|
 |
279a87 |
From a42635ee3c01f71a49052d83a372933504c9db04 Mon Sep 17 00:00:00 2001
|
|
|
279a87 |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Date: Wed, 30 Nov 2022 11:20:40 +1000
|
|
|
279a87 |
Subject: [PATCH xserver 6/7] Xext: free the XvRTVideoNotify when turning off
|
|
|
279a87 |
from the same client
|
|
|
279a87 |
|
|
|
279a87 |
This fixes a use-after-free bug:
|
|
|
279a87 |
|
|
|
279a87 |
When a client first calls XvdiSelectVideoNotify() on a drawable with a
|
|
|
279a87 |
TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
|
|
|
279a87 |
is added twice to the resources:
|
|
|
279a87 |
- as the drawable's XvRTVideoNotifyList. This happens only once per
|
|
|
279a87 |
drawable, subsequent calls append to this list.
|
|
|
279a87 |
- as the client's XvRTVideoNotify. This happens for every client.
|
|
|
279a87 |
|
|
|
279a87 |
The struct keeps the ClientPtr around once it has been added for a
|
|
|
279a87 |
client. The idea, presumably, is that if the client disconnects we can remove
|
|
|
279a87 |
all structs from the drawable's list that match the client (by resetting
|
|
|
279a87 |
the ClientPtr to NULL), but if the drawable is destroyed we can remove
|
|
|
279a87 |
and free the whole list.
|
|
|
279a87 |
|
|
|
279a87 |
However, if the same client then calls XvdiSelectVideoNotify() on the
|
|
|
279a87 |
same drawable with a FALSE onoff argument, only the ClientPtr on the
|
|
|
279a87 |
existing struct was set to NULL. The struct itself remained in the
|
|
|
279a87 |
client's resources.
|
|
|
279a87 |
|
|
|
279a87 |
If the drawable is now destroyed, the resource system invokes
|
|
|
279a87 |
XvdiDestroyVideoNotifyList which frees the whole list for this drawable
|
|
|
279a87 |
- including our struct. This function however does not free the resource
|
|
|
279a87 |
for the client since our ClientPtr is NULL.
|
|
|
279a87 |
|
|
|
279a87 |
Later, when the client is destroyed and the resource system invokes
|
|
|
279a87 |
XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
|
|
|
279a87 |
a struct that has been freed previously. This is generally frowned upon.
|
|
|
279a87 |
|
|
|
279a87 |
Fix this by calling FreeResource() on the second call instead of merely
|
|
|
279a87 |
setting the ClientPtr to NULL. This removes the struct from the client
|
|
|
279a87 |
resources (but not from the list), ensuring that it won't be accessed
|
|
|
279a87 |
again when the client quits.
|
|
|
279a87 |
|
|
|
279a87 |
Note that the assignment tpn->client = NULL; is superfluous since the
|
|
|
279a87 |
XvdiDestroyVideoNotify function will do this anyway. But it's left for
|
|
|
279a87 |
clarity and to match a similar invocation in XvdiSelectPortNotify.
|
|
|
279a87 |
|
|
|
279a87 |
CVE-2022-46342, ZDI-CAN 19400
|
|
|
279a87 |
|
|
|
279a87 |
This vulnerability was discovered by:
|
|
|
279a87 |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
279a87 |
|
|
|
279a87 |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
279a87 |
---
|
|
|
279a87 |
Xext/xvmain.c | 4 +++-
|
|
|
279a87 |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
279a87 |
|
|
|
279a87 |
diff --git a/Xext/xvmain.c b/Xext/xvmain.c
|
|
|
279a87 |
index f627471938..2a08f8744a 100644
|
|
|
279a87 |
--- a/Xext/xvmain.c
|
|
|
279a87 |
+++ b/Xext/xvmain.c
|
|
|
279a87 |
@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
|
|
|
279a87 |
tpn = pn;
|
|
|
279a87 |
while (tpn) {
|
|
|
279a87 |
if (tpn->client == client) {
|
|
|
279a87 |
- if (!onoff)
|
|
|
279a87 |
+ if (!onoff) {
|
|
|
279a87 |
tpn->client = NULL;
|
|
|
279a87 |
+ FreeResource(tpn->id, XvRTVideoNotify);
|
|
|
279a87 |
+ }
|
|
|
279a87 |
return Success;
|
|
|
279a87 |
}
|
|
|
279a87 |
if (!tpn->client)
|
|
|
279a87 |
--
|
|
|
279a87 |
2.38.1
|
|
|
279a87 |
|