1 /*
2  * Copyright © 2017 Broadcom
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining a
5  * copy of this software and associated documentation files (the "Software"),
6  * to deal in the Software without restriction, including without limitation
7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8  * and/or sell copies of the Software, and to permit persons to whom the
9  * Software is furnished to do so, subject to the following conditions:
10  *
11  * The above copyright notice and this permission notice (including the next
12  * paragraph) shall be included in all copies or substantial portions of the
13  * Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
18  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21  * IN THE SOFTWARE.
22  */
23 
24 #include <unistd.h>
25 #include <stdlib.h>
26 #include <poll.h>
27 #include <xcb/xcb.h>
28 #include <xcb/bigreq.h>
29 #include <xcb/xinput.h>
30 
main(int argc,char ** argv)31 int main(int argc, char **argv)
32 {
33     xcb_connection_t *c = xcb_connect(NULL, NULL);
34     int fd = xcb_get_file_descriptor(c);
35 
36     struct {
37         uint8_t extension;
38         uint8_t opcode;
39         uint16_t length;
40         uint32_t length_bigreq;
41         uint32_t win;
42         int num_masks;
43         uint16_t pad;
44     } xise_req = {
45         .extension = 0,
46         .opcode = XCB_INPUT_XI_SELECT_EVENTS,
47         /* The server triggers BadValue on a zero num_mask */
48         .num_masks = 0,
49         .win = 0,
50 
51         /* This is the value that triggers the bug. */
52         .length_bigreq = 0,
53     };
54 
55     xcb_query_extension_cookie_t cookie;
56     xcb_query_extension_reply_t *rep;
57 
58     cookie = xcb_query_extension(c, 15, "XInputExtension");
59     rep = xcb_query_extension_reply(c, cookie, NULL);
60     xise_req.extension = rep->major_opcode;
61 
62     free(xcb_big_requests_enable_reply(c, xcb_big_requests_enable(c), NULL));
63 
64     /* Manually write out the bad request.  XCB can't help us here.*/
65     write(fd, &xise_req, sizeof(xise_req));
66 
67     /* Block until the server has processed our mess and throws an
68      * error. If we get disconnected, then the server has noticed what we're
69      * up to. If we get an error back from the server, it looked at our fake
70      * request - which shouldn't happen.
71      */
72     struct pollfd pfd = {
73         .fd = fd,
74         .events = POLLIN,
75     };
76     poll(&pfd, 1, -1);
77 
78     if (pfd.revents & POLLHUP) {
79         /* We got killed by the server for being naughty. Yay! */
80         return 0;
81     }
82 
83     /* We didn't get disconnected, that's bad. If we get a BadValue from our
84      * request, we at least know that the bug triggered.
85      *
86      * If we get anything else back, something else has gone wrong.
87      */
88     xcb_generic_error_t error;
89     int r = read(fd, &error, sizeof(error));
90 
91     if (r == sizeof(error) &&
92         error.error_code == 2 /* BadValue */  &&
93         error.major_code == xise_req.extension &&
94         error.minor_code == XCB_INPUT_XI_SELECT_EVENTS)
95         return 1; /* Our request was processed, which shouldn't happen */
96 
97     /* Something else bad happened. We got something back but it's not the
98      * error we expected. If this happens, it needs to be investigated. */
99 
100     return 2;
101 }
102