From 4d07b16328bc9c9d4f6c4c1a9a522d64bf09deda Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Wed, 2 Jul 2025 09:46:22 +0200 Subject: [PATCH xserver 1/4] present: Fix use-after-free in present_create_notifies() Using the Present extension, if an error occurs while processing and adding the notifications after presenting a pixmap, the function present_create_notifies() will clean up and remove the notifications it added. However, there are two different code paths that can lead to an error creating the notify, one being before the notify is being added to the list, and another one after the notify is added. When the error occurs before it's been added, it removes the elements up to the last added element, instead of the actual number of elements which were added. As a result, in case of error, as with an invalid window for example, it leaves a dangling pointer to the last element, leading to a use after free case later: | Invalid write of size 8 | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) | by 0x534A56: present_destroy_window (present_screen.c:107) | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) | by 0x51EAC4: damageDestroyWindow (damage.c:1592) | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) | by 0x4EAC55: FreeWindowResources (window.c:1023) | by 0x4EAF59: DeleteWindow (window.c:1091) | by 0x4DE59A: doFreeResource (resource.c:890) | by 0x4DEFB2: FreeClientResources (resource.c:1156) | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) | by 0x5DCC78: ClientReady (connection.c:603) | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd | at 0x4841E43: free (vg_replace_malloc.c:989) | by 0x5363DD: present_destroy_notifies (present_notify.c:111) | by 0x53638D: present_create_notifies (present_notify.c:100) | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) | by 0x536A7D: proc_present_pixmap (present_request.c:189) | by 0x536FA9: proc_present_dispatch (present_request.c:337) | by 0x4A1E4E: Dispatch (dispatch.c:561) | by 0x4B00F1: dix_main (main.c:284) | by 0x42879D: main (stubmain.c:34) | Block was alloc'd at | at 0x48463F3: calloc (vg_replace_malloc.c:1675) | by 0x5362A1: present_create_notifies (present_notify.c:81) | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) | by 0x536A7D: proc_present_pixmap (present_request.c:189) | by 0x536FA9: proc_present_dispatch (present_request.c:337) | by 0x4A1E4E: Dispatch (dispatch.c:561) | by 0x4B00F1: dix_main (main.c:284) | by 0x42879D: main (stubmain.c:34) To fix the issue, count and remove the actual number of notify elements added in case of error. CVE-2025-62229, ZDI-CAN-27238 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan (cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0) Part-of: --- present/present_notify.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/present/present_notify.c b/present/present_notify.c index 445954998..00b3b68bd 100644 --- a/present/present_notify.c +++ b/present/present_notify.c @@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no if (status != Success) goto bail; - added = i; + added++; } return Success; -- 2.51.1