author | Peter Hutterer <peter.hutterer@who-t.net> | 2023-12-21 13:48:10 +1000
---|---|---
committer | José Expósito <jose.exposito89@gmail.com> | 2024-01-16 09:57:55 +0100
commit | 8887cb1f27c72324b50383b644cefb960e21f5ff |
tree | c5c3bc7a7163013ef2629355471cdf33282c0e96 |
parent | 7173a8911ebeaa7c9c12bd64a2ba9c8685c6593c |
Xi: when creating a new ButtonClass, set the number of buttons

There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

(cherry picked from commit df3c65706eb169d5938df0052059f3e0d5981b74)
-rw-r--r-- | Xi/exevents.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c index 54ea11a93..e16171468 100644 --- a/Xi/exevents.c +++ b/Xi/exevents.c @@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) to->button = calloc(1, sizeof(ButtonClassRec)); if (!to->button) FatalError("[Xi] no memory for class shift.\n"); + to->button->numButtons = from->button->numButtons; } else classes->button = NULL; |
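Review bot: In DeepCopyPointerClasses, the new `to->button->numButtons = from->button->numButtons;` sits only inside the branch that allocates a fresh ButtonClassRec with calloc; the `else classes->button = NULL;` branch, which takes a class that already existed, gets no equivalent assignment in this hunk. If that reused class can carry a numButtons value that is stale or smaller than the source's, the mismatch described in the commit message would remain on that path, so either set numButtons on both paths or add a comment stating why the reused class is already correct. The added line also dereferences `from->button`, and the check that makes it non-NULL lies outside the visible context; it is worth confirming that the enclosing condition covers it. A one-line comment next to the assignment explaining why copying the source's count is sufficient (the reasoning currently lives only in the commit message) would help future readers.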