Blame SOURCES/xorg-CVE-2024-31081.patch
|
 |
6996b1 |
From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
|
|
|
6996b1 |
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
6996b1 |
Date: Fri, 22 Mar 2024 18:56:27 -0700
|
|
|
6996b1 |
Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
|
|
|
6996b1 |
to send reply
|
|
|
6996b1 |
|
|
|
6996b1 |
CVE-2024-31081
|
|
|
6996b1 |
|
|
|
6996b1 |
Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
|
|
|
6996b1 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
6996b1 |
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
|
|
|
6996b1 |
---
|
|
|
6996b1 |
Xi/xipassivegrab.c | 5 ++++-
|
|
|
6996b1 |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
6996b1 |
|
|
|
6996b1 |
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
|
|
|
6996b1 |
index c9ac2f855..896233bec 100644
|
|
|
6996b1 |
--- a/Xi/xipassivegrab.c
|
|
|
6996b1 |
+++ b/Xi/xipassivegrab.c
|
|
|
6996b1 |
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|
|
6996b1 |
GrabParameters param;
|
|
|
6996b1 |
void *tmp;
|
|
|
6996b1 |
int mask_len;
|
|
|
6996b1 |
+ uint32_t length;
|
|
|
6996b1 |
|
|
|
6996b1 |
REQUEST(xXIPassiveGrabDeviceReq);
|
|
|
6996b1 |
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
|
|
|
6996b1 |
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|
|
6996b1 |
}
|
|
|
6996b1 |
}
|
|
|
6996b1 |
|
|
|
6996b1 |
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
|
|
|
6996b1 |
+ length = rep.length;
|
|
|
6996b1 |
WriteReplyToClient(client, sizeof(rep), &rep;;
|
|
|
6996b1 |
if (rep.num_modifiers)
|
|
|
6996b1 |
- WriteToClient(client, rep.length * 4, modifiers_failed);
|
|
|
6996b1 |
+ WriteToClient(client, length * 4, modifiers_failed);
|
|
|
6996b1 |
|
|
|
6996b1 |
out:
|
|
|
6996b1 |
free(modifiers_failed);
|
|
|
6996b1 |
--
|
|
|
6996b1 |
2.44.0
|
|
|
6996b1 |
|