wok-current view xorg-server/stuff/CVE-2024-21886-1.patch @ rev 25695

Up linux 5.10.214, Patch xorg-server (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083)
author Stanislas Leduc <shann@slitaz.org>
date Thu Apr 04 08:53:51 2024 +0000 (2 months ago)
1 From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
3 Date: Fri, 22 Dec 2023 18:28:31 +0100
4 Subject: [PATCH] Xi: do not keep linked list pointer during recursion
6 The `DisableDevice()` function is called whenever an enabled device
7 is disabled and it moves the device from the `inputInfo.devices` linked
8 list to the `inputInfo.off_devices` linked list.
10 However, its link/unlink operation has an issue during the recursive
11 call to `DisableDevice()` due to the `prev` pointer pointing to a
12 removed device.
14 This issue leads to a length mismatch between the total number of
15 devices and the number of devices in the list, leading to a heap
16 overflow and, possibly, to local privilege escalation.
18 Simplify the code that checked whether the device passed to
19 `DisableDevice()` was in `inputInfo.devices` or not and find the
20 previous device after the recursion.
22 CVE-2024-21886, ZDI-CAN-22840
24 This vulnerability was discovered by:
25 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
26 ---
27 dix/devices.c | 15 ++++++++++++---
28 1 file changed, 12 insertions(+), 3 deletions(-)
30 diff --git a/dix/devices.c b/dix/devices.c
31 index dca98c8d1b..389d28a23c 100644
32 --- a/dix/devices.c
33 +++ b/dix/devices.c
34 @@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
35 {
36 DeviceIntPtr *prev, other;
37 BOOL enabled;
38 + BOOL dev_in_devices_list = FALSE;
39 int flags[MAXDEVICES] = { 0 };
41 if (!dev->enabled)
42 return TRUE;
44 - for (prev = &inputInfo.devices;
45 - *prev && (*prev != dev); prev = &(*prev)->next);
46 - if (*prev != dev)
47 + for (other = inputInfo.devices; other; other = other->next) {
48 + if (other == dev) {
49 + dev_in_devices_list = TRUE;
50 + break;
51 + }
52 + }
53 +
54 + if (!dev_in_devices_list)
55 return FALSE;
57 TouchEndPhysicallyActiveTouches(dev);
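Review bot: The membership loop that replaces the old `prev` walk carries no comment saying why `prev` is no longer computed at this point. The reason (a `prev` held across the recursive `DisableDevice()` calls can end up pointing at a removed device) is stated only in the commit message. A one-line comment above `for (other = inputInfo.devices; other; other = other->next)` would keep a later cleanup from folding the two list walks back together. As a smaller style point, the `dev_in_devices_list` flag is not strictly needed: after the loop `other` is NULL exactly when `dev` was not found, so `if (!other) return FALSE;` expresses the same check.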
58 @@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
59 LeaveWindow(dev);
60 SetFocusOut(dev);
62 + for (prev = &inputInfo.devices;
63 + *prev && (*prev != dev); prev = &(*prev)->next);
64 +
65 *prev = dev->next;
66 dev->next = inputInfo.off_devices;
67 inputInfo.off_devices = dev;
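Review bot: After the re-walk, `*prev = dev->next;` runs without checking that the loop actually stopped on `dev`. The loop condition `*prev && (*prev != dev)` also terminates at the end of the list with `*prev == NULL`, and in that case the assignment would write `dev->next` into the list's terminating link while `dev` is still pushed onto `inputInfo.off_devices`. The membership check in the first hunk runs before the recursion, so it does not cover this point; consider an `if (*prev != dev)` guard or an assertion before unlinking. Style: the empty loop body is a bare `;` at the end of the `for` line, which is easy to misread; putting it on its own line or using `{}` would make the intent clear.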
68 --
69 GitLab