| rev |
line source |
|
shann@25640
|
1 From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
|
|
shann@25640
|
2 From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
shann@25640
|
3 Date: Thu, 4 Jan 2024 10:01:24 +1000
|
|
shann@25640
|
4 Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
|
|
shann@25640
|
5 devices
|
|
shann@25640
|
6
|
|
shann@25640
|
7 The `XISendDeviceHierarchyEvent()` function allocates space to store up
|
|
shann@25640
|
8 to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
|
|
shann@25640
|
9
|
|
shann@25640
|
10 If a device with a given ID was removed and a new device with the same
|
|
shann@25640
|
11 ID added both in the same operation, the single device ID will lead to
|
|
shann@25640
|
12 two info structures being written to `info`.
|
|
shann@25640
|
13
|
|
shann@25640
|
14 Since this case can occur for every device ID at once, a total of two
|
|
shann@25640
|
15 times `MAXDEVICES` info structures might be written to the allocation.
|
|
shann@25640
|
16
|
|
shann@25640
|
17 To avoid it, once one add/remove master is processed, send out the
|
|
shann@25640
|
18 device hierarchy event for the current state and continue. That event
|
|
shann@25640
|
19 thus only ever has exactly one of either added/removed in it (and
|
|
shann@25640
|
20 optionally slave attached/detached).
|
|
shann@25640
|
21
|
|
shann@25640
|
22 CVE-2024-21885, ZDI-CAN-22744
|
|
shann@25640
|
23
|
|
shann@25640
|
24 This vulnerability was discovered by:
|
|
shann@25640
|
25 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
shann@25640
|
26 ---
|
|
shann@25640
|
27 Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
|
|
shann@25640
|
28 1 file changed, 22 insertions(+), 5 deletions(-)
|
|
shann@25640
|
29
|
|
shann@25640
|
30 diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
|
|
shann@25640
|
31 index d2d985848d..72d00451e3 100644
|
|
shann@25640
|
32 --- a/Xi/xichangehierarchy.c
|
|
shann@25640
|
33 +++ b/Xi/xichangehierarchy.c
|
|
shann@25640
|
34 @@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
shann@25640
|
35 size_t len; /* length of data remaining in request */
|
|
shann@25640
|
36 int rc = Success;
|
|
shann@25640
|
37 int flags[MAXDEVICES] = { 0 };
|
|
shann@25640
|
38 + enum {
|
|
shann@25640
|
39 + NO_CHANGE,
|
|
shann@25640
|
40 + FLUSH,
|
|
shann@25640
|
41 + CHANGED,
|
|
shann@25640
|
42 + } changes = NO_CHANGE;
|
|
shann@25640
|
43
|
|
shann@25640
|
44 REQUEST(xXIChangeHierarchyReq);
|
|
shann@25640
|
45 REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
|
|
shann@25640
|
46 @@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
shann@25640
|
47 rc = add_master(client, c, flags);
|
|
shann@25640
|
48 if (rc != Success)
|
|
shann@25640
|
49 goto unwind;
|
|
shann@25640
|
50 - }
|
|
shann@25640
|
51 + changes = FLUSH;
|
|
shann@25640
|
52 break;
|
|
shann@25640
|
53 + }
|
|
shann@25640
|
54 case XIRemoveMaster:
|
|
shann@25640
|
55 {
|
|
shann@25640
|
56 xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
|
|
shann@25640
|
57 @@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
shann@25640
|
58 rc = remove_master(client, r, flags);
|
|
shann@25640
|
59 if (rc != Success)
|
|
shann@25640
|
60 goto unwind;
|
|
shann@25640
|
61 - }
|
|
shann@25640
|
62 + changes = FLUSH;
|
|
shann@25640
|
63 break;
|
|
shann@25640
|
64 + }
|
|
shann@25640
|
65 case XIDetachSlave:
|
|
shann@25640
|
66 {
|
|
shann@25640
|
67 xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
|
|
shann@25640
|
68 @@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
shann@25640
|
69 rc = detach_slave(client, c, flags);
|
|
shann@25640
|
70 if (rc != Success)
|
|
shann@25640
|
71 goto unwind;
|
|
shann@25640
|
72 - }
|
|
shann@25640
|
73 + changes = CHANGED;
|
|
shann@25640
|
74 break;
|
|
shann@25640
|
75 + }
|
|
shann@25640
|
76 case XIAttachSlave:
|
|
shann@25640
|
77 {
|
|
shann@25640
|
78 xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
|
|
shann@25640
|
79 @@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
shann@25640
|
80 rc = attach_slave(client, c, flags);
|
|
shann@25640
|
81 if (rc != Success)
|
|
shann@25640
|
82 goto unwind;
|
|
shann@25640
|
83 + changes = CHANGED;
|
|
shann@25640
|
84 + break;
|
|
shann@25640
|
85 }
|
|
shann@25640
|
86 + default:
|
|
shann@25640
|
87 break;
|
|
shann@25640
|
88 }
|
|
shann@25640
|
89
|
|
shann@25640
|
90 + if (changes == FLUSH) {
|
|
shann@25640
|
91 + XISendDeviceHierarchyEvent(flags);
|
|
shann@25640
|
92 + memset(flags, 0, sizeof(flags));
|
|
shann@25640
|
93 + changes = NO_CHANGE;
|
|
shann@25640
|
94 + }
|
|
shann@25640
|
95 +
|
|
shann@25640
|
96 len -= any->length * 4;
|
|
shann@25640
|
97 any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
|
|
shann@25640
|
98 }
|
|
shann@25640
|
99
|
|
shann@25640
|
100 unwind:
|
|
shann@25640
|
101 -
|
|
shann@25640
|
102 - XISendDeviceHierarchyEvent(flags);
|
|
shann@25640
|
103 + if (changes != NO_CHANGE)
|
|
shann@25640
|
104 + XISendDeviceHierarchyEvent(flags);
|
|
shann@25640
|
105 return rc;
|
|
shann@25640
|
106 }
|
|
shann@25640
|
107 --
|
|
shann@25640
|
108 GitLab
|
|
shann@25640
|
109
|