Commits:
-
905bc7f7
by Povilas Kanapickas at 2023-01-25T13:16:49+10:00
dix: Correctly save replayed event into GrabInfoRec
When processing events we operate on InternalEvent pointers. They may
actually refer to an instance of DeviceEvent, GestureEvent or any
other event that comprises the InternalEvent union. This works well in
practice because we always look into event type before doing anything,
except in the case of copying the event.
*dst_event = *src_event would copy whole InternalEvent event and would
cause out of bounds read in case the pointed to event was not
InternalEvent but e.g. DeviceEvent.
This regression has been introduced in
23a8b62d34344575f9df9d057fb74bfefa94a77b.
Fixes https://gitlab.freedesktop.org/xorg/xserver/-/issues/1261
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit 6ef5c05728f8b18170fbc8415d7502495a08670b)
-
8e392628
by Mike Gorse at 2023-01-25T13:16:49+10:00
dix: Use CopyPartialInternalEvent in EnqueueEvent
The event might be a DeviceEvent allocated on the stack, in
AccessXKeyboardEvent for instance. Fixes out-of-bounds read.
Signed-off-by: Mike Gorse <mgorse@suse.com>
(cherry picked from commit 2ef5ef57bd37a8bec2ac454053b283c6f87c3b40)
-
8660dd16
by Peter Hutterer at 2023-02-07T08:30:43+01:00
Xi: fix potential use-after-free in DeepCopyPointerClasses
CVE-2023-0494, ZDI-CAN-19596
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
-
92c35190
by Olivier Fourdan at 2023-02-07T08:30:43+01:00
Bump version to 22.1.8
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-
722e67df
by Timo Aaltonen at 2023-02-07T15:13:29+02:00
Merge branch 'upstream-unstable' into debian-unstable
-
51c7440e
by Timo Aaltonen at 2023-02-07T15:14:47+02:00
release to sid
5 changed files:
Changes:
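--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
 memcpy(to->button->xkb_acts, from->button->xkb_acts,
 sizeof(XkbAction));
 }
- else
+ else {
 free(to->button->xkb_acts);
+ to->button->xkb_acts = NULL;
+ }
 
 memcpy(to->button->labels, from->button->labels,
 from->button->numButtons * sizeof(Atom));
@@ -1524,7 +1526,7 @@ DeliverTouchEmulatedEvent(DeviceIntPtr dev, TouchPointInfoPtr ti,
 g = AllocGrab(devgrab);
 BUG_WARN(!g);
 
- *dev->deviceGrab.sync.event = *ev;
+ CopyPartialInternalEvent(dev->deviceGrab.sync.event, ev);
 
 /* The listener array has a sequence of grabs and then one event
 * selection. Implicit grab activation occurs through delivering an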
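Review bot: The added `to->button->xkb_acts = NULL;` in the `else` branch of DeepCopyPointerClasses has no comment explaining why the pointer must be cleared, and the commit message gives only the CVE id. Without one the assignment reads as optional tidying and could be dropped in a later cleanup, which would presumably leave a stale pointer for a later copy or free to pick up again. I would put `/* do not leave a dangling pointer behind; see CVE-2023-0494 */` above the `free()` call. The function body starts and ends outside the hunk, so the later uses of `xkb_acts` cannot be checked from here.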
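--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xwayland (2:22.1.8-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2023-0494
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 07 Feb 2023 15:14:38 +0200
+
 xwayland (2:22.1.7-1) unstable; urgency=medium
 
 * New upstream release.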
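--- a/dix/events.c
+++ b/dix/events.c
@@ -467,6 +467,20 @@ WindowXI2MaskIsset(DeviceIntPtr dev, WindowPtr win, xEvent *ev)
 return xi2mask_isset(inputMasks->xi2mask, dev, evtype);
 }
 
+/**
+ * When processing events we operate on InternalEvent pointers. They may actually refer to a
+ * an instance of DeviceEvent, GestureEvent or any other event that comprises the InternalEvent
+ * union. This works well in practice because we always look into event type before doing anything,
+ * except in the case of copying the event. Any copying of InternalEvent should use this function
+ * instead of doing *dst_event = *src_event whenever it's not clear whether source event actually
+ * points to full InternalEvent instance.
+ */
+void
+CopyPartialInternalEvent(InternalEvent* dst_event, const InternalEvent* src_event)
+{
+ memcpy(dst_event, src_event, src_event->any.length);
+}
+
 Mask
 GetEventMask(DeviceIntPtr dev, xEvent *event, InputClients * other)
 {
@@ -1201,7 +1215,7 @@ EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
 qe->pScreen = pSprite->hotPhys.pScreen;
 qe->months = currentTime.months;
 qe->event = (InternalEvent *) (qe + 1);
- memcpy(qe->event, event, eventlen);
+ CopyPartialInternalEvent(qe->event, (InternalEvent *)event);
 xorg_list_append(&qe->next, &syncEvents.pending);
 }
 
@@ -3873,7 +3887,7 @@ void ActivateGrabNoDelivery(DeviceIntPtr dev, GrabPtr grab,
 
 if (grabinfo->sync.state == FROZEN_NO_EVENT)
 grabinfo->sync.state = FROZEN_WITH_EVENT;
- *grabinfo->sync.event = *real_event;
+ CopyPartialInternalEvent(grabinfo->sync.event, real_event);
 }
 
 static BOOL
@@ -4455,7 +4469,7 @@ FreezeThisEventIfNeededForSyncGrab(DeviceIntPtr thisDev, InternalEvent *event)
 case FREEZE_NEXT_EVENT:
 grabinfo->sync.state = FROZEN_WITH_EVENT;
 FreezeThaw(thisDev, TRUE);
- *grabinfo->sync.event = *event;
+ CopyPartialInternalEvent(grabinfo->sync.event, event);
 break;
 }
 }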
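Review bot: `CopyPartialInternalEvent()` in the first hunk copies `src_event->any.length` bytes without comparing that value to the size of the destination, so the out-of-bounds read is closed only while every event's `length` field is correct. A `length` larger than `sizeof(InternalEvent)` would presumably become a write past `qe->event` or `sync.event`, and a `length` left at 0 would silently copy nothing. A guard at the top of the helper, `BUG_RETURN(src_event->any.length > sizeof(InternalEvent));`, would make the assumption explicit, and the doc comment should say that `dst_event` must point to a full InternalEvent. In the EnqueueEvent hunk the allocation that sizes `qe` lies outside the visible lines, so whether it still covers the copied length cannot be confirmed here.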
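--- a/include/input.h
+++ b/include/input.h
@@ -676,6 +676,7 @@ extern void GestureEmitGestureEndToOwner(DeviceIntPtr dev, GestureInfoPtr gi);
 extern void ProcessGestureEvent(InternalEvent *ev, DeviceIntPtr dev);
 
 /* misc event helpers */
+extern void CopyPartialInternalEvent(InternalEvent* dst_event, const InternalEvent* src_event);
 extern Mask GetEventMask(DeviceIntPtr dev, xEvent *ev, InputClientsPtr clients);
 extern Mask GetEventFilter(DeviceIntPtr dev, xEvent *event);
 extern Bool WindowXI2MaskIsset(DeviceIntPtr dev, WindowPtr win, xEvent *ev);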
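--- a/meson.build
+++ b/meson.build
@@ -3,10 +3,10 @@ project('xwayland', 'c',
 'buildtype=debugoptimized',
 'c_std=gnu99',
 ],
- version: '22.1.7',
+ version: '22.1.8',
 meson_version: '>= 0.47.0',
 )
-release_date = '2022-12-19'
+release_date = '2023-02-07'
 
 add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
 cc = meson.get_compiler('c')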