fdo-mirrors/libinput
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/libinput/libinput.git synced 2026-06-18 06:08:23 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

libinput-device-group: sanitize phys before printing it

Browse source 
A malicious uinput device could set the phys value (via UI_SET_PHYS)
to contain a '\n'. When the value is printed as part of the device group
the udev rules will interpret it as separate property.

Depending on the property this can cause local privilege escalation.

Closes #1296

Found-by: Csome
(cherry picked from commit 76f0d8a7f5)

Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1488>
This commit is contained in:
Peter Hutterer 2026-06-01 10:48:24 +10:00
parent 6cedfa6472
commit f5ac1e51ff
1 changed files with 7 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
udev/libinput-device-group.c
View file

@ -107,7 +107,8 @@ wacom_handle_ekr(struct udev_device *device,
udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
struct udev_device *d;
const char *path, *phys;
_autofree_ char *phys = NULL;
const char *path;
const char *pidstr, *vidstr;
int pid, vid, dist;
@ -122,7 +123,7 @@ wacom_handle_ekr(struct udev_device *device,
vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
phys = udev_device_get_sysattr_value(d, "phys");
phys = str_sanitize(udev_device_get_sysattr_value(d, "phys"));
if (vidstr && pidstr && phys && safe_atoi_base(vidstr, &vid, 16) &&
safe_atoi_base(pidstr, &pid, 16) && vid == VENDOR_ID_WACOM &&
@ -134,7 +135,7 @@ wacom_handle_ekr(struct udev_device *device,
best_dist = dist;
free(*phys_attr);
*phys_attr = safe_strdup(phys);
*phys_attr = steal(&phys);
}
}
@ -151,7 +152,8 @@ main(int argc, char **argv)
int rc = 1;
struct udev *udev = NULL;
struct udev_device *device = NULL;
const char *syspath, *phys = NULL;
_autofree_ char *phys = NULL;
const char *syspath = NULL;
const char *product;
int bustype, vendor_id, product_id, version;
char group[1024];
@ -175,8 +177,7 @@ main(int argc, char **argv)
* bit and use the remainder as device group identifier */
while (device != NULL) {
struct udev_device *parent;
phys = udev_device_get_sysattr_value(device, "phys");
phys = str_sanitize(udev_device_get_sysattr_value(device, "phys"));
if (phys)
break;