git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
wayland: fix CVE-2021-3782
author Narpat Mali <narpat.mali@windriver.com>
Fri, 4 Nov 2022 03:00:43 +0000 (17:00 -1000)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Fri, 4 Nov 2022 13:13:27 +0000 (13:13 +0000)
commit 09b8ff8d2361b2db001bc963f481db294ccf2170
tree 6f8cc064f71a5d8556989c9d4ddfe6f18a1c4d88
parent 791fe354e5887af3fa3d3f772fafacc5eaedca21
wayland: fix CVE-2021-3782

An internal reference count is held on the buffer pool,
incremented every time a new buffer is created from the pool.
The reference count is maintained as an int;
on LP64 systems this can cause the reference count to overflow if
the client creates a large number of wl_shm buffer objects,
or if it can coerce the server to create a large number of external references
to the buffer storage. With the reference count overflowing, a use-after-free
can be constructed on the wl_shm_pool tracking structure,
where values may be incremented or decremented;
it may also be possible to construct a limited oracle to leak 4 bytes of
server-side memory to the attacking client at a time.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3782

Upstream patch:
https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch [new file with mode: 0644]
meta/recipes-graphics/wayland/wayland_1.20.0.bb
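
The commit message describes an int reference count that stops matching the real number of holders once it overflows. The following is an added example, not code from this commit or from the upstream Wayland patch: it contrasts an unchecked increment with one that refuses new references at INT_MAX, a general mitigation pattern. The `struct pool` type, its `holders` field and all function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical pool tracking structure for illustration; not Wayland's own. */
struct pool {
    int refcount;     /* int counter, the type named in the commit message */
    int64_t holders;  /* ground truth, kept only by this demo */
};

/* Unchecked increment. The wrap goes through unsigned arithmetic so the demo
 * avoids signed-overflow undefined behaviour (gcc/clang wrap on the cast). */
static bool pool_ref_unchecked(struct pool *p)
{
    p->refcount = (int)((unsigned int)p->refcount + 1u);
    p->holders++;
    return true;
}

/* Checked increment: refuse the reference instead of wrapping. The caller
 * must fail the object creation when this returns false. */
static bool pool_ref_checked(struct pool *p)
{
    if (p->refcount == INT_MAX)
        return false;
    p->refcount++;
    p->holders++;
    return true;
}

/* The counter is only trustworthy while it equals the real holder count. */
static bool pool_consistent(const struct pool *p)
{
    return p->refcount > 0 && (int64_t)p->refcount == p->holders;
}

/* Constructed scenario: a pool one short of INT_MAX is asked for two more. */
static bool scenario(bool checked)
{
    struct pool p = { .refcount = INT_MAX - 1, .holders = INT_MAX - 1 };
    for (int i = 0; i < 2; i++) {
        bool ok = checked ? pool_ref_checked(&p) : pool_ref_unchecked(&p);
        if (!ok)
            break;
    }
    return pool_consistent(&p);
}

int main(void)
{
    printf("unchecked consistent: %d, checked consistent: %d\n",
           scenario(false), scenario(true));
    return 0;
}
```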