merge upstream change 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1


Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
devices

The `XISendDeviceHierarchyEvent()` function allocates space to store up
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.

If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to `info`.

Since this case can occur for every device ID at once, a total of two
times `MAXDEVICES` info structures might be written to the allocation.

To avoid it, once one add/remove master is processed, send out the
device hierarchy event for the current state and continue. That event
thus only ever has exactly one of either added/removed in it (and
optionally slave attached/detached).

CVE-2024-21885, ZDI-CAN-22744

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

apply fixes for CVEs 2017-12176 to 2017-12187 to xorg-server 1.10.
several of the changes were in new code, and the DGA code had moved.

--
From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Sun, 21 Dec 2014 01:10:03 -0500
Subject: hw/xfree86: unvalidated lengths

This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
--
From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 7 Jul 2017 17:21:46 +0200
Subject: Xi: Test exact size of XIBarrierReleasePointer

Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
--
From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:09:14 -0500
Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
(CVE-2017-12177)

v2: Protect against integer overflow (Alan Coopersmith)
--
From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 11:43:05 -0500
Subject: xfixes: unvalidated lengths (CVE-2017-12183)

v2: Use before swap (Jeremy Huddleston Sequoia)

v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
--
From 859b08d523307eebde7724fd1a0789c44813e821 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Wed, 24 Dec 2014 16:22:18 -0500
Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
(CVE-2017-12178)
--
From 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 7 Jul 2017 17:04:03 +0200
Subject: os: Make sure big requests have sufficient length.

A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
--
From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:15:46 -0500
Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)

initial import of existing netbsd xorg-server 1.10 sources in the
xorg-server.old subdir.