• Peter Hutterer's avatar
    evdev: strip the device name of format directives · a423d7d3
    Peter Hutterer authored
    This fixes a format string vulnerabilty.
    evdev_log_message() composes a format string consisting of a fixed
    prefix (including the rendered device name) and the passed-in format
    buffer. This format string is then passed with the arguments to the
    actual log handler, which usually and eventually ends up being printf.
    If the device name contains a printf-style format directive, these ended
    up in the format string and thus get interpreted correctly, e.g. for a
    device "Foo%sBar" the log message vs printf invocation ends up being:
      evdev_log_message(device, "some message %s", "some argument");
      printf("event9 - Foo%sBar: some message %s", "some argument");
    This can enable an attacker to execute malicious code with the
    privileges of the process using libinput.
    To exploit this, an attacker needs to be able to create a kernel device
    with a malicious name, e.g. through /dev/uinput or a Bluetooth device.
    To fix this, convert any potential format directives in t...