xwayland: Fix CVE-2026-34001

Pick patch according to [2]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34001

(From OE-Core rev: 1411caa0781811b7ee452edb04ffdcf3acc92a91)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Vijay Anusuri
2026-06-19 19:37:48 +05:30
committed by Paul Barker
parent de68828aa2
commit f54d73ee0d
2 changed files with 105 additions and 0 deletions

View File

@@ -0,0 +1,104 @@
From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 16:23:23 +0100
Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence()
As reported by valgrind:
== Invalid read of size 8
== at 0x568C14: miSyncTriggerFence (misync.c:140)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
== at 0x4843E43: free (vg_replace_malloc.c:990)
== by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
== by 0x53F14D: FreeAwait (sync.c:1208)
== by 0x4DFB06: doFreeResource (resource.c:888)
== by 0x4DFC59: FreeResource (resource.c:918)
== by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
== by 0x568C52: miSyncTriggerFence (misync.c:142)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Block was alloc'd at
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E50E1: XNFalloc (utils.c:1129)
== by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
== by 0x53DCA8: SyncInitTrigger (sync.c:414)
== by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
== by 0x540D04: ProcSyncDispatch (sync.c:2160)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
When walking the list of fences to trigger, miSyncTriggerFence() may
call TriggerFence() for the current trigger, which end up calling the
function SyncAwaitTriggerFired().
SyncAwaitTriggerFired() frees the entire await resource, which removes
all triggers from that await - including pNext which may be another
trigger from the same await attached to the same fence.
On the next iteration, ptl = pNext points to freed memory...
To avoid the issue, we need to restart the iteration from the beginning
of the list each time a trigger fires, since the callback can modify the
list.
CVE-2026-34001, ZDI-CAN-28706
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0]
CVE: CVE-2026-34001
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
miext/sync/misync.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/miext/sync/misync.c b/miext/sync/misync.c
index 0931803..e11eba2 100644
--- a/miext/sync/misync.c
+++ b/miext/sync/misync.c
@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence)
void
miSyncTriggerFence(SyncFence * pFence)
{
- SyncTriggerList *ptl, *pNext;
+ SyncTriggerList *ptl;
+ Bool triggered;
pFence->funcs.SetTriggered(pFence);
/* run through triggers to see if any fired */
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
- pNext = ptl->next;
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0))
- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
- }
+ do {
+ triggered = FALSE;
+ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) {
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) {
+ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+ triggered = TRUE;
+ break;
+ }
+ }
+ } while (triggered);
}
SyncScreenFuncsPtr
--
2.43.0

View File

@@ -37,6 +37,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-62231.patch \
file://CVE-2026-33999.patch \
file://CVE-2026-34000.patch \
file://CVE-2026-34001.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"