Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch | 74 |
1 files changed, 74 insertions, 0 deletions
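--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+dix/devices.c | 15 ++++++++++++---
+1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+{
+DeviceIntPtr *prev, other;
+BOOL enabled;
++ BOOL dev_in_devices_list = FALSE;
+int flags[MAXDEVICES] = { 0 };
+
+if (!dev->enabled)
+return TRUE;
+
+- for (prev = &inputInfo.devices;
+- *prev && (*prev != dev); prev = &(*prev)->next);
+- if (*prev != dev)
++ for (other = inputInfo.devices; other; other = other->next) {
++ if (other == dev) {
++ dev_in_devices_list = TRUE;
++ break;
++ }
++ }
++
++ if (!dev_in_devices_list)
+return FALSE;
+
+TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+LeaveWindow(dev);
+SetFocusOut(dev);
+
++ for (prev = &inputInfo.devices;
++ *prev && (*prev != dev); prev = &(*prev)->next);
++
+*prev = dev->next;
+dev->next = inputInfo.off_devices;
+inputInfo.off_devices = dev;
+--
+GitLab
+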
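Review bot: In the second hunk of the embedded dix/devices.c change, the re-computed `prev` is written through (`*prev = dev->next;`) without re-checking that the walk actually stopped on `dev`; if `dev` were no longer in `inputInfo.devices` at that point, the loop would end on the tail link and the store would splice `dev->next` onto the end of the list. The membership test added in the first hunk runs before the recursive `DisableDevice()` calls, so it does not cover this later unlink, and whether anything in between can remove `dev` cannot be judged from here because most of the function body lies outside both hunks. Since this is a verbatim upstream backport I would not diverge from it in this layer, but it is worth confirming that assumption against upstream and checking that any companion patch implied by the `-1` suffix is applied in the same recipe update. A comment above the second loop, for example `/* look up prev only after the recursive DisableDevice() calls, which may unlink list entries */`, would record why the lookup was moved.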