From 061eb684996627347acdf87ec11d108cedee71b6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 21 Dec 2023 13:48:10 +1000
Subject: [PATCH xserver] Xi: when creating a new ButtonClass, set the number
 of buttons
There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.
Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 Xi/exevents.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Xi/exevents.c b/Xi/exevents.c
2d42f4
index 54ea11a938..e161714682 100644
2d42f4
--- a/Xi/exevents.c
2d42f4
+++ b/Xi/exevents.c
2d42f4
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
2d42f4
                 to->button = calloc(1, sizeof(ButtonClassRec));
2d42f4
                 if (!to->button)
2d42f4
                     FatalError("[Xi] no memory for class shift.\n");
2d42f4
+                to->button->numButtons = from->button->numButtons;
2d42f4
             }
2d42f4
             else
2d42f4
                 classes->button = NULL;
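Review bot: The new assignment runs only for the freshly calloc'ed class; in the `else` branch, where the ButtonClassRec is taken back from `to->unused_classes`, `numButtons` keeps whatever the recycled class already held, and nothing in the hunk shows that this value is non-zero and at least the source's count. An unconditional copy below the if/else would not be right either, since the commit message implies the master's count is the largest across its slaves, so the invariant should be written down next to the line, e.g. `/* calloc leaves numButtons at 0; a class recycled from unused_classes already carries a valid count */`, after confirming it holds. The added line also dereferences `from->button`, which is presumably guarded by an enclosing `if` that lies outside the hunk. DeepCopyPointerClasses starts and ends outside the hunk, so both points need checking against the full function.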
-- 
2.43.0