[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Git][xorg-team/xserver/xorg-server][debian-unstable] 3 commits: Minor changelog correction

Title: GitLab

Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver / xorg-server

Commits:

  • d7faa4c2
    by Julien Cristau at 2024-04-10T10:37:12+02:00 
    Minor changelog correction
  • a644fd32
    by Olivier Fourdan at 2024-04-10T10:43:09+02:00 
    render: Avoid possible double-free in ProcRenderAddGlyphs()

ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
then frees it using FreeGlyph() to decrease the reference count, after
AddGlyph() has increased it.

AddGlyph() however may chose to reuse an existing glyph if it's already
in the glyphSet, and free the glyph that was given, in which case the
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
already freed glyph, as reported by ASan:

  READ of size 4 thread T0
    #0 in FreeGlyph xserver/render/glyph.c:252
    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
    #2 in Dispatch xserver/dix/dispatch.c:546
    #3 in dix_main xserver/dix/main.c:271
    #4 in main xserver/dix/stubmain.c:34
    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 in __libc_start_main_impl ../csu/libc-start.c:360
    #7  (/usr/bin/Xwayland+0x44fe4)
  Address is located 0 bytes inside of 64-byte region
  freed by thread T0 here:
    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
    #2 in AddGlyph xserver/render/glyph.c:295
    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
    #4 in Dispatch xserver/dix/dispatch.c:546
    #5 in dix_main xserver/dix/main.c:271
    #6 in main xserver/dix/stubmain.c:34
    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  previously allocated by thread T0 here:
    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 in AllocateGlyph xserver/render/glyph.c:355
    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
    #3 in Dispatch xserver/dix/dispatch.c:546
    #4 in dix_main xserver/dix/main.c:271
    #5 in main xserver/dix/stubmain.c:34
    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph

To avoid that, make sure not to free the given glyph in AddGlyph().

v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)

Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
  • d05d14f5
    by Julien Cristau at 2024-04-10T10:45:14+02:00 
    Upload to unstable

2 changed files:

Changes:

  • debian/changelog
    1 
    +xorg-server (2:21.1.12-1) unstable; urgency=medium
    2 
    +
    3 
    +  * New upstream release.
    4 
    +  * render: Avoid possible double-free in ProcRenderAddGlyphs()
    5 
    +    (closes: #1068470)
    6 
    +
    7 
    + -- Julien Cristau <jcristau@debian.org>  Wed, 10 Apr 2024 10:44:55 +0200
    8 
    +
    1 9 
     xorg-server (2:21.1.11-3) unstable; urgency=high
    2 10
    3 11 
       [ Chris Hofstaedtler ]
    ... ... @@ -17,8 +25,7 @@ xorg-server (2:21.1.11-3) unstable; urgency=high
    17 25 
           send reply (CVE-2024-31082)
    18 26 
         - render: fix refcounting of glyphs during ProcRenderAddGlyphs
    19 27 
           (CVE-2024-31083)
    20 
    -  * dix-Fix-use-after-free-in-input-device-shutdown.patch: drop (already
    21 
    -    cherry-picked).
    28 
    +  * dix-Fix-use-after-free-in-input-device-shutdown.patch: drop (now upstream).
    22 29
    23 30 
      -- Julien Cristau <jcristau@debian.org>  Wed, 03 Apr 2024 21:09:12 +0200
    24 31

  • render/glyph.c
    ... ... @@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
    291 291 
         gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
    292 292 
                           TRUE, glyph->sha1);
    293 293 
         if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
    294 
    -        FreeGlyphPicture(glyph);
    295 
    -        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
    296 294 
             glyph = gr->glyph;
    297 295 
         }
    298 296 
         else if (gr->glyph != glyph) {


    • View it on GitLab.
    You're receiving this email because of your account on salsa.debian.org. Manage all notifications · Help

    Reply to: