xserver/Xext
Peter Hutterer f5abfb6199 sync: fix deletion of counters and fences
Both FreeCounter() and miSyncDestroyFence() iterate over the trigger list
and invoke the CounterDestroyed callback on each trigger.

The CounterDestroyed callback (e.g. SyncAwaitTriggerFired) may call
FreeResource/FreeAwait, which frees the SyncAwaitUnion containing all
SyncAwait structs in the same Await group.

When multiple conditions in a single Await reference the same sync
object (counter or fence), the first callback frees all SyncAwait
structs while subsequent trigger list nodes still reference them. On the
next iteration, reading ptl->next or ptl->pTrigger dereferences freed
memory, leading to a use-after-free.

We need separate fixes for separate issues here to fix this in one go
- use our null-terminated list macro to make sure our next pointer stays
  valid (the code accessed ptl->next after freeing it)
- update the list head before deleting the trigger, eventually this ends
  up being NULL anyway but meanwhile the list head is a valid list
  during CounterDestroyed
- check if we actually do have a trigger before dereferencing the
  callback
- set all triggers to NULL if they are shared so we don't dereference
  potentially freed memory

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30159 (miSyncDestroyFence), ZDI-CAN-30163 (FreeCounter)

Assisted-by: Claude:claude-opus-4-6
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2228>
2026-06-01 08:31:59 +10:00
bigreq.c Xext: bigreq: drop swapping request length fields 2026-01-25 10:39:59 -08:00
dpms.c Xext: dpms: need to include geext.h 2026-01-25 10:40:00 -08:00
dpmsproc.h dpms: Consolidate a bunch of stuff into Xext/dpms.c 2017-03-27 15:59:47 -04:00
geext.c randr, Xext: remove stale length swaps 2026-04-24 01:55:36 +00:00
geext.h Xext: geext.h: fix missing include of Xfuncproto.h 2026-01-25 10:40:00 -08:00
geint.h xge: Hide some implementation details 2015-07-08 16:40:58 -04:00
hashtable.c dix: Fix undefined shift in ht_generic_hash 2019-10-15 14:06:30 -04:00
hashtable.h Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
meson.build Xace: dont install xace.h and xacestr.h anymore 2026-01-25 10:39:54 -08:00
panoramiX.c panoramiX: fail if we can't allocate our visual arrays 2026-04-28 02:37:43 +00:00
panoramiX.h Xext: drop _PANORAMIX_SERVER 2026-01-25 10:39:54 -08:00
panoramiXh.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
panoramiXprocs.c Xext: handle various allocation failures 2026-04-28 02:37:43 +00:00
panoramiXsrv.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
panoramiXSwap.c Xext: panoramiX: drop now obsolete swap procs 2026-01-25 10:39:59 -08:00
saver.c Fix typos 2026-03-03 06:50:01 -03:00
security.c Xext: security: drop swapping request length fields 2026-01-25 10:39:59 -08:00
securitysrv.h Xext: securitysrv.h: drop hacks for including secur.h 2026-01-25 10:39:54 -08:00
shape.c Xext: shape: drop now obsolete swap procs 2026-01-25 10:39:59 -08:00
shm.c Xext/shm: add missing reply byte-swap in ProcShmCreateSegment 2026-04-24 01:55:36 +00:00
shmint.h xext: Fix shmint.h to not use headers outside of sdk_HEADERS 2013-11-14 10:22:15 +09:00
sleepuntil.c prevent name clash on Windows w/ RT_* defines 2026-01-19 12:48:30 -08:00
sleepuntil.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
sync.c sync: fix deletion of counters and fences 2026-06-01 08:31:59 +10:00
syncsdk.h xsync: Add resource inside of SyncCreate, export SyncCreate 2019-04-17 14:01:17 -07:00
syncsrv.h sync: Convert from "CARD64" to int64_t. 2017-09-20 13:19:27 -04:00
vidmode.c Xext/vidmode: add byte-swapping in various fields 2026-04-24 01:55:37 +00:00
xace.c xace: typesafe hook function for XACE_KEY_AVAIL 2026-01-25 10:39:54 -08:00
xace.h Xace: provide definitions of new hook functions when xace is disabled 2026-01-25 10:40:02 -08:00
xacestr.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
xcmisc.c Xext: xcmisc: drop now obsolete swap procs 2026-01-25 10:39:59 -08:00
xf86bigfont.c Fix typos 2026-03-03 06:50:01 -03:00
xf86bigfontsrv.h Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
xres.c Xext/xres: fix client PID value swap in ConstructClientIdValue 2026-05-10 23:28:33 +00:00
xselinux.h include: unpexport SELINUX_* consts from include/global.h 2026-01-19 12:32:24 -08:00
xselinux_ext.c Xext/xselinux: add fast path to ProcSELinuxListSelections() 2026-01-25 10:40:02 -08:00
xselinux_hooks.c selinux: only generate audit events for avc and error messages 2026-02-15 10:43:28 -08:00
xselinux_label.c Xext/xselinux: avoid memory leak in SELinuxAtomToSID() 2026-01-25 10:40:02 -08:00
xselinuxint.h selinux: Stop using security_context_t 2021-08-17 16:02:39 -04:00
xtest.c Xext/xtest: avoid null dereference in ProcXTestFakeInput() 2026-01-25 10:40:03 -08:00
xvdisp.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
xvdisp.h Fix swapped Xv dispatch under Xinerama. 2007-12-02 14:15:36 -05:00
xvdix.h xv: move XvVideoNotifyRec into xvmain.c 2026-01-25 10:39:55 -08:00
xvmain.c xv: move XvVideoNotifyRec into xvmain.c 2026-01-25 10:39:55 -08:00
xvmc.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
xvmcext.h Xext: xvmc: drop unused XvMCScreenInitProc 2026-01-25 10:39:57 -08:00