1 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..23fef3f321
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+This fixes a use-after-free bug:
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+  - as the drawable's XvRTVideoNotifyList. This happens only once per
+    drawable, subsequent calls append to this list.
+  - as the client's XvRTVideoNotify. This happens for every client.
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+CVE-2022-46342, ZDI-CAN 19400
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index c520c7d..5f4c174 100644
+--- a/Xext/xvmain.c
+++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+         tpn = pn;
+         while (tpn) {
+             if (tpn->client == client) {
+-                if (!onoff)
+                if (!onoff) {
+                     tpn->client = NULL;
+                    FreeResource(tpn->id, XvRTVideoNotify);
+                }
+                 return Success;
+             }
+             if (!tpn->client)
+-- 
+2.25.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch new file mode 100644 index 0000000000..23fef3f321 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
	1	From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Wed, 30 Nov 2022 11:20:40 +1000
	4	Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
	5	client
	6
	7	This fixes a use-after-free bug:
	8
	9	When a client first calls XvdiSelectVideoNotify() on a drawable with a
	10	TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
	11	is added twice to the resources:
	12	- as the drawable's XvRTVideoNotifyList. This happens only once per
	13	drawable, subsequent calls append to this list.
	14	- as the client's XvRTVideoNotify. This happens for every client.
	15
	16	The struct keeps the ClientPtr around once it has been added for a
	17	client. The idea, presumably, is that if the client disconnects we can remove
	18	all structs from the drawable's list that match the client (by resetting
	19	the ClientPtr to NULL), but if the drawable is destroyed we can remove
	20	and free the whole list.
	21
	22	However, if the same client then calls XvdiSelectVideoNotify() on the
	23	same drawable with a FALSE onoff argument, only the ClientPtr on the
	24	existing struct was set to NULL. The struct itself remained in the
	25	client's resources.
	26
	27	If the drawable is now destroyed, the resource system invokes
	28	XvdiDestroyVideoNotifyList which frees the whole list for this drawable
	29	- including our struct. This function however does not free the resource
	30	for the client since our ClientPtr is NULL.
	31
	32	Later, when the client is destroyed and the resource system invokes
	33	XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
	34	a struct that has been freed previously. This is generally frowned upon.
	35
	36	Fix this by calling FreeResource() on the second call instead of merely
	37	setting the ClientPtr to NULL. This removes the struct from the client
	38	resources (but not from the list), ensuring that it won't be accessed
	39	again when the client quits.
	40
	41	Note that the assignment tpn->client = NULL; is superfluous since the
	42	XvdiDestroyVideoNotify function will do this anyway. But it's left for
	43	clarity and to match a similar invocation in XvdiSelectPortNotify.
	44
	45	CVE-2022-46342, ZDI-CAN 19400
	46
	47	This vulnerability was discovered by:
	48	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	49
	50	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	51	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
	52
	53	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
	54	CVE: CVE-2022-46342
	55	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	56	---
	57	Xext/xvmain.c \| 4 +++-
	58	1 file changed, 3 insertions(+), 1 deletion(-)
	59
	60	diff --git a/Xext/xvmain.c b/Xext/xvmain.c
	61	index c520c7d..5f4c174 100644
	62	--- a/Xext/xvmain.c
	63	+++ b/Xext/xvmain.c
	64	@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
	65	tpn = pn;
	66	while (tpn) {
	67	if (tpn->client == client) {
	68	- if (!onoff)
	69	+ if (!onoff) {
	70	tpn->client = NULL;
	71	+ FreeResource(tpn->id, XvRTVideoNotify);
	72	+ }
	73	return Success;
	74	}
	75	if (!tpn->client)
	76	--
	77	2.25.1
	78