36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
|
|
From: Michal Srb <msrb@suse.com>
|
|
Date: Wed, 24 May 2017 15:54:39 +0300
|
|
Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
|
|
|
|
Make sure that the xEvent eventT is initialized with zeros, the same way as
|
|
in SProcSendEvent.
|
|
|
|
Some event swapping functions do not overwrite all 32 bytes of xEvent
|
|
structure, for example XSecurityAuthorizationRevoked. Two cooperating
|
|
clients, one swapped and the other not, can send
|
|
XSecurityAuthorizationRevoked event to each other to retrieve old stack data
|
|
from X server. This can be potentialy misused to go around ASLR or
|
|
stack-protector.
|
|
|
|
Signed-off-by: Michal Srb <msrb@suse.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
|
|
index 11d8202..1cf118a 100644
|
|
--- a/Xi/sendexev.c
|
|
+++ b/Xi/sendexev.c
|
|
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
|
|
{
|
|
CARD32 *p;
|
|
int i;
|
|
- xEvent eventT;
|
|
+ xEvent eventT = { .u.u.type = 0 };
|
|
xEvent *eventP;
|
|
EventSwapPtr proc;
|
|
|
|
--
|
|
cgit v0.10.2
|
|
|