Commit 09b8ff8d authored Nov 03, 2022 by Narpat Mali Committed by Richard Purdie Nov 04, 2022

wayland: fix CVE-2021-3782

An internal reference count is held on the buffer pool,
incremented every time a new buffer is created from the pool.
The reference count is maintained as an int;
on LP64 systems this can cause thereference count to overflow if
the client creates a large number of wl_shm buffer objects,
or if it can coerce the server to create a large number of external references
to the buffer storage. With the reference count overflowing, a use-after-free
can be constructed on the wl_shm_pool tracking structure,
where values may be incremented or decremented;
it may also be possible to construct a limited oracle to leak 4 bytes of
server-side memory to the attacking client at a time.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3782

Upstream patch:
https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2



Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

parent 791fe354

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 9c3f494b
· Dec 02, 2023

mentioned in commit 9c3f494b

mentioned in commit 9c3f494bf54c4d4b7ec776ab18d900bf9fbd042a

Toggle commit list

Please register or to comment