wok-current diff xorg-server/stuff/CVE-2024-21885.patch @ rev 25640
Patch xorg-server (CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886)
| author | Stanislas Leduc <shann@slitaz.org> |
|---|---|
| date | Tue Jan 16 20:32:03 2024 +0000 (5 months ago) |
| parents | |
| children |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/xorg-server/stuff/CVE-2024-21885.patch Tue Jan 16 20:32:03 2024 +0000 1.3 @@ -0,0 +1,109 @@ 1.4 +From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 1.5 +From: Peter Hutterer <peter.hutterer@who-t.net> 1.6 +Date: Thu, 4 Jan 2024 10:01:24 +1000 1.7 +Subject: [PATCH] Xi: flush hierarchy events after adding/removing master 1.8 + devices 1.9 + 1.10 +The `XISendDeviceHierarchyEvent()` function allocates space to store up 1.11 +to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. 1.12 + 1.13 +If a device with a given ID was removed and a new device with the same 1.14 +ID added both in the same operation, the single device ID will lead to 1.15 +two info structures being written to `info`. 1.16 + 1.17 +Since this case can occur for every device ID at once, a total of two 1.18 +times `MAXDEVICES` info structures might be written to the allocation. 1.19 + 1.20 +To avoid it, once one add/remove master is processed, send out the 1.21 +device hierarchy event for the current state and continue. That event 1.22 +thus only ever has exactly one of either added/removed in it (and 1.23 +optionally slave attached/detached). 1.24 + 1.25 +CVE-2024-21885, ZDI-CAN-22744 1.26 + 1.27 +This vulnerability was discovered by: 1.28 +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative 1.29 +--- 1.30 + Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- 1.31 + 1 file changed, 22 insertions(+), 5 deletions(-) 1.32 + 1.33 +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c 1.34 +index d2d985848d..72d00451e3 100644 1.35 +--- a/Xi/xichangehierarchy.c 1.36 ++++ b/Xi/xichangehierarchy.c 1.37 +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) 1.38 + size_t len; /* length of data remaining in request */ 1.39 + int rc = Success; 1.40 + int flags[MAXDEVICES] = { 0 }; 1.41 ++ enum { 1.42 ++ NO_CHANGE, 1.43 ++ FLUSH, 1.44 ++ CHANGED, 1.45 ++ } changes = NO_CHANGE; 1.46 + 1.47 + REQUEST(xXIChangeHierarchyReq); 1.48 + REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); 1.49 +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) 1.50 + rc = add_master(client, c, flags); 1.51 + if (rc != Success) 1.52 + goto unwind; 1.53 +- } 1.54 ++ changes = FLUSH; 1.55 + break; 1.56 ++ } 1.57 + case XIRemoveMaster: 1.58 + { 1.59 + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; 1.60 +@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) 1.61 + rc = remove_master(client, r, flags); 1.62 + if (rc != Success) 1.63 + goto unwind; 1.64 +- } 1.65 ++ changes = FLUSH; 1.66 + break; 1.67 ++ } 1.68 + case XIDetachSlave: 1.69 + { 1.70 + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; 1.71 +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) 1.72 + rc = detach_slave(client, c, flags); 1.73 + if (rc != Success) 1.74 + goto unwind; 1.75 +- } 1.76 ++ changes = CHANGED; 1.77 + break; 1.78 ++ } 1.79 + case XIAttachSlave: 1.80 + { 1.81 + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; 1.82 +@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) 1.83 + rc = attach_slave(client, c, flags); 1.84 + if (rc != Success) 1.85 + goto unwind; 1.86 ++ changes = CHANGED; 1.87 ++ break; 1.88 + } 1.89 ++ default: 1.90 + break; 1.91 + } 1.92 + 1.93 ++ if (changes == FLUSH) { 1.94 ++ XISendDeviceHierarchyEvent(flags); 1.95 ++ memset(flags, 0, sizeof(flags)); 1.96 ++ changes = NO_CHANGE; 1.97 ++ } 1.98 ++ 1.99 + len -= any->length * 4; 1.100 + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); 1.101 + } 1.102 + 1.103 + unwind: 1.104 +- 1.105 +- XISendDeviceHierarchyEvent(flags); 1.106 ++ if (changes != NO_CHANGE) 1.107 ++ XISendDeviceHierarchyEvent(flags); 1.108 + return rc; 1.109 + } 1.110 +-- 1.111 +GitLab 1.112 +