diff options
| author | Narpat Mali <narpat.mali@windriver.com> | 2022-11-03 17:00:43 -1000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-04 13:13:31 +0000 |
| commit | 305b50555746bce5062cf466103d8bba29fb1438 (patch) | |
| tree | 3d7a4deea490fa27a0c8aac7b3a4f6963cf0fa79 /scripts/lib/scriptpath.py | |
| parent | d30ae5d97f3258f33da91c4a8d1a6d0fba416aca (diff) | |
| download | poky-305b50555746bce5062cf466103d8bba29fb1438.tar.gz | |
wayland: fix CVE-2021-3782
An internal reference count is held on the buffer pool,
incremented every time a new buffer is created from the pool.
The reference count is maintained as an int;
on LP64 systems this can cause thereference count to overflow if
the client creates a large number of wl_shm buffer objects,
or if it can coerce the server to create a large number of external references
to the buffer storage. With the reference count overflowing, a use-after-free
can be constructed on the wl_shm_pool tracking structure,
where values may be incremented or decremented;
it may also be possible to construct a limited oracle to leak 4 bytes of
server-side memory to the attacking client at a time.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3782
Upstream patch:
https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
(From OE-Core rev: 09b8ff8d2361b2db001bc963f481db294ccf2170)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'scripts/lib/scriptpath.py')
0 files changed, 0 insertions, 0 deletions