From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Tue, 17 Dec 2024 15:19:45 +0100
Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow()

The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error. However that failure code path will shortcut the validation of the window tree marked just before, which leaves the validate data partly initialized. That causes a use of uninitialized pointer later. The fix is to not shortcut the call to compHandleMarkedWindows() even in the case of compCheckRedirect() returning an error.

CVE-2025-26599, ZDI-CAN-25851

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan
Acked-by: Peter Hutterer
Part-of:
---
 composite/compalloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/composite/compalloc.c b/composite/compalloc.c
index f7048a75b5..7cf7351e00 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
     WindowPtr pLayerWin;
     Bool anyMarked = FALSE;
+    int status = Success;
 
     if (pWin == cs->pOverlayWin) {
         return Success;
@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
 
     if (!compCheckRedirect(pWin)) {
         FreeResource(ccw->id, RT_NONE);
-        return BadAlloc;
+        status = BadAlloc;
     }
 
     if (anyMarked)
         compHandleMarkedWindows(pWin, pLayerWin);
 
-    return Success;
+    return status;
 }
 
 void
-- 
GitLab

From 9a5a5b2972539ba5ef16dbc802c4eb87c9226d4e Mon Sep 17 00:00:00 2001
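Review bot: After `FreeResource(ccw->id, RT_NONE)` the failure branch now falls through to `compHandleMarkedWindows(pWin, pLayerWin)`, and nothing in the hunk records why the tree still has to be validated on the error path, which is the whole point of the fix. A one-line comment above `status = BadAlloc;` would stop a future cleanup from reinstating the early return: `/* Do not return yet: the windows marked above must still be validated by compHandleMarkedWindows(), otherwise their validate data is left half-initialized */`. Whether the resource callback triggered by FreeResource itself touches the marked tree cannot be seen from this hunk; if it can, the ordering of the free and the validation deserves a second look. compRedirectWindow's body, including the marking the note refers to, begins outside the hunk.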
From: Olivier Fourdan
Date: Mon, 13 Jan 2025 16:09:43 +0100
Subject: [PATCH xserver 08/13] composite: initialize border clip even when pixmap alloc fails

If it fails to allocate the pixmap, the function compAllocPixmap() would return early and leave the borderClip region uninitialized, which may lead to the use of uninitialized value as reported by valgrind:

Conditional jump or move depends on uninitialised value(s) at 0x4F9B33: compClipNotify (compwindow.c:317) by 0x484FC9: miComputeClips (mivaltree.c:476) by 0x48559A: miValidateTree (mivaltree.c:679) by 0x4F0685: MapWindow (window.c:2693) by 0x4A344A: ProcMapWindow (dispatch.c:922) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Uninitialised value was created by a heap allocation at 0x4841866: malloc (vg_replace_malloc.c:446) by 0x4F47BC: compRedirectWindow (compalloc.c:171) by 0x4FA8AD: compCreateWindow (compwindow.c:592) by 0x4EBB89: CreateWindow (window.c:925) by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Conditional jump or move depends on uninitialised value(s) at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) by 0x4F9255: RegionTranslate (regionstr.h:312) by 0x4F9B7E: compClipNotify (compwindow.c:319) by 0x484FC9: miComputeClips (mivaltree.c:476) by 0x48559A: miValidateTree (mivaltree.c:679) by 0x4F0685: MapWindow (window.c:2693) by 0x4A344A: ProcMapWindow (dispatch.c:922) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Uninitialised value was created by a heap allocation at 0x4841866: malloc (vg_replace_malloc.c:446) by 0x4F47BC: compRedirectWindow (compalloc.c:171) by 0x4FA8AD: compCreateWindow (compwindow.c:592) by 0x4EBB89: CreateWindow (window.c:925) by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main
(main.c:282) by 0x429233: main (stubmain.c:34) Conditional jump or move depends on uninitialised value(s) at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) by 0x4F9255: RegionTranslate (regionstr.h:312) by 0x4F9B7E: compClipNotify (compwindow.c:319) by 0x484FC9: miComputeClips (mivaltree.c:476) by 0x48559A: miValidateTree (mivaltree.c:679) by 0x4F0685: MapWindow (window.c:2693) by 0x4A344A: ProcMapWindow (dispatch.c:922) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Uninitialised value was created by a heap allocation at 0x4841866: malloc (vg_replace_malloc.c:446) by 0x4F47BC: compRedirectWindow (compalloc.c:171) by 0x4FA8AD: compCreateWindow (compwindow.c:592) by 0x4EBB89: CreateWindow (window.c:925) by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34)

Fix compAllocPixmap() to initialize the border clip even if the creation of the backing pixmap has failed, to avoid depending later on uninitialized border clip values.

Related to CVE-2025-26599, ZDI-CAN-25851

Signed-off-by: Olivier Fourdan
Acked-by: Peter Hutterer
(cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598)
Part-of:
---
 composite/compalloc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/composite/compalloc.c b/composite/compalloc.c
index 55a1b725a..d1c205ca0 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -604,9 +604,12 @@ compAllocPixmap(WindowPtr pWin)
     int h = pWin->drawable.height + (bw << 1);
     PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
     CompWindowPtr cw = GetCompWindow(pWin);
+    Bool status;
 
-    if (!pPixmap)
-        return FALSE;
+    if (!pPixmap) {
+        status = FALSE;
+        goto out;
+    }
     if (cw->update == CompositeRedirectAutomatic)
         pWin->redirectDraw = RedirectDrawAutomatic;
     else
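Review bot: `Bool status;` is declared without an initializer and is only assigned on the two paths visible here, so any future early `goto out` inserted between the declaration and the final `status = TRUE;` would reach `return status` with an indeterminate value — the same class of bug this series is fixing. Initializing it at the declaration, `Bool status = FALSE;`, and dropping the `status = FALSE;` assignment in the failure branch makes failure the default and the success assignment the only write. Note also that the new `goto out` path reaches code that dereferences `cw` after `compNewPixmap()` failed, whereas before the function returned without touching `cw` on that path; the original success path already dereferenced `cw`, so GetCompWindow() is presumably guaranteed non-NULL for a window that reaches this function, but that is inferred rather than visible. compAllocPixmap's body begins before and ends after this hunk.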
@@ -620,14 +623,16 @@ compAllocPixmap(WindowPtr pWin)
         DamageRegister(&pWin->drawable, cw->damage);
         cw->damageRegistered = TRUE;
     }
+    status = TRUE;
 
+out:
     /* Make sure our borderClip is up to date */
     RegionUninit(&cw->borderClip);
     RegionCopy(&cw->borderClip, &pWin->borderClip);
     cw->borderClipX = pWin->drawable.x;
     cw->borderClipY = pWin->drawable.y;
 
-    return TRUE;
+    return status;
 }
 
 void
-- 
2.48.1
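Review bot: The comment under the new `out:` label still reads `/* Make sure our borderClip is up to date */`, which no longer states the property the label exists for: the border clip is now initialized even when the backing pixmap could not be allocated, because compClipNotify() reads it afterwards regardless of the return value (per the valgrind trace in the commit message). Suggest extending it to `/* Reached on failure too: compClipNotify() reads borderClip whether or not the pixmap was allocated, so it must always be initialized here */` so the next reader does not move the label below this block. compAllocPixmap's body starts outside this hunk.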