Stefan Dirsch
f15e897874
U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) - U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) - U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) - U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) - U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) - U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=907
78 lines
2.6 KiB
Diff
78 lines
2.6 KiB
Diff
From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 20 Jan 2025 16:54:30 +0100
|
|
Subject: [PATCH xserver 2/4] sync: Check values before applying changes
|
|
|
|
In SyncInitTrigger(), we would set the CheckTrigger function before
|
|
validating the counter value.
|
|
|
|
As a result, if the counter value overflowed, we would leave the
|
|
function SyncInitTrigger() with the CheckTrigger applied but without
|
|
updating the trigger object.
|
|
|
|
To avoid that issue, move the portion of code checking for the trigger
|
|
check value before updating the CheckTrigger function.
|
|
|
|
Related to CVE-2025-26601, ZDI-CAN-25870
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xext/sync.c | 36 ++++++++++++++++++------------------
|
|
1 file changed, 18 insertions(+), 18 deletions(-)
|
|
|
|
Index: xwayland-22.1.5/Xext/sync.c
|
|
===================================================================
|
|
--- xwayland-22.1.5.orig/Xext/sync.c
|
|
+++ xwayland-22.1.5/Xext/sync.c
|
|
@@ -350,6 +350,24 @@ SyncInitTrigger(ClientPtr client, SyncTr
|
|
}
|
|
}
|
|
|
|
+ if (changes & (XSyncCAValueType | XSyncCAValue)) {
|
|
+ if (pTrigger->value_type == XSyncAbsolute)
|
|
+ pTrigger->test_value = pTrigger->wait_value;
|
|
+ else { /* relative */
|
|
+ Bool overflow;
|
|
+
|
|
+ if (pCounter == NULL)
|
|
+ return BadMatch;
|
|
+
|
|
+ overflow = checked_int64_add(&pTrigger->test_value,
|
|
+ pCounter->value, pTrigger->wait_value);
|
|
+ if (overflow) {
|
|
+ client->errorValue = pTrigger->wait_value >> 32;
|
|
+ return BadValue;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
if (changes & XSyncCATestType) {
|
|
|
|
if (pSync && SYNC_FENCE == pSync->type) {
|
|
@@ -376,24 +394,6 @@ SyncInitTrigger(ClientPtr client, SyncTr
|
|
return BadValue;
|
|
}
|
|
}
|
|
- }
|
|
-
|
|
- if (changes & (XSyncCAValueType | XSyncCAValue)) {
|
|
- if (pTrigger->value_type == XSyncAbsolute)
|
|
- pTrigger->test_value = pTrigger->wait_value;
|
|
- else { /* relative */
|
|
- Bool overflow;
|
|
-
|
|
- if (pCounter == NULL)
|
|
- return BadMatch;
|
|
-
|
|
- overflow = checked_int64_add(&pTrigger->test_value,
|
|
- pCounter->value, pTrigger->wait_value);
|
|
- if (overflow) {
|
|
- client->errorValue = pTrigger->wait_value >> 32;
|
|
- return BadValue;
|
|
- }
|
|
- }
|
|
}
|
|
|
|
if (changes & XSyncCACounter) {
|