xserver: Branch 'server-21.1-branch' - 2 commits
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Feb 7 00:29:29 UTC 2023
Xi/exevents.c | 4 +++-
dix/events.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
New commits:
commit 9ca7d3f61a88ae6cf47fdf139b6215d745db976b
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Wed Jan 25 11:41:40 2023 +1000
Xi: fix potential use-after-free in DeepCopyPointerClasses
CVE-2023-0494, ZDI-CAN-19596
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 217baa956..dcd4efb3b 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
memcpy(to->button->xkb_acts, from->button->xkb_acts,
sizeof(XkbAction));
}
- else
+ else {
free(to->button->xkb_acts);
+ to->button->xkb_acts = NULL;
+ }
memcpy(to->button->labels, from->button->labels,
from->button->numButtons * sizeof(Atom));
commit 4b925d388f76764dcb02dfd1cd7276262dcd7d74
Author: Mike Gorse <mgorse at suse.com>
Date: Wed Jan 25 02:02:48 2023 +0000
dix: Use CopyPartialInternalEvent in EnqueueEvent
The event might be a DeviceEvent allocated on the stack, in
AccessXKeyboardEvent for instance. Fixes out-of-bounds read.
Signed-off-by: Mike Gorse <mgorse at suse.com>
(cherry picked from commit 2ef5ef57bd37a8bec2ac454053b283c6f87c3b40)
diff --git a/dix/events.c b/dix/events.c
index 782ed35dc..86f5357e8 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -1215,7 +1215,7 @@ EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
qe->pScreen = pSprite->hotPhys.pScreen;
qe->months = currentTime.months;
qe->event = (InternalEvent *) (qe + 1);
- memcpy(qe->event, event, eventlen);
+ CopyPartialInternalEvent(qe->event, (InternalEvent *)event);
xorg_list_append(&qe->next, &syncEvents.pending);
}
More information about the xorg-commit
mailing list