Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch | 79 |
1 files changed, 79 insertions, 0 deletions
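diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
new file mode 100644
index 0000000000..0abd5914fa
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/exevents.c | 12 ++++++------
+dix/devices.c | 10 ++++++++++
+2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+}
+
+if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+}
+else {
+free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+if (master->button && master->button->numButtons != maxbuttons) {
+int i;
++ int last_num_buttons = master->button->numButtons;
++
+DeviceChangedEvent event = {
+.header = ET_Internal,
+.type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+};
+
+master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+sizeof(Atom));
+--
+GitLab
+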
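Review bot: In the embedded dix/devices.c hunk (RecalculateMasterButtons), the `memset` after `xnfreallocarray` zeroes only the entries from `last_num_buttons` up to `maxbuttons`, so if `master->button->xkb_acts` was still NULL before the call, the first `last_num_buttons` entries are left as uninitialised heap memory behind a now non-NULL pointer. The Xi/exevents.c hunk treats NULL as a legitimate state for `xkb_acts` (its `else` branch frees the array), so this case looks reachable, although the code that would later read the actions is not visible here. A guard placed before the realloc, `if (!master->button->xkb_acts) last_num_buttons = 0;`, would make the memset cover the whole array in that case. RecalculateMasterButtons starts and ends outside the hunk, and because this file is a backport, any such change belongs upstream first rather than in the recipe's copy.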