Commit Graph

20721 Commits

Author SHA1 Message Date
Enrico Weigelt, metux IT consult 6816605e22 os: move Auth* function types to separate header
The generic auth handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
2024-02-22 23:42:53 +00:00
Enrico Weigelt, metux IT consult 5620102dfe os: move mitauth prototypes to separate header
The MIT authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
2024-02-22 23:42:52 +00:00
Enrico Weigelt, metux IT consult 8c4759a68e os: move xdmauth prototypes to separate header
The xdmcp authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
2024-02-22 23:42:52 +00:00
Enrico Weigelt, metux IT consult 194a7c2032 os: move xdmcp prototypes to separate header
The xdmcp handling isn't really OS specific, and only few sites actually need
to call it, so at least it's prototypes are better off in some separate header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
2024-02-22 23:42:52 +00:00
Enrico Weigelt, metux IT consult 664c3b6ba8 os: move rpcauth prototypes to separate header
The rpc authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
2024-02-22 23:42:52 +00:00
Enrico Weigelt, metux IT consult 8c4a015cc2 os: color: fix possible buffer overflow vulnerability
The old approach of builtin color lookup used a binary search of strings
within text blocks (their start offsets defined in the color array).

This could potentially lead to buffer overflow, if the requested color
name far outreaches the text block (eg. same prefix as some entry near to
the end, but really huge). This alone wouldn't allow remote memory readout
(just comparing), but could possibly trigger page faults (sigsegv) or used
as a building block for some more complex attack.

OTOH, the old approach is also hard to maintain, ugly programming style:
on each change, all the offset need to be carefully recounted, which is
pretty error-prone.

Both problems are solved by moving to simple, per-entry, char* pointers,
instead of the one large text block.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>
2024-02-22 23:33:34 +00:00
Enrico Weigelt, metux IT consult 7a010beefe os: oscolor: fix BuiltinColor field naming
The "name" field doesn't actually hold the color's name, but instead the
offset of the name in the string table block. Thus, fix the field's name
to reflect this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>
2024-02-22 23:33:34 +00:00
Enrico Weigelt, metux IT consult fdf483d862 include: os: fix return value of OsLookupColor()
The actual implementation uses Bool, but forward declaration is int.
For the compiler it's practically the same, but for the programmer these
have different semantics.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>
2024-02-22 23:33:34 +00:00
Alan Coopersmith a91a862332 unifdef SUNSYSV
I can't tell what this code was originally for - it was added in 1988,
4 years before the release of the SysV R4 release of Solaris 2.0, and
I can't find anywhere that defined SUNSYSV.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1315>
2024-02-19 15:12:41 -08:00
Enrico Weigelt, metux IT consult 27b5530107 xfree86: drop remains of old USL compiler
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1286>
2024-02-19 09:21:36 +00:00
Enrico Weigelt, metux IT consult 6dafe3dbe6 drop remains of support for old Sun compilers
With transition from autoconf to meson, these aren't actually supported
anymore, and re-adding it isn't planned. Thus the now dead code pathes
can be completely removed.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1286>
2024-02-19 09:21:36 +00:00
Yusuf Khan db3aa4e03b hw/xfree86: fix NULL pointer refrence to mode name
Potentially, the pointer to the mode name could be unset, this can
occur with the xf86-video-nv DDX, in that case there isnt much we can do
except check if the next mode is any better.

Signed-off-by: Yusuf Khan <yusisamerican@gmail.com>
2024-02-19 03:51:25 +00:00
Enrico Weigelt, metux IT consult a2e7904b1d fix: unused readIntVec()
[585/699] Compiling C object hw/xfree86/int10/libint10.so.p/generic.c.o
../hw/xfree86/int10/generic.c:103:1: warning: ‘readIntVec’ defined but not used [-Wunused-function]
  103 | readIntVec(struct pci_device *dev, unsigned char *buf, int len)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-02-19 01:02:32 +00:00
Enrico Weigelt, metux IT consult 8d2117abeb hw: xwayland: fix build if neither gbm nor eglstream available
glamor needs to be disabled if neither gbm nor eglstream is available,
otherwise build breaks.

Closes: xorg/xserver#1631
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-02-19 00:53:30 +00:00
Enrico Weigelt, metux IT consult 374ee7acd7 xkb: drop defining XKBSRV_NEED_FILE_FUNCS
No need to define XKBSRV_NEED_FILE_FUNCS, for about 15 years now
(since XKBsrv.h isn't used anymore), so drop it.

Fixes: e5f002edde
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-02-19 00:44:15 +00:00
Matthieu Herrb 0d4a7ed684 bsd_init.c: fix build on OpenBSD
isolate NetBSD specific VGAPCVTID ioctl(2) call.

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
2024-02-19 00:40:04 +00:00
Alan Coopersmith 584a9715c3 unifdef apollo
Apollo Domain/OS died in the 1990's and has never been supported in
the modular Xserver builds.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-17 16:31:46 -08:00
Matthieu Herrb 7dfe1c56b0 OpenBSD build fix: struct ucred is struct sockpeercred there 2024-02-18 00:16:38 +00:00
Matthieu Herrb 238f8edcaf xfree86/bsd: fix build on NetBSD/amd64.
The IOPL function for 64 bit systems is x86_64_iopl() there
2024-02-18 00:03:45 +00:00
Matthieu Herrb 59dac6af45 Add full prototypes in hw/xfree86/os-support/bsd/bsd-video.c
Trivial functions without parameters -> (void)
2024-02-17 23:50:59 +00:00
Matthieu Herrb ae07e47559 Fix build on OpenBSD.
<dev/wscons/wsconsio.h> needs <sys/time.h> on OpenBSD.
This doesn't cause issues on NetBSD

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
2024-02-17 16:14:23 +01:00
Enrico Weigelt 442aec2219 include: move BUG_*() macros to separate header
Yet another step of uncluttering includes: move out the BUG_* macros
into a separate header, which then is included as-needed.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-02-15 23:33:46 +00:00
Alan Coopersmith a8bb924af1 os: Assume all supported non-WIN32 platforms have seteuid & saved_ids
Removes fallback code to fork and exec a "cat" command to read files.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-10 00:05:54 +00:00
Enrico Weigelt, metux IT consult b3b86ae674 replace _X_INLINE by inline in internal static functions
Since xserver is compiled as C99, we just can use the `inline` keyword.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2024-02-05 19:26:14 +00:00
Florian Weimer f0a187f55d xwayland: Use correct pointer types on i386
And other 32-bit architectures, where uint32_t and CARD32 are
not the same type.  Otherwise the build will fail with GCC 14
with errors like:

../hw/xwayland/xwayland-glamor.c: In function ‘xwl_glamor_get_formats’:
../hw/xwayland/xwayland-glamor.c:291:43: error: passing argument 3 of ‘xwl_get_formats_for_device’ from incompatible pointer type [-Wincompatible-pointer-types]
  291 |                                           num_formats, formats);
      |                                           ^~~~~~~~~~~
      |                                           |
      |                                           CARD32 * {aka long unsigned int *}
../hw/xwayland/xwayland-glamor.c:238:38: note: expected ‘uint32_t *’ {aka ‘unsigned int *’} but argument is of type ‘CARD32 *’ {aka ‘long unsigned int *’}
  238 |                            uint32_t *num_formats, uint32_t **formats)
      |                            ~~~~~~~~~~^~~~~~~~~~~
../hw/xwayland/xwayland-glamor.c:291:56: error: passing argument 4 of ‘xwl_get_formats_for_device’ from incompatible pointer type [-Wincompatible-pointer-types]
  291 |                                           num_formats, formats);
      |                                                        ^~~~~~~
      |                                                        |
      |                                                        CARD32 ** {aka long unsigned int **}
../hw/xwayland/xwayland-glamor.c:238:62: note: expected ‘uint32_t **’ {aka ‘unsigned int **’} but argument is of type ‘CARD32 **’ {aka ‘long unsigned int **’}
  238 |                            uint32_t *num_formats, uint32_t **formats)
      |                                                   ~~~~~~~~~~~^~~~~~~
../hw/xwayland/xwayland-glamor.c:295:28: error: passing argument 3 of ‘xwl_get_formats’ from incompatible pointer type [-Wincompatible-pointer-types]
  295 |                            num_formats, formats);
      |                            ^~~~~~~~~~~
      |                            |
      |                            CARD32 * {aka long unsigned int *}
../hw/xwayland/xwayland-glamor.c:217:26: note: expected ‘uint32_t *’ {aka ‘unsigned int *’} but argument is of type ‘CARD32 *’ {aka ‘long unsigned int *’}
  217 |                uint32_t *num_formats, uint32_t **formats)
      |                ~~~~~~~~~~^~~~~~~~~~~
../hw/xwayland/xwayland-glamor.c:295:41: error: passing argument 4 of ‘xwl_get_formats’ from incompatible pointer type [-Wincompatible-pointer-types]
  295 |                            num_formats, formats);
      |                                         ^~~~~~~
      |                                         |
      |                                         CARD32 ** {aka long unsigned int **}
../hw/xwayland/xwayland-glamor.c:217:50: note: expected ‘uint32_t **’ {aka ‘unsigned int **’} but argument is of type ‘CARD32 **’ {aka ‘long unsigned int **’}
  217 |                uint32_t *num_formats, uint32_t **formats)
      |                                       ~~~~~~~~~~~^~~~~~~
2024-02-02 09:36:52 +01:00
Wanli Niu e62246641b dix: Fix segfault if CreateGC() failed in XaceHook()
CreateGC() allocates a new GC and then checks the resource access rights
with XaceHook().

If the call to XaceHook() fails (i.e. GC creation is not granted to the
client), CreateGC() exits early and calls FreeGC() to avoid leaking the
newly allocated GC.

If that happens, the screen's own CreateGC() has not yet been invoked,
and as a result the GC functions (GCfuncs) have not been set yet.

FreeGC() will invoke the funcs->DestroyClip() and the funcs->DestroyGC()
functions, but since those haven't been set, the Xserver will segfault
trying to call a NULL function.

To prevent that issue, make sure the GC's functions are initialized
prior to call them in FreeGC().

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1625
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
2024-02-01 10:10:53 +01:00
Peter Hutterer 9c7c470b12 test: use a dbg() macro for the test output
Currently hardcoded to verbose = 0 until we have option parsing but meh.
2024-01-30 00:15:10 +00:00
Peter Hutterer d178978ce2 test: specify non-negative log verbosity for the siglogging test
Less noise in the test output
2024-01-30 00:15:10 +00:00
Peter Hutterer 3c5eaedaf9 test: switch the remaining wrapped functions to use the macros
dixLookupWindow and dixLookupClient have a test-global default
implementation because overriding that in ever test doesn't make sense.
2024-01-30 00:15:10 +00:00
Peter Hutterer 7e9d167c9c test: make wrapping a function more generic
This cleans up some of the mess this code was in. Functions we need to
wrap can now have a standard implementation using WRAP_FUNCTION - that
macro declares the __real and __wrap functions and a wrapped_$func
global variable.

Tests can set that variable to their desired functions and it will be
then be called on demand.
2024-01-30 00:15:10 +00:00
Peter Hutterer 46b579e8d5 test: switch the unit tests to something resembling a test suite
The tests have inadvertent dependencies on each other so let's avoid
those by changing to a system that returns a null-terminated list of
test functions and our test runner iterates over those and forks off one
process per function.
2024-01-30 00:15:10 +00:00
Peter Hutterer 133e0d651c dix: fix valuator copy/paste error in the DeviceStateNotify event
Fixes 219c54b8a3
2024-01-22 21:24:58 +00:00
Michel Dänzer abe3a08245 xwayland: Enable Present extension support also without glamor
This allows e.g.

 xfwm4 --vblank=xpresent

to hit the page flip path instead of copies.

In the future, Mesa might also use the Present extension with software
rendering.
2024-01-22 14:14:05 +00:00
Michel Dänzer 17986658bf xwayland: Add xwl_pixmap_get_wl_buffer helper
Preparation for the next commit.
2024-01-22 14:14:05 +00:00
Michel Dänzer 613e4466b4 xwayland: Handle NULL xwl_pixmap in xwl_shm_pixmap_get_wl_buffer 2024-01-22 14:14:05 +00:00
Michel Dänzer f50ed265cf xwayland: Initialize Present extension support also with rootful
Multiple benefits, in particular:

* Fullscreen windows can hit the page flip path
* X client presentation is properly synchronized to the Wayland
  compositor refresh cycle via frame events
2024-01-22 14:14:05 +00:00
Michel Dänzer e391d53076 xwayland/present: Update screen pixmap in xwl_present_execute
If the screen pixmap was also the toplevel window pixmap.

This can't happen yet, it will with the next commit though.
2024-01-22 14:14:05 +00:00
Olivier Fourdan 0cbf6d9326 xwayland: Add a -nokeymap option
By default, Xwayland (as any Wayland client) uses the keymap set by the
Wayland compositor using the standard Wayland protocol.

There are some specific uses cases where a user would want to let the
X11 clients control the keymap. However, the Wayland compositor may
(re)send the keymap at any time, overriding whatever change was made
using the X11 mechanisms.

Add a new "-nokeymap" option to Xwayland to instruct Xwayland to simply
ignore the standard Wayland mechanism to set the keymap, hence leaving
the control entirely to the X11 clients.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2024-01-22 13:01:18 +00:00
José Expósito e89edec497 ephyr: Fix incompatible pointer type build error
Fix a compilation error on 32 bits architectures with gcc 14:

  ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
  ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int,  void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32,  void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int,  void *)’} [-Wincompatible-pointer-types]
    154 |     adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
        |                               ^
  ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int *, void *)’} [-Wincompatible-pointer-types]
    155 |     adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
        |                               ^

Build error logs:
https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273

Signed-off-by: José Expósito <jexposit@redhat.com>
2024-01-19 14:42:48 +01:00
Simon Ser d7f1909e7c xwayland/glamor/gbm: make wl_drm optional
Build on top of [1] to use linux-dmabuf to grab the main device
when wl_drm is unavailable. Fixes Xwayland glamor on top of latest
wlroots commit which has dropped wl_drm support [2].

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/818
[2]: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4397

Signed-off-by: Simon Ser <contact@emersion.fr>
2024-01-19 10:59:53 +00:00
Simon Ser 4beb4f26ef xwayland/glamor/gbm: use Bool for true/false fields
This makes it more obvious what the values mean.

Signed-off-by: Simon Ser <contact@emersion.fr>
2024-01-19 10:59:53 +00:00
Michel Dänzer 3ddb81b15e xwayland: Update screen pixmap for root window in xwl_window_set_pixmap
If the old window pixmap was the screen pixmap.

Fixes screen->GetScreenPixmap() returning a stale pointer to a destroyed
pixmap with rootful Xwayland. It would result in a crash after resizing
the Xwayland window, or at the latest when shutting down.

Fixes: 6779ec5bf6 ("xwayland: Use window pixmap as a window buffer")
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1621
2024-01-17 18:12:37 +01:00
Olivier Fourdan 2ef0f1116c ephyr,xwayland: Use the proper private key for cursor
The cursor in DIX is actually split in two parts, the cursor itself and
the cursor bits, each with their own devPrivates.

The cursor itself includes the cursor bits, meaning that the cursor bits
devPrivates in within structure of the cursor.

Both Xephyr and Xwayland were using the private key for the cursor bits
to store the data for the cursor, and when using XSELINUX which comes
with its own special devPrivates, the data stored in that cursor bits'
devPrivates would interfere with the XSELINUX devPrivates data and the
SELINUX security ID would point to some other unrelated data, causing a
crash in the XSELINUX code when trying to (re)use the security ID.

CVE-2024-0409

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2024-01-16 09:26:01 +01:00
Olivier Fourdan e5e8586a12 glx: Call XACE hooks on the GLX buffer
The XSELINUX code will label resources at creation by checking the
access mode. When the access mode is DixCreateAccess, it will call the
function to label the new resource SELinuxLabelResource().

However, GLX buffers do not go through the XACE hooks when created,
hence leaving the resource actually unlabeled.

When, later, the client tries to create another resource using that
drawable (like a GC for example), the XSELINUX code would try to use
the security ID of that object which has never been labeled, get a NULL
pointer and crash when checking whether the requested permissions are
granted for subject security ID.

To avoid the issue, make sure to call the XACE hooks when creating the
GLX buffers.

Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.

CVE-2024-0408

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
2024-01-16 09:25:49 +01:00
Peter Hutterer 26769aa71f dix: when disabling a master, float disabled slaved devices too
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.

And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().

Related to CVE-2024-21886, ZDI-CAN-22840
2024-01-16 09:24:31 +01:00
José Expósito bc1fdbe465 Xi: do not keep linked list pointer during recursion
The `DisableDevice()` function is called whenever an enabled device
is disabled and it moves the device from the `inputInfo.devices` linked
list to the `inputInfo.off_devices` linked list.

However, its link/unlink operation has an issue during the recursive
call to `DisableDevice()` due to the `prev` pointer pointing to a
removed device.

This issue leads to a length mismatch between the total number of
devices and the number of device in the list, leading to a heap
overflow and, possibly, to local privilege escalation.

Simplify the code that checked whether the device passed to
`DisableDevice()` was in `inputInfo.devices` or not and find the
previous device after the recursion.

CVE-2024-21886, ZDI-CAN-22840

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
2024-01-16 09:24:31 +01:00
Peter Hutterer 4a5e9b1895 Xi: flush hierarchy events after adding/removing master devices
The `XISendDeviceHierarchyEvent()` function allocates space to store up
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.

If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to `info`.

Since this case can occur for every device ID at once, a total of two
times `MAXDEVICES` info structures might be written to the allocation.

To avoid it, once one add/remove master is processed, send out the
device hierarchy event for the current state and continue. That event
thus only ever has exactly one of either added/removed in it (and
optionally slave attached/detached).

CVE-2024-21885, ZDI-CAN-22744

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
2024-01-16 09:24:26 +01:00
Peter Hutterer df3c65706e Xi: when creating a new ButtonClass, set the number of buttons
There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
2024-01-16 09:24:01 +01:00
Peter Hutterer 219c54b8a3 dix: fix DeviceStateNotify event calculation
The previous code only made sense if one considers buttons and keys to
be mutually exclusive on a device. That is not necessarily true, causing
a number of issues.

This function allocates and fills in the number of xEvents we need to
send the device state down the wire.  This is split across multiple
32-byte devices including one deviceStateNotify event and optional
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
deviceValuator events.

The previous behavior would instead compose a sequence
of [state, buttonstate, state, keystate, valuator...]. This is not
protocol correct, and on top of that made the code extremely convoluted.

Fix this by streamlining: add both button and key into the deviceStateNotify
and then append the key state and button state, followed by the
valuators. Finally, the deviceValuator events contain up to 6 valuators
per event but we only ever sent through 3 at a time. Let's double that
troughput.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
2024-01-16 09:24:01 +01:00
Peter Hutterer ece23be888 dix: Allocate sufficient xEvents for our DeviceStateNotify
If a device has both a button class and a key class and numButtons is
zero, we can get an OOB write due to event under-allocation.

This function seems to assume a device has either keys or buttons, not
both. It has two virtually identical code paths, both of which assume
they're applying to the first event in the sequence.

A device with both a key and button class triggered a logic bug - only
one xEvent was allocated but the deviceStateNotify pointer was pushed on
once per type. So effectively this logic code:

   int count = 1;
   if (button && nbuttons > 32) count++;
   if (key && nbuttons > 0) count++;
   if (key && nkeys > 32) count++; // this is basically always true
   // count is at 2 for our keys + zero button device

   ev = alloc(count * sizeof(xEvent));
   FixDeviceStateNotify(ev);
   if (button)
     FixDeviceStateNotify(ev++);
   if (key)
     FixDeviceStateNotify(ev++);   // santa drops into the wrong chimney here

If the device has more than 3 valuators, the OOB is pushed back - we're
off by one so it will happen when the last deviceValuator event is
written instead.

Fix this by allocating the maximum number of events we may allocate.
Note that the current behavior is not protocol-correct anyway, this
patch fixes only the allocation issue.

Note that this issue does not trigger if the device has at least one
button. While the server does not prevent a button class with zero
buttons, it is very unlikely.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
2024-01-16 09:24:01 +01:00