Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
X
xorg-server
Manage
Activity
Members
Labels
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Operate
Environments
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
pkg
xorg-server
Merge requests
!71
Merge changes from apertis/v2022-security into apertis/v2022
Code
Review changes
Check out branch
Download
Patches
Plain diff
Merged
Merge changes from apertis/v2022-security into apertis/v2022
apertis/v2022-security
into
apertis/v2022
Overview
0
Commits
12
Pipelines
2
Changes
4
Merged
Andrej Shadura
requested to merge
apertis/v2022-security
into
apertis/v2022
1 year ago
Overview
0
Commits
12
Pipelines
2
Changes
4
Expand
0
0
Merge request reports
Viewing commit
c79cadf9
Prev
Next
Show latest version
4 files
+
145
−
0
Inline
Compare changes
Side-by-side
Inline
Show whitespace changes
Show one file at a time
Files
4
Search (e.g. *.vue) (Ctrl+P)
c79cadf9
Import Debian changes 2:1.20.11-1+deb11u9
· c79cadf9
Salvatore Bonaccorso
authored
1 year ago
debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch
0 → 100644
+
75
−
0
Options
From ff830d3c47c92e7c810055b9fd56ae22fc1d5346 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 8 ++++++--
dix/devices.c | 11 +++++++++++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..f24de9eec4 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -612,12 +612,16 @@
DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
if (from->button->xkb_acts) {
if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction));
if (!to->button->xkb_acts)
FatalError("[Xi] not enough memory for xkb_acts.\n");
+ } else {
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ from->button->numButtons,
+ sizeof(XkbAction));
}
memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction));
}
else {
free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index 7150734a58..deb3010206 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2530,6 +2530,8 @@
RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) {
int i;
+ int last_num_buttons = master->button->numButtons;
+
DeviceChangedEvent event = {
.header = ET_Internal,
.type = ET_DeviceChanged,
@@ -2540,6 +2542,15 @@
RecalculateMasterButtons(DeviceIntPtr slave)
};
master->button->numButtons = maxbuttons;
+ if (last_num_buttons < maxbuttons) {
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(&master->button->xkb_acts[last_num_buttons],
+ 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ }
+
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom));
--
2.43.0
Loading
Salvatore Bonaccorso authored