git.libre-soc.org Git - buildroot.git/blob

   1 From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
   2 From: Michal Srb <msrb@suse.com>
   3 Date: Wed, 24 May 2017 15:54:39 +0300
   4 Subject: [PATCH] Xi: Zero target buffer in SProcXSendExtensionEvent.
   5
   6 Make sure that the xEvent eventT is initialized with zeros, the same way as
   7 in SProcSendEvent.
   8
   9 Some event swapping functions do not overwrite all 32 bytes of xEvent
  10 structure, for example XSecurityAuthorizationRevoked. Two cooperating
  11 clients, one swapped and the other not, can send
  12 XSecurityAuthorizationRevoked event to each other to retrieve old stack data
  13 from X server. This can be potentialy misused to go around ASLR or
  14 stack-protector.
  15
  16 Signed-off-by: Michal Srb <msrb@suse.com>
  17 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  18 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  19 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  20 ---
  21  Xi/sendexev.c | 2 +-
  22  1 file changed, 1 insertion(+), 1 deletion(-)
  23
  24 diff --git a/Xi/sendexev.c b/Xi/sendexev.c
  25 index 11d82029f..1cf118ab6 100644
  26 --- a/Xi/sendexev.c
  27 +++ b/Xi/sendexev.c
  28 @@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
  29  {
  30      CARD32 *p;
  31      int i;
  32 -    xEvent eventT;
  33 +    xEvent eventT = { .u.u.type = 0 };
  34      xEvent *eventP;
  35      EventSwapPtr proc;
  36
  37 --
  38 2.11.0
  39