fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-28 06:20:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

dix: when disabling a master, float disabled slaved devices too

Browse source 
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.

And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().

Related to CVE-2024-21886, ZDI-CAN-22840

(cherry picked from commit 26769aa71f)
This commit is contained in:
Peter Hutterer 2024-01-05 09:40:27 +10:00 committed by José Expósito
parent 7b5694368b
commit 5c4816afa7
1 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
dix/devices.c
View file

@ -477,6 +477,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
flags[other->id] |= XISlaveDetached;
}
}
for (other = inputInfo.off_devices; other; other = other->next) {
if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
AttachDevice(NULL, other, NULL);
flags[other->id] |= XISlaveDetached;
}
}
}
else {
for (other = inputInfo.devices; other; other = other->next) {
@ -1073,6 +1080,11 @@ CloseDownDevices(void)
dev->master = NULL;
}
for (dev = inputInfo.off_devices; dev; dev = dev->next) {
if (!IsMaster(dev) && !IsFloating(dev))
dev->master = NULL;
}
CloseDeviceList(&inputInfo.devices);
CloseDeviceList(&inputInfo.off_devices);