malloc (vg_replace_malloc.c:446)
     by 0x4F47BC: compRedirectWindow (compalloc.c:171)
     by 0x4FA8AD: compCreateWindow (compwindow.c:592)
     by 0x4EBB89: CreateWindow (window.c:925)
     by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
     by 0x4A25B5: Dispatch (dispatch.c:560)
     by 0x4B082A: dix_main (main.c:282)
     by 0x429233: main (stubmain.c:34)

Fix compAllocPixmap() to initialize the border clip even if the creation
of the backing pixmap has failed, to avoid depending later on
uninitialized border clip values.

Related to CVE-2025-26599, ZDI-CAN-25851

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 composite/compalloc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

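The defect class the commit message describes, an early `return` on allocation failure that skips the bookkeeping a later code path reads, is easy to reproduce outside the server. The following standalone C program is an added illustration, not code from xserver or from this patch: `struct win_state`, `alloc_pixmap_buggy()`, `alloc_pixmap_fixed()` and `clip_moved()` are hypothetical stand-ins for the window state, the two shapes of `compAllocPixmap()` and the `compClipNotify()` consumer. The struct is deliberately filled with a poison byte pattern before each call, standing in for the fresh heap garbage valgrind reported, so the difference between the two shapes is observable deterministically rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the window/comp-window state (not xserver types). */
struct win_state {
    int x, y;            /* current drawable position */
    int border_clip_x;   /* clip origin cached at (re)allocation time */
    int border_clip_y;
    void *pixmap;        /* backing pixmap, NULL when allocation failed */
};

/* Simulated allocator: returns NULL when 'fail' is set so both paths are testable. */
static void *new_pixmap(bool fail)
{
    return fail ? NULL : malloc(16);
}

/* Buggy shape: the early return skips the clip bookkeeping entirely. */
bool alloc_pixmap_buggy(struct win_state *w, bool fail_alloc)
{
    w->pixmap = new_pixmap(fail_alloc);
    if (!w->pixmap)
        return false;            /* border_clip_* keep whatever was in memory */
    w->border_clip_x = w->x;
    w->border_clip_y = w->y;
    return true;
}

/* Fixed shape: the bookkeeping runs on every path; only the status differs. */
bool alloc_pixmap_fixed(struct win_state *w, bool fail_alloc)
{
    bool status;
    w->pixmap = new_pixmap(fail_alloc);
    if (!w->pixmap) {
        status = false;
        goto out;
    }
    status = true;
out:
    /* Must run even on failure: a later clip-notify reads these fields. */
    w->border_clip_x = w->x;
    w->border_clip_y = w->y;
    return status;
}

/* Consumer analogous to a clip-notify path: compares cached origin with the window. */
static bool clip_moved(const struct win_state *w)
{
    return w->border_clip_x != w->x || w->border_clip_y != w->y;
}

/* Run 'fn' on a poisoned state with allocation forced to fail and report whether
 * the consumer would see a stale (poisoned) clip origin. true => bug reproduced. */
bool failure_path_leaves_stale_clip(bool (*fn)(struct win_state *, bool))
{
    struct win_state w;
    memset(&w, 0x5A, sizeof w);   /* constructed poison, stands in for heap garbage */
    w.x = 10;
    w.y = 20;
    bool ok = fn(&w, true);
    free(w.pixmap);               /* NULL on the failure path */
    return !ok && clip_moved(&w);
}

/* Sanity check of the success path: status true and clip origin consistent. */
bool success_path_ok(bool (*fn)(struct win_state *, bool))
{
    struct win_state w;
    memset(&w, 0x5A, sizeof w);
    w.x = 10;
    w.y = 20;
    bool ok = fn(&w, false);
    bool consistent = ok && w.pixmap != NULL && !clip_moved(&w);
    free(w.pixmap);
    return consistent;
}

int main(void)
{
    printf("buggy shape, alloc fails: stale clip origin = %s\n",
           failure_path_leaves_stale_clip(alloc_pixmap_buggy) ? "yes" : "no");
    printf("fixed shape, alloc fails: stale clip origin = %s\n",
           failure_path_leaves_stale_clip(alloc_pixmap_fixed) ? "yes" : "no");
    return 0;
}
```

Without the poison fill, the buggy variant would read indeterminate stack or heap bytes, which is exactly the condition valgrind's "Conditional jump or move depends on uninitialised value(s)" flags; building this program and running it under valgrind with the `memset` removed reproduces that report shape.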
Index: xwayland-24.1.4/composite/compalloc.c
===================================================================
--- xwayland-24.1.4.orig/composite/compalloc.c
+++ xwayland-24.1.4/composite/compalloc.c
@@ -606,9 +606,12 @@ compAllocPixmap(WindowPtr pWin)
int h = pWin->drawable.height + (bw << 1);
PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
CompWindowPtr cw = GetCompWindow(pWin);
+ Bool status;

- if (!pPixmap)
- return FALSE;
+ if (!pPixmap) {
+ status = FALSE;
+ goto out;
+ }
if (cw->update == CompositeRedirectAutomatic)
pWin->redirectDraw = RedirectDrawAutomatic;
else
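Review bot: `Bool status;` is declared without an initializer and is only set by `status = FALSE;` in the new `if (!pPixmap)` branch and by a `status = TRUE;` much further down the function; any early exit added between those two points later would reach `out:` and `return status;` with an indeterminate value, which is the same class of defect this patch is fixing. Initializing at the declaration (`Bool status = FALSE;`) and dropping the assignment inside the branch gives identical behaviour with one less way to regress. Note also that the new failure path still dereferences `cw` at `out:`, so this hunk relies on `GetCompWindow(pWin)` returning non-NULL here exactly as the pre-existing success path did; that assumption deserves a one-line comment at the declaration.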
@@ -622,14 +625,16 @@ compAllocPixmap(WindowPtr pWin)
DamageRegister(&pWin->drawable, cw->damage);
cw->damageRegistered = TRUE;
}
+ status = TRUE;

+out:
/* Make sure our borderClip is up to date */
RegionUninit(&cw->borderClip);
RegionCopy(&cw->borderClip, &pWin->borderClip);
cw->borderClipX = pWin->drawable.x;
cw->borderClipY = pWin->drawable.y;

- return TRUE;
+ return status;
}

void
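Review bot: the `out:` label lacks a comment explaining why `RegionCopy(&cw->borderClip, &pWin->borderClip)` and the `borderClipX`/`borderClipY` assignments must run even when `status` is FALSE; the existing `/* Make sure our borderClip is up to date */` reads as a success-path remark, and the real reason (compClipNotify at compwindow.c:317 reads these fields for a window whose pixmap allocation failed, per the valgrind trace in the message) belongs next to the label so a future cleanup does not fold it back into the early return. Also, `RegionUninit(&cw->borderClip)` now runs on the failure path as well, so whichever caller handles a FALSE return from compAllocPixmap() must not assume borderClip was left untouched.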