forked from pool/xwayland
Joan Torres
d2072e0686
* Out-of-bounds memory write in XKB button actions (CVE-2023-6377,
ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
* Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
bsc#1217766)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=65
76 lines
3.0 KiB
Diff
76 lines
3.0 KiB
Diff
From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
|
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
|
|
|
|
button->xkb_acts is supposed to be an array sufficiently large for all
|
|
our buttons, not just a single XkbActions struct. Allocating
|
|
insufficient memory here means when we memcpy() later in
|
|
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
|
leading to the usual security ooopsiedaisies.
|
|
|
|
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
---
|
|
Xi/exevents.c | 8 ++++++--
|
|
dix/devices.c | 11 +++++++++++
|
|
2 files changed, 17 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
|
index dcd4efb3bc..f24de9eec4 100644
|
|
--- a/Xi/exevents.c
|
|
+++ b/Xi/exevents.c
|
|
@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
|
|
|
if (from->button->xkb_acts) {
|
|
if (!to->button->xkb_acts) {
|
|
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
|
+ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction));
|
|
if (!to->button->xkb_acts)
|
|
FatalError("[Xi] not enough memory for xkb_acts.\n");
|
|
+ } else {
|
|
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
|
+ from->button->numButtons,
|
|
+ sizeof(XkbAction));
|
|
}
|
|
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
|
- sizeof(XkbAction));
|
|
+ from->button->numButtons * sizeof(XkbAction));
|
|
}
|
|
else {
|
|
free(to->button->xkb_acts);
|
|
diff --git a/dix/devices.c b/dix/devices.c
|
|
index 7150734a58..deb3010206 100644
|
|
--- a/dix/devices.c
|
|
+++ b/dix/devices.c
|
|
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
|
|
|
if (master->button && master->button->numButtons != maxbuttons) {
|
|
int i;
|
|
+ int last_num_buttons = master->button->numButtons;
|
|
+
|
|
DeviceChangedEvent event = {
|
|
.header = ET_Internal,
|
|
.type = ET_DeviceChanged,
|
|
@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
|
};
|
|
|
|
master->button->numButtons = maxbuttons;
|
|
+ if (last_num_buttons < maxbuttons) {
|
|
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
|
+ maxbuttons,
|
|
+ sizeof(XkbAction));
|
|
+ memset(&master->button->xkb_acts[last_num_buttons],
|
|
+ 0,
|
|
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
|
+ }
|
|
+
|
|
|
|
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
|
sizeof(Atom));
|
|
--
|
|
2.43.0
|
|
|