Commit 16a1242d authored by Olivier Fourdan

sync: Do not let sync objects uninitialized


When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.

SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.

Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.

This can be used to cause a use after free when the alarm eventually
triggers.

To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.

CVE-2025-26601, ZDI-CAN-25870

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <!1828>
parent 6e0f332b
1 merge request: !1828 Multiple CVE fixes
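
The ordering described in the commit message (run every step that can fail first, release the existing object last) as an added toy example; it is not code from the commit or from the X server. All type and function names, and the "negative value is invalid" rule, are hypothetical.

```c
#include <stdlib.h>
/* Toy model, not xserver code: every type and function name is hypothetical. */
typedef struct { int id; } SyncObj;
typedef struct { SyncObj *obj; long wait_value; } Trigger;

enum { CH_COUNTER = 1 << 0, CH_VALUE = 1 << 1 };
enum { OK = 0, ERR_BAD_VALUE = 1, ERR_ALLOC = 2 };

static int live_objects;   /* allocation count, so leaks and double frees show up */

static SyncObj *obj_new(int id) {
    SyncObj *o = malloc(sizeof *o);
    if (o) { o->id = id; live_objects++; }
    return o;
}

static void obj_free(SyncObj *o) { if (o) { live_objects--; free(o); } }

/* Apply a change mask. All fallible steps run on local state; the object the
 * trigger points at is released only after the last possible error exit. */
int trigger_change(Trigger *t, unsigned mask, int new_id, long new_value) {
    SyncObj *incoming = NULL;
    long value = t->wait_value;

    if (mask & CH_COUNTER) {
        incoming = obj_new(new_id);
        if (!incoming) return ERR_ALLOC;      /* t->obj untouched */
    }
    if (mask & CH_VALUE) {
        if (new_value < 0) {                  /* constructed validation rule */
            obj_free(incoming);               /* drop only the unpublished object */
            return ERR_BAD_VALUE;             /* t->obj still valid */
        }
        value = new_value;
    }
    /* Commit point: nothing below can fail. */
    if (incoming) { obj_free(t->obj); t->obj = incoming; }
    t->wait_value = value;
    return OK;
}

int main(void) {
    Trigger t = { obj_new(1), 0 };
    int rc = trigger_change(&t, CH_COUNTER | CH_VALUE, 2, -1);
    int ok = (rc == ERR_BAD_VALUE && t.obj && t.obj->id == 1);
    obj_free(t.obj);
    return ok ? 0 : 1;
}
```

Moving the `obj_free(t->obj)` call up into the `CH_COUNTER` branch reproduces the ordering the commit removes: the later error return would then leave `t->obj` pointing at freed memory.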