mirror of
https://git.yoctoproject.org/poky
synced 2026-01-29 21:08:42 +01:00
xserver-xorg: Fix for CVE-2025-62231
Upstream-Status: Backport from 3baad99f9c
(From OE-Core rev: 05fe08caa0d4bd30510b496a300731a9754f24b8)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
committed by
Steve Sakoman
Steve Sakoman
parent
73e3da5d44
commit
748f958fd3
@@ -0,0 +1,53 @@
|
|||||||
|
From 3baad99f9c15028ed8c3e3d8408e5ec35db155aa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Date: Wed, 10 Sep 2025 16:30:29 +0200
|
||||||
|
Subject: [PATCH] xkb: Prevent overflow in XkbSetCompatMap()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The XkbCompatMap structure stores its "num_si" and "size_si" fields
|
||||||
|
using an unsigned short.
|
||||||
|
|
||||||
|
However, the function _XkbSetCompatMap() will store the sum of the
|
||||||
|
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
|
||||||
|
"size_si" without first checking if the sum overflows the maximum
|
||||||
|
unsigned short value, leading to a possible overflow.
|
||||||
|
|
||||||
|
To avoid the issue, check whether the sum does not exceed the maximum
|
||||||
|
unsigned short value, or return a "BadValue" error otherwise.
|
||||||
|
|
||||||
|
CVE-2025-62231, ZDI-CAN-27560
|
||||||
|
|
||||||
|
This vulnerability was discovered by:
|
||||||
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||||
|
|
||||||
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
||||||
|
(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa]
|
||||||
|
CVE: CVE-2025-62231
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
xkb/xkb.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||||
|
index 26d965d482..137d70da27 100644
|
||||||
|
--- a/xkb/xkb.c
|
||||||
|
+++ b/xkb/xkb.c
|
||||||
|
@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||||
|
XkbSymInterpretPtr sym;
|
||||||
|
unsigned int skipped = 0;
|
||||||
|
|
||||||
|
+ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
|
||||||
|
+ return BadValue;
|
||||||
|
if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||||
|
compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||||
|
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
||||||
@@ -47,6 +47,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
|
|||||||
file://CVE-2025-62229.patch \
|
file://CVE-2025-62229.patch \
|
||||||
file://CVE-2025-62230-1.patch \
|
file://CVE-2025-62230-1.patch \
|
||||||
file://CVE-2025-62230-2.patch \
|
file://CVE-2025-62230-2.patch \
|
||||||
|
file://CVE-2025-62231.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
|
SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user