mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
xserver-xorg: Fix for CVE-2025-49180
Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d (From OE-Core rev: 88abe8ec73f822b461670557539a7df0875325cc) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
committed by
Steve Sakoman
parent
d0fd4d9160
commit
96973ede70
@@ -0,0 +1,44 @@
|
|||||||
|
From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Date: Tue, 20 May 2025 15:18:19 +0200
|
||||||
|
Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
|
||||||
|
|
||||||
|
A client might send a request causing an integer overflow when computing
|
||||||
|
the total size to allocate in RRChangeProviderProperty().
|
||||||
|
|
||||||
|
To avoid the issue, check that total length in bytes won't exceed the
|
||||||
|
maximum integer value.
|
||||||
|
|
||||||
|
CVE-2025-49180
|
||||||
|
|
||||||
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||||
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||||
|
|
||||||
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
|
||||||
|
CVE: CVE-2025-49180
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
randr/rrproviderproperty.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||||
|
index 69f66ed278..0c3dcd1bc5 100644
|
||||||
|
--- a/randr/rrproviderproperty.c
|
||||||
|
+++ b/randr/rrproviderproperty.c
|
||||||
|
@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
|
||||||
|
|
||||||
|
if (mode == PropModeReplace || len > 0) {
|
||||||
|
void *new_data = NULL, *old_data = NULL;
|
||||||
|
-
|
||||||
|
+ if (total_len > MAXINT / size_in_bytes)
|
||||||
|
+ return BadValue;
|
||||||
|
total_size = total_len * size_in_bytes;
|
||||||
|
new_value.data = (void *) malloc(total_size);
|
||||||
|
if (!new_value.data && total_size) {
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
||||||
@@ -0,0 +1,52 @@
|
|||||||
|
From 0235121c6a7a6eb247e2addb3b41ed6ef566853d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Date: Mon, 28 Apr 2025 14:59:46 +0200
|
||||||
|
Subject: [PATCH] xfree86: Check for RandR provider functions
|
||||||
|
|
||||||
|
Changing XRandR provider properties if the driver has set no provider
|
||||||
|
function such as the modesetting driver will cause a NULL pointer
|
||||||
|
dereference and a crash of the Xorg server.
|
||||||
|
|
||||||
|
Related to CVE-2025-49180
|
||||||
|
|
||||||
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||||
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||||
|
|
||||||
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d]
|
||||||
|
CVE: CVE-2025-49180
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
hw/xfree86/modes/xf86RandR12.c | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
|
||||||
|
index ddcf5e748a..bf33da377a 100644
|
||||||
|
--- a/hw/xfree86/modes/xf86RandR12.c
|
||||||
|
+++ b/hw/xfree86/modes/xf86RandR12.c
|
||||||
|
@@ -2146,7 +2146,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
|
||||||
|
/* If we don't have any property handler, then we don't care what the
|
||||||
|
* user is setting properties to.
|
||||||
|
*/
|
||||||
|
- if (config->provider_funcs->set_property == NULL)
|
||||||
|
+ if (config->provider_funcs == NULL ||
|
||||||
|
+ config->provider_funcs->set_property == NULL)
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -2164,7 +2165,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
|
||||||
|
ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
|
||||||
|
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
|
||||||
|
|
||||||
|
- if (config->provider_funcs->get_property == NULL)
|
||||||
|
+ if (config->provider_funcs == NULL ||
|
||||||
|
+ config->provider_funcs->get_property == NULL)
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
/* Should be safe even w/o vtSema */
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
||||||
@@ -42,6 +42,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
|
|||||||
file://CVE-2025-49177.patch \
|
file://CVE-2025-49177.patch \
|
||||||
file://CVE-2025-49178.patch \
|
file://CVE-2025-49178.patch \
|
||||||
file://CVE-2025-49179.patch \
|
file://CVE-2025-49179.patch \
|
||||||
|
file://CVE-2025-49180-1.patch \
|
||||||
|
file://CVE-2025-49180-2.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
|
SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user