File bsc1218585-0002-dix-when-disabling-a-master-float-disabled-slaved-de.patch of Package xorg-x11-server.33212

From 1a5e3c3e68d4f965077ea6a40ba57cc0d5a4e8cb Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 5 Jan 2024 09:40:27 +1000
Subject: [PATCH xserver] dix: when disabling a master, float disabled slaved
 devices too

Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.

And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().

Related to CVE-2024-21886, ZDI-CAN-22840
---
 dix/devices.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Index: xorg-server-1.20.3/dix/devices.c
===================================================================
--- xorg-server-1.20.3.orig/dix/devices.c
+++ xorg-server-1.20.3/dix/devices.c
@@ -480,6 +480,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sen
                 flags[other->id] |= XISlaveDetached;
             }
         }
+
+        for (other = inputInfo.off_devices; other; other = other->next) {
+            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+                AttachDevice(NULL, other, NULL);
+                flags[other->id] |= XISlaveDetached;
+            }
+        }
     }
     else {
         for (other = inputInfo.devices; other; other = other->next) {
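Review bot: the new loop over inputInfo.off_devices carries no comment saying why already-disabled slaves also have to be floated, so the reason exists only in the commit message. A one-line comment above the loop tying it to the stale master reference would keep it from being removed as redundant later. It is also worth confirming that setting `flags[other->id] |= XISlaveDetached` for a device that is already on the off list results in the hierarchy notification clients are meant to see, since the visible lines treat it exactly like an enabled slave.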
@@ -1075,6 +1082,11 @@ CloseDownDevices(void)
         if (!IsMaster(dev) && !IsFloating(dev))
             dev->master = NULL;
     }
+
+    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+        if (!IsMaster(dev) && !IsFloating(dev))
+            dev->master = NULL;
+    }
 
     CloseDeviceList(&inputInfo.devices);
     CloseDeviceList(&inputInfo.off_devices);
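Review bot: the added loop in CloseDownDevices() is a copy of the loop directly above it with only the list head changed to inputInfo.off_devices, and nothing in the code says why it has to run before `CloseDeviceList(&inputInfo.off_devices)`. Consider a short comment stating that `dev->master` is cleared so that no disabled slave keeps a pointer to a master during teardown, or fold the two loops into one small helper that takes the list head so the `!IsMaster(dev) && !IsFloating(dev)` condition cannot drift between them.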