Need to use unswapped length to send reply in ProcXIGetSelectedEvents() (CVE-2024-31080) and ProcXiPassiveGrabDevice() (CVE-2024-31081)

2024-04-04 10:21:45 +00:00 · 2024-04-04 10:21:45 +00:00 · f29b6fb075
commit f29b6fb075
parent 5cf6ab0cf4
2 changed files with 26 additions and 6 deletions
--- a/xserver/Xi/xipassivegrab.c
+++ b/xserver/Xi/xipassivegrab.c
@ -247,9 +247,18 @@ ProcXIPassiveGrabDevice(ClientPtr client)
        }
    }
-    WriteReplyToClient(client, sizeof(rep), &rep);
+    if (client->swapped) {
-    if (rep.num_modifiers)
+        /* save the value before SRepXIPassiveGrabDevice swaps it */
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        uint32_t length = rep.length;
        WriteReplyToClient(client, sizeof(rep), &rep);
        if (length)
            WriteToClient(client, length * 4, modifiers_failed);
    }
    else {
        WriteReplyToClient(client, sizeof(rep), &rep);
        if (rep.num_modifiers)
            WriteToClient(client, rep.length * 4, modifiers_failed);
    }
 out:
    free(modifiers_failed);
--- a/xserver/Xi/xiselectev.c
+++ b/xserver/Xi/xiselectev.c
@ -418,10 +418,21 @@ ProcXIGetSelectedEvents(ClientPtr client)
        }
    }
-    WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+    if (client->swapped) {
        /* save the value before SRepXIGetSelectedEvents swaps it */
        uint32_t length = reply.length;
-    if (reply.num_masks)
+        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
-        WriteToClient(client, reply.length * 4, buffer);
+
        if (length)
            WriteToClient(client, length * 4, buffer);
    }
    else {
        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
        if (reply.num_masks)
            WriteToClient(client, reply.length * 4, buffer);
    }
    free(buffer);
    return Success;