From: Vijay Anusuri <[email protected]> Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
Signed-off-by: Vijay Anusuri <[email protected]> --- .../xserver-xorg/CVE-2025-26594-1.patch | 54 +++++++++++++++++++ .../xserver-xorg/CVE-2025-26594-2.patch | 51 ++++++++++++++++++ .../xorg-xserver/xserver-xorg_21.1.8.bb | 2 + 3 files changed, 107 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch new file mode 100644 index 0000000000..f34a89e6ea --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch @@ -0,0 +1,54 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <[email protected]> +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +<[email protected]>) +v3: Return BadCursor instead of BadValue (Michel Danzer +<[email protected]>) + +Signed-off-by: Olivier Fourdan <[email protected]> +Suggested-by: Peter Hutterer <[email protected]> +Reviewed-by: Peter Hutterer <[email protected]> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri <[email protected]> +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..30b95c1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..6ebf540ab9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch @@ -0,0 +1,51 @@ +From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <[email protected]> +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH] dix: keep a ref to the rootCursor + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan <[email protected]> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri <[email protected]> +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index bfc8add..38e29ce 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -231,6 +231,8 @@ dix_main(int argc, char *argv[], char *envp[]) + FatalError("could not open default cursor font"); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -271,6 +273,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index a9cb1b5bde..11003db04d 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb @@ -22,6 +22,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ file://CVE-2024-9632.patch \ + file://CVE-2025-26594-1.patch \ + file://CVE-2025-26594-2.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#212023): https://lists.openembedded.org/g/openembedded-core/message/212023 Mute This Topic: https://lists.openembedded.org/mt/111419333/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
