|
 |
f4a46c |
From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
|
|
|
f4a46c |
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
f4a46c |
Date: Wed, 6 Dec 2023 11:51:56 +0100
|
|
|
f4a46c |
Subject: [PATCH 9/9] ephyr,xwayland: Use the proper private key for cursor
|
|
|
f4a46c |
|
|
|
f4a46c |
The cursor in DIX is actually split in two parts, the cursor itself and
|
|
|
f4a46c |
the cursor bits, each with their own devPrivates.
|
|
|
f4a46c |
|
|
|
f4a46c |
The cursor itself includes the cursor bits, meaning that the cursor bits
|
|
|
f4a46c |
devPrivates in within structure of the cursor.
|
|
|
f4a46c |
|
|
|
f4a46c |
Both Xephyr and Xwayland were using the private key for the cursor bits
|
|
|
f4a46c |
to store the data for the cursor, and when using XSELINUX which comes
|
|
|
f4a46c |
with its own special devPrivates, the data stored in that cursor bits'
|
|
|
f4a46c |
devPrivates would interfere with the XSELINUX devPrivates data and the
|
|
|
f4a46c |
SELINUX security ID would point to some other unrelated data, causing a
|
|
|
f4a46c |
crash in the XSELINUX code when trying to (re)use the security ID.
|
|
|
f4a46c |
|
|
|
f4a46c |
CVE-2024-0409
|
|
|
f4a46c |
|
|
|
f4a46c |
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
|
f4a46c |
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
f4a46c |
---
|
|
|
f4a46c |
hw/kdrive/ephyr/ephyrcursor.c | 2 +-
|
|
|
f4a46c |
hw/xwayland/xwayland-cursor.c | 2 +-
|
|
|
f4a46c |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
f4a46c |
|
|
|
f4a46c |
diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
|
|
|
f4a46c |
index f991899c5..3f192d034 100644
|
|
|
f4a46c |
--- a/hw/kdrive/ephyr/ephyrcursor.c
|
|
|
f4a46c |
+++ b/hw/kdrive/ephyr/ephyrcursor.c
|
|
|
f4a46c |
@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
|
|
|
f4a46c |
Bool
|
|
|
f4a46c |
ephyrCursorInit(ScreenPtr screen)
|
|
|
f4a46c |
{
|
|
|
f4a46c |
- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
|
|
|
f4a46c |
+ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
|
|
|
f4a46c |
sizeof(ephyrCursorRec)))
|
|
|
f4a46c |
return FALSE;
|
|
|
f4a46c |
|
|
|
f4a46c |
diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
|
|
|
f4a46c |
index e3c1aaa50..bd94b0cfb 100644
|
|
|
f4a46c |
--- a/hw/xwayland/xwayland-cursor.c
|
|
|
f4a46c |
+++ b/hw/xwayland/xwayland-cursor.c
|
|
|
f4a46c |
@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {
|
|
|
f4a46c |
Bool
|
|
|
f4a46c |
xwl_screen_init_cursor(struct xwl_screen *xwl_screen)
|
|
|
f4a46c |
{
|
|
|
f4a46c |
- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))
|
|
|
f4a46c |
+ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))
|
|
|
f4a46c |
return FALSE;
|
|
|
f4a46c |
|
|
|
f4a46c |
return miPointerInitialize(xwl_screen->screen,
|
|
|
f4a46c |
--
|
|
|
f4a46c |
2.43.0
|
|
|
f4a46c |
|