From b117556d8e8111f3e96fcf07da5bec0484e5f4db Mon Sep 17 00:00:00 2001 From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> Date: Sat, 5 Jul 2025 16:44:53 +0800 Subject: [PATCH] [CVE] CVE-2025-49176 to #21871 add patch to fix CVE-2025-49176 Project: TC2024080204 Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> --- 5-bugfix-for-CVE-2025-49176.patch | 88 +++++++++++++++++++++++++++++++ 6-bugfix-for-CVE-2025-49176.patch | 32 +++++++++++ xorg-x11-server.spec | 7 ++- 3 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 5-bugfix-for-CVE-2025-49176.patch create mode 100644 6-bugfix-for-CVE-2025-49176.patch diff --git a/5-bugfix-for-CVE-2025-49176.patch b/5-bugfix-for-CVE-2025-49176.patch new file mode 100644 index 0000000..8c6251d --- /dev/null +++ b/5-bugfix-for-CVE-2025-49176.patch @@ -0,0 +1,88 @@ +From 57248c57e971bb7cc0ccae6de4c49a49ff13b45c Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows request larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa) +--- + dix/dispatch.c | 9 +++++---- + os/io.c | 4 ++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 6f4e349e0..15e63e22a 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -518,9 +518,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -541,7 +542,7 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 5b7fac349..5fc05821c 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.49.0 + diff --git a/6-bugfix-for-CVE-2025-49176.patch b/6-bugfix-for-CVE-2025-49176.patch new file mode 100644 index 0000000..7bd7f65 --- /dev/null +++ b/6-bugfix-for-CVE-2025-49176.patch @@ -0,0 +1,32 @@ +From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Jun 2025 08:39:02 +0200 +Subject: [PATCH] os: Check for integer overflow on BigRequest length + +Check for another possible integer overflow once we get a complete xReq +with BigRequest. + +Related to CVE-2025-49176 + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Harris +--- + os/io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/os/io.c b/os/io.c +index e7b76b9cea..167b40a720 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) ++ return -(BadLength); + needed <<= 2; + } + if (gotnow < needed) { +-- +GitLab + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index bf7c7a0..669da3a 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -1,4 +1,4 @@ -%define anolis_release 14 +%define anolis_release 15 # X.org requires lazy relocations to work. %undefine _hardened_build %undefine _strict_symbol_defs_build @@ -45,6 +45,8 @@ Patch3: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch # Fix compilation error on i686 (21.1.14+) # https://gitlab.freedesktop.org/xorg/xserver/-/commit/8407181c7dfe14086d99697af0b86120320ab73e Patch4: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch +Patch5: 5-bugfix-for-CVE-2025-49176.patch +Patch6: 6-bugfix-for-CVE-2025-49176.patch BuildRequires: bison BuildRequires: flex @@ -418,6 +420,9 @@ find %{buildroot} -type f -name '*.la' -delete %changelog +* Sat Jul 05 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 21.1.13-15 +- Fix CVE-2025-49176 + * Tue Oct 8 2024 Tingyin Duan - 21.1.13-14 - initial from Fedora Rawhide -- Gitee