As reported by valgrind:
== Invalid read of size 8
== at 0x568C14: miSyncTriggerFence (misync.c:140)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
== at 0x4843E43: free (vg_replace_malloc.c:990)
== by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
== by 0x53F14D: FreeAwait (sync.c:1208)
== by 0x4DFB06: doFreeResource (resource.c:888)
== by 0x4DFC59: FreeResource (resource.c:918)
== by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
== by 0x568C52: miSyncTriggerFence (misync.c:142)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Block was alloc'd at
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E50E1: XNFalloc (utils.c:1129)
== by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
== by 0x53DCA8: SyncInitTrigger (sync.c:414)
== by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
== by 0x540D04: ProcSyncDispatch (sync.c:2160)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
When walking the list of triggers attached to the fence, miSyncTriggerFence() may
call TriggerFired() for the current trigger, which ends up calling the
function SyncAwaitTriggerFired().
SyncAwaitTriggerFired() frees the entire await resource, which removes
all triggers from that await - including pNext which may be another
trigger from the same await attached to the same fence.
On the next iteration, ptl = pNext points to freed memory...
To avoid the issue, we need to restart the iteration from the beginning
of the list each time a trigger fires, since the callback can modify the
list.
CVE-2026-34001, ZDI-CAN-28706
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f19ab94ba9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2177>
/*
 * Copyright © 2010 NVIDIA Corporation
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice (including the next
 * paragraph) shall be included in all copies or substantial portions of the
 * Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */
#ifdef HAVE_DIX_CONFIG_H
#include <dix-config.h>
#endif
#include "scrnintstr.h"
#include "misync_priv.h"
#include "misyncstr.h"
DevPrivateKeyRec miSyncScreenPrivateKey;
/* Default implementations of the sync screen functions */
/*
 * Default CreateFence screen hook.
 *
 * Records the requested starting state on the fence.  pScreen is accepted
 * only because the SyncScreenFuncsRec slot passes it; the generic
 * implementation keeps no per-screen state.
 */
void
miSyncScreenCreateFence(ScreenPtr pScreen, SyncFence * pFence,
                        Bool initially_triggered)
{
    (void) pScreen;             /* unused by the generic implementation */

    pFence->triggered = initially_triggered;
}
/*
 * Default DestroyFence screen hook.
 *
 * The generic fence owns no screen-side resources, so there is nothing to
 * release; both parameters exist only to satisfy the hook signature.
 */
void
miSyncScreenDestroyFence(ScreenPtr pScreen, SyncFence * pFence)
{
    (void) pScreen;
    (void) pFence;
}
/* Default implementations of the per-object functions */
/* Default per-fence hook: record that the fence has been triggered. */
void
miSyncFenceSetTriggered(SyncFence * pFence)
{
    pFence->triggered = TRUE;
}
/* Default per-fence hook: return the fence to the untriggered state. */
void
miSyncFenceReset(SyncFence * pFence)
{
    pFence->triggered = FALSE;
}
/*
 * Default per-fence hook: report whether the fence is currently triggered,
 * i.e. whatever SetTriggered/Reset (or CreateFence) last stored.
 */
Bool
miSyncFenceCheckTriggered(SyncFence * pFence)
{
    return pFence->triggered;
}
/*
 * Default per-fence hook called when a trigger is attached to the fence.
 * The generic fence tracks triggers only through sync.pTriglist (maintained
 * elsewhere), so there is nothing to do here.
 */
void
miSyncFenceAddTrigger(SyncTrigger * pTrigger)
{
    (void) pTrigger;
}
/*
 * Default per-fence hook called when a trigger is detached from the fence.
 * Nothing to undo for the generic implementation (see AddTrigger above).
 */
void
miSyncFenceDeleteTrigger(SyncTrigger * pTrigger)
{
    (void) pTrigger;
}
/* Machine independent portion of the fence sync object implementation */
/*
 * Machine-independent fence initialisation.
 *
 * Points the fence at its screen, installs the generic per-fence function
 * table, lets the screen's CreateFence hook choose the starting state, and
 * only then marks the fence initialised (miSyncDestroyFence skips the
 * trigger walk and the DestroyFence hook for a fence that never got here).
 *
 * NOTE(review): pFence->sync.pTriglist and sync.beingDestroyed are not
 * touched here, so this relies on the caller handing in a zero-initialised
 * SyncFence -- confirm against the allocation site in sync.c.
 */
void
miSyncInitFence(ScreenPtr pScreen, SyncFence * pFence, Bool initially_triggered)
{
    static const SyncFenceFuncsRec genericFenceFuncs = {
        miSyncFenceSetTriggered,
        miSyncFenceReset,
        miSyncFenceCheckTriggered,
        miSyncFenceAddTrigger,
        miSyncFenceDeleteTrigger
    };
    SyncScreenPrivPtr screenPriv = SYNC_SCREEN_PRIV(pScreen);

    pFence->pScreen = pScreen;
    pFence->funcs = genericFenceFuncs;

    /* The DDX hook (or miSyncScreenCreateFence) sets the initial state. */
    screenPriv->funcs.CreateFence(pScreen, pFence, initially_triggered);

    pFence->sync.initialized = TRUE;
}
/*
 * Tear a fence down: notify every trigger still attached to it, free the
 * trigger-list nodes, run the screen's DestroyFence hook, then release the
 * fence object (and its privates) itself.
 *
 * beingDestroyed is raised first, before any callback runs, so that code
 * reacting to CounterDestroyed (which may try to detach its trigger from
 * pFence->sync.pTriglist) can see the fence is on its way out.
 *
 * NOTE(review): the loop below reads ptl->next only after the callback has
 * returned and then frees the node itself.  That is only safe if the
 * callback does NOT unlink or free nodes of this list once beingDestroyed
 * is set -- confirm against SyncDeleteTriggerFromSyncObject in sync.c.
 * Otherwise this walk has the same use-after-free shape that
 * CVE-2026-34001 fixed in miSyncTriggerFence().
 */
void
miSyncDestroyFence(SyncFence * pFence)
{
    /* Set unconditionally, even for a fence that never finished init. */
    pFence->sync.beingDestroyed = TRUE;

    /* Only a fence that went through miSyncInitFence has a hook table
     * and a trigger list worth walking. */
    if (pFence->sync.initialized) {
        ScreenPtr pScreen = pFence->pScreen;
        SyncScreenPrivPtr pScreenPriv = SYNC_SCREEN_PRIV(pScreen);
        SyncTriggerList *ptl, *pNext;

        /* tell all the fence's triggers that their sync object is gone
         * (the callback is named for counters but fences use it too) */
        for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
            (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
            /* next is read after the callback on purpose; see note above */
            pNext = ptl->next;
            free(ptl); /* destroy the trigger list as we go */
        }

        /* DestroyFence is called unconditionally; the table must be full. */
        pScreenPriv->funcs.DestroyFence(pScreen, pFence);
    }

    /* pTriglist is left dangling here, but the fence goes with it. */
    dixFreeObjectWithPrivates(pFence, PRIVATE_SYNC_FENCE);
}
/*
 * Mark the fence triggered and fire every attached trigger whose condition
 * is now satisfied.
 *
 * After each TriggerFired call the walk restarts from the head of the list
 * instead of continuing from the node just visited.  TriggerFired may free
 * the await that owns the trigger, and that removes every node the await
 * had on this fence -- including the one following the current entry -- so
 * carrying on from a saved "next" pointer would touch freed memory
 * (CVE-2026-34001).
 *
 * Termination relies on a fired trigger either disappearing from the list
 * or no longer passing CheckTrigger on the next pass; a callback that does
 * neither would spin here forever.  NOTE(review): this also assumes
 * TriggerFired never destroys pFence itself -- confirm in sync.c.
 */
void
miSyncTriggerFence(SyncFence * pFence)
{
    SyncTriggerList *entry;

    pFence->funcs.SetTriggered(pFence);

    entry = pFence->sync.pTriglist;
    while (entry) {
        if (!(*entry->pTrigger->CheckTrigger) (entry->pTrigger, 0)) {
            /* not ready: nothing was modified, keep walking */
            entry = entry->next;
            continue;
        }

        (*entry->pTrigger->TriggerFired) (entry->pTrigger);

        /* entry and its successor may have been freed; start over */
        entry = pFence->sync.pTriglist;
    }
}
/*
 * Hand the DDX a pointer to this screen's sync hook table so it can
 * override CreateFence/DestroyFence in place.  The pointer refers into the
 * screen private; it is not a copy.
 */
SyncScreenFuncsPtr
miSyncGetScreenFuncs(ScreenPtr pScreen)
{
    SyncScreenPrivPtr priv = SYNC_SCREEN_PRIV(pScreen);

    return &priv->funcs;
}
/*
 * CloseScreen wrapper installed by miSyncSetup.
 *
 * Unhooks itself by restoring the CloseScreen pointer it saved, then
 * chains to that original.  Returns whatever the wrapped CloseScreen
 * returns.
 */
static Bool
SyncCloseScreen(ScreenPtr pScreen)
{
    SyncScreenPrivPtr priv = SYNC_SCREEN_PRIV(pScreen);

    /* unwrap before chaining so we are not called again for this screen */
    pScreen->CloseScreen = priv->CloseScreen;

    return (*pScreen->CloseScreen) (pScreen);
}
/*
 * Register the per-screen sync private and install the generic screen
 * hooks.
 *
 * The private key is registered once (later calls see it registered and
 * skip the step).  If the DDX has already filled in CreateFence the hook
 * table is left untouched; otherwise the defaults go in and CloseScreen is
 * wrapped so SyncCloseScreen can unhook itself at teardown.
 *
 * NOTE(review): only CreateFence is tested.  A DDX table that sets
 * CreateFence but leaves DestroyFence NULL gets no default for the latter,
 * and miSyncDestroyFence calls funcs.DestroyFence unconditionally for an
 * initialised fence -- worth confirming every DDX sets both.
 *
 * Returns FALSE only when the private key cannot be registered.
 */
Bool
miSyncSetup(ScreenPtr pScreen)
{
    static const SyncScreenFuncsRec defaultScreenFuncs = {
        miSyncScreenCreateFence,
        miSyncScreenDestroyFence
    };
    SyncScreenPrivPtr priv;

    if (!dixPrivateKeyRegistered(&miSyncScreenPrivateKey) &&
        !dixRegisterPrivateKey(&miSyncScreenPrivateKey, PRIVATE_SCREEN,
                               sizeof(SyncScreenPrivRec)))
        return FALSE;

    priv = SYNC_SCREEN_PRIV(pScreen);

    /* A DDX that already provided its own hooks keeps them. */
    if (priv->funcs.CreateFence)
        return TRUE;

    priv->funcs = defaultScreenFuncs;

    /* Wrap CloseScreen to clean up */
    priv->CloseScreen = pScreen->CloseScreen;
    pScreen->CloseScreen = SyncCloseScreen;

    return TRUE;
}