xorg-x11-server/U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch

From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 16 Dec 2024 16:18:04 +0100
Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on
 removal

When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.

As a result, replaying the events will cause a use after free.

To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.

CVE-2025-26600, ZDI-CAN-25871

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/devices.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Index: xorg-server-21.1.14/dix/devices.c
===================================================================
--- xorg-server-21.1.14.orig/dix/devices.c
+++ xorg-server-21.1.14/dix/devices.c
@@ -963,6 +963,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
 
 }
 
+static void
+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
+{
+    QdEventPtr qe, tmp;
+
+    if (!dev->deviceGrab.sync.frozen)
+        return;
+
+    /* Dequeue any frozen pending events */
+    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
+        if (qe->device == dev) {
+            xorg_list_del(&qe->next);
+            free(qe);
+        }
+    }
+}
+
 /**
  * Close down a device and free all resources.
  * Once closed down, the driver will probably not expect you that you'll ever
@@ -1027,6 +1044,7 @@ CloseDevice(DeviceIntPtr dev)
         free(dev->last.touches[j].valuators);
     free(dev->last.touches);
     dev->config_info = NULL;
+    FreePendingFrozenDeviceEvents(dev);
     dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
     free(dev);
 }