fix regression caused by the fix for CVE-2024-31083
(cherry picked from commit 69b341c2690d1c4d09cd694606ac2186428eab8f)
This commit is contained in:
yangl777
openeuler-sync-bot
parent
63a9359b11
commit
847df5038c
@ -0,0 +1,75 @@
|
||||
From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 5 Apr 2024 15:24:49 +0200
|
||||
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
|
||||
|
||||
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
|
||||
then frees it using FreeGlyph() to decrease the reference count, after
|
||||
AddGlyph() has increased it.
|
||||
|
||||
AddGlyph() however may chose to reuse an existing glyph if it's already
|
||||
in the glyphSet, and free the glyph that was given, in which case the
|
||||
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
|
||||
already freed glyph, as reported by ASan:
|
||||
|
||||
READ of size 4 thread T0
|
||||
#0 in FreeGlyph xserver/render/glyph.c:252
|
||||
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
|
||||
#2 in Dispatch xserver/dix/dispatch.c:546
|
||||
#3 in dix_main xserver/dix/main.c:271
|
||||
#4 in main xserver/dix/stubmain.c:34
|
||||
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
#6 in __libc_start_main_impl ../csu/libc-start.c:360
|
||||
#7 (/usr/bin/Xwayland+0x44fe4)
|
||||
Address is located 0 bytes inside of 64-byte region
|
||||
freed by thread T0 here:
|
||||
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
|
||||
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
|
||||
#2 in AddGlyph xserver/render/glyph.c:295
|
||||
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
|
||||
#4 in Dispatch xserver/dix/dispatch.c:546
|
||||
#5 in dix_main xserver/dix/main.c:271
|
||||
#6 in main xserver/dix/stubmain.c:34
|
||||
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
previously allocated by thread T0 here:
|
||||
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
|
||||
#1 in AllocateGlyph xserver/render/glyph.c:355
|
||||
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
|
||||
#3 in Dispatch xserver/dix/dispatch.c:546
|
||||
#4 in dix_main xserver/dix/main.c:271
|
||||
#5 in main xserver/dix/stubmain.c:34
|
||||
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
||||
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
|
||||
|
||||
To avoid that, make sure not to free the given glyph in AddGlyph().
|
||||
|
||||
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
|
||||
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
|
||||
|
||||
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
|
||||
|
||||
Conflict:NA
|
||||
Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef
|
||||
---
|
||||
render/glyph.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/render/glyph.c b/render/glyph.c
|
||||
index 13991f8a12..5fa7f3b5b4 100644
|
||||
--- a/render/glyph.c
|
||||
+++ b/render/glyph.c
|
||||
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
|
||||
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
|
||||
TRUE, glyph->sha1);
|
||||
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
|
||||
- FreeGlyphPicture(glyph);
|
||||
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
|
||||
glyph = gr->glyph;
|
||||
}
|
||||
else if (gr->glyph != glyph) {
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -16,7 +16,7 @@
|
||||
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.11
|
||||
Release: 29
|
||||
Release: 30
|
||||
Summary: X.Org X11 X server
|
||||
License: MIT and GPLv2
|
||||
URL: https://www.x.org
|
||||
@ -123,6 +123,7 @@ Patch6037: backport-CVE-2024-31080.patch
|
||||
Patch6038: backport-CVE-2024-31081.patch
|
||||
Patch6039: backport-CVE-2024-31082.patch
|
||||
Patch6040: backport-CVE-2024-31083.patch
|
||||
Patch6041: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
|
||||
|
||||
BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc
|
||||
BuildRequires: systemtap-sdt-devel libtool pkgconfig
|
||||
@ -464,6 +465,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
||||
%{_mandir}/man*/*
|
||||
|
||||
%changelog
|
||||
* Wed Apr 17 2024 yanglu <yanglu72@h-partners.com> -1.20.11-30
|
||||
- fix regression caused by the fix for CVE-2024-31083
|
||||
|
||||
* Sun Apr 7 2024 yanglu <yanglu72@h-partners.com> -1.20.11-29
|
||||
- fix CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user