Xi: do not keep linked list pointer during recursion
The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list.
However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device.
This issue leads to a length mismatch between the total number of devices and the number of devices in the list, leading to a heap overflow and, possibly, to local privilege escalation.
Simplify the code that checked whether the device passed to DisableDevice() was in inputInfo.devices or not and find the previous device after the recursion.
ZDI-CAN-22840
This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: José Expósito <jexposit@redhat.com>
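
The stale-pointer pattern described in the commit message, as an added example that is not part of the commit or the X server source. It is a toy model: the `Dev` and `Lists` types, the `dep` field (a device that gets disabled first, standing in for the recursive call) and the `refind` switch are all assumptions made for illustration.

```c
#include <stdio.h>
/* Hypothetical toy model; not the X server's own structures. */
typedef struct Dev { struct Dev *next, *dep; } Dev;
typedef struct { Dev *devices, *off_devices; } Lists;

/* Return the address of the link that points at dev (or at the NULL tail). */
static Dev **find_link(Lists *l, Dev *dev) {
    Dev **prev = &l->devices;
    while (*prev && *prev != dev)
        prev = &(*prev)->next;
    return prev;
}

/* refind == 0 keeps prev across the recursion; refind == 1 looks it up again. */
static int disable(Lists *l, Dev *dev, int refind) {
    Dev **prev = find_link(l, dev);
    if (*prev != dev) return 0;        /* dev is not in the enabled list */
    if (dev->dep) {
        Dev *d = dev->dep;
        dev->dep = NULL;
        disable(l, d, refind);         /* may unlink the node prev points into */
    }
    if (refind) prev = find_link(l, dev);   /* the list may have changed */
    *prev = dev->next;                 /* unlink from devices */
    dev->next = l->off_devices;        /* push onto off_devices */
    l->off_devices = dev;
    return 1;
}

static int length(const Dev *d) {
    int n = 0;
    for (; d; d = d->next) n++;
    return n;
}

/* Constructed case: devices = A -> B -> C, and disabling B first disables A. */
int total_after_disable(int refind) {
    Dev c = { NULL, NULL }, b = { &c, NULL }, a = { &b, NULL };
    Lists l = { &a, NULL };
    b.dep = &a;
    disable(&l, &b, refind);
    return length(l.devices) + length(l.off_devices);
}

int main(void) {
    printf("stale prev: %d, re-found prev: %d (3 devices exist)\n",
           total_after_disable(0), total_after_disable(1));
    return 0;
}
```

With the stale pointer, the write through `prev` lands in the already-moved node, so both lists end up walking the same three nodes and the combined length no longer matches the number of devices that exist.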