Module Name: xsrc
Committed By: mrg
Date: Sat Nov 2 23:58:33 UTC 2024
Modified Files:
xsrc/external/mit/xorg-server.old/dist/Xi: xichangehierarchy.c
Log Message:
merge upstream change 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1
Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
devices
The `XISendDeviceHierarchyEvent()` function allocates space to store up
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to `info`.
Since this case can occur for every device ID at once, a total of two
times `MAXDEVICES` info structures might be written to the allocation.
To avoid it, once one add/remove master is processed, send out the
device hierarchy event for the current state and continue. That event
thus only ever has exactly one of either added/removed in it (and
optionally slave attached/detached).
CVE-2024-21885, ZDI-CAN-22744
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c:1.2 xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c:1.3
--- xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c:1.2 Sat Nov 4 21:50:45 2017
+++ xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c Sat Nov 2 23:58:33 2024
@@ -440,6 +440,11 @@ ProcXIChangeHierarchy(ClientPtr client)
char n;
int rc = Success;
int flags[MAXDEVICES] = {0};
+ enum {
+ NO_CHANGE,
+ FLUSH,
+ CHANGED,
+ } changes = NO_CHANGE;
REQUEST(xXIChangeHierarchyReq);
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
@@ -492,8 +497,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = add_master(client, c, flags);
if (rc != Success)
goto unwind;
+ changes = FLUSH;
+ break;
}
- break;
case XIRemoveMaster:
{
xXIRemoveMasterInfo* r = (xXIRemoveMasterInfo*)any;
@@ -502,8 +508,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
+ changes = FLUSH;
+ break;
}
- break;
case XIDetachSlave:
{
xXIDetachSlaveInfo* c = (xXIDetachSlaveInfo*)any;
@@ -512,8 +519,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
+ changes = CHANGED;
+ break;
}
- break;
case XIAttachSlave:
{
xXIAttachSlaveInfo* c = (xXIAttachSlaveInfo*)any;
@@ -522,17 +530,27 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
+ changes = CHANGED;
+ break;
}
+ default:
break;
}
+ if (changes == FLUSH) {
+ XISendDeviceHierarchyEvent(flags);
+ memset(flags, 0, sizeof(flags));
+ changes = NO_CHANGE;
+ }
+
len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo*)((char*)any + any->length * 4);
}
unwind:
- XISendDeviceHierarchyEvent(flags);
+ if (changes != NO_CHANGE)
+ XISendDeviceHierarchyEvent(flags);
return rc;
}
