Diffstat (limited to 'package/x11r7/xserver_xorg-server/1.19.3/0004-Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch')
-rw-r--r-- | package/x11r7/xserver_xorg-server/1.19.3/0004-Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/package/x11r7/xserver_xorg-server/1.19.3/0004-Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch b/package/x11r7/xserver_xorg-server/1.19.3/0004-Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
new file mode 100644
index 0000000000..c15dc9f50c
--- /dev/null
+++ b/package/x11r7/xserver_xorg-server/1.19.3/0004-Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
@@ -0,0 +1,39 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: [PATCH] Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ Xi/sendexev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d82029f..1cf118ab6 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+
+--
+2.11.0
+ |
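Review bot: The new initializer `xEvent eventT = { .u.u.type = 0 };` in SProcXSendExtensionEvent names a single nested member, so whether all 32 bytes of the event are cleared depends on how the compiler handles the bytes that member does not cover. The definition of xEvent is not shown on this page, but if `u` is a union, C only guarantees initialization of the named member, and some compilers or option sets leave the remaining union bytes untouched. The leak described in the commit message comes from exactly those bytes that a swap function does not overwrite, so an explicit `memset(&eventT, 0, sizeof(eventT));` ahead of the swap call would make the fix independent of compiler version and flags. The body of the function continues outside the hunk, so the point where eventT is first written cannot be confirmed from here.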