From: Dave Airlie <[email protected]>

So when we VT switch back and attempt to flush the input devices, we don't succeed because evdev won't return part of an event, since we were only asking for 4 bytes, we'd only get -EINVAL back.
This could later cause events to be flushed that we shouldn't have gotten. This is a fix for CVE-2013-1940. Signed-off-by: Dave Airlie <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> Signed-off-by: Peter Hutterer <[email protected]> --- Corresponding bug is here: https://bugs.freedesktop.org/show_bug.cgi?id=63353 Original bug: https://bugzilla.redhat.com/CVE-2013-1940 Affected are all hotplugging-enabled servers using evdev. Synopsis: If an input device is hotplugged while a server is VT-switched away, the input received on the new device file is not flushed after the VT switch back to that server. This can lead to some events from the device being sent into the session. This issue was evaluated to be of low impact. I've pushed this to master as 6ca03b9161d33b1d2b55a3a1a913cf88deb2343f. hw/xfree86/os-support/shared/posix_tty.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c index ab3757a..4d08c1e 100644 --- a/hw/xfree86/os-support/shared/posix_tty.c +++ b/hw/xfree86/os-support/shared/posix_tty.c @@ -421,7 +421,8 @@ xf86FlushInput(int fd) { fd_set fds; struct timeval timeout; - char c[4]; + /* this needs to be big enough to flush an evdev event. */ + char c[256]; DebugF("FlushingSerial\n"); if (tcflush(fd, TCIFLUSH) == 0) -- 1.8.1.4
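
Review bot: The new size in "char c[256];" is a bare literal, and the comment above it says only that the buffer must be big enough for an evdev event without saying how large such an event is, so a reader cannot check that 256 is sufficient or notice if it ever stops being so. Consider a named constant whose comment states its relationship to the evdev event size. The read that consumes this buffer falls outside the hunk's context, so please confirm it passes sizeof(c) as the length rather than a hard-coded 4; otherwise enlarging the array alone would not change how many bytes are requested from the device.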
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
