Stefan Dirsch
64a4180db5
* Out-of-bounds access in X Rendering extension (Animated cursors)
(CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
* Integer overflow in Big Requests Extension
(CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
* Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
(CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
* Unprocessed client request via bytes to ignore
(CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
* Integer overflow in X Record extension
(CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
* Integer overflow in RandR extension (RRChangeProviderProperty)
(CVE-2025-49180, bsc#1244090)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=102
81 lines
2.7 KiB
Diff
81 lines
2.7 KiB
Diff
From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 20 Jan 2025 16:54:30 +0100
|
|
Subject: [PATCH xserver 2/4] sync: Check values before applying changes
|
|
|
|
In SyncInitTrigger(), we would set the CheckTrigger function before
|
|
validating the counter value.
|
|
|
|
As a result, if the counter value overflowed, we would leave the
|
|
function SyncInitTrigger() with the CheckTrigger applied but without
|
|
updating the trigger object.
|
|
|
|
To avoid that issue, move the portion of code checking for the trigger
|
|
check value before updating the CheckTrigger function.
|
|
|
|
Related to CVE-2025-26601, ZDI-CAN-25870
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xext/sync.c | 36 ++++++++++++++++++------------------
|
|
1 file changed, 18 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/Xext/sync.c b/Xext/sync.c
|
|
index 4267d3af6..4eab5a6ac 100644
|
|
--- a/Xext/sync.c
|
|
+++ b/Xext/sync.c
|
|
@@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
|
}
|
|
}
|
|
|
|
+ if (changes & (XSyncCAValueType | XSyncCAValue)) {
|
|
+ if (pTrigger->value_type == XSyncAbsolute)
|
|
+ pTrigger->test_value = pTrigger->wait_value;
|
|
+ else { /* relative */
|
|
+ Bool overflow;
|
|
+
|
|
+ if (pCounter == NULL)
|
|
+ return BadMatch;
|
|
+
|
|
+ overflow = checked_int64_add(&pTrigger->test_value,
|
|
+ pCounter->value, pTrigger->wait_value);
|
|
+ if (overflow) {
|
|
+ client->errorValue = pTrigger->wait_value >> 32;
|
|
+ return BadValue;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
if (changes & XSyncCATestType) {
|
|
|
|
if (pSync && SYNC_FENCE == pSync->type) {
|
|
@@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
|
}
|
|
}
|
|
|
|
- if (changes & (XSyncCAValueType | XSyncCAValue)) {
|
|
- if (pTrigger->value_type == XSyncAbsolute)
|
|
- pTrigger->test_value = pTrigger->wait_value;
|
|
- else { /* relative */
|
|
- Bool overflow;
|
|
-
|
|
- if (pCounter == NULL)
|
|
- return BadMatch;
|
|
-
|
|
- overflow = checked_int64_add(&pTrigger->test_value,
|
|
- pCounter->value, pTrigger->wait_value);
|
|
- if (overflow) {
|
|
- client->errorValue = pTrigger->wait_value >> 32;
|
|
- return BadValue;
|
|
- }
|
|
- }
|
|
- }
|
|
-
|
|
if (changes & XSyncCACounter) {
|
|
if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
|
SyncDeleteTriggerFromSyncObject(pTrigger);
|
|
--
|
|
2.48.1
|
|
|