frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xi: allocate enough XkbActions for our buttons 

button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.

CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

(cherry picked from commit 0c1a93d319)
This commit is contained in:
Peter Hutterer 2023-11-28 15:19:04 +10:00
parent 58e83c6839
commit a7bda3080d
2 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Xi/exevents.c
View File

@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
} }
if (from->button->xkb_acts) { if (from->button->xkb_acts) {
if (!to->button->xkb_acts) { size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
to->button->xkb_acts = calloc(1, sizeof(XkbAction)); to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
if (!to->button->xkb_acts) maxbuttons,
FatalError("[Xi] not enough memory for xkb_acts.\n");
}
memcpy(to->button->xkb_acts, from->button->xkb_acts,
sizeof(XkbAction)); sizeof(XkbAction));
memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts,
from->button->numButtons * sizeof(XkbAction));
} }
else { else {
free(to->button->xkb_acts); free(to->button->xkb_acts);

10
dix/devices.c
View File

@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) { if (master->button && master->button->numButtons != maxbuttons) {
int i; int i;
int last_num_buttons = master->button->numButtons;
DeviceChangedEvent event = { DeviceChangedEvent event = {
.header = ET_Internal, .header = ET_Internal,
.type = ET_DeviceChanged, .type = ET_DeviceChanged,
@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
}; };
master->button->numButtons = maxbuttons; master->button->numButtons = maxbuttons;
if (last_num_buttons < maxbuttons) {
master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
maxbuttons,
sizeof(XkbAction));
memset(&master->button->xkb_acts[last_num_buttons],
0,
(maxbuttons - last_num_buttons) * sizeof(XkbAction));
}
memcpy(&event.buttons.names, master->button->labels, maxbuttons * memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom)); sizeof(Atom));