ALAS2-2023-2103 --- waylandID: oval:org.secpod.oval:def:1701417 | Date: (C)2023-07-07 (M)2023-11-13 |
Class: PATCH | Family: unix |
An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time
Product: |
wayland |
libwayland-client |
libwayland-cursor |
libwayland-egl |
libwayland-server |