CVE-2022-1215 安全更新:libinput存在格式化字符串错误漏洞.
This commit is contained in:
indira-bupt
parent
e80ee49528
commit
1a92bcb50a
|
|
@ -1,3 +1,9 @@
|
|||
libinput (1.20.0-ok3) yangtze; urgency=high
|
||||
|
||||
* konglingzi CVE-2022-1215 安全更新:libinput存在格式化字符串错误漏洞.
|
||||
|
||||
-- konglingzi <klz@bupt.edu.cn> Mon, 06 Mar 2023 11:44:39 +0800
|
||||
|
||||
libinput (1.20.0-ok2~0714) yangtze; urgency=medium
|
||||
|
||||
* close-cd #126196 外接键盘鼠标识别
|
||||
|
|
|
|||
|
|
@ -733,6 +733,7 @@ if get_option('tests')
|
|||
'test/litest-device-dell-canvas-totem-touch.c',
|
||||
'test/litest-device-elantech-touchpad.c',
|
||||
'test/litest-device-elan-tablet.c',
|
||||
'test/litest-device-format-string.c',
|
||||
'test/litest-device-generic-pressurepad.c',
|
||||
'test/litest-device-generic-singletouch.c',
|
||||
'test/litest-device-gpio-keys.c',
|
||||
|
|
|
|||
35
src/evdev.c
35
src/evdev.c
|
|
@ -2356,20 +2356,20 @@ evdev_device_create(struct libinput_seat *seat,
|
|||
struct libinput *libinput = seat->libinput;
|
||||
struct evdev_device *device = NULL;
|
||||
int rc;
|
||||
int fd;
|
||||
int fd = -1;
|
||||
int unhandled_device = 0;
|
||||
int unconfigured_device = 0;
|
||||
const char *devnode = udev_device_get_devnode(udev_device);
|
||||
const char *sysname = udev_device_get_sysname(udev_device);
|
||||
char *sysname = str_sanitize(udev_device_get_sysname(udev_device));
|
||||
|
||||
if (!devnode) {
|
||||
log_info(libinput, "%s: no device node associated\n", sysname);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (udev_device_should_be_ignored(udev_device)) {
|
||||
log_debug(libinput, "%s: device is ignored\n", sysname);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Use non-blocking mode so that we can loop on read on
|
||||
|
|
@ -2383,13 +2383,15 @@ evdev_device_create(struct libinput_seat *seat,
|
|||
sysname,
|
||||
devnode,
|
||||
strerror(-fd));
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!evdev_device_have_same_syspath(udev_device, fd))
|
||||
goto err;
|
||||
|
||||
device = zalloc(sizeof *device);
|
||||
device->sysname = sysname;
|
||||
sysname = NULL;
|
||||
|
||||
libinput_device_init(&device->base, seat);
|
||||
libinput_seat_ref(seat);
|
||||
|
|
@ -2412,6 +2414,9 @@ evdev_device_create(struct libinput_seat *seat,
|
|||
device->dispatch = NULL;
|
||||
device->fd = fd;
|
||||
device->devname = libevdev_get_name(device->evdev);
|
||||
/* the log_prefix_name is used as part of a printf format string and
|
||||
* must not contain % directives, see evdev_log_msg */
|
||||
device->log_prefix_name = str_sanitize(device->devname);
|
||||
device->scroll.threshold = 5.0; /* Default may be overridden */
|
||||
device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */
|
||||
device->scroll.direction = 0;
|
||||
|
|
@ -2454,13 +2459,15 @@ evdev_device_create(struct libinput_seat *seat,
|
|||
return device;
|
||||
|
||||
err:
|
||||
close_restricted(libinput, fd);
|
||||
if (device) {
|
||||
unhandled_device = device->seat_caps == 0;
|
||||
evdev_device_destroy(device);
|
||||
if (fd >= 0){
|
||||
close_restricted(libinput, fd);
|
||||
if (device) {
|
||||
unhandled_device = device->seat_caps == 0;
|
||||
evdev_device_destroy(device);
|
||||
}
|
||||
}
|
||||
if (unconfigured_device)
|
||||
return NULL;
|
||||
free(sysname);
|
||||
|
||||
return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL;
|
||||
}
|
||||
|
||||
|
|
@ -2473,7 +2480,7 @@ evdev_device_get_output(struct evdev_device *device)
|
|||
const char *
|
||||
evdev_device_get_sysname(struct evdev_device *device)
|
||||
{
|
||||
return udev_device_get_sysname(device->udev_device);
|
||||
return device->sysname;
|
||||
}
|
||||
|
||||
const char *
|
||||
|
|
@ -3069,7 +3076,9 @@ evdev_device_destroy(struct evdev_device *device)
|
|||
|
||||
if (device->base.group)
|
||||
libinput_device_group_unref(device->base.group);
|
||||
|
||||
|
||||
free(device->log_prefix_name);
|
||||
free(device->sysname);
|
||||
free(device->output_name);
|
||||
filter_destroy(device->pointer.filter);
|
||||
libinput_timer_destroy(&device->scroll.timer);
|
||||
|
|
|
|||
|
|
@ -169,6 +169,8 @@ struct evdev_device {
|
|||
struct udev_device *udev_device;
|
||||
char *output_name;
|
||||
const char *devname;
|
||||
char *log_prefix_name;
|
||||
char *sysname;
|
||||
bool was_removed;
|
||||
int fd;
|
||||
enum evdev_device_seat_capability seat_caps;
|
||||
|
|
@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device,
|
|||
sizeof(buf),
|
||||
"%-7s - %s%s%s",
|
||||
evdev_device_get_sysname(device),
|
||||
(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
|
||||
(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
|
||||
(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
|
||||
format);
|
||||
|
||||
|
|
@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device,
|
|||
sizeof(buf),
|
||||
"%-7s - %s%s%s",
|
||||
evdev_device_get_sysname(device),
|
||||
(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
|
||||
(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
|
||||
(priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
|
||||
format);
|
||||
|
||||
|
|
|
|||
|
|
@ -42,6 +42,7 @@
|
|||
#ifdef HAVE_XLOCALE_H
|
||||
#include <xlocale.h>
|
||||
#endif
|
||||
#include "util-macros.h"
|
||||
|
||||
static inline bool
|
||||
streq(const char *str1, const char *str2)
|
||||
|
|
@ -398,3 +399,31 @@ safe_basename(const char *filename);
|
|||
|
||||
char *
|
||||
trunkname(const char *filename);
|
||||
|
||||
/**
|
||||
* Return a copy of str with all % converted to %% to make the string
|
||||
* acceptable as printf format.
|
||||
*/
|
||||
static inline char *
|
||||
str_sanitize(const char *str)
|
||||
{
|
||||
if (!str)
|
||||
return NULL;
|
||||
|
||||
if (!strchr(str, '%'))
|
||||
return strdup(str);
|
||||
|
||||
size_t slen = min(strlen(str), 512);
|
||||
char *sanitized = zalloc(2 * slen + 1);
|
||||
const char *src = str;
|
||||
char *dst = sanitized;
|
||||
|
||||
for (size_t i = 0; i < slen; i++) {
|
||||
if (*src == '%')
|
||||
*dst++ = '%';
|
||||
*dst++ = *src++;
|
||||
}
|
||||
*dst = '\0';
|
||||
|
||||
return sanitized;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,56 @@
|
|||
|
||||
/*
|
||||
* Copyright © 2013 Red Hat, Inc.
|
||||
*
|
||||
* Permission is hereby granted, free of charge, to any person obtaining a
|
||||
* copy of this software and associated documentation files (the "Software"),
|
||||
* to deal in the Software without restriction, including without limitation
|
||||
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
* and/or sell copies of the Software, and to permit persons to whom the
|
||||
* Software is furnished to do so, subject to the following conditions:
|
||||
*
|
||||
* The above copyright notice and this permission notice (including the next
|
||||
* paragraph) shall be included in all copies or substantial portions of the
|
||||
* Software.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
||||
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
||||
* DEALINGS IN THE SOFTWARE.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#include "litest.h"
|
||||
#include "litest-int.h"
|
||||
|
||||
static struct input_id input_id = {
|
||||
.bustype = 0x3,
|
||||
.vendor = 0x0123,
|
||||
.product = 0x0456,
|
||||
};
|
||||
|
||||
static int events[] = {
|
||||
EV_KEY, BTN_LEFT,
|
||||
EV_KEY, BTN_RIGHT,
|
||||
EV_KEY, BTN_MIDDLE,
|
||||
EV_REL, REL_X,
|
||||
EV_REL, REL_Y,
|
||||
EV_REL, REL_WHEEL,
|
||||
EV_REL, REL_WHEEL_HI_RES,
|
||||
-1 , -1,
|
||||
};
|
||||
|
||||
TEST_DEVICE("mouse-format-string",
|
||||
.type = LITEST_MOUSE_FORMAT_STRING,
|
||||
.features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL,
|
||||
.interface = NULL,
|
||||
|
||||
.name = "Evil %s %d %x Mouse %p %",
|
||||
.id = &input_id,
|
||||
.absinfo = NULL,
|
||||
.events = events,
|
||||
)
|
||||
|
|
@ -321,6 +321,7 @@ enum litest_device_type {
|
|||
LITEST_SYNAPTICS_PRESSUREPAD,
|
||||
LITEST_GENERIC_PRESSUREPAD,
|
||||
LITEST_WACOM_ISDV4_524C_PEN,
|
||||
LITEST_MOUSE_FORMAT_STRING,
|
||||
};
|
||||
|
||||
#define LITEST_DEVICELESS -2
|
||||
|
|
|
|||
|
|
@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test)
|
|||
}
|
||||
END_TEST
|
||||
|
||||
START_TEST(strsanitize_test)
|
||||
{
|
||||
struct strsanitize_test {
|
||||
const char *string;
|
||||
const char *expected;
|
||||
} tests[] = {
|
||||
{ "foobar", "foobar" },
|
||||
{ "", "" },
|
||||
{ "%", "%%" },
|
||||
{ "%%%%", "%%%%%%%%" },
|
||||
{ "x %s", "x %%s" },
|
||||
{ "x %", "x %%" },
|
||||
{ "%sx", "%%sx" },
|
||||
{ "%s%s", "%%s%%s" },
|
||||
{ NULL, NULL },
|
||||
};
|
||||
|
||||
for (struct strsanitize_test *t = tests; t->string; t++) {
|
||||
char *sanitized = str_sanitize(t->string);
|
||||
ck_assert_str_eq(sanitized, t->expected);
|
||||
free(sanitized);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
|
||||
START_TEST(list_test_insert)
|
||||
{
|
||||
struct list_test {
|
||||
|
|
@ -1489,6 +1514,7 @@ litest_utils_suite(void)
|
|||
tcase_add_test(tc, strstrip_test);
|
||||
tcase_add_test(tc, strendswith_test);
|
||||
tcase_add_test(tc, strstartswith_test);
|
||||
tcase_add_test(tc, strsanitize_test);
|
||||
tcase_add_test(tc, time_conversion);
|
||||
tcase_add_test(tc, human_time);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue