Blame SOURCES/0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch

a4dcf1
From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when
 replacing it

This fixes a use-after-free bug:

When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.

When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the client's resources.

Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.

Fix this by letting the resource system free the old attrs instead.

CVE-2022-46343, ZDI-CAN 19404

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/saver.c b/Xext/saver.c
index f813ba08d1..fd6153c313 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
         pVlist++;
     }
     if (pPriv->attr)
-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
     pPriv->attr = pAttr;
     pAttr->resource = FakeClientID(client->index);
     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
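Review bot: On the added line `FreeResource(pPriv->attr->resource, AttrType);`, the second argument of FreeResource() is skipDeleteFuncType, the resource type whose delete function is not called, so passing AttrType unlinks the old resource without running ScreenSaverFreeAttr and the old ScreenSaverAttrRec is no longer freed on this path. That removes the later cleanup of an already freed struct, but it does not match the commit message's "letting the resource system free the old attrs". If the delete function is meant to run, pass RT_NONE and check that it leaves pPriv valid for the following `pPriv->attr = pAttr;`. Otherwise keep the explicit `FreeScreenAttr(pPriv->attr);` after the FreeResource() call and add a comment explaining why the delete function is skipped.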
--
2.38.1