From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001

From: Peter Hutterer <peter.hutterer@who-t.net>

Date: Tue, 29 Nov 2022 14:53:07 +1000

Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when

 replacing it

This fixes a use-after-free bug:

When a client first calls ScreenSaverSetAttributes(), a struct

ScreenSaverAttrRec is allocated and added to the client's

resources.

When the same client calls ScreenSaverSetAttributes() again, a new

struct ScreenSaverAttrRec is allocated, replacing the old struct. The

old struct was freed but not removed from the clients resources.

Later, when the client is destroyed the resource system invokes

ScreenSaverFreeAttr and attempts to clean up the already freed struct.

Fix this by letting the resource system free the old attrs instead.

CVE-2022-46343, ZDI-CAN 19404

This vulnerability was discovered by:

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

Acked-by: Olivier Fourdan <ofourdan@redhat.com>

---

 Xext/saver.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/saver.c b/Xext/saver.c

index f813ba08d1..fd6153c313 100644

--- a/Xext/saver.c

+++ b/Xext/saver.c

@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)

         pVlist++;

     }

     if (pPriv->attr)

-        FreeScreenAttr(pPriv->attr);

+        FreeResource(pPriv->attr->resource, AttrType);

     pPriv->attr = pAttr;

     pAttr->resource = FakeClientID(client->index);

     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))

--

2.38.1