Blame SOURCES/xorg-CVE-2024-21886-2.patch

From 1a5e3c3e68d4f965077ea6a40ba57cc0d5a4e8cb Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 5 Jan 2024 09:40:27 +1000
Subject: [PATCH xserver] dix: when disabling a master, float disabled slaved
 devices too
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.
And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().
Related to CVE-2024-21886, ZDI-CAN-22840
---
 dix/devices.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
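--- a/dix/devices.c
+++ b/dix/devices.c
@@ -482,6 +482,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
                 flags[other->id] |= XISlaveDetached;
             }
         }
+
+        for (other = inputInfo.off_devices; other; other = other->next) {
+            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+                AttachDevice(NULL, other, NULL);
+                flags[other->id] |= XISlaveDetached;
+            }
+        }
     }
     else {
         for (other = inputInfo.devices; other; other = other->next) {
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
             dev->master = NULL;
     }
 
+    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+        if (!IsMaster(dev) && !IsFloating(dev))
+            dev->master = NULL;
+    }
+
     CloseDeviceList(&inputInfo.devices);
     CloseDeviceList(&inputInfo.off_devices);
 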
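Review bot: Both added loops over `inputInfo.off_devices`, in DisableDevice and in CloseDownDevices, have no comment explaining why disabled slaves need handling, although the commit message says a stale `master` pointer on them led to access to already freed memory. A line such as `/* Disabled slaves still hold dev->master; detach them so the pointer cannot outlive the master. */` above each loop would keep that invariant visible to anyone who later touches either device list. The DisableDevice loop also discards the result of `AttachDevice(NULL, other, NULL)`; if that call can fail, the slave would presumably keep its master reference while `XISlaveDetached` is still recorded in `flags`, so that is worth confirming against AttachDevice. Both functions begin and end outside the hunks shown.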
-- 
2.43.0