frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xserver/Xext
History
Peter Hutterer b79f32b57c Xext: free the XvRTVideoNotify when turning off from the same client 
This fixes a use-after-free bug:

When a client first calls XvdiSelectVideoNotify() on a drawable with a
TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
is added twice to the resources:
  - as the drawable's XvRTVideoNotifyList. This happens only once per
    drawable, subsequent calls append to this list.
  - as the client's XvRTVideoNotify. This happens for every client.

The struct keeps the ClientPtr around once it has been added for a
client. The idea, presumably, is that if the client disconnects we can remove
all structs from the drawable's list that match the client (by resetting
the ClientPtr to NULL), but if the drawable is destroyed we can remove
and free the whole list.

However, if the same client then calls XvdiSelectVideoNotify() on the
same drawable with a FALSE onoff argument, only the ClientPtr on the
existing struct was set to NULL. The struct itself remained in the
client's resources.

If the drawable is now destroyed, the resource system invokes
XvdiDestroyVideoNotifyList which frees the whole list for this drawable
- including our struct. This function however does not free the resource
for the client since our ClientPtr is NULL.

Later, when the client is destroyed and the resource system invokes
XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
a struct that has been freed previously. This is generally frowned upon.

Fix this by calling FreeResource() on the second call instead of merely
setting the ClientPtr to NULL. This removes the struct from the client
resources (but not from the list), ensuring that it won't be accessed
again when the client quits.

Note that the assignment tpn->client = NULL; is superfluous since the
XvdiDestroyVideoNotify function will do this anyway. But it's left for
clarity and to match a similar invocation in XvdiSelectPortNotify.

CVE-2022-46342, ZDI-CAN 19400

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
 		2022-12-14 11:02:06 +10:00
..
bigreq.c Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
dpms.c Change the DPMS initialization to be conditional on not set from config 2018-06-26 17:14:34 -07:00
dpmsproc.h dpms: Consolidate a bunch of stuff into Xext/dpms.c 2017-03-27 15:59:47 -04:00
geext.c More missing version checks in SProcs 2021-08-08 12:43:01 +00:00
geext.h Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
geint.h xge: Hide some implementation details 2015-07-08 16:40:58 -04:00
hashtable.c dix: Fix undefined shift in ht_generic_hash 2019-10-15 14:06:30 -04:00
hashtable.h Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
meson.build meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
panoramiX.c Xext: dynamically allocate the PanoramiXDepths[j].vids array 2018-07-19 11:52:14 +10:00
panoramiX.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
panoramiXSwap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
panoramiXh.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
panoramiXprocs.c dix: Call SourceValidate before GetImage 2019-10-30 16:26:01 +00:00
panoramiXsrv.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
saver.c Xext: Fix out of bounds access in SProcScreenSaverSuspend() 2021-12-14 15:00:02 +02:00
security.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
securitysrv.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
shape.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
shm.c os, shm: fcntl()'s third argument is integer, not pointer 2020-12-18 09:36:30 -05:00
shmint.h xext: Fix shmint.h to not use headers outside of sdk_HEADERS 2013-11-14 10:22:15 +09:00
sleepuntil.c os: Don't crash in AttendClient if the client is gone 2019-11-19 10:15:05 -08:00
sleepuntil.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
sync.c xsync: Add resource inside of SyncCreate, export SyncCreate 2019-04-17 14:01:17 -07:00
syncsdk.h xsync: Add resource inside of SyncCreate, export SyncCreate 2019-04-17 14:01:17 -07:00
syncsrv.h sync: Convert from "CARD64" to int64_t. 2017-09-20 13:19:27 -04:00
vidmode.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
xace.c xace: Don't censor window borders 2016-09-28 15:25:07 -04:00
xace.h xace: Remove the audit hooks and tune dispatch 2016-06-10 13:26:19 -04:00
xacestr.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
xcmisc.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xf86bigfont.c Drop workaround for pre-glibc linux 2017-05-11 15:24:01 -04:00
xf86bigfontsrv.h Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
xres.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
xselinux.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xselinux_ext.c selinux: Stop using security_context_t 2021-08-17 16:02:39 -04:00
xselinux_hooks.c selinux: Stop using security_context_t 2021-08-17 16:02:39 -04:00
xselinux_label.c selinux: Stop using security_context_t 2021-08-17 16:02:39 -04:00
xselinuxint.h selinux: Stop using security_context_t 2021-08-17 16:02:39 -04:00
xtest.c Xtest: disallow GenericEvents in XTestSwapFakeInput 2022-12-12 10:55:49 +10:00
xvdisp.c Unvalidated lengths 2017-10-10 23:33:34 +02:00
xvdisp.h Fix swapped Xv dispatch under Xinerama. 2007-12-02 14:15:36 -05:00
xvdix.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xvmain.c Xext: free the XvRTVideoNotify when turning off from the same client 2022-12-14 11:02:06 +10:00
xvmc.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xvmcext.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00