Need to use unswapped length to send reply in ProcXIGetSelectedEvents() (CVE-2024-31080) and ProcXiPassiveGrabDevice() (CVE-2024-31081)

2024-04-04 10:21:45 +00:00 · 2024-04-04 10:21:45 +00:00 · f29b6fb075
parent 5cf6ab0cf4
commit f29b6fb075
2 changed files with 26 additions and 6 deletions
--- a/xserver/Xi/xipassivegrab.c
+++ b/xserver/Xi/xipassivegrab.c
@ -247,9 +247,18 @@ ProcXIPassiveGrabDevice(ClientPtr client)
        }
    }

-    WriteReplyToClient(client, sizeof(rep), &rep);
-    if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+    if (client->swapped) {
+        /* save the value before SRepXIPassiveGrabDevice swaps it */
+        uint32_t length = rep.length;
+        WriteReplyToClient(client, sizeof(rep), &rep);
+        if (length)
+            WriteToClient(client, length * 4, modifiers_failed);
+    }
+    else {
+        WriteReplyToClient(client, sizeof(rep), &rep);
+        if (rep.num_modifiers)
+            WriteToClient(client, rep.length * 4, modifiers_failed);
+    }

 out:
    free(modifiers_failed);
--- a/xserver/Xi/xiselectev.c
+++ b/xserver/Xi/xiselectev.c
@ -418,10 +418,21 @@ ProcXIGetSelectedEvents(ClientPtr client)
        }
    }

-    WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+    if (client->swapped) {
+        /* save the value before SRepXIGetSelectedEvents swaps it */
+        uint32_t length = reply.length;

-    if (reply.num_masks)
-        WriteToClient(client, reply.length * 4, buffer);
+        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+        if (length)
+            WriteToClient(client, length * 4, buffer);
+    }
+    else {
+        WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+        if (reply.num_masks)
+            WriteToClient(client, reply.length * 4, buffer);
+    }

    free(buffer);
    return Success;