xserver/Xi
Peter Hutterer 51eb63b0ee Xi: disallow passive grabs with a detail > 255
The XKB protocol effectively prevents us from ever using keycodes above
255. For buttons it's theoretically possible but realistically too niche
to worry about. For all other passive grabs, the detail must be zero
anyway.

This fixes an OOB write:

ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
For matching existing grabs, DeleteDetailFromMask is called with the
stuff->detail value. This function creates a new mask with the one bit
representing stuff->detail cleared.

However, the array size for the new mask is 8 * sizeof(CARD32) bits,
thus any detail above 255 results in an OOB array write.

CVE-2022-46341, ZDI-CAN 19381

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
2022-12-14 11:02:06 +10:00
..
allowev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
allowev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgdctl.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgdctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgfctl.c Fix XChangeFeedbackControl() request underflow 2021-04-13 14:28:13 +02:00
chgfctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgkbd.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgkbd.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgkmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgkmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgprop.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgprop.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgptr.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgptr.h Xi: Remove redundant declaration. 2012-05-14 13:17:30 +01:00
closedev.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
closedev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
devbell.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
devbell.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
exevents.c dix: Correctly save replayed event into GrabInfoRec 2022-02-09 11:33:03 +00:00
exglobals.h xinput: Remove PropagateMask 2020-03-30 21:48:11 +00:00
extinit.c xi: Implement conversions from internal to Xi2 gesture event structs 2021-05-30 13:26:37 +03:00
getbmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getbmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getdctl.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getdctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getfctl.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getfctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getfocus.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getfocus.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getkmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getkmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getmmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getmmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getprop.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getprop.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getselev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getselev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getvers.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getvers.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
grabdev.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
grabdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
grabdevb.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
grabdevb.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
grabdevk.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
grabdevk.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
gtmotion.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
gtmotion.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
listdev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
listdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
opendev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
opendev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
queryst.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
queryst.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
selectev.c xinput: Remove ExtExclusiveMasks 2020-03-30 21:48:11 +00:00
selectev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
sendexev.c Xi: Do not try to swap GenericEvent. 2017-06-19 11:58:56 +10:00
sendexev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setbmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setbmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setdval.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setdval.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setfocus.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setfocus.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setmmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setmmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setmode.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setmode.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
stubs.c ddx: add new call to purge input devices that weren't added 2016-10-26 15:35:07 +10:00
ungrdev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
ungrdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ungrdevb.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
ungrdevb.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ungrdevk.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
ungrdevk.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiallowev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xiallowev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xibarriers.c Xi: lock the input thread for any pointer barrier list manipulation 2019-02-14 09:10:58 +10:00
xibarriers.h Xi: free barrier code at reset time 2013-05-07 09:41:19 +10:00
xichangecursor.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xichangecursor.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xichangehierarchy.c Fix XIChangeHierarchy() integer underflow 2020-08-25 17:01:29 +02:00
xichangehierarchy.h xinput: Silence a warning from gcc 11 2021-08-17 16:02:44 -04:00
xigetclientpointer.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xigetclientpointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xigrabdev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xigrabdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xipassivegrab.c Xi: disallow passive grabs with a detail > 255 2022-12-14 11:02:06 +10:00
xipassivegrab.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiproperty.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
xiproperty.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiquerydevice.c Xi: Work around broken libxcb that doesn't ignore unknown device classes 2021-05-30 13:46:59 +03:00
xiquerydevice.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiquerypointer.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xiquerypointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiqueryversion.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xiqueryversion.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiselectev.c xi: Implement selection logic for gesture event types 2021-05-30 13:26:33 +03:00
xiselectev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xisetclientpointer.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xisetclientpointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xisetdevfocus.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xisetdevfocus.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiwarppointer.c Xi: Use WarpPointerProc hook on XI pointer warping implementation 2017-06-07 14:49:04 +10:00
xiwarppointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00