From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Wed, 24 May 2017 15:54:39 +0300
Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.

Make sure that the xEvent eventT is initialized with zeros, the same way as
in SProcSendEvent.

Some event swapping functions do not overwrite all 32 bytes of xEvent
structure, for example XSecurityAuthorizationRevoked. Two cooperating
clients, one swapped and the other not, can send
XSecurityAuthorizationRevoked event to each other to retrieve old stack data
from X server. This can be potentialy misused to go around ASLR or
stack-protector.

Signed-off-by: Michal Srb <msrb@suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 11d8202..1cf118a 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
 {
     CARD32 *p;
     int i;
-    xEvent eventT;
+    xEvent eventT = { .u.u.type = 0 };
     xEvent *eventP;
     EventSwapPtr proc;
 
-- 
cgit v0.10.2

guix/log/m4'>log</a><a href='/guix/tree/m4?id=8150ebedb8b87bcc48649fa582474db65fed2268'>tree</a><a href='/guix/commit/m4?id=8150ebedb8b87bcc48649fa582474db65fed2268'>commit</a><a href='/guix/diff/m4?id=8150ebedb8b87bcc48649fa582474db65fed2268'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/m4'>
<input type='hidden' name='id' value='8150ebedb8b87bcc48649fa582474db65fed2268'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=8150ebedb8b87bcc48649fa582474db65fed2268'>root</a>/<a href='/guix/log/m4?id=8150ebedb8b87bcc48649fa582474db65fed2268'>m4</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/m4?id=8150ebedb8b87bcc48649fa582474db65fed2268&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2019-08-17 19:26:21 +0200'>2019-08-17</span></td><td><a href='/guix/commit/m4?id=611a64bd7e0893057cd04dcdc2a8d5e7ecc39e45'>build: 'GUIX_CHECK_GUILE_JSON' really checks for Guile-JSON 3.x.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2019-07-25 00:16:41 +0200'>2019-07-25</span></td><td><a href='/guix/commit/m4?id=81c3dc32244a17241d74eea9fa265edfcb326f6d'>maint: Switch to Guile-JSON 3.x.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2019-05-06 23:21:33 +0200'>2019-05-06</span></td><td><a href='/guix/commit/m4?id=fea338c6ca1922097fa233be85f424c152a4f507'>Add (guix lzlib).</a><span class='msg-avail'>...</span></td><td>Pierre Neidhardt</td></tr>
<tr><td><span title='2018-11-23 15:42:00 +0100'>2018-11-23</span></td><td><a href='/guix/commit/m4?id=60e1c1099fc3d73ed7d3235e71aae5d00ab7d773'>Update Guile-SQLite3 URL everywhere.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2018-09-04 17:25:11 +0200'>2018-09-04</span></td><td><a href='/guix/commit/m4?id=ca719424455465fca4b872c371daf2a46de88b33'>Switch to Guile-Gcrypt.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2018-06-01 15:35:15 +0200'>2018-06-01</span></td><td><a href='/guix/commit/m4?id=d59e75f3b5b82692bd250a1a3a9965397bb588c5'>build: Check for Guile-SQLite3.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2018-02-26 18:19:34 +0100'>2018-02-26</span></td><td><a href='/guix/commit/m4?id=1d84d7bf6052c0c80bd212d4524876576e9817d4'>build: Require Guile &gt;= 2.0.13.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2018-01-06 14:45:01 +0100'>2018-01-06</span></td><td><a href='/guix/commit/m4?id=142182514b84ee233bc27e574df2ca2074291525'>build: Detect broken 'equal?' in Guile 2.2.1.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (Expand)	Author
2019-08-17	build: 'GUIX_CHECK_GUILE_JSON' really checks for Guile-JSON 3.x....	Ludovic Courtès
2019-07-25	maint: Switch to Guile-JSON 3.x....	Ludovic Courtès
2019-05-06	Add (guix lzlib)....	Pierre Neidhardt
2018-11-23	Update Guile-SQLite3 URL everywhere....	Ludovic Courtès
2018-09-04	Switch to Guile-Gcrypt....	Ludovic Courtès
2018-06-01	build: Check for Guile-SQLite3....	Ludovic Courtès
2018-02-26	build: Require Guile >= 2.0.13....	Ludovic Courtès
2018-01-06	build: Detect broken 'equal?' in Guile 2.2.1....	Ludovic Courtès