Import from CS git
This commit is contained in:
parent
2e7d0ab8e7
commit
1b39863d2a
@ -1,72 +0,0 @@
|
|||||||
From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
||||||
Date: Fri, 5 Apr 2024 15:24:49 +0200
|
|
||||||
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
|
|
||||||
|
|
||||||
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
|
|
||||||
then frees it using FreeGlyph() to decrease the reference count, after
|
|
||||||
AddGlyph() has increased it.
|
|
||||||
|
|
||||||
AddGlyph() however may chose to reuse an existing glyph if it's already
|
|
||||||
in the glyphSet, and free the glyph that was given, in which case the
|
|
||||||
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
|
|
||||||
already freed glyph, as reported by ASan:
|
|
||||||
|
|
||||||
READ of size 4 thread T0
|
|
||||||
#0 in FreeGlyph xserver/render/glyph.c:252
|
|
||||||
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
|
|
||||||
#2 in Dispatch xserver/dix/dispatch.c:546
|
|
||||||
#3 in dix_main xserver/dix/main.c:271
|
|
||||||
#4 in main xserver/dix/stubmain.c:34
|
|
||||||
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
||||||
#6 in __libc_start_main_impl ../csu/libc-start.c:360
|
|
||||||
#7 (/usr/bin/Xwayland+0x44fe4)
|
|
||||||
Address is located 0 bytes inside of 64-byte region
|
|
||||||
freed by thread T0 here:
|
|
||||||
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
|
|
||||||
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
|
|
||||||
#2 in AddGlyph xserver/render/glyph.c:295
|
|
||||||
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
|
|
||||||
#4 in Dispatch xserver/dix/dispatch.c:546
|
|
||||||
#5 in dix_main xserver/dix/main.c:271
|
|
||||||
#6 in main xserver/dix/stubmain.c:34
|
|
||||||
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
||||||
previously allocated by thread T0 here:
|
|
||||||
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
|
|
||||||
#1 in AllocateGlyph xserver/render/glyph.c:355
|
|
||||||
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
|
|
||||||
#3 in Dispatch xserver/dix/dispatch.c:546
|
|
||||||
#4 in dix_main xserver/dix/main.c:271
|
|
||||||
#5 in main xserver/dix/stubmain.c:34
|
|
||||||
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
||||||
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
|
|
||||||
|
|
||||||
To avoid that, make sure not to free the given glyph in AddGlyph().
|
|
||||||
|
|
||||||
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
|
|
||||||
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
|
|
||||||
|
|
||||||
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
|
|
||||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
|
||||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
||||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
|
|
||||||
---
|
|
||||||
render/glyph.c | 2 --
|
|
||||||
1 file changed, 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/render/glyph.c b/render/glyph.c
|
|
||||||
index 13991f8a1..5fa7f3b5b 100644
|
|
||||||
--- a/render/glyph.c
|
|
||||||
+++ b/render/glyph.c
|
|
||||||
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
|
|
||||||
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
|
|
||||||
TRUE, glyph->sha1);
|
|
||||||
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
|
|
||||||
- FreeGlyphPicture(glyph);
|
|
||||||
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
|
|
||||||
glyph = gr->glyph;
|
|
||||||
}
|
|
||||||
else if (gr->glyph != glyph) {
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
||||||
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
Name: tigervnc
|
Name: tigervnc
|
||||||
Version: 1.13.1
|
Version: 1.13.1
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
Summary: A TigerVNC remote display system
|
Summary: A TigerVNC remote display system
|
||||||
|
|
||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
@ -40,7 +40,6 @@ Patch100: tigervnc-xserver120.patch
|
|||||||
Patch101: 0001-rpath-hack.patch
|
Patch101: 0001-rpath-hack.patch
|
||||||
|
|
||||||
# XServer patches
|
# XServer patches
|
||||||
Patch200: xorg-CVE-2024-31083-followup.patch
|
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -188,7 +187,6 @@ for all in `find . -type f -perm -001`; do
|
|||||||
done
|
done
|
||||||
%patch100 -p1 -b .xserver120-rebased
|
%patch100 -p1 -b .xserver120-rebased
|
||||||
%patch101 -p1 -b .rpath
|
%patch101 -p1 -b .rpath
|
||||||
%patch200 -p1 -b .xorg-CVE-2024-31083-followup
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
%patch1 -p1 -b .use-gnome-as-default-session
|
%patch1 -p1 -b .use-gnome-as-default-session
|
||||||
@ -356,6 +354,10 @@ fi
|
|||||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12
|
||||||
|
- Fix FTBS: drop already applied Xorg patches
|
||||||
|
Resolves: RHEL-46696
|
||||||
|
|
||||||
* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
|
* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
|
||||||
- vncconfig: add option to force view-only remote client connections
|
- vncconfig: add option to force view-only remote client connections
|
||||||
Resolves: RHEL-11908
|
Resolves: RHEL-11908
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user