diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch')
| -rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch new file mode 100644 index 0000000000..af607df4f0 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
| 3 | Date: Fri, 5 Jan 2024 09:40:27 +1000 | ||
| 4 | Subject: [PATCH] dix: when disabling a master, float disabled slaved devices | ||
| 5 | too | ||
| 6 | |||
| 7 | Disabling a master device floats all slave devices but we didn't do this | ||
| 8 | to already-disabled slave devices. As a result those devices kept their | ||
| 9 | reference to the master device resulting in access to already freed | ||
| 10 | memory if the master device was removed before the corresponding slave | ||
| 11 | device. | ||
| 12 | |||
| 13 | And to match this behavior, also forcibly reset that pointer during | ||
| 14 | CloseDownDevices(). | ||
| 15 | |||
| 16 | Related to CVE-2024-21886, ZDI-CAN-22840 | ||
| 17 | |||
| 18 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8] | ||
| 19 | CVE: CVE-2024-21886 | ||
| 20 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 21 | --- | ||
| 22 | dix/devices.c | 12 ++++++++++++ | ||
| 23 | 1 file changed, 12 insertions(+) | ||
| 24 | |||
| 25 | diff --git a/dix/devices.c b/dix/devices.c | ||
| 26 | index 389d28a23c..84a6406d13 100644 | ||
| 27 | --- a/dix/devices.c | ||
| 28 | +++ b/dix/devices.c | ||
| 29 | @@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
| 30 | flags[other->id] |= XISlaveDetached; | ||
| 31 | } | ||
| 32 | } | ||
| 33 | + | ||
| 34 | + for (other = inputInfo.off_devices; other; other = other->next) { | ||
| 35 | + if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { | ||
| 36 | + AttachDevice(NULL, other, NULL); | ||
| 37 | + flags[other->id] |= XISlaveDetached; | ||
| 38 | + } | ||
| 39 | + } | ||
| 40 | } | ||
| 41 | else { | ||
| 42 | for (other = inputInfo.devices; other; other = other->next) { | ||
| 43 | @@ -1088,6 +1095,11 @@ CloseDownDevices(void) | ||
| 44 | dev->master = NULL; | ||
| 45 | } | ||
| 46 | |||
| 47 | + for (dev = inputInfo.off_devices; dev; dev = dev->next) { | ||
| 48 | + if (!IsMaster(dev) && !IsFloating(dev)) | ||
| 49 | + dev->master = NULL; | ||
| 50 | + } | ||
| 51 | + | ||
| 52 | CloseDeviceList(&inputInfo.devices); | ||
| 53 | CloseDeviceList(&inputInfo.off_devices); | ||
| 54 | |||
| 55 | -- | ||
| 56 | GitLab | ||
| 57 | |||