fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-01-24 02:50:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Xi: Zero target buffer in SProcXSendExtensionEvent.

Browse source 
Make sure that the xEvent eventT is initialized with zeros, the same way as
in SProcSendEvent.

Some event swapping functions do not overwrite all 32 bytes of xEvent
structure, for example XSecurityAuthorizationRevoked. Two cooperating
clients, one swapped and the other not, can send
XSecurityAuthorizationRevoked event to each other to retrieve old stack data
from X server. This can be potentialy misused to go around ASLR or
stack-protector.

Signed-off-by: Michal Srb <msrb@suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 05442de962)
This commit is contained in:
Michal Srb 2017-05-24 15:54:39 +03:00 committed by Adam Jackson
parent 3a53e4407f
commit cdf15ab8f9
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Xi/sendexev.c
View file

@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
{
CARD32 *p;
int i;
xEvent eventT;
xEvent eventT = { .u.u.type = 0 };
xEvent *eventP;
EventSwapPtr proc;