mirror of
https://github.com/X11Libre/xserver.git
synced 2026-03-24 01:34:11 +00:00
f74d828668
XkbRemoveResourceClient() would free the XkbInterest data associated with the device, but not the resource associated with it. As a result, when the client terminates, the resource delete function gets called and accesses already freed memory: | Invalid read of size 8 | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) | by 0x5B3391: XkbClientGone (xkb.c:7094) | by 0x4DF138: doFreeResource (resource.c:890) | by 0x4DFB50: FreeClientResources (resource.c:1156) | by 0x4A9A59: CloseDownClient (dispatch.c:3550) | by 0x5E0A53: ClientReady (connection.c:601) | by 0x5E4FEF: ospoll_wait (ospoll.c:657) | by 0x5DC834: WaitForSomething (WaitFor.c:206) | by 0x4A1BA5: Dispatch (dispatch.c:491) | by 0x4B0070: dix_main (main.c:277) | by 0x4285E7: main (stubmain.c:34) | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd | at 0x4842E43: free (vg_replace_malloc.c:989) | by 0x49C1A6: CloseDevice (devices.c:1067) | by 0x49C522: CloseOneDevice (devices.c:1193) | by 0x49C6E4: RemoveDevice (devices.c:1244) | by 0x5873D4: remove_master (xichangehierarchy.c:348) | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) | by 0x579BF1: ProcIDispatch (extinit.c:390) | by 0x4A1D85: Dispatch (dispatch.c:551) | by 0x4B0070: dix_main (main.c:277) | by 0x4285E7: main (stubmain.c:34) | Block was alloc'd at | at 0x48473F3: calloc (vg_replace_malloc.c:1675) | by 0x49A118: AddInputDevice (devices.c:262) | by 0x4A0E58: AllocDevicePair (devices.c:2846) | by 0x5866EE: add_master (xichangehierarchy.c:153) | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) | by 0x579BF1: ProcIDispatch (extinit.c:390) | by 0x4A1D85: Dispatch (dispatch.c:551) | by 0x4B0070: dix_main (main.c:277) | by 0x4285E7: main (stubmain.c:34) To avoid that issue, make sure to free the resources when freeing the device XkbInterest data. CVE-2025-62230, ZDI-CAN-27545 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients. The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time. The default keymap for any server is usually stored in:
X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.
Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.