summaryrefslogtreecommitdiffstats
path: root/extra/source/tigervnc/patches/xorg-server/CVE-2024-21886.02.patch
diff options
context:
space:
mode:
Diffstat (limited to 'extra/source/tigervnc/patches/xorg-server/CVE-2024-21886.02.patch')
-rw-r--r--extra/source/tigervnc/patches/xorg-server/CVE-2024-21886.02.patch53
1 files changed, 53 insertions, 0 deletions
diff --git a/extra/source/tigervnc/patches/xorg-server/CVE-2024-21886.02.patch b/extra/source/tigervnc/patches/xorg-server/CVE-2024-21886.02.patch
new file mode 100644
index 000000000..de7422442
--- /dev/null
+++ b/extra/source/tigervnc/patches/xorg-server/CVE-2024-21886.02.patch
@@ -0,0 +1,53 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
+ too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+---
+ dix/devices.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
++
++ for (other = inputInfo.off_devices; other; other = other->next) {
++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++ AttachDevice(NULL, other, NULL);
++ flags[other->id] |= XISlaveDetached;
++ }
++ }
+ }
+ else {
+ for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+ dev->master = NULL;
+ }
+
++ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++ if (!IsMaster(dev) && !IsFloating(dev))
++ dev->master = NULL;
++ }
++
+ CloseDeviceList(&inputInfo.devices);
+ CloseDeviceList(&inputInfo.off_devices);
+
+--
+GitLab
+
generated by cgit v1.2.3-79-gdb01 (git 2.46.1) at 2024-09-23 20:42:21 +0000