wok-current diff xorg-server/stuff/CVE-2022-46341.patch @ rev 25634
Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Sun Jan 14 08:12:37 2024 +0000 (20 months ago) |
parents | |
children |
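--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xorg-server/stuff/CVE-2022-46341.patch Sun Jan 14 08:12:37 2024 +0000
@@ -0,0 +1,82 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index 2769fb7c9..c9ac2f855 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- ¶m, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ ¶m, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+GitLab
+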
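Review bot: The check added to ProcXIPassiveGrabDevice in the embedded patch exits with `return XIAlreadyGrabbed;`, a grab-status value used as the request's return code, whereas the lines it replaces only stored that value in `status` and the other early exits visible in that function return `BadValue`. The ungrab hunk handles the identical condition with `client->errorValue = stuff->detail; return BadValue;`, so a client sending a detail above 255 appears to get a different failure shape depending on which request it used. Because this file is a verbatim upstream fix for the out-of-bounds mask write, I would not edit it locally; it is worth confirming against upstream whether the grab path is meant to report the failure this way, and recording the answer next to the patch. Both function bodies continue outside the hunks, so how `status` reaches the reply is not visible here.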