xorg-x11-server/U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch

From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 16:52:01 +0100
Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized

When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.

SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.

Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.

This can be used to cause a use after free when the alarm eventually
triggers.

To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.

CVE-2025-26601, ZDI-CAN-25870

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 Xext/sync.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

Index: xwayland-22.1.5/Xext/sync.c
===================================================================
--- xwayland-22.1.5.orig/Xext/sync.c
+++ xwayland-22.1.5/Xext/sync.c
@@ -329,11 +329,6 @@ SyncInitTrigger(ClientPtr client, SyncTr
             client->errorValue = syncObject;
             return rc;
         }
-        if (pSync != pTrigger->pSync) { /* new counter for trigger */
-            SyncDeleteTriggerFromSyncObject(pTrigger);
-            pTrigger->pSync = pSync;
-            newSyncObject = TRUE;
-        }
     }
 
     /* if system counter, ask it what the current value is */
@@ -401,6 +396,14 @@ SyncInitTrigger(ClientPtr client, SyncTr
         }
     }
 
+    if (changes & XSyncCACounter) {
+        if (pSync != pTrigger->pSync) { /* new counter for trigger */
+            SyncDeleteTriggerFromSyncObject(pTrigger);
+            pTrigger->pSync = pSync;
+            newSyncObject = TRUE;
+        }
+    }
+
     /*  we wait until we're sure there are no errors before registering
      *  a new counter on a trigger
      */