CVS commit: xsrc/external/mit/xorg-server.old/dist/dix

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: xsrc/external/mit/xorg-server.old/dist/dix
From: "matthew green" <mrg%netbsd.org@localhost>
Date: Sun, 3 Nov 2024 00:28:24 +0000

Module Name:    xsrc
Committed By:   mrg
Date:           Sun Nov  3 00:28:24 UTC 2024

Modified Files:
        xsrc/external/mit/xorg-server.old/dist/dix: devices.c

Log Message:
merge upstream change bc1fdbe46559dd947674375946bbef54dd0ce36b

Subject: [PATCH] Xi: do not keep linked list pointer during recursion

The `DisableDevice()` function is called whenever an enabled device
is disabled and it moves the device from the `inputInfo.devices` linked
list to the `inputInfo.off_devices` linked list.

However, its link/unlink operation has an issue during the recursive
call to `DisableDevice()` due to the `prev` pointer pointing to a
removed device.

This issue leads to a length mismatch between the total number of
devices and the number of device in the list, leading to a heap
overflow and, possibly, to local privilege escalation.

Simplify the code that checked whether the device passed to
`DisableDevice()` was in `inputInfo.devices` or not and find the
previous device after the recursion.

CVE-2024-21886, ZDI-CAN-22840

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
    xsrc/external/mit/xorg-server.old/dist/dix/devices.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: xsrc/external/mit/xorg-server.old/dist/Xi
Next by Date: CVS commit: xsrc/external/mit/xorg-server.old/dist/Xi
Previous by Thread: CVS commit: xsrc/external/mit/xorg-server.old/dist/Xi
Next by Thread: CVS commit: xsrc/external/mit/xorg-server.old/dist/Xi
Indexes:

Home | Main Index | Thread Index | Old Index