Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch | 51 |
1 files changed, 51 insertions, 0 deletions
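diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..838f7d3726
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+Xext/saver.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c23907d..05b9ca3 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+pVlist++;
+}
+if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+pPriv->attr = pAttr;
+pAttr->resource = FakeClientID(client->index);
+if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.25.1
+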
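Review bot: In the Xext/saver.c hunk, `pPriv->attr = pAttr;` still runs immediately after the new `FreeResource(pPriv->attr->resource, AttrType);`, so `pPriv` has to remain valid across the resource delete callback. The commit message names that callback as ScreenSaverFreeAttr, but its body is not part of this hunk, so it is worth confirming that it neither releases the screen private nor leaves it in a state the following assignment should not write into. The ownership change is also silent in the code; a comment above the call such as `/* FreeResource runs ScreenSaverFreeAttr, which frees the old attrs and drops the client's resource entry */` would keep a later edit from reintroducing a direct FreeScreenAttr() here. ScreenSaverSetAttributes starts and ends outside the hunk.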