diff options
author | Peter Hutterer <peter.hutterer@who-t.net> | 2022-11-29 14:53:07 +1000 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2022-12-14 11:30:13 +1000 |
commit | 2a81326e75f739fbdff66cfbe4a3d5ce9c5de014 (patch) | |
tree | 60d0773ac45a9f38f2142b7f26bb2ac4101f0620 | |
parent | dc0eddb5ec429737563c5d7517fec3a4fd26e193 (diff) | |
download | xserver-2a81326e75f739fbdff66cfbe4a3d5ce9c5de014.tar.gz |
Xext: free the screen saver resource when replacing it
This fixes a use-after-free bug:
When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.
When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the clients resources.
Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.
Fix this by letting the resource system free the old attrs instead.
CVE-2022-46343, ZDI-CAN 19404
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 842ca3ccef100ce010d1d8f5f6d6cc1915055900)
-rw-r--r-- | Xext/saver.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Xext/saver.c b/Xext/saver.c index f813ba08d..fd6153c31 100644 --- a/Xext/saver.c +++ b/Xext/saver.c @@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client) pVlist++; } if (pPriv->attr) - FreeScreenAttr(pPriv->attr); + FreeResource(pPriv->attr->resource, AttrType); pPriv->attr = pAttr; pAttr->resource = FakeClientID(client->index); if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) |