54 lines
1.7 KiB
Diff
54 lines
1.7 KiB
Diff
From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Fri, 5 Jan 2024 09:40:27 +1000
|
|
Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
|
|
devices too
|
|
|
|
Disabling a master device floats all slave devices but we didn't do this
|
|
to already-disabled slave devices. As a result those devices kept their
|
|
reference to the master device resulting in access to already freed
|
|
memory if the master device was removed before the corresponding slave
|
|
device.
|
|
|
|
And to match this behavior, also forcibly reset that pointer during
|
|
CloseDownDevices().
|
|
|
|
Related to CVE-2024-21886, ZDI-CAN-22840
|
|
---
|
|
dix/devices.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/dix/devices.c b/dix/devices.c
|
|
index 389d28a23..84a6406d1 100644
|
|
--- a/dix/devices.c
|
|
+++ b/dix/devices.c
|
|
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
flags[other->id] |= XISlaveDetached;
|
|
}
|
|
}
|
|
+
|
|
+ for (other = inputInfo.off_devices; other; other = other->next) {
|
|
+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
|
|
+ AttachDevice(NULL, other, NULL);
|
|
+ flags[other->id] |= XISlaveDetached;
|
|
+ }
|
|
+ }
|
|
}
|
|
else {
|
|
for (other = inputInfo.devices; other; other = other->next) {
|
|
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
|
|
dev->master = NULL;
|
|
}
|
|
|
|
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
|
|
+ if (!IsMaster(dev) && !IsFloating(dev))
|
|
+ dev->master = NULL;
|
|
+ }
|
|
+
|
|
CloseDeviceList(&inputInfo.devices);
|
|
CloseDeviceList(&inputInfo.off_devices);
|
|
|
|
--
|
|
2.43.0
|
|
|