xorg-x11-server/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch

From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 14 Dec 2023 11:29:49 +1000
Subject: [PATCH 1/9] dix: allocate enough space for logical button maps

Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
each logical button currently down. Since buttons can be arbitrarily mapped
to anything up to 255 make sure we have enough bits for the maximum mapping.

CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 Xi/xiquerypointer.c | 3 +--
 dix/enterleave.c    | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
index 5b77b1a44..2b05ac5f3 100644
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
     if (pDev->button) {
         int i;
 
-        rep.buttons_len =
-            bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
+        rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
         rep.length += rep.buttons_len;
         buttons = calloc(rep.buttons_len, 4);
         if (!buttons)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 867ec7436..ded8679d7 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
 
     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
 
-    /* XI 2 event */
-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
+    /* XI 2 event contains the logical button map - maps are CARD8
+     * so we need 256 bits for the possibly maximum mapping */
+    btlen = (mouse->button) ? bits_to_bytes(256) : 0;
     btlen = bytes_to_int32(btlen);
     len = sizeof(xXIFocusInEvent) + btlen * 4;
 
-- 
2.43.0
import CS xorg-x11-server-1.20.11-22.el8 2024-03-27 20:39:55 +00:00			`From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001`
			`From: Peter Hutterer <peter.hutterer@who-t.net>`
			`Date: Thu, 14 Dec 2023 11:29:49 +1000`
			`Subject: [PATCH 1/9] dix: allocate enough space for logical button maps`

			`Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for`
			`each logical button currently down. Since buttons can be arbitrarily mapped`
			`to anything up to 255 make sure we have enough bits for the maximum mapping.`

			`CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`
			`---`
			`Xi/xiquerypointer.c \| 3 +--`
			`dix/enterleave.c \| 5 +++--`
			`2 files changed, 4 insertions(+), 4 deletions(-)`

			`diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c`
			`index 5b77b1a44..2b05ac5f3 100644`
			`--- a/Xi/xiquerypointer.c`
			`+++ b/Xi/xiquerypointer.c`
			`@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)`
			`if (pDev->button) {`
			`int i;`

			`- rep.buttons_len =`
			`- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));`
			`+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */`
			`rep.length += rep.buttons_len;`
			`buttons = calloc(rep.buttons_len, 4);`
			`if (!buttons)`
			`diff --git a/dix/enterleave.c b/dix/enterleave.c`
			`index 867ec7436..ded8679d7 100644`
			`--- a/dix/enterleave.c`
			`+++ b/dix/enterleave.c`
			`@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,`

			`mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);`

			`- /* XI 2 event */`
			`- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;`
			`+ /* XI 2 event contains the logical button map - maps are CARD8`
			`+ * so we need 256 bits for the possibly maximum mapping */`
			`+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;`
			`btlen = bytes_to_int32(btlen);`
			`len = sizeof(xXIFocusInEvent) + btlen * 4;`

			`--`
			`2.43.0`