  1. Jul 12, 2022
    • xserver 21.1.4 · 6bf62381
      Povilas Kanapickas authored
    • xkb: add request length validation for XkbSetGeometry · 06b23ccc
      Peter Hutterer authored and Povilas Kanapickas committed
      
      No validation of the various fields on that report was done, so a
      malicious client could send a short request that claims it had N
      sections, or rows, or keys, and the server would process the request for
      N sections, running out of bounds of the actual request data.
      
      Fix this by adding size checks to ensure our data is valid.
      
      ZDI-CAN 16062, CVE-2022-2319.
      
      This vulnerability was discovered by:
      Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
      (cherry picked from commit 6907b6ea)
    • xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck · e3a53054
      Peter Hutterer authored and Povilas Kanapickas committed
      
      XKB often uses a FooCheck and Foo function pair, the former is supposed
      to check all values in the request and error out on BadLength,
      BadValue, etc. The latter is then called once we're confident the values
      are good (they may still fail on an individual device, but that's a
      different topic).
      
      In the case of XkbSetDeviceInfo, those functions were incorrectly
      named, with XkbSetDeviceInfo ending up as the checker function and
      XkbSetDeviceInfoCheck as the setter function. As a result, the setter
      function was called before the checker function, accessing request
      data and modifying device state before we ensured that the data is
      valid.
      
      In particular, the setter function relied on values being already
      byte-swapped. This in turn could lead to potential OOB memory access.
      
      Fix this by correctly naming the functions and moving the length checks
      over to the checker function. These were added in 87c64fc5 to the
      wrong function, probably due to the incorrect naming.
      
      Fixes ZDI-CAN 16070, CVE-2022-2320.
      
      This vulnerability was discovered by:
      Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
      
      Introduced in c06e27b2
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
      (cherry picked from commit dd8caf39)
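
The two XKB fixes above (request length validation for XkbSetGeometry, and running the checker before the setter for XkbSetDeviceInfo) share one pattern, shown here as an added example that is not xserver code. The wire format, DemoSetCheck, DemoSet and DemoHandleRequest are hypothetical, and both sample requests are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical wire format (not XKB's): little-endian u16 nSections, then per
 * section a u16 nKeys followed by nKeys one-byte key codes. Names are illustrative. */
enum { DEMO_OK = 0, DEMO_BAD_LENGTH = 1 };
typedef struct { unsigned sections, keys; } DemoDevice;

/* Constructed samples: a well-formed request, and a 4-byte one claiming 0xFFFF sections. */
const uint8_t good_req[]  = { 2, 0,  2, 0, 10, 11,  1, 0, 12 };
const uint8_t short_req[] = { 0xff, 0xff,  1, 0 };

static unsigned get_u16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Checker: validates every claimed count against the real length; touches no state. */
static int DemoSetCheck(const uint8_t *req, size_t len) {
    size_t off = 2;
    if (len < 2)
        return DEMO_BAD_LENGTH;
    for (unsigned s = 0, n = get_u16(req); s < n; s++) {
        if (len - off < 2)                  /* no room for this section's header */
            return DEMO_BAD_LENGTH;
        unsigned nKeys = get_u16(req + off);
        off += 2;
        if (len - off < nKeys)              /* claimed keys exceed the bytes left */
            return DEMO_BAD_LENGTH;
        off += nKeys;
    }
    return off == len ? DEMO_OK : DEMO_BAD_LENGTH;  /* trailing bytes rejected too */
}

/* Setter: reached only after the checker passed, so it may trust the counts. */
static void DemoSet(const uint8_t *req, DemoDevice *dev) {
    size_t off = 2;
    dev->sections = get_u16(req);
    dev->keys = 0;
    for (unsigned s = 0; s < dev->sections; s++) {
        dev->keys += get_u16(req + off);
        off += 2 + get_u16(req + off);
    }
}

/* Dispatch order is the point: check first, modify device state second. */
int DemoHandleRequest(const uint8_t *req, size_t len, DemoDevice *dev) {
    int rc = DemoSetCheck(req, len);
    if (rc == DEMO_OK)
        DemoSet(req, dev);
    return rc;
}
```
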
    • xkb: switch to array index loops to moving pointers · e7584056
      Peter Hutterer authored and Povilas Kanapickas committed
      
      Most similar loops here use a pointer that advances with each loop
      iteration, let's do the same here for consistency.
      
      No functional changes.
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
      Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
      (cherry picked from commit f1070c01)
  2. Jul 04, 2022
  3. Jul 02, 2022
  4. Jul 01, 2022
    • xfree86: Fix event data alignment in inputtest driver · 855b96a8
      Povilas Kanapickas authored
      
      This fixes address sanitizer errors when running unit tests. The
      additional copying may reduce performance by a small amount, but we
      don't care about that because this driver is used for testing only.
      
      Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
      (cherry picked from commit 7d2014e7)
    • dix: Don't send touch end to clients that do async grab without touches · 9d05ee10
      Povilas Kanapickas authored

      GTK3 menu widget creates a selection for touch and other events and
      after receiving touch events creates an async grab that excludes touch
      events. Unfortunately it relies on X server not sending the touch end
      event in order to function properly. Sending touch end event will cause
      it to think that the initiating touch ended and when it actually ends,
      the ButtonRelease event will make it think that the menu should be
      closed. As a result, the menu will be open only for the duration of the
      touch making it useless.
      
      This commit reverts f682e056.
      
      Fixes: #1255

      Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
      (cherry picked from commit 43e934a1)
    • dix: Correctly save replayed event into GrabInfoRec · b713e717
      Povilas Kanapickas authored

      When processing events we operate on InternalEvent pointers. They may
      actually refer to an instance of DeviceEvent, GestureEvent or any
      other event that comprises the InternalEvent union. This works well in
      practice because we always look into event type before doing anything,
      except in the case of copying the event.
      
      *dst_event = *src_event would copy whole InternalEvent event and would
      cause out of bounds read in case the pointed to event was not
      InternalEvent but e.g. DeviceEvent.
      
      This regression has been introduced in
      23a8b62d.
      
      Fixes #1261

      Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
      (cherry picked from commit 6ef5c057)
    • xkb: fix XkbSetMap when changing a keysym without changing a keytype · cd3d21d8
      Samuel Thibault authored and Povilas Kanapickas committed
      
      As the comment says:
      
      "symsPerKey/mapWidths must be filled regardless of client-side flags"
      
      so we always have to call CheckKeyTypes which will notably fill mapWidths
      and nTypes. That is needed for CheckKeySyms to work since it checks the
      width. Without it, any request with XkbKeySymsMask but not
      XkbKeyTypesMask will fail because of the missing width information, for
      instance this:
      
        XkbDescPtr xkb;
        if (!(xkb = XkbGetMap (dpy, XkbKeyTypesMask|XkbKeySymsMask, XkbUseCoreKbd))) {
          fprintf (stderr, "ERROR getting map\n");
          exit(1);
        }
        XFlush (dpy);
        XSync (dpy, False);
      
        XkbMapChangesRec changes = { .changed = 0 };
        int oneGroupType[XkbNumKbdGroups] = { XkbOneLevelIndex };
      
        if (XkbChangeTypesOfKey(xkb, keycode, 1, XkbGroup1Mask, oneGroupType, &changes)) {
          fprintf(stderr, "ERROR changing type of key\n");
          exit(1);
        }
        XkbKeySymEntry(xkb,keycode,0,0) = keysym;
      
        if (!XkbChangeMap(dpy,xkb,&changes)) {
          fprintf(stderr, "ERROR changing map\n");
          exit(1);
        }
      
        XkbFreeKeyboard (xkb, 0, TRUE);
        XFlush (dpy);
        XSync (dpy, False);
      
      This had been going under the radar since about ever until commit
      de940e06 ("xkb: fix key type index check
      in _XkbSetMapChecks") fixed checking the values of kt_index, which was
      previously erroneously ignoring errors and ignoring all other checks, just
      because nTypes was not set, precisely because CheckKeyTypes was not called.
      
      Note: yes, CheckKeyTypes is meant to be callable without XkbKeyTypesMask, it
      does properly check for that and just fills nTypes and mapWidths in that
      case.
      
      Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
      (cherry picked from commit 0217cc6e)
  5. Jun 26, 2022
    • XQuartz: Add TCC reason keys to Info.plist · 419fbf63
      Jeremy Huddleston Sequoia authored
      
      Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
      (cherry picked from commit 9ce72648)
    • XQuartz: Build the bundle trampoline when using meson · 66ac5009
      Jeremy Huddleston Sequoia authored
      
      This brings the change for e1fdc856 into meson based builds
      
      Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
      (cherry picked from commit b00cf4ae)
    • meson: Support building Xnest and Xorg on darwin · 033d93a0
      Jeremy Huddleston Sequoia authored
      
      Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
      (cherry picked from commit ef810156)
    • tests: Fix build failure from missing micmap.c · 433f53a1
      Jeremy Huddleston Sequoia authored
      
      FAILED: test/tests
      clang  -o test/tests test/tests.p/.._mi_miinitext.c.o test/tests.p/fixes.c.o test/tests.p/input.c.o test/tests.p/list.c.o test/tests.p/misc.c.o test/tests.p/signal-logging.c.o test/tests.p/string.c.o test/tests.p/test_xkb.c.o test/tests.p/tests-common.c.o test/tests.p/tests.c.o test/tests.p/touch.c.o test/tests.p/xfree86.c.o test/tests.p/xtest.c.o test/tests.p/hashtabletest.c.o -Wl,-dead_strip_dylibs -Wl,-headerpad_max_install_names -Wl,-undefined,error -fvisibility=hidden -O0 -g3 -gdwarf-2 -mmacosx-version-min=10.9 -Werror=unguarded-availability-new -Werror=format -Werror=objc-method-access -Werror=incompatible-pointer-types -F/Applications/Utilities/XQuartz.app/Contents/Frameworks -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.13.sdk -arch x86_64 -O0 -g3 -gdwarf-2 -mmacosx-version-min=10.9 -Werror=unguarded-availability-new -Werror=format -Werror=objc-method-access -Werror=incompatible-pointer-types -F/Applications/Utilities/XQuartz.app/Contents/Frameworks -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.13.sdk -arch x86_64 -Wl,-rpath,/opt/X11/lib mi/liblibxserver_mi.a dix/liblibxserver_dix.a composite/liblibxserver_composite.a damageext/liblibxserver_damageext.a dbe/liblibxserver_dbe.a randr/liblibxserver_randr.a miext/damage/liblibxserver_miext_damage.a render/liblibxserver_render.a present/liblibxserver_present.a Xext/liblibxserver_xext.a miext/sync/liblibxserver_miext_sync.a xfixes/liblibxserver_xfixes.a Xi/liblibxserver_xi.a xkb/liblibxserver_xkb.a record/liblibxserver_record.a os/liblibxserver_os.a os/liblibxlibc.a glx/liblibglxvnd.a hw/xfree86/common/libxorg_common.a hw/xfree86/loader/libxorg_loader.a hw/xfree86/ddc/libxorg_ddc.a hw/xfree86/xkb/libxorg_xkb.a hw/xfree86/i2c/libxorg_i2c.a hw/xfree86/modes/libxorg_modes.a hw/xfree86/os-support/libxorg_os_support.a hw/xfree86/parser/libxorg_parser.a hw/xfree86/ramdac/libxorg_ramdac.a fb/liblibxserver_fb.a Xext/liblibxserver_xext_vidmode.a dix/liblibxserver_main.a 
config/liblibxserver_config.a /opt/X11/lib/libpixman-1.dylib /opt/X11/lib/libxcvt.dylib /opt/X11/lib/libxkbfile.dylib /opt/X11/lib/libXfont2.dylib /opt/X11/lib/libXdmcp.dylib -lm /opt/X11/lib/libxshmfence.dylib -ldl -lpthread /opt/X11/lib/libXau.dylib /opt/X11/lib/libGL.dylib
      Undefined symbols for architecture x86_64:
        "_micmapScrPrivateKeyRec", referenced from:
            _DGAInstallCmap in libxorg_common.a(xf86DGA.c.o)
            _xf86HandleColormaps in libxorg_common.a(xf86cmap.c.o)
            _CMapInstallColormap in libxorg_common.a(xf86cmap.c.o)
            _CMapEnterVT in libxorg_common.a(xf86cmap.c.o)
            _CMapSwitchMode in libxorg_common.a(xf86cmap.c.o)
            _CMapSetDGAMode in libxorg_common.a(xf86cmap.c.o)
            _CMapChangeGamma in libxorg_common.a(xf86cmap.c.o)
            ...
      ld: symbol(s) not found for architecture x86_64
      
      Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
      (cherry picked from commit 6645ff59)
    • print_edid: Fix a format string error · afcaaac9
      Jeremy Huddleston Sequoia authored
      
      ../hw/xfree86/ddc/print_edid.c:511:20: error: format specifies type 'unsigned short' but the argument has type 'int' [-Werror,-Wformat]
                         det_mon->type - DS_VENDOR);
                         ^~~~~~~~~~~~~~~~~~~~~~~~~
      
      Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
      (cherry picked from commit 199b8c08)
  6. Jun 21, 2022
  7. Jun 20, 2022
  8. Jun 16, 2022
  9. Jun 15, 2022
  10. Jan 28, 2022
    • render: Fix build with gcc 12 · 53173fda
      Olivier Fourdan authored
      
      The xserver fails to compile with the latest gcc 12:
      
       render/picture.c: In function ‘CreateSolidPicture’:
       render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds]
        874 |     pPicture->pSourcePict->type = SourcePictTypeSolidFill;
            |                          ^~
       render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’
        868 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       render/picture.c: In function ‘CreateLinearGradientPicture’:
       render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
        906 |     pPicture->pSourcePict->linear.type = SourcePictTypeLinear;
            |                          ^~
       render/picture.c:899:45: note: object of size 32 allocated by ‘malloc’
        899 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       render/picture.c: In function ‘CreateConicalGradientPicture’:
       render/picture.c:989:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
        989 |     pPicture->pSourcePict->conical.type = SourcePictTypeConical;
            |                          ^~
       render/picture.c:982:45: note: object of size 32 allocated by ‘malloc’
        982 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       cc1: some warnings being treated as errors
       ninja: build stopped: subcommand failed.
      
      This is because gcc 12 has become stricter and raises a warning now.
      
      Fix the warning/error by allocating enough memory to store the union
      struct.
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Acked-by: Michel Dänzer <mdaenzer@redhat.com>
      Closes: xorg/xserver#1256
      (cherry picked from commit c6b0dcb8)
  11. Jan 19, 2022
  12. Jan 02, 2022
  13. Jan 01, 2022
    • glx/dri: Filter out fbconfigs that don't have a supported pixmap format · 001feb66
      Adam Jackson authored and Povilas Kanapickas committed

      For depth 30 in particular it's not uncommon for the DDX to not have
      a configured pixmap format. Since the client expects to back both
      GLXPixmaps and GLXPbuffers with X Pixmaps, trying to use an x2rgb10
      fbconfig would fail along various paths to CreatePixmap. Filter these
      fbconfigs out so the client can't ask for something that we know won't
      work.
      
      (cherry picked from commit f6c070a1)
  14. Dec 20, 2021
  15. Dec 19, 2021