Projects
Mega:24.03:SP1:Everything
xorg-x11-server
_service:tar_scm:backport-0002-CVE-2024-21886.p...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-0002-CVE-2024-21886.patch of Package xorg-x11-server
From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 From: Peter Hutterer <peter.hutterer@who-t.net> Date: Fri, 5 Jan 2024 09:40:27 +1000 Subject: [PATCH] dix: when disabling a master, float disabled slaved devices too Disabling a master device floats all slave devices but we didn't do this to already-disabled slave devices. As a result those devices kept their reference to the master device resulting in access to already freed memory if the master device was removed before the corresponding slave device. And to match this behavior, also forcibly reset that pointer during CloseDownDevices(). Related to CVE-2024-21886, ZDI-CAN-22840 --- dix/devices.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/dix/devices.c b/dix/devices.c index 389d28a23c..84a6406d13 100644 --- a/dix/devices.c +++ b/dix/devices.c @@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) flags[other->id] |= XISlaveDetached; } } + + for (other = inputInfo.off_devices; other; other = other->next) { + if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { + AttachDevice(NULL, other, NULL); + flags[other->id] |= XISlaveDetached; + } + } } else { for (other = inputInfo.devices; other; other = other->next) { @@ -1088,6 +1095,11 @@ CloseDownDevices(void) dev->master = NULL; } + for (dev = inputInfo.off_devices; dev; dev = dev->next) { + if (!IsMaster(dev) && !IsFloating(dev)) + dev->master = NULL; + } + CloseDeviceList(&inputInfo.devices); CloseDeviceList(&inputInfo.off_devices); -- GitLab
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2