| From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001 |
| From: Peter Hutterer <peter.hutterer@who-t.net> |
| Date: Tue, 29 Nov 2022 14:53:07 +1000 |
| Subject: [PATCH] Xext: free the screen saver resource when replacing it |
| |
| This fixes a use-after-free bug: |
| |
| When a client first calls ScreenSaverSetAttributes(), a struct |
| ScreenSaverAttrRec is allocated and added to the client's |
| resources. |
| |
| When the same client calls ScreenSaverSetAttributes() again, a new |
| struct ScreenSaverAttrRec is allocated, replacing the old struct. The |
| old struct was freed but not removed from the client's resources. |
| |
| Later, when the client is destroyed the resource system invokes |
| ScreenSaverFreeAttr and attempts to clean up the already freed struct. |
| |
| Fix this by letting the resource system free the old attrs instead. |
| |
| CVE-2022-46343, ZDI-CAN 19404 |
| |
| This vulnerability was discovered by: |
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| |
| Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
| |
| Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900] |
| CVE: CVE-2022-46343 |
| Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| --- |
| Xext/saver.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/Xext/saver.c b/Xext/saver.c |
| index c23907d..05b9ca3 100644 |
| --- a/Xext/saver.c |
| +++ b/Xext/saver.c |
| @@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client) |
| pVlist++; |
| } |
| if (pPriv->attr) |
| - FreeScreenAttr(pPriv->attr); |
| + FreeResource(pPriv->attr->resource, AttrType); |
| pPriv->attr = pAttr; |
| pAttr->resource = FakeClientID(client->index); |
| if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) |
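
Review bot: At the replaced line under `if (pPriv->attr)`, the destructor for the old attrs now runs synchronously inside FreeResource(), and the very next line still dereferences pPriv (`pPriv->attr = pAttr;`). The commit message says the resource system invokes ScreenSaverFreeAttr for this resource type, but that function is not shown in this hunk. Please confirm it cannot release or otherwise invalidate pPriv while tearing down the old attrs, because if it can, the assignment that follows writes through a stale pointer. A one-line comment above the call, stating that the resource system owns the ScreenSaverAttrRec and that FreeScreenAttr() must not be called on it directly here, would also help keep the original bug from being reintroduced.
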
| -- |
| 2.25.1 |
| |