mirror of
https://git.yoctoproject.org/poky
synced 2026-07-01 23:13:38 +02:00
xserver-xorg: Fix CVE-2026-34001
Pick patch according to [1] [1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34001 (From OE-Core rev: b85d3abfc5a1fd05c3a82f1f03579df493094719) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
eefcaaa556
commit
f58a56f697
@@ -0,0 +1,104 @@
|
||||
From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Wed, 18 Feb 2026 16:23:23 +0100
|
||||
Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence()
|
||||
|
||||
As reported by valgrind:
|
||||
|
||||
== Invalid read of size 8
|
||||
== at 0x568C14: miSyncTriggerFence (misync.c:140)
|
||||
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
|
||||
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
|
||||
== by 0x4A28C5: Dispatch (dispatch.c:553)
|
||||
== by 0x4B0B24: dix_main (main.c:274)
|
||||
== by 0x42915E: main (stubmain.c:34)
|
||||
== Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
|
||||
== at 0x4843E43: free (vg_replace_malloc.c:990)
|
||||
== by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
|
||||
== by 0x53F14D: FreeAwait (sync.c:1208)
|
||||
== by 0x4DFB06: doFreeResource (resource.c:888)
|
||||
== by 0x4DFC59: FreeResource (resource.c:918)
|
||||
== by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
|
||||
== by 0x568C52: miSyncTriggerFence (misync.c:142)
|
||||
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
|
||||
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
|
||||
== by 0x4A28C5: Dispatch (dispatch.c:553)
|
||||
== by 0x4B0B24: dix_main (main.c:274)
|
||||
== by 0x42915E: main (stubmain.c:34)
|
||||
== Block was alloc'd at
|
||||
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
|
||||
== by 0x5E50E1: XNFalloc (utils.c:1129)
|
||||
== by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
|
||||
== by 0x53DCA8: SyncInitTrigger (sync.c:414)
|
||||
== by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
|
||||
== by 0x540D04: ProcSyncDispatch (sync.c:2160)
|
||||
== by 0x4A28C5: Dispatch (dispatch.c:553)
|
||||
== by 0x4B0B24: dix_main (main.c:274)
|
||||
== by 0x42915E: main (stubmain.c:34)
|
||||
|
||||
When walking the list of fences to trigger, miSyncTriggerFence() may
|
||||
call TriggerFence() for the current trigger, which end up calling the
|
||||
function SyncAwaitTriggerFired().
|
||||
|
||||
SyncAwaitTriggerFired() frees the entire await resource, which removes
|
||||
all triggers from that await - including pNext which may be another
|
||||
trigger from the same await attached to the same fence.
|
||||
|
||||
On the next iteration, ptl = pNext points to freed memory...
|
||||
|
||||
To avoid the issue, we need to restart the iteration from the beginning
|
||||
of the list each time a trigger fires, since the callback can modify the
|
||||
list.
|
||||
|
||||
CVE-2026-34001, ZDI-CAN-28706
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
|
||||
|
||||
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0]
|
||||
CVE: CVE-2026-34001
|
||||
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||
---
|
||||
miext/sync/misync.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/miext/sync/misync.c b/miext/sync/misync.c
|
||||
index 0931803..e11eba2 100644
|
||||
--- a/miext/sync/misync.c
|
||||
+++ b/miext/sync/misync.c
|
||||
@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence)
|
||||
void
|
||||
miSyncTriggerFence(SyncFence * pFence)
|
||||
{
|
||||
- SyncTriggerList *ptl, *pNext;
|
||||
+ SyncTriggerList *ptl;
|
||||
+ Bool triggered;
|
||||
|
||||
pFence->funcs.SetTriggered(pFence);
|
||||
|
||||
/* run through triggers to see if any fired */
|
||||
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
|
||||
- pNext = ptl->next;
|
||||
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0))
|
||||
- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
|
||||
- }
|
||||
+ do {
|
||||
+ triggered = FALSE;
|
||||
+ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) {
|
||||
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) {
|
||||
+ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
|
||||
+ triggered = TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ } while (triggered);
|
||||
}
|
||||
|
||||
SyncScreenFuncsPtr
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
|
||||
file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \
|
||||
file://CVE-2026-33999.patch \
|
||||
file://CVE-2026-34000.patch \
|
||||
file://CVE-2026-34001.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user