fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-04-18 08:30:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
xserver/miext
History
Exact
Olivier Fourdan 70aad8867a miext/sync: Fix use-after-free in miSyncTriggerFence() 
As reported by valgrind:

  == Invalid read of size 8
  ==    at 0x568C14: miSyncTriggerFence (misync.c:140)
  ==    by 0x540688: ProcSyncTriggerFence (sync.c:1957)
  ==    by 0x540CCC: ProcSyncDispatch (sync.c:2152)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)
  ==  Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
  ==    at 0x4843E43: free (vg_replace_malloc.c:990)
  ==    by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
  ==    by 0x53F14D: FreeAwait (sync.c:1208)
  ==    by 0x4DFB06: doFreeResource (resource.c:888)
  ==    by 0x4DFC59: FreeResource (resource.c:918)
  ==    by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
  ==    by 0x568C52: miSyncTriggerFence (misync.c:142)
  ==    by 0x540688: ProcSyncTriggerFence (sync.c:1957)
  ==    by 0x540CCC: ProcSyncDispatch (sync.c:2152)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)
  ==  Block was alloc'd at
  ==    at 0x4840B26: malloc (vg_replace_malloc.c:447)
  ==    by 0x5E50E1: XNFalloc (utils.c:1129)
  ==    by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
  ==    by 0x53DCA8: SyncInitTrigger (sync.c:414)
  ==    by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
  ==    by 0x540D04: ProcSyncDispatch (sync.c:2160)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)

When walking the list of fences to trigger, miSyncTriggerFence() may
call TriggerFence() for the current trigger, which end up calling the
function SyncAwaitTriggerFired().

SyncAwaitTriggerFired() frees the entire await resource, which removes
all triggers from that await - including pNext which may be another
trigger from the same await attached to the same fence.

On the next iteration, ptl = pNext points to freed memory...

To avoid the issue, we need to restart the iteration from the beginning
of the list each time a trigger fires, since the callback can modify the
list.

CVE-2026-34001, ZDI-CAN-28706

This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f19ab94ba9)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
2026-04-14 15:12:24 +02:00
..
damage meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
rootless rootless: Protect alpha channel for Render operations 2026-03-24 20:59:03 -07:00
shadow meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
sync miext/sync: Fix use-after-free in miSyncTriggerFence() 2026-04-14 15:12:24 +02:00
Makefile.am rootless: Build unconditionally 2015-07-08 16:41:28 -04:00