From 774260dbae1fa505cd2848c786baed9a8db5179d Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Mon, 5 Dec 2022 15:55:54 +1000 Subject: [PATCH xserver 7/7] xkb: reset the radio_groups pointer to NULL after freeing it Unlike other elements of the keymap, this pointer was freed but not reset. On a subsequent XkbGetKbdByName request, the server may access already freed memory. CVE-2022-46283, ZDI-CAN-19530 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer Acked-by: Olivier Fourdan --- xkb/xkbUtils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c index dd089c2046..3f5791a183 100644 --- a/xkb/xkbUtils.c +++ b/xkb/xkbUtils.c @@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst) } else { free(dst->names->radio_groups); + dst->names->radio_groups = NULL; } dst->names->num_rg = src->names->num_rg; -- 2.38.1