Blame SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch

From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 5 Jan 2024 09:40:27 +1000
Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
 devices too
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.
And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().
Related to CVE-2024-21886, ZDI-CAN-22840
---
 dix/devices.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/dix/devices.c b/dix/devices.c
index 389d28a23..84a6406d1 100644
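--- a/dix/devices.c
+++ b/dix/devices.c
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
                 flags[other->id] |= XISlaveDetached;
             }
         }
+
+        for (other = inputInfo.off_devices; other; other = other->next) {
+            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+                AttachDevice(NULL, other, NULL);
+                flags[other->id] |= XISlaveDetached;
+            }
+        }
     }
     else {
         for (other = inputInfo.devices; other; other = other->next) {
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
             dev->master = NULL;
     }
 
+    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+        if (!IsMaster(dev) && !IsFloating(dev))
+            dev->master = NULL;
+    }
+
     CloseDeviceList(&inputInfo.devices);
     CloseDeviceList(&inputInfo.off_devices);
 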
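Review bot: The new `inputInfo.off_devices` loop in DisableDevice has no comment saying why disabled slaves must be floated, and that reason is the whole security content of the change: per the commit message, a slave left attached keeps a pointer to a master that can be freed before it. I would put `/* Disabled slaves still reference dev as master; float them too so the pointer cannot outlive the master. */` above that loop, and a matching one-line comment above the `off_devices` loop in CloseDownDevices. The DisableDevice loop body also appears to repeat the loop over `inputInfo.devices` just above it (only its tail is visible in the hunk), so a shared static helper taking the list head would make it harder for one list to be missed again. Both functions start and end outside the hunks.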
-- 
2.43.0