mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 15:10:02 +01:00
xkb: Free the XKB resource when freeing XkbInterest
XkbRemoveResourceClient() would free the XkbInterest data associated with the device, but not the resource associated with it. As a result, when the client terminates, the resource delete function gets called and accesses already freed memory: | Invalid read of size 8 | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) | by 0x5B3391: XkbClientGone (xkb.c:7094) | by 0x4DF138: doFreeResource (resource.c:890) | by 0x4DFB50: FreeClientResources (resource.c:1156) | by 0x4A9A59: CloseDownClient (dispatch.c:3550) | by 0x5E0A53: ClientReady (connection.c:601) | by 0x5E4FEF: ospoll_wait (ospoll.c:657) | by 0x5DC834: WaitForSomething (WaitFor.c:206) | by 0x4A1BA5: Dispatch (dispatch.c:491) | by 0x4B0070: dix_main (main.c:277) | by 0x4285E7: main (stubmain.c:34) | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd | at 0x4842E43: free (vg_replace_malloc.c:989) | by 0x49C1A6: CloseDevice (devices.c:1067) | by 0x49C522: CloseOneDevice (devices.c:1193) | by 0x49C6E4: RemoveDevice (devices.c:1244) | by 0x5873D4: remove_master (xichangehierarchy.c:348) | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) | by 0x579BF1: ProcIDispatch (extinit.c:390) | by 0x4A1D85: Dispatch (dispatch.c:551) | by 0x4B0070: dix_main (main.c:277) | by 0x4285E7: main (stubmain.c:34) | Block was alloc'd at | at 0x48473F3: calloc (vg_replace_malloc.c:1675) | by 0x49A118: AddInputDevice (devices.c:262) | by 0x4A0E58: AllocDevicePair (devices.c:2846) | by 0x5866EE: add_master (xichangehierarchy.c:153) | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) | by 0x579BF1: ProcIDispatch (extinit.c:390) | by 0x4A1D85: Dispatch (dispatch.c:551) | by 0x4B0070: dix_main (main.c:277) | by 0x4285E7: main (stubmain.c:34) To avoid that issue, make sure to free the resources when freeing the device XkbInterest data. CVE-2025-62230, ZDI-CAN-27545 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
This commit is contained in:
Olivier Fourdan
parent
99790a2c92
commit
10c94238bd
1 changed files with 2 additions and 0 deletions
|
|
@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
|
||||||
autoCtrls = interest->autoCtrls;
|
autoCtrls = interest->autoCtrls;
|
||||||
autoValues = interest->autoCtrlValues;
|
autoValues = interest->autoCtrlValues;
|
||||||
client = interest->client;
|
client = interest->client;
|
||||||
|
FreeResource(interest->resource, RT_XKBCLIENT);
|
||||||
free(interest);
|
free(interest);
|
||||||
found = TRUE;
|
found = TRUE;
|
||||||
}
|
}
|
||||||
|
|
@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
|
||||||
autoCtrls = victim->autoCtrls;
|
autoCtrls = victim->autoCtrls;
|
||||||
autoValues = victim->autoCtrlValues;
|
autoValues = victim->autoCtrlValues;
|
||||||
client = victim->client;
|
client = victim->client;
|
||||||
|
FreeResource(victim->resource, RT_XKBCLIENT);
|
||||||
free(victim);
|
free(victim);
|
||||||
found = TRUE;
|
found = TRUE;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue