From 1abca0b9b5b019cda32aa92466a760660ebd952d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 15:58:57 +0200
Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing
 XkbInterest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.

As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:

| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)

To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.

CVE-2025-62230, ZDI-CAN-27545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
xkb/xkbEvents.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
index f8f65d4a7..7c669c93e 100644
--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
autoCtrls = interest->autoCtrls;
autoValues = interest->autoCtrlValues;
client = interest->client;
+ FreeResource(interest->resource, RT_XKBCLIENT);
free(interest);
found = TRUE;
}
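Review bot: The FreeResource() call added before free(interest) needs a short comment on its second argument. In the X server resource API that argument names the type whose delete function is skipped, it is not a type filter, so passing RT_XKBCLIENT is what keeps the delete callback (XkbClientGone in the trace from the commit message) from calling back into XkbRemoveResourceClient() for the entry being freed here. If the intent is to drop only the XKB client entry registered under this XID, FreeResourceByType(interest->resource, RT_XKBCLIENT, TRUE) states that directly.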
@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
autoCtrls = victim->autoCtrls;
autoValues = victim->autoCtrlValues;
client = victim->client;
+ FreeResource(victim->resource, RT_XKBCLIENT);
free(victim);
found = TRUE;
}
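Review bot: The teardown around free(victim) duplicates the head-of-list branch in the previous hunk statement for statement (save autoCtrls, autoCtrlValues and client, FreeResource, free), which is why this fix had to be applied in two places. Consider moving that sequence into a small static helper that takes the XkbInterest entry, so the two list-removal paths cannot drift apart and any later change to the release order lands in one spot.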
--
2.51.1