wok-current view xorg-server/stuff/CVE-2022-46342.patch @ rev 25634
Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
| author | Stanislas Leduc <shann@slitaz.org> |
|---|---|
| date | Sun Jan 14 08:12:37 2024 +0000 (20 months ago) |
| parents | |
| children |
line source
1 From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Wed, 30 Nov 2022 11:20:40 +1000
4 Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
5 client
7 This fixes a use-after-free bug:
9 When a client first calls XvdiSelectVideoNotify() on a drawable with a
10 TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
11 is added twice to the resources:
12 - as the drawable's XvRTVideoNotifyList. This happens only once per
13 drawable, subsequent calls append to this list.
14 - as the client's XvRTVideoNotify. This happens for every client.
16 The struct keeps the ClientPtr around once it has been added for a
17 client. The idea, presumably, is that if the client disconnects we can remove
18 all structs from the drawable's list that match the client (by resetting
19 the ClientPtr to NULL), but if the drawable is destroyed we can remove
20 and free the whole list.
22 However, if the same client then calls XvdiSelectVideoNotify() on the
23 same drawable with a FALSE onoff argument, only the ClientPtr on the
24 existing struct was set to NULL. The struct itself remained in the
25 client's resources.
27 If the drawable is now destroyed, the resource system invokes
28 XvdiDestroyVideoNotifyList which frees the whole list for this drawable
29 - including our struct. This function however does not free the resource
30 for the client since our ClientPtr is NULL.
32 Later, when the client is destroyed and the resource system invokes
33 XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
34 a struct that has been freed previously. This is generally frowned upon.
36 Fix this by calling FreeResource() on the second call instead of merely
37 setting the ClientPtr to NULL. This removes the struct from the client
38 resources (but not from the list), ensuring that it won't be accessed
39 again when the client quits.
41 Note that the assignment tpn->client = NULL; is superfluous since the
42 XvdiDestroyVideoNotify function will do this anyway. But it's left for
43 clarity and to match a similar invocation in XvdiSelectPortNotify.
45 CVE-2022-46342, ZDI-CAN 19400
47 This vulnerability was discovered by:
48 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
50 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
51 Acked-by: Olivier Fourdan <ofourdan@redhat.com>
52 ---
53 Xext/xvmain.c | 4 +++-
54 1 file changed, 3 insertions(+), 1 deletion(-)
56 diff --git a/Xext/xvmain.c b/Xext/xvmain.c
57 index f62747193..2a08f8744 100644
58 --- a/Xext/xvmain.c
59 +++ b/Xext/xvmain.c
60 @@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
61 tpn = pn;
62 while (tpn) {
63 if (tpn->client == client) {
64 - if (!onoff)
65 + if (!onoff) {
66 tpn->client = NULL;
67 + FreeResource(tpn->id, XvRTVideoNotify);
68 + }
69 return Success;
70 }
71 if (!tpn->client)
72 --
73 GitLab