File U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch of Package xwayland.33215
From 9dc018a5a1a183e0a2cb945572454779b499430c Mon Sep 17 00:00:00 2001 From: Peter Hutterer <peter.hutterer@who-t.net> Date: Tue, 29 Nov 2022 13:55:32 +1000 Subject: [PATCH xserver 4/6] Xi: disallow passive grabs with a detail > 255 The XKB protocol effectively prevents us from ever using keycodes above 255. For buttons it's theoretically possible but realistically too niche to worry about. For all other passive grabs, the detail must be zero anyway. This fixes an OOB write: ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a temporary grab struct which contains tempGrab->detail.exact = stuff->detail. For matching existing grabs, DeleteDetailFromMask is called with the stuff->detail value. This function creates a new mask with the one bit representing stuff->detail cleared. However, the array size for the new mask is 8 * sizeof(CARD32) bits, thus any detail above 255 results in an OOB array write. ZDI-CAN 19381 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> --- Xi/xipassivegrab.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c index 2769fb7c94..c9ac2f8553 100644 --- a/Xi/xipassivegrab.c +++ b/Xi/xipassivegrab.c @@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) return BadValue; } + /* XI2 allows 32-bit keycodes but thanks to XKB we can never + * implement this. Just return an error for all keycodes that + * cannot work anyway, same for buttons > 255. */ + if (stuff->detail > 255) + return XIAlreadyGrabbed; + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], stuff->mask_len * 4) != Success) return BadValue; 
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) ¶m, XI2, &mask); break; case XIGrabtypeKeycode: - /* XI2 allows 32-bit keycodes but thanks to XKB we can never - * implement this. Just return an error for all keycodes that - * cannot work anyway */ - if (stuff->detail > 255) - status = XIAlreadyGrabbed; - else - status = GrabKey(client, dev, mod_dev, stuff->detail, - ¶m, XI2, &mask); + status = GrabKey(client, dev, mod_dev, stuff->detail, + ¶m, XI2, &mask); break; case XIGrabtypeEnter: case XIGrabtypeFocusIn: @@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) return BadValue; } + /* We don't allow passive grabs for details > 255 anyway */ + if (stuff->detail > 255) { + client->errorValue = stuff->detail; + return BadValue; + } + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); if (rc != Success) return rc; -- 2.38.1
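Review bot: In the first hunk (ProcXIPassiveGrabDevice, after the BadValue return near line 137), `return XIAlreadyGrabbed;` hands a grab status back as the request handler's result. The code removed in the second hunk only ever assigned that value to `status`, which is a per-grab result rather than the return value of the request. The ungrab path in this same patch uses `client->errorValue = stuff->detail; return BadValue;` for the identical condition. Consider doing the same here so both requests reject detail > 255 in the same way and the client sees which value was refused.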
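Review bot: In the second hunk (case XIGrabtypeKeycode), the call to GrabKey is now safe only because of the early `stuff->detail > 255` check added about 70 lines higher in the function, and nothing at the call site says so. A one-line comment here pointing at the early check would stop a later refactor from moving or narrowing that check without noticing that this case depends on it.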
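Review bot: In the third hunk (ProcXIPassiveUngrabDevice), the comment "We don't allow passive grabs for details > 255 anyway" undersells the check: per the commit message this is the guard that keeps DeleteDetailFromMask from writing past a mask of 8 * sizeof(CARD32) bits. Say that in the comment so the check is not later removed as redundant. Since the bound lives only in this caller, a matching range check or assertion inside DeleteDetailFromMask would also protect any other caller that passes an unchecked detail.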