From d7c1a9360ab1ccb70e152a96f16475ba23640951 Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Thu, 3 Jul 2025 09:32:41 +0800
Subject: [PATCH] [CVE] CVE-2024-21885 to #21820 add patch to fix CVE-2024-21885 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 101-bugfix-for-CVE-2024-21885.patch | 109 ++++++++++++++++++++++++++++
 tigervnc.spec | 7 +-
 2 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 101-bugfix-for-CVE-2024-21885.patch
diff --git a/101-bugfix-for-CVE-2024-21885.patch b/101-bugfix-for-CVE-2024-21885.patch
new file mode 100644
index 0000000..b9da09b
--- /dev/null
+++ b/101-bugfix-for-CVE-2024-21885.patch
@@ -0,0 +1,109 @@
+From a483b5c7724469309e3df427730cbb8b805b9c9f Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH xserver] Xi: flush hierarchy events after adding/removing
+ master devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/xichangehierarchy.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 01eb7a8af4..67eedddec6 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -340,6 +340,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+ size_t len; /* length of data remaining in request */
+ int rc = Success;
+ int flags[MAXDEVICES] = { 0 };
++ enum {
++ NO_CHANGE,
++ FLUSH,
++ CHANGED,
++ } changes = NO_CHANGE;
+
+ REQUEST(xXIChangeHierarchyReq);
+ REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -389,8 +394,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = add_master(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIRemoveMaster:
+ {
+ xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -399,8 +405,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = remove_master(client, r, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIDetachSlave:
+ {
+ xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -409,8 +416,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = detach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = CHANGED;
+ break;
++ }
+ case XIAttachSlave:
+ {
+ xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = attach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
++ changes = CHANGED;
++ break;
+ }
++ default:
+ break;
+ }
+
++ if (changes == FLUSH) {
++ XISendDeviceHierarchyEvent(flags);
++ memset(flags, 0, sizeof(flags));
++ changes = NO_CHANGE;
++ }
++
+ len -= any->length * 4;
+ any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+ }
+
+ unwind:
+-
+- XISendDeviceHierarchyEvent(flags);
++ if (changes != NO_CHANGE)
++ XISendDeviceHierarchyEvent(flags);
+ return rc;
+ }
+--
+2.43.0
+
diff --git a/tigervnc.spec b/tigervnc.spec
index 2fde9d1..87c9400 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 #defining macros needed by SELinux
 %global selinuxtype targeted
 %global modulename vncsession
@@ -29,6 +29,7 @@ Patch50: tigervnc-vncsession-restore-script-systemd-service.patch
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100: tigervnc-xserver120.patch
+Patch101: 101-bugfix-for-CVE-2024-21885.patch
 BuildRequires: make
 BuildRequires: gcc-c++
@@ -160,6 +161,7 @@ for all in `find . -type f -perm -001`; do
 chmod -x "$all"
 done
 %patch100 -p1 -b .xserver120-rebased
+%patch101 -p1 -b .101-bugfix-for-CVE-2024-21885
 popd
 # Downstream patches
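Review bot: The `if (changes == FLUSH)` block added after the switch in the embedded Xi/xichangehierarchy.c patch carries the whole fix, yet nothing in the new code states the invariant it protects, so a later refactor could batch the events again without noticing. I would add above it `/* Flush after every add/remove master: one hierarchy event must never hold both a removal and an addition for the same device ID, or more than MAXDEVICES info entries get written (CVE-2024-21885). */`. The bound is enforced only by this caller; whether XISendDeviceHierarchyEvent() checks its own write count is not visible here (ProcXIChangeHierarchy also starts outside these hunks), so any other caller should be checked against the same assumption. Separately, the last embedded hunk header reads `-495,16 +503,25` although the previous hunk covers old lines 409-416 and ends on the `xXIAttachSlaveInfo *c` declaration that this hunk's first line uses, so it presumably applies only by offset; confirm in the build log that it landed in the `XIAttachSlave` case.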
@@ -331,6 +333,9 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 %changelog
+* Thu Jul 03 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 1.13.1-3
+- Fix CVE-2024-21885
+
 * Wed May 21 2025 zhoujiajia111 - 1.13.1-2
 - Rebuild for remove inappropriate build dependencies.
--
Gitee