1 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
new file mode 100644
index 0000000000..1e1c782963
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+CVE-2024-21886, ZDI-CAN-22840
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
+++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ {
+     DeviceIntPtr *prev, other;
+     BOOL enabled;
+    BOOL dev_in_devices_list = FALSE;
+     int flags[MAXDEVICES] = { 0 };
+ 
+     if (!dev->enabled)
+         return TRUE;
+ 
+-    for (prev = &inputInfo.devices;
+-         *prev && (*prev != dev); prev = &(*prev)->next);
+-    if (*prev != dev)
+    for (other = inputInfo.devices; other; other = other->next) {
+        if (other == dev) {
+            dev_in_devices_list = TRUE;
+            break;
+        }
+    }
+
+    if (!dev_in_devices_list)
+         return FALSE;
+ 
+     TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+     LeaveWindow(dev);
+     SetFocusOut(dev);
+ 
+    for (prev = &inputInfo.devices;
+         *prev && (*prev != dev); prev = &(*prev)->next);
+
+     *prev = dev->next;
+     dev->next = inputInfo.off_devices;
+     inputInfo.off_devices = dev;
+-- 
+GitLab

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch new file mode 100644 index 0000000000..1e1c782963 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
	1	From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
	3	Date: Fri, 22 Dec 2023 18:28:31 +0100
	4	Subject: [PATCH] Xi: do not keep linked list pointer during recursion
	5
	6	The `DisableDevice()` function is called whenever an enabled device
	7	is disabled and it moves the device from the `inputInfo.devices` linked
	8	list to the `inputInfo.off_devices` linked list.
	9
	10	However, its link/unlink operation has an issue during the recursive
	11	call to `DisableDevice()` due to the `prev` pointer pointing to a
	12	removed device.
	13
	14	This issue leads to a length mismatch between the total number of
	15	devices and the number of device in the list, leading to a heap
	16	overflow and, possibly, to local privilege escalation.
	17
	18	Simplify the code that checked whether the device passed to
	19	`DisableDevice()` was in `inputInfo.devices` or not and find the
	20	previous device after the recursion.
	21
	22	CVE-2024-21886, ZDI-CAN-22840
	23
	24	This vulnerability was discovered by:
	25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	26
	27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
	28	CVE: CVE-2024-21886
	29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	30	---
	31	dix/devices.c \| 15 ++++++++++++---
	32	1 file changed, 12 insertions(+), 3 deletions(-)
	33
	34	diff --git a/dix/devices.c b/dix/devices.c
	35	index dca98c8d1b..389d28a23c 100644
	36	--- a/dix/devices.c
	37	+++ b/dix/devices.c
	38	@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
	39	{
	40	DeviceIntPtr *prev, other;
	41	BOOL enabled;
	42	+ BOOL dev_in_devices_list = FALSE;
	43	int flags[MAXDEVICES] = { 0 };
	44
	45	if (!dev->enabled)
	46	return TRUE;
	47
	48	- for (prev = &inputInfo.devices;
	49	- prev && (prev != dev); prev = &(*prev)->next);
	50	- if (*prev != dev)
	51	+ for (other = inputInfo.devices; other; other = other->next) {
	52	+ if (other == dev) {
	53	+ dev_in_devices_list = TRUE;
	54	+ break;
	55	+ }
	56	+ }
	57	+
	58	+ if (!dev_in_devices_list)
	59	return FALSE;
	60
	61	TouchEndPhysicallyActiveTouches(dev);
	62	@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
	63	LeaveWindow(dev);
	64	SetFocusOut(dev);
	65
	66	+ for (prev = &inputInfo.devices;
	67	+ prev && (prev != dev); prev = &(*prev)->next);
	68	+
	69	*prev = dev->next;
	70	dev->next = inputInfo.off_devices;
	71	inputInfo.off_devices = dev;
	72	--
	73	GitLab
	74