  Jul 12, 2022
    • Bump version to 22.1.3 · 9542cb1a
      Olivier Fourdan authored
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    • xkb: add request length validation for XkbSetGeometry · 9e0957ae
      Peter Hutterer authored and Olivier Fourdan committed
      
      No validation of the various fields on that report was done, so a
      malicious client could send a short request that claims it had N
      sections, or rows, or keys, and the server would process the request for
      N sections, running out of bounds of the actual request data.
      
      Fix this by adding size checks to ensure our data is valid.
      
      ZDI-CAN 16062, CVE-2022-2319.
      
      This vulnerability was discovered by:
      Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
      (cherry picked from commit 6907b6ea)
    • xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck · 81d70e11
      Peter Hutterer authored and Olivier Fourdan committed
      
      XKB often uses a FooCheck and Foo function pair; the former is supposed
      to check all values in the request and error out on BadLength,
      BadValue, etc. The latter is then called once we're confident the values
      are good (they may still fail on an individual device, but that's a
      different topic).
      
      In the case of XkbSetDeviceInfo, those functions were incorrectly
      named, with XkbSetDeviceInfo ending up as the checker function and
      XkbSetDeviceInfoCheck as the setter function. As a result, the setter
      function was called before the checker function, accessing request
      data and modifying device state before we ensured that the data is
      valid.
      
      In particular, the setter function relied on values being already
      byte-swapped. This in turn could lead to potential OOB memory access.
      
      Fix this by correctly naming the functions and moving the length checks
      over to the checker function. These were added in 87c64fc5 to the
      wrong function, probably due to the incorrect naming.
      
      Fixes ZDI-CAN 16070, CVE-2022-2320.
      
      This vulnerability was discovered by:
      Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
      
      Introduced in c06e27b2
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
      (cherry picked from commit dd8caf39)
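One way to implement the validate-then-apply pattern the two xkb commits above describe, as an added example in C that is not xserver code: the request layout, the `geometry_check`/`geometry_set` names and the two sample requests are constructed for illustration, and the checker rejects a request that claims more sections than its bytes can hold before any setter runs.

```c
/* Added example, not xserver code: validate a nested variable-length request
 * before any state is touched, in the spirit of the XkbSetGeometry length checks
 * and the XkbSetDeviceInfoCheck/XkbSetDeviceInfo pairing. Constructed wire layout
 * (little-endian, NOT the real XKB format): header = u16 length in 4-byte units,
 * u16 n_sections; section = u16 n_rows; row = u16 n_keys then n_keys * 4 key bytes. */
#include <stddef.h>
#include <stdint.h>
enum { REQ_OK = 0, REQ_BAD_LENGTH = 1 };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static int take(const uint8_t **p, const uint8_t *end, size_t want)
{   /* advance *p by `want` bytes only if that many bytes were actually received */
    if ((size_t)(end - *p) < want) return 0;
    *p += want; return 1;
}
/* Checker: walk the claimed sections/rows/keys against the real byte count. */
int geometry_check(const uint8_t *req, size_t len, size_t *keys_out)
{
    const uint8_t *p = req, *end = req + len;
    size_t keys = 0;
    if (!take(&p, end, 4) || (size_t)rd16(req) * 4 != len) return REQ_BAD_LENGTH;
    uint16_t n_sections = rd16(req + 2);
    for (uint16_t s = 0; s < n_sections; s++) {
        if (!take(&p, end, 2)) return REQ_BAD_LENGTH;      /* claimed section absent */
        uint16_t n_rows = rd16(p - 2);
        for (uint16_t r = 0; r < n_rows; r++) {
            if (!take(&p, end, 2)) return REQ_BAD_LENGTH;  /* claimed row absent */
            uint16_t n_keys = rd16(p - 2);
            if (!take(&p, end, (size_t)n_keys * 4)) return REQ_BAD_LENGTH;
            keys += n_keys;
        }
    }
    if (p != end) return REQ_BAD_LENGTH;                   /* trailing bytes */
    if (keys_out) *keys_out = keys;
    return REQ_OK;
}

/* Setter: reached only after the checker passed, so it may trust the counts. */
int geometry_set(const uint8_t *req, size_t len, size_t *applied_keys)
{
    size_t keys;
    if (geometry_check(req, len, &keys) != REQ_OK) return REQ_BAD_LENGTH;
    *applied_keys = keys;                                  /* stand-in for a state update */
    return REQ_OK;
}

/* Constructed samples: well-formed, and one claiming 3 sections with bytes for one. */
static const uint8_t GOOD_REQ[16]  = {4,0, 1,0, 1,0, 2,0, 1,2,3,4, 5,6,7,8};
static const uint8_t SHORT_REQ[16] = {4,0, 3,0, 1,0, 2,0, 1,2,3,4, 5,6,7,8};
int demo_good(void)  { size_t k = 0;  return geometry_set(GOOD_REQ, 16, &k) == REQ_OK && k == 2; }
int demo_short(void) { size_t k = 99; return geometry_set(SHORT_REQ, 16, &k) == REQ_BAD_LENGTH && k == 99; }
```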
    • xkb: switch to array index loops to moving pointers · d76f4e20
      Peter Hutterer authored and Olivier Fourdan committed
      
      Most similar loops here use a pointer that advances with each loop
      iteration, let's do the same here for consistency.
      
      No functional changes.
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
      Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
      (cherry picked from commit f1070c01)
  Mar 24, 2022
    • xwayland: Always hook up frame_callback_list in xwl_present_queue_vblank · 1a7e4e72
      Michel Dänzer authored and Olivier Fourdan committed
      
      Even if there's no pending frame callback yet.
      
      Without this, if there was no pending frame callback yet in
      xwl_present_queue_vblank, xwl_present_msc_bump would only get called
      from xwl_present_timer_callback, resulting in the MSC ticking at ~58
      Hertz.
      
      Doing this requires some adjustments elsewhere:
      
      1. xwl_present_reset_timer needs to check for a pending frame callback
         as well.
      2. xwl_window_create_frame_callback needs to call
         xwl_present_reset_timer for all child windows hooked up to
         frame_callback_list, to make sure the timer length takes the pending
         frame callback into account.
      3. xwl_present_flip needs to hook up the window to frame_callback_list
         before calling xwl_window_create_frame_callback, for 2. to work.
      
      Closes: xorg/xserver#1309
      
      Fixes: 9b31358c ("xwayland: Use frame callbacks for Present vblank events")
      Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
      (cherry picked from commit 9e5a3796)
  Mar 15, 2022
    • xwayland: Clear timer_armed in xwl_present_unrealize_window · 88ed88e8
      Michel Dänzer authored and Olivier Fourdan committed
      
      Without this, xwl_present_reset_timer would call
      xwl_present_timer_callback if the timer was originally armed over a
      second ago. xwl_present_timer_callback would call xwl_present_msc_bump,
      which could end up hooking up the window to
      xwl_window->frame_callback_list again. This would lead to use-after-free
      in xwl_present_cleanup:
      
        Invalid write of size 8
          at 0x42B65C: __xorg_list_del (list.h:183)
          by 0x42B693: xorg_list_del (list.h:204)
          by 0x42C041: xwl_present_cleanup (xwayland-present.c:354)
          by 0x423669: xwl_destroy_window (xwayland-window.c:770)
          by 0x4FDDC5: compDestroyWindow (compwindow.c:620)
          by 0x5233FB: damageDestroyWindow (damage.c:1590)
          by 0x501C5F: DbeDestroyWindow (dbe.c:1326)
          by 0x4EF35B: FreeWindowResources (window.c:1018)
          by 0x4EF687: DeleteWindow (window.c:1086)
          by 0x4E24B3: doFreeResource (resource.c:885)
          by 0x4E2ED7: FreeClientResources (resource.c:1151)
          by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
        Address 0x12f44980 is 144 bytes inside a block of size 160 free'd
          at 0x48470E4: free (vg_replace_malloc.c:872)
          by 0x423115: xwl_unrealize_window (xwayland-window.c:621)
          by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
          by 0x4F3F5C: UnrealizeTree (window.c:2805)
          by 0x4F424B: UnmapWindow (window.c:2863)
          by 0x4EF58C: DeleteWindow (window.c:1075)
          by 0x4E24B3: doFreeResource (resource.c:885)
          by 0x4E2ED7: FreeClientResources (resource.c:1151)
          by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
          by 0x5E27EE: ClientReady (connection.c:599)
          by 0x5E6CB7: ospoll_wait (ospoll.c:657)
          by 0x5DE6CD: WaitForSomething (WaitFor.c:208)
        Block was alloc'd at
          at 0x4849464: calloc (vg_replace_malloc.c:1328)
          by 0x4229CE: ensure_surface_for_window (xwayland-window.c:439)
          by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
          by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
          by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
          by 0x4EDB3F: TraverseTree (window.c:441)
          by 0x4FC851: compSetPixmap (compwindow.c:151)
          by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
          by 0x4FC938: compCheckRedirect (compwindow.c:174)
          by 0x4FCD1D: compRealizeWindow (compwindow.c:274)
          by 0x4F36EC: RealizeTree (window.c:2606)
          by 0x4F39F5: MapWindow (window.c:2683)
      
      Fixes: 288ec0e0 ("xwayland/present: Run fallback timer callback after more than a second")
      Tested-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
      (cherry picked from commit 102764b6)
    • xwayland/present: Fix use-after-free in xwl_unrealize_window() · c5b89441
      Olivier Fourdan authored and Olivier Fourdan committed
      
      When a window is unrealized, Xwayland would destroy the Wayland surface
      prior to unrealizing the present window.
      
      xwl_present_flip() will then do a wl_surface_commit() of that surface,
      hence causing a use-after-free:
      
        Invalid read of size 8
          at 0x49F7FD4: wl_proxy_marshal_array_flags (wayland-client.c:852)
          by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
          by 0x42B877: wl_surface_commit (wayland-client-protocol.h:3914)
          by 0x42CAA7: xwl_present_flip (xwayland-present.c:717)
          by 0x42CD0E: xwl_present_execute (xwayland-present.c:783)
          by 0x42C26D: xwl_present_msc_bump (xwayland-present.c:416)
          by 0x42C2D1: xwl_present_timer_callback (xwayland-present.c:433)
          by 0x42BAC4: xwl_present_reset_timer (xwayland-present.c:149)
          by 0x42D1F8: xwl_present_unrealize_window (xwayland-present.c:945)
          by 0x4230E2: xwl_unrealize_window (xwayland-window.c:616)
          by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
          by 0x4F3F5C: UnrealizeTree (window.c:2805)
        Address 0x1390b8d8 is 24 bytes inside a block of size 80 free'd
          at 0x48470E4: free (vg_replace_malloc.c:872)
          by 0x49F8029: wl_proxy_destroy_caller_locks (wayland-client.c:523)
          by 0x49F8029: wl_proxy_marshal_array_flags (wayland-client.c:861)
          by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
          by 0x421984: wl_surface_destroy (wayland-client-protocol.h:3672)
          by 0x423052: xwl_unrealize_window (xwayland-window.c:599)
          by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
          by 0x4F3F5C: UnrealizeTree (window.c:2805)
          by 0x4F424B: UnmapWindow (window.c:2863)
          by 0x4EF58C: DeleteWindow (window.c:1075)
          by 0x4E24B3: doFreeResource (resource.c:885)
          by 0x4E2ED7: FreeClientResources (resource.c:1151)
          by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
        Block was alloc'd at
          at 0x4849464: calloc (vg_replace_malloc.c:1328)
          by 0x49F7F29: zalloc (wayland-private.h:233)
          by 0x49F7F29: proxy_create (wayland-client.c:422)
          by 0x49F7F29: create_outgoing_proxy (wayland-client.c:664)
          by 0x49F7F29: wl_proxy_marshal_array_flags (wayland-client.c:831)
          by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
          by 0x4218CA: wl_compositor_create_surface (wayland-client-protocol.h:1291)
          by 0x422A0D: ensure_surface_for_window (xwayland-window.c:445)
          by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
          by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
          by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
          by 0x4EDB3F: TraverseTree (window.c:441)
          by 0x4FC851: compSetPixmap (compwindow.c:151)
          by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
          by 0x4FC938: compCheckRedirect (compwindow.c:174)
      
      To avoid that, call xwl_present_unrealize_window() before destroying the
      Wayland surface.
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
      (cherry picked from commit 42113ab2)
    • Xwayland: Do not map the COW by default when rootless · b211df90
      Olivier Fourdan authored and Olivier Fourdan committed
      
      The composite overlay window (COW) can be queried from any X11 client,
      not just the X11 compositing manager.
      
      If a client tries to get the composite overlay window, the Xserver will
      map the window and block all pointer events (the window being mapped and
      on top of the stack).
      
      To avoid that issue, unset the "mapped" state of the composite overlay
      window once realized when Xwayland is running rootless.
      
      Note: All Xservers are actually affected by this issue, but with most
      regular X servers, the compositing manager will take care of dealing
      with the composite overlay window, and an X11 client using
      GetOverlayWindow() won't break pointer events for all X11 clients.
      Wayland compositors however usually run Xwayland rootless and have no
      use for the COW.
      
      v2: Avoid registering damage for the COW (Michel)
      v3: Remove the "mapped" test to avoid calling register_damage() if the
          COW is not mapped (Michel)
      
      Closes: xorg/xserver#1314
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
      (cherry picked from commit 47d33174)
  Jan 28, 2022
    • render: Fix build with gcc 12 · 1d98f8b7
      Olivier Fourdan authored
      
      The xserver fails to compile with the latest gcc 12:
      
       render/picture.c: In function ‘CreateSolidPicture’:
       render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds]
        874 |     pPicture->pSourcePict->type = SourcePictTypeSolidFill;
            |                          ^~
       render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’
        868 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       render/picture.c: In function ‘CreateLinearGradientPicture’:
       render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
        906 |     pPicture->pSourcePict->linear.type = SourcePictTypeLinear;
            |                          ^~
       render/picture.c:899:45: note: object of size 32 allocated by ‘malloc’
        899 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       render/picture.c: In function ‘CreateConicalGradientPicture’:
       render/picture.c:989:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
        989 |     pPicture->pSourcePict->conical.type = SourcePictTypeConical;
            |                          ^~
       render/picture.c:982:45: note: object of size 32 allocated by ‘malloc’
        982 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       cc1: some warnings being treated as errors
       ninja: build stopped: subcommand failed.
      
      This is because gcc 12 has become stricter and raises a warning now.
      
      Fix the warning/error by allocating enough memory to store the union
      struct.
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Acked-by: Michel Dänzer <mdaenzer@redhat.com>
      Closes: xorg/xserver#1256
      (cherry picked from commit c6b0dcb8)