dix: when disabling a master, float disabled slaved devices too

Disabling a master device floats all slave devices but we didn't do this to already-disabled slave devices. As a result those devices kept their reference to the master device resulting in access to already freed memory if the master device was removed before the corresponding slave device. And to match this behavior, also forcibly reset that pointer during CloseDownDevices(). Related to CVE-2024-21886, ZDI-CAN-22840
2025-12-26 08:50:05 +01:00 · 2024-01-05 09:40:27 +10:00 · 2024-01-05 09:40:27 +10:00 · 26769aa71f
commit 26769aa71f
parent bc1fdbe465
1 changed files with 12 additions and 0 deletions
--- a/dix/devices.c
+++ b/dix/devices.c
@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
                flags[other->id] |= XISlaveDetached;
            }
        }
+
+        for (other = inputInfo.off_devices; other; other = other->next) {
+            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+                AttachDevice(NULL, other, NULL);
+                flags[other->id] |= XISlaveDetached;
+            }
+        }
    }
    else {
        for (other = inputInfo.devices; other; other = other->next) {
@ -1088,6 +1095,11 @@ CloseDownDevices(void)
            dev->master = NULL;
    }

+    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+        if (!IsMaster(dev) && !IsFloating(dev))
+            dev->master = NULL;
+    }
+
    CloseDeviceList(&inputInfo.devices);
    CloseDeviceList(&inputInfo.off_devices);