From f29b6fb07577395f9050fe352c76c83bb1b2a935 Mon Sep 17 00:00:00 2001
From: purplerain
Date: Thu, 4 Apr 2024 10:21:45 +0000
Subject: [PATCH] Need to use unswapped length to send reply in ProcXIGetSelectedEvents() (CVE-2024-31080) and ProcXiPassiveGrabDevice() (CVE-2024-31081)
---
 xserver/Xi/xipassivegrab.c | 15 ++++++++++++---
 xserver/Xi/xiselectev.c | 17 ++++++++++++++---
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/xserver/Xi/xipassivegrab.c b/xserver/Xi/xipassivegrab.c
index c9ac2f85..10ffcd68 100644
--- a/xserver/Xi/xipassivegrab.c
+++ b/xserver/Xi/xipassivegrab.c
@@ -247,9 +247,18 @@ ProcXIPassiveGrabDevice(ClientPtr client)
 }
 }
- WriteReplyToClient(client, sizeof(rep), &rep);
- if (rep.num_modifiers)
- WriteToClient(client, rep.length * 4, modifiers_failed);
+ if (client->swapped) {
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
+ uint32_t length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (length)
+ WriteToClient(client, length * 4, modifiers_failed);
+ }
+ else {
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+ WriteToClient(client, rep.length * 4, modifiers_failed);
+ }
 out:
 free(modifiers_failed);
diff --git a/xserver/Xi/xiselectev.c b/xserver/Xi/xiselectev.c
index edcb8a0d..acb46425 100644
--- a/xserver/Xi/xiselectev.c
+++ b/xserver/Xi/xiselectev.c
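Review bot: The two branches added in ProcXIPassiveGrabDevice differ only in where the byte count comes from, which leaves the swapped-client path as separate code that few sessions exercise. Reading the count before the reply is written covers every client with one path: `uint32_t length = rep.length;` ahead of `WriteReplyToClient(client, sizeof(rep), &rep);`, then `if (length) WriteToClient(client, length * 4, modifiers_failed);` (the declaration may have to sit with the function's other locals, which are outside the hunk). That also settles the guard, since the swapped branch tests `length` while the other still tests `rep.num_modifiers`, and the hunk does not show that the two are always zero together. The ProcXIGetSelectedEvents hunk in xiselectev.c has the same shape with `reply.length`, `reply.num_masks` and `buffer`.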
@@ -418,10 +418,21 @@ ProcXIGetSelectedEvents(ClientPtr client)
 }
 }
- WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ if (client->swapped) {
+ /* save the value before SRepXIGetSelectedEvents swaps it */
+ uint32_t length = reply.length;
- if (reply.num_masks)
- WriteToClient(client, reply.length * 4, buffer);
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (length)
+ WriteToClient(client, length * 4, buffer);
+ }
+ else {
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+ WriteToClient(client, reply.length * 4, buffer);
+ }
 free(buffer);
 return Success;