diff options
Diffstat (limited to 'poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch')
-rw-r--r-- | poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch new file mode 100644 index 0000000000..23fef3f321 --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch @@ -0,0 +1,78 @@ +From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 30 Nov 2022 11:20:40 +1000 +Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same + client + +This fixes a use-after-free bug: + +When a client first calls XvdiSelectVideoNotify() on a drawable with a +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct +is added twice to the resources: + - as the drawable's XvRTVideoNotifyList. This happens only once per + drawable, subsequent calls append to this list. + - as the client's XvRTVideoNotify. This happens for every client. + +The struct keeps the ClientPtr around once it has been added for a +client. The idea, presumably, is that if the client disconnects we can remove +all structs from the drawable's list that match the client (by resetting +the ClientPtr to NULL), but if the drawable is destroyed we can remove +and free the whole list. + +However, if the same client then calls XvdiSelectVideoNotify() on the +same drawable with a FALSE onoff argument, only the ClientPtr on the +existing struct was set to NULL. The struct itself remained in the +client's resources. + +If the drawable is now destroyed, the resource system invokes +XvdiDestroyVideoNotifyList which frees the whole list for this drawable +- including our struct. This function however does not free the resource +for the client since our ClientPtr is NULL. + +Later, when the client is destroyed and the resource system invokes +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On +a struct that has been freed previously. This is generally frowned upon. + +Fix this by calling FreeResource() on the second call instead of merely +setting the ClientPtr to NULL. This removes the struct from the client +resources (but not from the list), ensuring that it won't be accessed +again when the client quits. + +Note that the assignment tpn->client = NULL; is superfluous since the +XvdiDestroyVideoNotify function will do this anyway. But it's left for +clarity and to match a similar invocation in XvdiSelectPortNotify. + +CVE-2022-46342, ZDI-CAN 19400 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b] +CVE: CVE-2022-46342 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + Xext/xvmain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xext/xvmain.c b/Xext/xvmain.c +index c520c7d..5f4c174 100644 +--- a/Xext/xvmain.c ++++ b/Xext/xvmain.c +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff) + tpn = pn; + while (tpn) { + if (tpn->client == client) { +- if (!onoff) ++ if (!onoff) { + tpn->client = NULL; ++ FreeResource(tpn->id, XvRTVideoNotify); ++ } + return Success; + } + if (!tpn->client) +-- +2.25.1 + |