mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 04:40:02 +01:00
5a4286b13f
Using the Present extension, if an error occurs while processing and adding the notifications after presenting a pixmap, the function present_create_notifies() will clean up and remove the notifications it added. However, there are two different code paths that can lead to an error creating the notify, one being before the notify is being added to the list, and another one after the notify is added. When the error occurs before it's been added, it removes the elements up to the last added element, instead of the actual number of elements which were added. As a result, in case of error, as with an invalid window for example, it leaves a dangling pointer to the last element, leading to a use after free case later: | Invalid write of size 8 | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) | by 0x534A56: present_destroy_window (present_screen.c:107) | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) | by 0x51EAC4: damageDestroyWindow (damage.c:1592) | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) | by 0x4EAC55: FreeWindowResources (window.c:1023) | by 0x4EAF59: DeleteWindow (window.c:1091) | by 0x4DE59A: doFreeResource (resource.c:890) | by 0x4DEFB2: FreeClientResources (resource.c:1156) | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) | by 0x5DCC78: ClientReady (connection.c:603) | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd | at 0x4841E43: free (vg_replace_malloc.c:989) | by 0x5363DD: present_destroy_notifies (present_notify.c:111) | by 0x53638D: present_create_notifies (present_notify.c:100) | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) | by 0x536A7D: proc_present_pixmap (present_request.c:189) | by 0x536FA9: proc_present_dispatch (present_request.c:337) | by 0x4A1E4E: Dispatch (dispatch.c:561) | by 0x4B00F1: dix_main (main.c:284) | by 0x42879D: main (stubmain.c:34) | Block was alloc'd at | at 0x48463F3: calloc (vg_replace_malloc.c:1675) | by 0x5362A1: present_create_notifies (present_notify.c:81) | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) | by 0x536A7D: proc_present_pixmap (present_request.c:189) | by 0x536FA9: proc_present_dispatch (present_request.c:337) | by 0x4A1E4E: Dispatch (dispatch.c:561) | by 0x4B00F1: dix_main (main.c:284) | by 0x42879D: main (stubmain.c:34) To fix the issue, count and remove the actual number of notify elements added in case of error. CVE-2025-62229, ZDI-CAN-27238 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086> |
||
|---|---|---|
| .. | ||
| meson.build | ||
| present.c | ||
| present.h | ||
| present_event.c | ||
| present_execute.c | ||
| present_fake.c | ||
| present_fence.c | ||
| present_notify.c | ||
| present_priv.h | ||
| present_request.c | ||
| present_scmd.c | ||
| present_screen.c | ||
| present_vblank.c | ||
| presentext.h | ||