forked from pool/xorg-x11-server
Stefan Dirsch
37722e6dc6
* XkbGetKbdByName use-after-free (ZDI-CAN-19530, CVE-2022-4283, bsc#1206017) - U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch * Server XTestSwapFakeInput stack overflow (ZDI-CAN 19265, CVE-2022-46340, bsc#1205874) - U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch * Xi: return an error from XI property changes if verification failed (no ZDI-CAN id, no CVE id, bsc#1205875) - U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch * Server XIChangeProperty out-of-bounds access (ZDI-CAN 19405, CVE-2022-46344, bsc#1205876) - U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch * Server XIPassiveUngrabDevice out-of-bounds access (ZDI-CAN 19381, CVE-2022-46341, bsc#1205877) - U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch * Server ScreenSaverSetAttributes use-after-free (ZDI-CAN 19404, CVE-2022-46343, bsc#1205878) - U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch * Server XvdiSelectVideoNotify use-after-free (ZDI-CAN 19400, CVE-2022-46342, bsc#1205879) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=843
48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
From 06eb55528bb62f7418f740152642f2066d593bbf Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 29 Nov 2022 14:53:07 +1000
|
|
Subject: [PATCH xserver 5/6] Xext: free the screen saver resource when
|
|
replacing it
|
|
|
|
This fixes a use-after-free bug:
|
|
|
|
When a client first calls ScreenSaverSetAttributes(), a struct
|
|
ScreenSaverAttrRec is allocated and added to the client's
|
|
resources.
|
|
|
|
When the same client calls ScreenSaverSetAttributes() again, a new
|
|
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
|
|
old struct was freed but not removed from the clients resources.
|
|
|
|
Later, when the client is destroyed the resource system invokes
|
|
ScreenSaverFreeAttr and attempts to clean up the already freed struct.
|
|
|
|
Fix this by letting the resource system free the old attrs instead.
|
|
|
|
ZDI-CAN 19404
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xext/saver.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/Xext/saver.c b/Xext/saver.c
|
|
index f813ba08d1..fd6153c313 100644
|
|
--- a/Xext/saver.c
|
|
+++ b/Xext/saver.c
|
|
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
|
|
pVlist++;
|
|
}
|
|
if (pPriv->attr)
|
|
- FreeScreenAttr(pPriv->attr);
|
|
+ FreeResource(pPriv->attr->resource, AttrType);
|
|
pPriv->attr = pAttr;
|
|
pAttr->resource = FakeClientID(client->index);
|
|
if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
|
|
--
|
|
2.38.1
|
|
|