(release/25.2) Xext: xvmc: guard against NULL screen private in ProcXvMCGetDRInfo #3111

ProcXvMCGetDRInfo() fetched the per-screen XvMC private with XVMC_GET_PRIVATE() and immediately dereferenced it (strlen(pScreenPriv->clientDriverName)). The private is NULL for any screen on which XvMCScreenInit() was never called, while the extension and its private key become available globally as soon as any screen enables XvMC.

A local client owning a valid Xv port on a non-XvMC screen (e.g. a multi-GPU setup where only one screen has XvMC) could thus crash the server. The three other port-taking XvMC handlers already check for NULL; do the same here and return BadMatch.

Fixes: 3b0dce3 ("lib/XvMC/Imake Added support for automatic loading of the correct hardware XvMC driver.")
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
(cherry picked from commit 6db14d0)

Backport review — #3111 →
Applicability: confirmed.
Correctness: good. Adding
Backport-worthiness: yes — NULL-pointer deref / server crash (DoS) reachable by a local client with a valid Xv port on a non-XvMC screen (multi-GPU).
Driver/NVIDIA ABI: no impact — local NULL guard in an Xv/XvMC handler; no public struct or
Verdict: PASS. Merge decision is the maintainer's (release lines are manual-merge only).

Backport dashboard
Master: #2970 ✅ merged
Auto-generated backport dashboard — links the source master PR and sibling backports with their merge status.

Backport of #2970 to release/25.2.

Clean cherry-pick — release/25.2 carried the identical pre-fix code at the same path. (release/25.1 already contains the fix; release/25.0 already contains it or predates the affected code — see the backport dashboard on #2970.)

ProcXvMCGetDRInfo() fetched the per-screen XvMC private with
XVMC_GET_PRIVATE() and immediately dereferenced it
(strlen(pScreenPriv->clientDriverName)). The private is NULL for any screen on
which XvMCScreenInit() was never called, while the extension and its private
key become available globally as soon as any screen enables XvMC.
A local client owning a valid Xv port on a non-XvMC screen (e.g. a multi-GPU
setup where only one screen has XvMC) could thus crash the server. The three
other port-taking XvMC handlers already check for NULL; do the same here and
return BadMatch.
Fixes: 3b0dce3 ("lib/XvMC/Imake Added support for automatic loading of the correct hardware XvMC driver.")
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
(cherry picked from commit 6db14d0)
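
The failure mode described in the commit message, as an added C model that is not X server code and not part of this PR. Every name (`ModelScreenPriv`, `model_screen_init`, `model_get_dr_info`) is hypothetical; the model only shows why a globally enabled extension with per-screen privates needs a NULL check in each handler.

```c
/* Simplified model, NOT X server code: all names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MODEL_SUCCESS   0
#define MODEL_BAD_MATCH 8   /* X11 core protocol error code for BadMatch */
#define MAX_SCREENS     2

typedef struct {
    char client_driver_name[32];
} ModelScreenPriv;

/* One slot per screen; a slot stays NULL until that screen is initialised. */
static ModelScreenPriv *screen_priv[MAX_SCREENS];
static ModelScreenPriv storage[MAX_SCREENS];
static int extension_registered;   /* global: set once ANY screen initialises */

/* Stand-in for per-screen init: enables the extension globally,
 * but fills in the private for this one screen only. */
static void model_screen_init(int screen, const char *driver)
{
    snprintf(storage[screen].client_driver_name,
             sizeof storage[screen].client_driver_name, "%s", driver);
    screen_priv[screen] = &storage[screen];
    extension_registered = 1;
}

/* Hardened handler: check the per-screen private before any dereference.
 * The pre-fix pattern went straight to strlen(priv->client_driver_name). */
static int model_get_dr_info(int screen, size_t *name_len)
{
    ModelScreenPriv *priv;
    if (!extension_registered || screen < 0 || screen >= MAX_SCREENS)
        return MODEL_BAD_MATCH;
    priv = screen_priv[screen];
    if (priv == NULL)               /* this screen never ran its init */
        return MODEL_BAD_MATCH;
    *name_len = strlen(priv->client_driver_name);
    return MODEL_SUCCESS;
}

int main(void)
{
    size_t len = 0;
    model_screen_init(0, "constructed_drv");   /* only screen 0 gets a private */
    printf("screen 0 -> %d\n", model_get_dr_info(0, &len));
    printf("screen 1 -> %d\n", model_get_dr_info(1, &len));
    return 0;
}
```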