Fix regression caused by the fix for CVE-2024-31083

Resolves: https://issues.redhat.com/browse/RHEL-30763
This commit is contained in:
José Expósito 2024-04-10 10:17:02 +02:00
parent 7bbfacd4bb
commit e41cddf960
2 changed files with 79 additions and 3 deletions

View File

@ -0,0 +1,72 @@
From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 5 Apr 2024 15:24:49 +0200
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
then frees it using FreeGlyph() to decrease the reference count, after
AddGlyph() has increased it.
AddGlyph() however may chose to reuse an existing glyph if it's already
in the glyphSet, and free the glyph that was given, in which case the
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
already freed glyph, as reported by ASan:
READ of size 4 thread T0
#0 in FreeGlyph xserver/render/glyph.c:252
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
#2 in Dispatch xserver/dix/dispatch.c:546
#3 in dix_main xserver/dix/main.c:271
#4 in main xserver/dix/stubmain.c:34
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 in __libc_start_main_impl ../csu/libc-start.c:360
#7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
#2 in AddGlyph xserver/render/glyph.c:295
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
#4 in Dispatch xserver/dix/dispatch.c:546
#5 in dix_main xserver/dix/main.c:271
#6 in main xserver/dix/stubmain.c:34
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
#1 in AllocateGlyph xserver/render/glyph.c:355
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
#3 in Dispatch xserver/dix/dispatch.c:546
#4 in dix_main xserver/dix/main.c:271
#5 in main xserver/dix/stubmain.c:34
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
To avoid that, make sure not to free the given glyph in AddGlyph().
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
---
render/glyph.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/render/glyph.c b/render/glyph.c
index 13991f8a1..5fa7f3b5b 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
TRUE, glyph->sha1);
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
- FreeGlyphPicture(glyph);
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
glyph = gr->glyph;
}
else if (gr->glyph != glyph) {
--
2.44.0

View File

@ -46,7 +46,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.20.11
Release: 23%{?gitdate:.%{gitdate}}%{?dist}
Release: 24%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@ -187,6 +187,7 @@ Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
# CVE-2024-31083
Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
BuildRequires: make
BuildRequires: systemtap-sdt-devel
@ -615,13 +616,16 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog
* Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.14-23
* Wed Apr 10 2024 José Expósito <jexposit@redhat.com> - 1.20.11-24
- Fix regression caused by the fix for CVE-2024-31083
* Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.11-23
- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and
CVE-2024-31083
- Add util-linux as a dependency of Xvfb
- Fix compilation error on i686
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.4-24
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.11-22
- Fix use after free related to CVE-2024-21886
* Tue Jan 16 2024 José Expósito <jexposit@redhat.com> - 1.20.11-21