|
 |
279a87 |
From 0dab0b527ac5c4fe0272ea679522bd87238a733b Mon Sep 17 00:00:00 2001
|
|
|
279a87 |
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Date: Tue, 29 Nov 2022 13:55:32 +1000
|
|
|
279a87 |
Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255
|
|
|
279a87 |
|
|
|
279a87 |
The XKB protocol effectively prevents us from ever using keycodes above
|
|
|
279a87 |
255. For buttons it's theoretically possible but realistically too niche
|
|
|
279a87 |
to worry about. For all other passive grabs, the detail must be zero
|
|
|
279a87 |
anyway.
|
|
|
279a87 |
|
|
|
279a87 |
This fixes an OOB write:
|
|
|
279a87 |
|
|
|
279a87 |
ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
|
|
|
279a87 |
temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
|
|
|
279a87 |
For matching existing grabs, DeleteDetailFromMask is called with the
|
|
|
279a87 |
stuff->detail value. This function creates a new mask with the one bit
|
|
|
279a87 |
representing stuff->detail cleared.
|
|
|
279a87 |
|
|
|
279a87 |
However, the array size for the new mask is 8 * sizeof(CARD32) bits,
|
|
|
279a87 |
thus any detail above 255 results in an OOB array write.
|
|
|
279a87 |
|
|
|
279a87 |
CVE-2022-46341, ZDI-CAN 19381
|
|
|
279a87 |
|
|
|
279a87 |
This vulnerability was discovered by:
|
|
|
279a87 |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
279a87 |
|
|
|
279a87 |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
279a87 |
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
279a87 |
---
|
|
|
279a87 |
Xi/xipassivegrab.c | 12 ++++++++++++
|
|
|
279a87 |
1 file changed, 12 insertions(+)
|
|
|
279a87 |
|
|
|
279a87 |
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
|
|
|
279a87 |
index 65d5870f6f..89a591098a 100644
|
|
|
279a87 |
--- a/Xi/xipassivegrab.c
|
|
|
279a87 |
+++ b/Xi/xipassivegrab.c
|
|
|
279a87 |
@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|
|
279a87 |
return BadValue;
|
|
|
279a87 |
}
|
|
|
279a87 |
|
|
|
279a87 |
+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
|
|
|
279a87 |
+ * implement this. Just return an error for all keycodes that
|
|
|
279a87 |
+ * cannot work anyway, same for buttons > 255. */
|
|
|
279a87 |
+ if (stuff->detail > 255)
|
|
|
279a87 |
+ return XIAlreadyGrabbed;
|
|
|
279a87 |
+
|
|
|
279a87 |
if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
|
|
|
279a87 |
stuff->mask_len * 4) != Success)
|
|
|
279a87 |
return BadValue;
|
|
|
279a87 |
@@ -313,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
|
|
|
279a87 |
return BadValue;
|
|
|
279a87 |
}
|
|
|
279a87 |
|
|
|
279a87 |
+ /* We don't allow passive grabs for details > 255 anyway */
|
|
|
279a87 |
+ if (stuff->detail > 255) {
|
|
|
279a87 |
+ client->errorValue = stuff->detail;
|
|
|
279a87 |
+ return BadValue;
|
|
|
279a87 |
+ }
|
|
|
279a87 |
+
|
|
|
279a87 |
rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
|
|
|
279a87 |
if (rc != Success)
|
|
|
279a87 |
return rc;
|
|
|
279a87 |
--
|
|
|
279a87 |
2.38.1
|
|
|
279a87 |
|