49 lines
1.6 KiB
Diff
49 lines
1.6 KiB
Diff
|
From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
|
||
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||
|
Date: Tue, 29 Nov 2022 14:53:07 +1000
|
||
|
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when
|
||
|
replacing it
|
||
|
|
||
|
This fixes a use-after-free bug:
|
||
|
|
||
|
When a client first calls ScreenSaverSetAttributes(), a struct
|
||
|
ScreenSaverAttrRec is allocated and added to the client's
|
||
|
resources.
|
||
|
|
||
|
When the same client calls ScreenSaverSetAttributes() again, a new
|
||
|
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
|
||
|
old struct was freed but not removed from the clients resources.
|
||
|
|
||
|
Later, when the client is destroyed the resource system invokes
|
||
|
ScreenSaverFreeAttr and attempts to clean up the already freed struct.
|
||
|
|
||
|
Fix this by letting the resource system free the old attrs instead.
|
||
|
|
||
|
CVE-2022-46343, ZDI-CAN 19404
|
||
|
|
||
|
This vulnerability was discovered by:
|
||
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||
|
|
||
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
||
|
---
|
||
|
Xext/saver.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/Xext/saver.c b/Xext/saver.c
|
||
|
index f813ba08d1..fd6153c313 100644
|
||
|
--- a/Xext/saver.c
|
||
|
+++ b/Xext/saver.c
|
||
|
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
|
||
|
pVlist++;
|
||
|
}
|
||
|
if (pPriv->attr)
|
||
|
- FreeScreenAttr(pPriv->attr);
|
||
|
+ FreeResource(pPriv->attr->resource, AttrType);
|
||
|
pPriv->attr = pAttr;
|
||
|
pAttr->resource = FakeClientID(client->index);
|
||
|
if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
|
||
|
--
|
||
|
2.38.1
|
||
|
|