xserver/Xi
Peter Hutterer 541ab2ecd4 Xi/randr: fix handling of PropModeAppend/Prepend
The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.

Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitialized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write

The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.

CVE-2023-5367, ZDI-CAN-22153

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2023-10-25 00:32:52 +00:00
allowev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
allowev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgdctl.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgdctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgfctl.c Fix XChangeFeedbackControl() request underflow 2021-04-13 14:28:13 +02:00
chgfctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgkbd.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgkbd.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgkmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgkmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgprop.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgprop.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
chgptr.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
chgptr.h Xi: Remove redundant declaration. 2012-05-14 13:17:30 +01:00
closedev.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
closedev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
devbell.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
devbell.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
exevents.c Xi: fix potential use-after-free in DeepCopyPointerClasses 2023-02-07 10:07:18 +10:00
exglobals.h xinput: Remove PropagateMask 2020-03-30 21:48:11 +00:00
extinit.c xi: Implement conversions from internal to Xi2 gesture event structs 2021-05-30 13:26:37 +03:00
getbmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getbmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getdctl.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getdctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getfctl.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getfctl.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getfocus.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getfocus.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getkmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getkmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getmmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getmmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getprop.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getprop.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getselev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getselev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
getvers.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
getvers.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
grabdev.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
grabdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
grabdevb.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
grabdevb.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
grabdevk.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
grabdevk.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
gtmotion.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
gtmotion.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
listdev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
listdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
opendev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
opendev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
queryst.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
queryst.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
selectev.c xinput: Remove ExtExclusiveMasks 2020-03-30 21:48:11 +00:00
selectev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
sendexev.c Xi: Do not try to swap GenericEvent. 2017-06-19 11:58:56 +10:00
sendexev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setbmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setbmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setdval.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setdval.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setfocus.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setfocus.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setmmap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setmmap.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
setmode.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
setmode.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
stubs.c ddx: add new call to purge input devices that weren't added 2016-10-26 15:35:07 +10:00
ungrdev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
ungrdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ungrdevb.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
ungrdevb.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ungrdevk.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
ungrdevk.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiallowev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xiallowev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xibarriers.c Xi: lock the input thread for any pointer barrier list manipulation 2019-02-14 09:10:58 +10:00
xibarriers.h Xi: free barrier code at reset time 2013-05-07 09:41:19 +10:00
xichangecursor.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xichangecursor.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xichangehierarchy.c Fix XIChangeHierarchy() integer underflow 2020-08-25 17:01:29 +02:00
xichangehierarchy.h xinput: Silence a warning from gcc 11 2021-08-17 16:02:44 -04:00
xigetclientpointer.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xigetclientpointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xigrabdev.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xigrabdev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xipassivegrab.c Xi: disallow passive grabs with a detail > 255 2022-12-14 11:02:06 +10:00
xipassivegrab.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiproperty.c Xi/randr: fix handling of PropModeAppend/Prepend 2023-10-25 00:32:52 +00:00
xiproperty.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiquerydevice.c Xi: Work around broken libxcb that doesn't ignore unknown device classes 2021-05-30 13:46:59 +03:00
xiquerydevice.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiquerypointer.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xiquerypointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiqueryversion.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xiqueryversion.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiselectev.c xi: Implement selection logic for gesture event types 2021-05-30 13:26:33 +03:00
xiselectev.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xisetclientpointer.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xisetclientpointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xisetdevfocus.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xisetdevfocus.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
xiwarppointer.c Xi: Use WarpPointerProc hook on XI pointer warping implementation 2017-06-07 14:49:04 +10:00
xiwarppointer.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00