Module Name: xsrc
Committed By: mrg
Date: Wed Nov 6 07:14:56 UTC 2024
Modified Files:
xsrc/external/mit/xorg-server.old/dist/dix: devices.c
Log Message:
port xorg-server change 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
there are two chunks in this change, and while they apply fine to the old
xorg-server 1.10 tree (unlike _most_), they do not build due to using new
identifiers.
the first chunk uses a new MASTER_ATTACHED argument to GetMaster(), which
avoids finding paired devices. the only answer it can give with the setup
of already testing !IsMaster(other) is "other->u.master", so just use that
directly instead if calling GetMaster().
the second chunk uses a new single-line IsFloating() function, and if you
expand it's use here to the full expression, it ends up just being:
if (!IsMaster(dev) && dev->u.master)
(which just happens to match the same line a few above, for the loop of
not-off "devices".)
testing this code path is a little tricky.
Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
too
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.
And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().
Related to CVE-2024-21886, ZDI-CAN-22840
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 xsrc/external/mit/xorg-server.old/dist/dix/devices.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server.old/dist/dix/devices.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/devices.c:1.2 xsrc/external/mit/xorg-server.old/dist/dix/devices.c:1.3
--- xsrc/external/mit/xorg-server.old/dist/dix/devices.c:1.2 Sun Nov 3 00:28:24 2024
+++ xsrc/external/mit/xorg-server.old/dist/dix/devices.c Wed Nov 6 07:14:56 2024
@@ -477,6 +477,19 @@ DisableDevice(DeviceIntPtr dev, BOOL sen
return FALSE;
}
}
+
+ for (other = inputInfo.off_devices; other; other = other->next) {
+ /*
+ * XXXMRG, from newer GetMaster(). The GetMaster() with new
+ * MASTER_ATTACHED avoids paired devices, and with this call
+ * being !IsMaster() first, dev->u.master is the only answer
+ * it can give.
+ */
+ if (!IsMaster(other) && other->u.master == dev) {
+ AttachDevice(NULL, other, NULL);
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
}
(void)(*dev->deviceProc)(dev, DEVICE_OFF);
@@ -1002,6 +1015,11 @@ CloseDownDevices(void)
dev->u.master = NULL;
}
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+ if (!IsMaster(dev) && dev->u.master)
+ dev->u.master = NULL;
+ }
+
CloseDeviceList(&inputInfo.devices);
CloseDeviceList(&inputInfo.off_devices);
