diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch new file mode 100644 index 0000000000..23fef3f321 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch | |||
@@ -0,0 +1,78 @@ | |||
1 | From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Wed, 30 Nov 2022 11:20:40 +1000 | ||
4 | Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same | ||
5 | client | ||
6 | |||
7 | This fixes a use-after-free bug: | ||
8 | |||
9 | When a client first calls XvdiSelectVideoNotify() on a drawable with a | ||
10 | TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct | ||
11 | is added twice to the resources: | ||
12 | - as the drawable's XvRTVideoNotifyList. This happens only once per | ||
13 | drawable, subsequent calls append to this list. | ||
14 | - as the client's XvRTVideoNotify. This happens for every client. | ||
15 | |||
16 | The struct keeps the ClientPtr around once it has been added for a | ||
17 | client. The idea, presumably, is that if the client disconnects we can remove | ||
18 | all structs from the drawable's list that match the client (by resetting | ||
19 | the ClientPtr to NULL), but if the drawable is destroyed we can remove | ||
20 | and free the whole list. | ||
21 | |||
22 | However, if the same client then calls XvdiSelectVideoNotify() on the | ||
23 | same drawable with a FALSE onoff argument, only the ClientPtr on the | ||
24 | existing struct was set to NULL. The struct itself remained in the | ||
25 | client's resources. | ||
26 | |||
27 | If the drawable is now destroyed, the resource system invokes | ||
28 | XvdiDestroyVideoNotifyList which frees the whole list for this drawable | ||
29 | - including our struct. This function however does not free the resource | ||
30 | for the client since our ClientPtr is NULL. | ||
31 | |||
32 | Later, when the client is destroyed and the resource system invokes | ||
33 | XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On | ||
34 | a struct that has been freed previously. This is generally frowned upon. | ||
35 | |||
36 | Fix this by calling FreeResource() on the second call instead of merely | ||
37 | setting the ClientPtr to NULL. This removes the struct from the client | ||
38 | resources (but not from the list), ensuring that it won't be accessed | ||
39 | again when the client quits. | ||
40 | |||
41 | Note that the assignment tpn->client = NULL; is superfluous since the | ||
42 | XvdiDestroyVideoNotify function will do this anyway. But it's left for | ||
43 | clarity and to match a similar invocation in XvdiSelectPortNotify. | ||
44 | |||
45 | CVE-2022-46342, ZDI-CAN 19400 | ||
46 | |||
47 | This vulnerability was discovered by: | ||
48 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
49 | |||
50 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
51 | Acked-by: Olivier Fourdan <ofourdan@redhat.com> | ||
52 | |||
53 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b] | ||
54 | CVE: CVE-2022-46342 | ||
55 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
56 | --- | ||
57 | Xext/xvmain.c | 4 +++- | ||
58 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
59 | |||
60 | diff --git a/Xext/xvmain.c b/Xext/xvmain.c | ||
61 | index c520c7d..5f4c174 100644 | ||
62 | --- a/Xext/xvmain.c | ||
63 | +++ b/Xext/xvmain.c | ||
64 | @@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff) | ||
65 | tpn = pn; | ||
66 | while (tpn) { | ||
67 | if (tpn->client == client) { | ||
68 | - if (!onoff) | ||
69 | + if (!onoff) { | ||
70 | tpn->client = NULL; | ||
71 | + FreeResource(tpn->id, XvRTVideoNotify); | ||
72 | + } | ||
73 | return Success; | ||
74 | } | ||
75 | if (!tpn->client) | ||
76 | -- | ||
77 | 2.25.1 | ||
78 | |||