75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
From a42635ee3c01f71a49052d83a372933504c9db04 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Wed, 30 Nov 2022 11:20:40 +1000
|
|
Subject: [PATCH xserver 6/7] Xext: free the XvRTVideoNotify when turning off
|
|
from the same client
|
|
|
|
This fixes a use-after-free bug:
|
|
|
|
When a client first calls XvdiSelectVideoNotify() on a drawable with a
|
|
TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
|
|
is added twice to the resources:
|
|
- as the drawable's XvRTVideoNotifyList. This happens only once per
|
|
drawable, subsequent calls append to this list.
|
|
- as the client's XvRTVideoNotify. This happens for every client.
|
|
|
|
The struct keeps the ClientPtr around once it has been added for a
|
|
client. The idea, presumably, is that if the client disconnects we can remove
|
|
all structs from the drawable's list that match the client (by resetting
|
|
the ClientPtr to NULL), but if the drawable is destroyed we can remove
|
|
and free the whole list.
|
|
|
|
However, if the same client then calls XvdiSelectVideoNotify() on the
|
|
same drawable with a FALSE onoff argument, only the ClientPtr on the
|
|
existing struct was set to NULL. The struct itself remained in the
|
|
client's resources.
|
|
|
|
If the drawable is now destroyed, the resource system invokes
|
|
XvdiDestroyVideoNotifyList which frees the whole list for this drawable
|
|
- including our struct. This function however does not free the resource
|
|
for the client since our ClientPtr is NULL.
|
|
|
|
Later, when the client is destroyed and the resource system invokes
|
|
XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
|
|
a struct that has been freed previously. This is generally frowned upon.
|
|
|
|
Fix this by calling FreeResource() on the second call instead of merely
|
|
setting the ClientPtr to NULL. This removes the struct from the client
|
|
resources (but not from the list), ensuring that it won't be accessed
|
|
again when the client quits.
|
|
|
|
Note that the assignment tpn->client = NULL; is superfluous since the
|
|
XvdiDestroyVideoNotify function will do this anyway. But it's left for
|
|
clarity and to match a similar invocation in XvdiSelectPortNotify.
|
|
|
|
CVE-2022-46342, ZDI-CAN 19400
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
Xext/xvmain.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/Xext/xvmain.c b/Xext/xvmain.c
|
|
index f627471938..2a08f8744a 100644
|
|
--- a/Xext/xvmain.c
|
|
+++ b/Xext/xvmain.c
|
|
@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
|
|
tpn = pn;
|
|
while (tpn) {
|
|
if (tpn->client == client) {
|
|
- if (!onoff)
|
|
+ if (!onoff) {
|
|
tpn->client = NULL;
|
|
+ FreeResource(tpn->id, XvRTVideoNotify);
|
|
+ }
|
|
return Success;
|
|
}
|
|
if (!tpn->client)
|
|
--
|
|
2.38.1
|
|
|