You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 lines
1.6 KiB
48 lines
1.6 KiB
From 6b59bdddf30dde413c4e0391cf84f3b94d4b4e31 Mon Sep 17 00:00:00 2001 |
|
From: Peter Hutterer <peter.hutterer@who-t.net> |
|
Date: Tue, 29 Nov 2022 14:53:07 +1000 |
|
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when |
|
replacing it |
|
|
|
This fixes a use-after-free bug: |
|
|
|
When a client first calls ScreenSaverSetAttributes(), a struct |
|
ScreenSaverAttrRec is allocated and added to the client's |
|
resources. |
|
|
|
When the same client calls ScreenSaverSetAttributes() again, a new |
|
struct ScreenSaverAttrRec is allocated, replacing the old struct. The |
|
old struct was freed but not removed from the clients resources. |
|
|
|
Later, when the client is destroyed the resource system invokes |
|
ScreenSaverFreeAttr and attempts to clean up the already freed struct. |
|
|
|
Fix this by letting the resource system free the old attrs instead. |
|
|
|
CVE-2022-46343, ZDI-CAN 19404 |
|
|
|
This vulnerability was discovered by: |
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com> |
|
--- |
|
Xext/saver.c | 2 +- |
|
1 file changed, 1 insertion(+), 1 deletion(-) |
|
|
|
diff --git a/Xext/saver.c b/Xext/saver.c |
|
index f813ba08d1..fd6153c313 100644 |
|
--- a/Xext/saver.c |
|
+++ b/Xext/saver.c |
|
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client) |
|
pVlist++; |
|
} |
|
if (pPriv->attr) |
|
- FreeScreenAttr(pPriv->attr); |
|
+ FreeResource(pPriv->attr->resource, AttrType); |
|
pPriv->attr = pAttr; |
|
pAttr->resource = FakeClientID(client->index); |
|
if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) |
|
-- |
|
2.38.1 |
|
|
|
|