From 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Wed, 2 Jul 2025 09:46:22 +0200 Subject: [PATCH] present: Fix use-after-free in present_create_notifies() Using the Present extension, if an error occurs while processing and adding the notifications after presenting a pixmap, the function present_create_notifies() will clean up and remove the notifications it added. However, there are two different code paths that can lead to an error creating the notify, one being before the notify is being added to the list, and another one after the notify is added. When the error occurs before it's been added, it removes the elements up to the last added element, instead of the actual number of elements which were added. As a result, in case of error, as with an invalid window for example, it leaves a dangling pointer to the last element, leading to a use after free case later: | Invalid write of size 8 | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) | by 0x534A56: present_destroy_window (present_screen.c:107) | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) | by 0x51EAC4: damageDestroyWindow (damage.c:1592) | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) | by 0x4EAC55: FreeWindowResources (window.c:1023) | by 0x4EAF59: DeleteWindow (window.c:1091) | by 0x4DE59A: doFreeResource (resource.c:890) | by 0x4DEFB2: FreeClientResources (resource.c:1156) | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) | by 0x5DCC78: ClientReady (connection.c:603) | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd | at 0x4841E43: free (vg_replace_malloc.c:989) | by 0x5363DD: present_destroy_notifies (present_notify.c:111) | by 0x53638D: present_create_notifies (present_notify.c:100) | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) | by 0x536A7D: proc_present_pixmap (present_request.c:189) | by 0x536FA9: proc_present_dispatch (present_request.c:337) | by 0x4A1E4E: Dispatch (dispatch.c:561) | by 0x4B00F1: dix_main (main.c:284) | by 0x42879D: main (stubmain.c:34) | Block was alloc'd at | at 0x48463F3: calloc (vg_replace_malloc.c:1675) | by 0x5362A1: present_create_notifies (present_notify.c:81) | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) | by 0x536A7D: proc_present_pixmap (present_request.c:189) | by 0x536FA9: proc_present_dispatch (present_request.c:337) | by 0x4A1E4E: Dispatch (dispatch.c:561) | by 0x4B00F1: dix_main (main.c:284) | by 0x42879D: main (stubmain.c:34) To fix the issue, count and remove the actual number of notify elements added in case of error. CVE-2025-62229, ZDI-CAN-27238 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan Part-of: --- present/present_notify.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/present/present_notify.c b/present/present_notify.c index 7d19d9cfe..fe84d1f07 100644 --- a/present/present_notify.c +++ b/present/present_notify.c @@ -92,7 +92,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no if (status != Success) goto bail; - added = i; + added++; } return Success;