Module Name: xsrc
Committed By: mrg
Date: Sun Nov 3 00:28:24 UTC 2024

Modified Files:
    xsrc/external/mit/xorg-server.old/dist/dix: devices.c

Log Message:
merge upstream change bc1fdbe46559dd947674375946bbef54dd0ce36b

Subject: [PATCH] Xi: do not keep linked list pointer during recursion

The `DisableDevice()` function is called whenever an enabled device
is disabled and it moves the device from the `inputInfo.devices` linked
list to the `inputInfo.off_devices` linked list.

However, its link/unlink operation has an issue during the recursive
call to `DisableDevice()` due to the `prev` pointer pointing to a
removed device.

This issue leads to a length mismatch between the total number of
devices and the number of devices in the list, leading to a heap
overflow and, possibly, to local privilege escalation.

Simplify the code that checked whether the device passed to
`DisableDevice()` was in `inputInfo.devices` or not and find the
previous device after the recursion.

CVE-2024-21886, ZDI-CAN-22840

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
    xsrc/external/mit/xorg-server.old/dist/dix/devices.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
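
The stale-pointer unlink described in the log message, as an added example that is not part of the commit or the xorg-server source. It is a simplified C model in which every name is hypothetical: disabling one device recursively disables the device that precedes it in the enabled list, and the link is looked up either before the recursion or after it.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not the xorg-server code: all names are hypothetical. */
struct dev { struct dev *next, *paired; int enabled; };
static struct dev *on_list, *off_list;  /* stand-ins for devices / off_devices */

static struct dev **find_link(struct dev *d) {
    struct dev **p = &on_list;
    while (*p && *p != d) p = &(*p)->next;
    return p;
}

/* late_lookup = 0: link found before the recursion (stale after it).
 * late_lookup = 1: link found again after the recursion. */
static int disable(struct dev *d, int late_lookup) {
    struct dev **prev = find_link(d);
    if (*prev != d) return 0;             /* not in the enabled list */
    if (d->paired && d->paired->enabled)
        disable(d->paired, late_lookup);  /* may unlink the node that holds *prev */
    if (late_lookup) prev = find_link(d);
    d->enabled = 0;
    *prev = d->next;                      /* unlink from the enabled list */
    d->next = off_list;                   /* push onto the disabled list */
    off_list = d;
    return 1;
}

static int length(const struct dev *d) {
    int n = 0;
    for (; d; d = d->next) n++;
    return n;
}

/* Constructed input: enabled list A -> B -> C, where disabling B also disables A. */
static int total_after_disable(int late_lookup) {
    struct dev c = { NULL, NULL, 1 }, b = { &c, NULL, 1 }, a = { &b, NULL, 1 };
    b.paired = &a;
    on_list = &a; off_list = NULL;
    disable(&b, late_lookup);
    return length(on_list) + length(off_list);
}

int main(void) {
    printf("stale prev: %d list entries for 3 devices\n", total_after_disable(0));
    printf("late lookup: %d list entries for 3 devices\n", total_after_disable(1));
    return 0;
}
```

With the stale link, the write through `prev` lands in a node that has already moved to the disabled list, so both lists end up containing all three nodes; a consumer that sizes a buffer from a device count and then walks the list would see the mismatch the log message describes.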