forked from pool/xorg-x11-server
Accepting request 1166666 from X11:XOrg
- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, boo#1222442, gitlab xserver issue #1659) OBS-URL: https://build.opensuse.org/request/show/1166666 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=430
This commit is contained in:
commit
6a5a8cfee5
74
U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
Normal file
74
U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
Date: Fri, 5 Apr 2024 15:24:49 +0200
|
||||||
|
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
|
||||||
|
|
||||||
|
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
|
||||||
|
then frees it using FreeGlyph() to decrease the reference count, after
|
||||||
|
AddGlyph() has increased it.
|
||||||
|
|
||||||
|
AddGlyph() however may chose to reuse an existing glyph if it's already
|
||||||
|
in the glyphSet, and free the glyph that was given, in which case the
|
||||||
|
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
|
||||||
|
already freed glyph, as reported by ASan:
|
||||||
|
|
||||||
|
READ of size 4 thread T0
|
||||||
|
#0 in FreeGlyph xserver/render/glyph.c:252
|
||||||
|
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
|
||||||
|
#2 in Dispatch xserver/dix/dispatch.c:546
|
||||||
|
#3 in dix_main xserver/dix/main.c:271
|
||||||
|
#4 in main xserver/dix/stubmain.c:34
|
||||||
|
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||||
|
#6 in __libc_start_main_impl ../csu/libc-start.c:360
|
||||||
|
#7 (/usr/bin/Xwayland+0x44fe4)
|
||||||
|
Address is located 0 bytes inside of 64-byte region
|
||||||
|
freed by thread T0 here:
|
||||||
|
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
|
||||||
|
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
|
||||||
|
#2 in AddGlyph xserver/render/glyph.c:295
|
||||||
|
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
|
||||||
|
#4 in Dispatch xserver/dix/dispatch.c:546
|
||||||
|
#5 in dix_main xserver/dix/main.c:271
|
||||||
|
#6 in main xserver/dix/stubmain.c:34
|
||||||
|
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||||
|
previously allocated by thread T0 here:
|
||||||
|
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
|
||||||
|
#1 in AllocateGlyph xserver/render/glyph.c:355
|
||||||
|
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
|
||||||
|
#3 in Dispatch xserver/dix/dispatch.c:546
|
||||||
|
#4 in dix_main xserver/dix/main.c:271
|
||||||
|
#5 in main xserver/dix/stubmain.c:34
|
||||||
|
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||||
|
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
|
||||||
|
|
||||||
|
To avoid that, make sure not to free the given glyph in AddGlyph().
|
||||||
|
|
||||||
|
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
|
||||||
|
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
|
||||||
|
|
||||||
|
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
|
||||||
|
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
||||||
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||||
|
(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
|
||||||
|
---
|
||||||
|
render/glyph.c | 2 --
|
||||||
|
1 file changed, 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/render/glyph.c b/render/glyph.c
|
||||||
|
index d5fc5f3c9..f5069d42f 100644
|
||||||
|
--- a/render/glyph.c
|
||||||
|
+++ b/render/glyph.c
|
||||||
|
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
|
||||||
|
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
|
||||||
|
TRUE, glyph->sha1);
|
||||||
|
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
|
||||||
|
- FreeGlyphPicture(glyph);
|
||||||
|
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
|
||||||
|
glyph = gr->glyph;
|
||||||
|
}
|
||||||
|
else if (gr->glyph != glyph) {
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 10 13:20:43 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||||
|
* fixes regression for security fix for CVE-2024-31083 (bsc#1222312,
|
||||||
|
boo#1222442, gitlab xserver issue #1659)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Apr 4 08:13:19 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
Thu Apr 4 08:13:19 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
@ -240,6 +240,7 @@ Patch1930: u_xfree86-activate-GPU-screens-on-autobind.patch
|
|||||||
Patch1960: u_sync-pci-ids-with-Mesa.patch
|
Patch1960: u_sync-pci-ids-with-Mesa.patch
|
||||||
|
|
||||||
Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch
|
Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch
|
||||||
|
Patch1222442: U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the X.Org Server.
|
This package contains the X.Org Server.
|
||||||
@ -398,6 +399,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
|||||||
|
|
||||||
%patch -P 1218176 -p1
|
%patch -P 1218176 -p1
|
||||||
|
|
||||||
|
%patch -P 1222442 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# We have some -z now related errors during X default startup (boo#1197994):
|
# We have some -z now related errors during X default startup (boo#1197994):
|
||||||
# - when loading modesetting: gbm_bo_get_plane_count
|
# - when loading modesetting: gbm_bo_get_plane_count
|
||||||
|
Loading…
Reference in New Issue
Block a user