forked from pool/xorg-x11-server
Accepting request 1166666 from X11:XOrg
- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, boo#1222442, gitlab xserver issue #1659) OBS-URL: https://build.opensuse.org/request/show/1166666 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=430
This commit is contained in:
commit
6a5a8cfee5
74
U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
Normal file
74
U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 5 Apr 2024 15:24:49 +0200
|
||||
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
|
||||
|
||||
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
|
||||
then frees it using FreeGlyph() to decrease the reference count, after
|
||||
AddGlyph() has increased it.
|
||||
|
||||
AddGlyph() however may chose to reuse an existing glyph if it's already
|
||||
in the glyphSet, and free the glyph that was given, in which case the
|
||||
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
|
||||
already freed glyph, as reported by ASan:
|
||||
|
||||
READ of size 4 thread T0
|
||||
#0 in FreeGlyph xserver/render/glyph.c:252
|
||||
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
|
||||
#2 in Dispatch xserver/dix/dispatch.c:546
|
||||
#3 in dix_main xserver/dix/main.c:271
|
||||
#4 in main xserver/dix/stubmain.c:34
|
||||
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
#6 in __libc_start_main_impl ../csu/libc-start.c:360
|
||||
#7 (/usr/bin/Xwayland+0x44fe4)
|
||||
Address is located 0 bytes inside of 64-byte region
|
||||
freed by thread T0 here:
|
||||
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
|
||||
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
|
||||
#2 in AddGlyph xserver/render/glyph.c:295
|
||||
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
|
||||
#4 in Dispatch xserver/dix/dispatch.c:546
|
||||
#5 in dix_main xserver/dix/main.c:271
|
||||
#6 in main xserver/dix/stubmain.c:34
|
||||
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
previously allocated by thread T0 here:
|
||||
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
|
||||
#1 in AllocateGlyph xserver/render/glyph.c:355
|
||||
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
|
||||
#3 in Dispatch xserver/dix/dispatch.c:546
|
||||
#4 in dix_main xserver/dix/main.c:271
|
||||
#5 in main xserver/dix/stubmain.c:34
|
||||
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
|
||||
|
||||
To avoid that, make sure not to free the given glyph in AddGlyph().
|
||||
|
||||
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
|
||||
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
|
||||
|
||||
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
|
||||
---
|
||||
render/glyph.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/render/glyph.c b/render/glyph.c
|
||||
index d5fc5f3c9..f5069d42f 100644
|
||||
--- a/render/glyph.c
|
||||
+++ b/render/glyph.c
|
||||
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
|
||||
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
|
||||
TRUE, glyph->sha1);
|
||||
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
|
||||
- FreeGlyphPicture(glyph);
|
||||
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
|
||||
glyph = gr->glyph;
|
||||
}
|
||||
else if (gr->glyph != glyph) {
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 10 13:20:43 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||
* fixes regression for security fix for CVE-2024-31083 (bsc#1222312,
|
||||
boo#1222442, gitlab xserver issue #1659)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 4 08:13:19 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
|
@ -240,6 +240,7 @@ Patch1930: u_xfree86-activate-GPU-screens-on-autobind.patch
|
||||
Patch1960: u_sync-pci-ids-with-Mesa.patch
|
||||
|
||||
Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch
|
||||
Patch1222442: U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||
|
||||
%description
|
||||
This package contains the X.Org Server.
|
||||
@ -398,6 +399,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
||||
|
||||
%patch -P 1218176 -p1
|
||||
|
||||
%patch -P 1222442 -p1
|
||||
|
||||
%build
|
||||
# We have some -z now related errors during X default startup (boo#1197994):
|
||||
# - when loading modesetting: gbm_bo_get_plane_count
|
||||
|
Loading…
Reference in New Issue
Block a user