Xi: allocate enough XkbActions for our buttons

button->xkb_acts is supposed to be an array sufficiently large for all our buttons, not just a single XkbActions struct. Allocating insufficient memory here means when we memcpy() later in XkbSetDeviceInfo we write into memory that wasn't ours to begin with, leading to the usual security ooopsiedaisies. CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative (cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
author: Peter Hutterer <peter.hutterer@who-t.net> 2023-11-28 15:19:04 +1000
committer: Peter Hutterer <peter.hutterer@who-t.net> 2023-12-13 11:00:15 +1000
commit: a7bda3080d2b44eae668cdcec7a93095385b9652 (patch)
tree: f5f95bb9757ccabf38c305199a0c95a8b750a326
parent: 58e83c683950ac9e253ab05dd7a13a8368b70a3c (diff)
2 files changed, 16 insertions, 6 deletions
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3b..54ea11a93 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
         }
 
         if (from->button->xkb_acts) {
-            if (!to->button->xkb_acts) {
-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
-                if (!to->button->xkb_acts)
-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
-            }
+            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+                                                   maxbuttons,
+                                                   sizeof(XkbAction));
+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
             memcpy(to->button->xkb_acts, from->button->xkb_acts,
-                   sizeof(XkbAction));
+                   from->button->numButtons * sizeof(XkbAction));
         }
         else {
             free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index 5bf956ead..15e46a9a5 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
 
     if (master->button && master->button->numButtons != maxbuttons) {
         int i;
+        int last_num_buttons = master->button->numButtons;
+
         DeviceChangedEvent event = {
             .header = ET_Internal,
             .type = ET_DeviceChanged,
@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
         };
 
         master->button->numButtons = maxbuttons;
+        if (last_num_buttons < maxbuttons) {
+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+                                                       maxbuttons,
+                                                       sizeof(XkbAction));
+            memset(&master->button->xkb_acts[last_num_buttons],
+                   0,
+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+        }
 
         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
                sizeof(Atom));
author	Peter Hutterer <peter.hutterer@who-t.net>	2023-11-28 15:19:04 +1000
committer	Peter Hutterer <peter.hutterer@who-t.net>	2023-12-13 11:00:15 +1000
commit	a7bda3080d2b44eae668cdcec7a93095385b9652 (patch)
tree	f5f95bb9757ccabf38c305199a0c95a8b750a326
parent	58e83c683950ac9e253ab05dd7a13a8368b70a3c (diff)