path: root/meta/recipes-graphics/xorg-xserver/xserver-kdrive-1.7.99.2/fix-bogus-stack-variables.patch
From 6dae7f3792611aace1df0cca63bf50c50d93de43 Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Tue, 10 Aug 2010 18:30:20 +0000
Subject: xace: Invalid reference to out-of-scope data.

The callback data passed by reference to the hook was allocated on stack
within the scope of the case statement. The compiler is free to reuse
any of that stack space whilst making the function call so we may end up
passing garbage into the callback.

References:

  Bug 18451 - Xorg server 1.5.2 SEGV during XFixesGetCursorImage()
  https://bugs.freedesktop.org/show_bug.cgi?id=18451

v2: Drop the unrelated hunk that snuck in when amending the commit
message.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>

Upstream-Status: accepted
---
(limited to 'Xext/xace.c')

diff --git a/Xext/xace.c b/Xext/xace.c
index e10d837..c757cad 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -87,7 +87,18 @@ void XaceHookAuditEnd(ClientPtr ptr, int result)
  */
 int XaceHook(int hook, ...)
 {
-    pointer calldata;	/* data passed to callback */
+    union {
+	XaceResourceAccessRec res;
+	XaceDeviceAccessRec dev;
+	XaceSendAccessRec send;
+	XaceReceiveAccessRec recv;
+	XaceClientAccessRec client;
+	XaceExtAccessRec ext;
+	XaceServerAccessRec server;
+	XaceScreenAccessRec screen;
+	XaceAuthAvailRec auth;
+	XaceKeyAvailRec key;
+    } u;
     int *prv = NULL;	/* points to return value from callback */
     va_list ap;		/* argument list */
     va_start(ap, hook);
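Review bot: The union `u` added at the top of XaceHook has no comment, although the `calldata` line it replaces had one and the neighbouring `prv` and `ap` declarations still do. The function-scope lifetime is the entire fix: the record has to remain valid until `CallCallbacks()` runs after the `switch`. Nothing in the code records that, so a later tidy-up could move the records back into per-case blocks and reintroduce the dangling pointer. I would add `/* callback data; kept at function scope so it is still live when CallCallbacks() runs */` above `union {`. XaceHook's body continues past this hunk.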
@@ -99,117 +110,86 @@ int XaceHook(int hook, ...)
      */
     switch (hook)
     {
-	case XACE_RESOURCE_ACCESS: {
-	    XaceResourceAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.id = va_arg(ap, XID);
-	    rec.rtype = va_arg(ap, RESTYPE);
-	    rec.res = va_arg(ap, pointer);
-	    rec.ptype = va_arg(ap, RESTYPE);
-	    rec.parent = va_arg(ap, pointer);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_RESOURCE_ACCESS:
+	    u.res.client = va_arg(ap, ClientPtr);
+	    u.res.id = va_arg(ap, XID);
+	    u.res.rtype = va_arg(ap, RESTYPE);
+	    u.res.res = va_arg(ap, pointer);
+	    u.res.ptype = va_arg(ap, RESTYPE);
+	    u.res.parent = va_arg(ap, pointer);
+	    u.res.access_mode = va_arg(ap, Mask);
+	    u.res.status = Success; /* default allow */
+	    prv = &u.res.status;
 	    break;
-	}
-	case XACE_DEVICE_ACCESS: {
-	    XaceDeviceAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.dev = va_arg(ap, DeviceIntPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_DEVICE_ACCESS:
+	    u.dev.client = va_arg(ap, ClientPtr);
+	    u.dev.dev = va_arg(ap, DeviceIntPtr);
+	    u.dev.access_mode = va_arg(ap, Mask);
+	    u.dev.status = Success; /* default allow */
+	    prv = &u.dev.status;
 	    break;
-	}
-	case XACE_SEND_ACCESS: {
-	    XaceSendAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.dev = va_arg(ap, DeviceIntPtr);
-	    rec.pWin = va_arg(ap, WindowPtr);
-	    rec.events = va_arg(ap, xEventPtr);
-	    rec.count = va_arg(ap, int);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_SEND_ACCESS:
+	    u.send.client = va_arg(ap, ClientPtr);
+	    u.send.dev = va_arg(ap, DeviceIntPtr);
+	    u.send.pWin = va_arg(ap, WindowPtr);
+	    u.send.events = va_arg(ap, xEventPtr);
+	    u.send.count = va_arg(ap, int);
+	    u.send.status = Success; /* default allow */
+	    prv = &u.send.status;
 	    break;
-	}
-	case XACE_RECEIVE_ACCESS: {
-	    XaceReceiveAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.pWin = va_arg(ap, WindowPtr);
-	    rec.events = va_arg(ap, xEventPtr);
-	    rec.count = va_arg(ap, int);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_RECEIVE_ACCESS:
+	    u.recv.client = va_arg(ap, ClientPtr);
+	    u.recv.pWin = va_arg(ap, WindowPtr);
+	    u.recv.events = va_arg(ap, xEventPtr);
+	    u.recv.count = va_arg(ap, int);
+	    u.recv.status = Success; /* default allow */
+	    prv = &u.recv.status;
 	    break;
-	}
-	case XACE_CLIENT_ACCESS: {
-	    XaceClientAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.target = va_arg(ap, ClientPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_CLIENT_ACCESS:
+	    u.client.client = va_arg(ap, ClientPtr);
+	    u.client.target = va_arg(ap, ClientPtr);
+	    u.client.access_mode = va_arg(ap, Mask);
+	    u.client.status = Success; /* default allow */
+	    prv = &u.client.status;
 	    break;
-	}
-	case XACE_EXT_ACCESS: {
-	    XaceExtAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.ext = va_arg(ap, ExtensionEntry*);
-	    rec.access_mode = DixGetAttrAccess;
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_EXT_ACCESS:
+	    u.ext.client = va_arg(ap, ClientPtr);
+	    u.ext.ext = va_arg(ap, ExtensionEntry*);
+	    u.ext.access_mode = DixGetAttrAccess;
+	    u.ext.status = Success; /* default allow */
+	    prv = &u.ext.status;
 	    break;
-	}
-	case XACE_SERVER_ACCESS: {
-	    XaceServerAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_SERVER_ACCESS:
+	    u.server.client = va_arg(ap, ClientPtr);
+	    u.server.access_mode = va_arg(ap, Mask);
+	    u.server.status = Success; /* default allow */
+	    prv = &u.server.status;
 	    break;
-	}
 	case XACE_SCREEN_ACCESS:
-	case XACE_SCREENSAVER_ACCESS: {
-	    XaceScreenAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.screen = va_arg(ap, ScreenPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_SCREENSAVER_ACCESS:
+	    u.screen.client = va_arg(ap, ClientPtr);
+	    u.screen.screen = va_arg(ap, ScreenPtr);
+	    u.screen.access_mode = va_arg(ap, Mask);
+	    u.screen.status = Success; /* default allow */
+	    prv = &u.screen.status;
 	    break;
-	}
-	case XACE_AUTH_AVAIL: {
-	    XaceAuthAvailRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.authId = va_arg(ap, XID);
-	    calldata = &rec;
+	case XACE_AUTH_AVAIL:
+	    u.auth.client = va_arg(ap, ClientPtr);
+	    u.auth.authId = va_arg(ap, XID);
 	    break;
-	}
-	case XACE_KEY_AVAIL: {
-	    XaceKeyAvailRec rec;
-	    rec.event = va_arg(ap, xEventPtr);
-	    rec.keybd = va_arg(ap, DeviceIntPtr);
-	    rec.count = va_arg(ap, int);
-	    calldata = &rec;
+	case XACE_KEY_AVAIL:
+	    u.key.event = va_arg(ap, xEventPtr);
+	    u.key.keybd = va_arg(ap, DeviceIntPtr);
+	    u.key.count = va_arg(ap, int);
 	    break;
-	}
-	default: {
+	default:
 	    va_end(ap);
 	    return 0;	/* unimplemented hook number */
-	}
     }
     va_end(ap);
  
     /* call callbacks and return result, if any. */
-    CallCallbacks(&XaceHooks[hook], calldata);
+    CallCallbacks(&XaceHooks[hook], &u);
     return prv ? *prv : Success;
 }
 
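Review bot: `CallCallbacks(&XaceHooks[hook], &u)` passes callbacks a union that is never initialised as a whole, because each case assigns only named fields of one member and `u` is declared without an initialiser in the first hunk. The Rec struct definitions are outside this diff, so it cannot be confirmed here that every field of every record is assigned; any field that is not, and any padding, would hold stale stack bytes. As these records feed access-control callbacks (`access_mode`, `status`), a `memset(&u, 0, sizeof(u));` placed before `switch (hook)` would make the contents deterministic at negligible cost. The pre-patch code had the same property, so this is hardening rather than a regression.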
--
cgit v0.9.0.2-2-gbebe