Peter Hutterer 75e6f92
From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when
 replacing it
This fixes a use-after-free bug:
When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.
When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the client's resources.
Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.
Fix this by letting the resource system free the old attrs instead.
CVE-2022-46343, ZDI-CAN 19404
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/saver.c b/Xext/saver.c
index f813ba08d1..fd6153c313 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
         pVlist++;
     }
     if (pPriv->attr)
-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
     pPriv->attr = pAttr;
     pAttr->resource = FakeClientID(client->index);
     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
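Review bot: at the replaced line in ScreenSaverSetAttributes(), FreeResource(pPriv->attr->resource, AttrType) now runs the AttrType delete callback (ScreenSaverFreeAttr, per the commit message) while pPriv->attr still points at the old struct, and the very next line writes pPriv->attr = pAttr. Please confirm, ideally in a short comment above the call, that the callback cannot release or reset pPriv itself when the old attrs go away; if it can, the assignment that follows would touch freed memory and pPriv should be re-fetched after FreeResource() returns.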
-- 
2.38.1