xorg-x11-server-xwayland/0002-fix-CVE-2024-31081.patch

From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 28 Apr 2024 16:35:36 +0800
Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
CVE-2024-31081

Fixes: d220d690

 ("Xi: add GrabButton and GrabKeysym code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1463>
---
 Xi/xipassivegrab.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 2769fb7..c925e3c 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     GrabParameters param;
     void *tmp;
     int mask_len;
+    uint32_t length;
 
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         }
     }
 
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
     WriteReplyToClient(client, sizeof(rep), &rep);
     if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);
 
  out:
     free(modifiers_failed);
-- 
2.27.0
fix CVE-2024-31080 and CVE-2024-31081 2024-04-28 16:41:09 +08:00			`From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001`
			`From: Alan Coopersmith <alan.coopersmith@oracle.com>`
			`Date: Sun, 28 Apr 2024 16:35:36 +0800`
			`Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply`
			`CVE-2024-31081`

			`Fixes: d220d690`

			`("Xi: add GrabButton and GrabKeysym code.")`
			`Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>`
			`Part-of: <!1463>`
			`---`
			`Xi/xipassivegrab.c \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c`
			`index 2769fb7..c925e3c 100644`
			`--- a/Xi/xipassivegrab.c`
			`+++ b/Xi/xipassivegrab.c`
			`@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)`
			`GrabParameters param;`
			`void *tmp;`
			`int mask_len;`
			`+ uint32_t length;`

			`REQUEST(xXIPassiveGrabDeviceReq);`
			`REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,`
			`@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)`
			`}`
			`}`

			`+ /* save the value before SRepXIPassiveGrabDevice swaps it */`
			`+ length = rep.length;`
			`WriteReplyToClient(client, sizeof(rep), &rep);`
			`if (rep.num_modifiers)`
			`- WriteToClient(client, rep.length * 4, modifiers_failed);`
			`+ WriteToClient(client, length * 4, modifiers_failed);`

			`out:`
			`free(modifiers_failed);`
			`--`
			`2.27.0`