- Dec 17, 2024
-
-
Matt Turner authored
Part-of: <!1753>
-
```
../hw/xfree86/common/xf86sbusBus.c: In function ‘xf86SbusConfigureNewDev’:
../hw/xfree86/common/xf86sbusBus.c:751:21: error: passing argument 1 of ‘XNFasprintf’ from incompatible pointer type [-Wincompatible-pointer-types]
  751 |         XNFasprintf(&GDev->busID, "SBUS:%s", promPath);
      |                     ^~~~~~~~~~~~
      |                     |
      |                     const char **
```

Apply the same fix as in commit e1e01d2e ("xfree86/common: Warning fixes. Mostly const string handling.")

(cherry picked from commit bdacb100)
Part-of: <!1752>
-
- Dec 02, 2024
-
-
Xorg server does not correctly select the DCP for the display without a quirk on Apple Silicon.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
Suggested-by: Hector Martin <marcan@marcan.st>
(cherry picked from commit 39934a65)
Part-of: <!1746>
-
- Oct 31, 2024
-
-
Alan Coopersmith authored
Needed to build with IPv6 disabled using gcc 14 on some platforms to avoid:

```
In file included from /usr/X11/include/X11/Xtrans/transport.c:67,
                 from xstrans.c:17:
/usr/X11/include/X11/Xtrans/Xtranssock.c: In function ‘_XSERVTransSocketOpen’:
/usr/X11/include/X11/Xtrans/Xtranssock.c:467:28: error: passing argument 5 of ‘getsockopt’ from incompatible pointer type [-Wincompatible-pointer-types]
  467 |             (char *) &val, &len) == 0 && val < 64 * 1024)
      |                            ^~~~
      |                            |
      |                            size_t * {aka long unsigned int *}
```

(Backport to xserver-21.1-branch of commit a1b5aa5a. Backport adds autoconf equivalent to meson change from master branch.)

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1737>
-
- Oct 30, 2024
-
-
When IPv6 support isn't enabled, and h_addr isn't defined, there is no for loop, so the break statement is invalid.

Signed-off-by: Joaquim Monteiro <joaquim.monteiro@protonmail.com>
(cherry picked from commit a6a993f9)
Part-of: <!1737>
-
struct hostent->h_addr_list is of type char**, not const char**. GCC considers this an error when in C99 mode or later.

Signed-off-by: Joaquim Monteiro <joaquim.monteiro@protonmail.com>
(cherry picked from commit 0ddcd878)
Part-of: <!1737>
-
- Oct 29, 2024
-
-
José Expósito authored
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <!1734>
-
The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer.

However, it didn't update its size properly. It updated `num_si` only, without updating `size_si`.

This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

CVE-2024-9632, ZDI-CAN-24756

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit 85b77657)
Part-of: <!1734>
-
- Oct 22, 2024
-
-
```
$ echo "#foo\nfoo" > custom_config
$ X -config custom_config
```

will trigger the double free because the contents of xf86_lex_val.str have been realloc()ed already when free is called in read.c:209.

This copies the lex token and adds all the necessary free() calls to avoid leaking it

(cherry picked from commit fbc034e8)
Part-of: <!1719>
-
- Oct 12, 2024
-
-
Xnest fails to properly pass through expose events: the coordinates are miscalculated in xnestCollectExposures(), before miSendExposures() is called.

Closes: #1735
Closes: #132
Fixes: 605e6764 - Fix Motif menu drawing in Xnest
Backport-Of: !1397
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1651>
-
- Oct 11, 2024
-
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9c9e1afe)
Part-of: <!1717>
-
Clears warning from gcc 14.1:

```
../dix/devices.c: In function ‘GetPairedDevice’:
../dix/devices.c:2734:15: warning: dereference of NULL ‘dev’ [CWE-476] [-Wanalyzer-null-dereference]
 2734 |     return dev->spriteInfo? dev->spriteInfo->paired: NULL;
      |            ~~~^~~~~~~~~~~~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit e6fc0861)
Part-of: <!1717>
-
Clears warning from gcc 14.1:

```
../dix/resource.c: In function ‘HashResourceID’:
../dix/resource.c:691:44: warning: left shift of negative value [-Wshift-negative-value]
  691 |     return (id ^ (id >> numBits)) & ~((~0) << numBits);
      |                                            ^~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 26a7ab09)
Part-of: <!1717>
-
No real harm, but clears warning from gcc 14.1:

```
../dix/property.c: In function ‘ProcListProperties’:
..//dix/property.c:605:27: warning: dereference of NULL ‘temppAtoms’ [CWE-476] [-Wanalyzer-null-dereference]
  605 |             *temppAtoms++ = pProp->propertyName;
      |             ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 39f337fd)
Part-of: <!1717>
-
It shouldn't matter, since it would have a length of 0, but it clears warnings from gcc 14.1:

```
../dix/property.c: In function ‘dixChangeWindowProperty’:
../dix/property.c:287:9: warning: use of possibly-NULL ‘data’ where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
  287 |         memcpy(data, value, totalSize);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../dix/property.c:324:13: warning: use of possibly-NULL ‘data’ where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
  324 |             memcpy(data, value, totalSize);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 10cafd0b)
Part-of: <!1717>
-
Clears warning from gcc 14.1:

```
../dix/ptrveloc.c: In function ‘InitPredictableAccelerationScheme’:
../dix/ptrveloc.c:149:9: warning: leak of ‘<unknown>’ [CWE-401] [-Wanalyzer-malloc-leak]
  149 |         free(vel);
      |         ^~~~~~~~~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 462d13c2)
Part-of: <!1717>
-
Clears warning from gcc 14.1:

```
../dix/gc.c: In function ‘CreateScratchGC’:
../dix/gc.c:818:28: warning: dereference of NULL ‘pGC’ [CWE-476] [-Wanalyzer-null-dereference]
  818 |     pGC->graphicsExposures = FALSE;
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7ee3a520)
Part-of: <!1717>
-
Clears 7 -Wimplicit-fallthrough warnings from gcc 14.1

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0cb826e3)
Part-of: <!1717>
-
Clears warning from gcc 14.1:

```
../dix/dixfonts.c: In function ‘SetFontPath’:
../dix/dixfonts.c:1697:28: warning: use of uninitialized value ‘bad’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
 1697 |         client->errorValue = bad;
      |         ~~~~~~~~~~~~~~~~~~~^~~~~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 1a86fba0)
Part-of: <!1717>
-
Clears warning from gcc 14.1:

```
../dix/dixfonts.c:1352:15: warning: use of uninitialized value ‘*c.data’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
 1352 |         free(c->data);
      |              ~^~~~~~
```

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d78836a3)
Part-of: <!1717>
-
Clears up 12 -Wanalyzer-possible-null-dereference warnings from gcc 14.1

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 25762834)
Part-of: <!1717>
-
- Oct 10, 2024
-
-
For 24 and 32 bit depth pictures xserver uses PICT_x8r8g8b8 and PICT_a8r8g8b8 formats, which must be backed with GL_BGRA format. It is present in OpenGL ES 2.0 only with GL_EXT_texture_format_BGRA8888 extension. We require such extension in glamor_init, so, why not to make use of it?

Fixes #1208
Fixes #1354

Signed-off-by: Konstantin Pugin <ria.freelander@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Emma Anholt <emma@anholt.net>
(cherry picked from commit 24cd5f34)
Part-of: <!1546>
-
- Sep 01, 2024
- Aug 23, 2024
-
-
Enrico Weigelt, metux IT consult authored
It's safer to zero-out the cursor-private memory on allocation, instead of relying on being cleared initialized somewhere later.

Fixes: 3f3ff971 - Replace X-allocation functions with their C89 counterparts
Backport-Of: !1652
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1653>
-
- Jul 23, 2024
-
-
Olivier Fourdan authored
The SDK does not need libxcvt, only Xorg and Xwayland do.

Closes: #1721
Fixes: a4ab57cb - build: Add dependency on libxcvt
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <!1618>
-
- May 12, 2024
-
-
Fix a compilation error on 32 bits architectures with gcc 14:

```
ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int, void *)’} [-Wincompatible-pointer-types]
  154 |     adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
      |                               ^
ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int *, void *)’} [-Wincompatible-pointer-types]
  155 |     adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
      |                               ^
```

Build error logs: https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273

Signed-off-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit e89edec4)
Part-of: <!1532>
-
- Apr 12, 2024
-
-
Matt Turner authored
Signed-off-by: Matt Turner <mattst88@gmail.com>
-
- Apr 09, 2024
-
-
Olivier Fourdan authored
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and then frees it using FreeGlyph() to decrease the reference count, after AddGlyph() has increased it.

AddGlyph() however may choose to reuse an existing glyph if it's already in the glyphSet, and free the glyph that was given, in which case the caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an already freed glyph, as reported by ASan:

```
READ of size 4 thread T0
  #0 in FreeGlyph xserver/render/glyph.c:252
  #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
  #2 in Dispatch xserver/dix/dispatch.c:546
  #3 in dix_main xserver/dix/main.c:271
  #4 in main xserver/dix/stubmain.c:34
  #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  #6 in __libc_start_main_impl ../csu/libc-start.c:360
  #7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
  #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
  #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
  #2 in AddGlyph xserver/render/glyph.c:295
  #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
  #4 in Dispatch xserver/dix/dispatch.c:546
  #5 in dix_main xserver/dix/main.c:271
  #6 in main xserver/dix/stubmain.c:34
  #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
  #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
  #1 in AllocateGlyph xserver/render/glyph.c:355
  #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
  #3 in Dispatch xserver/dix/dispatch.c:546
  #4 in dix_main xserver/dix/main.c:271
  #5 in main xserver/dix/stubmain.c:34
  #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
```

To avoid that, make sure not to free the given glyph in AddGlyph().

v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)

Fixes: bdca6c3d - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: #1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <!1476>
(cherry picked from commit 337d8d48)
-
- Apr 05, 2024
-
-
Fixes: #577

This patch replaces the instances of trunc in miPointerSetPosition by floor, thereby removing the incorrect behaviour with subpixel pointer locations between -1 and 0.

This is the relevant code fragment:

```
    /* In the event we actually change screen or we get confined, we just
     * drop the float component on the floor
     * FIXME: only drop remainder for ConstrainCursorHarder, not for screen
     * crossings */
    if (x != trunc(*screenx))
        *screenx = x;
    if (y != trunc(*screeny))
        *screeny = y;
```

The behaviour of this code does not match its comment for subpixel coordinates between -1 and 0. For example, if *screenx is -0.5, the preceding code would (correctly) clamp x to 0, but this would not be detected by this condition, since 0 == trunc(-0.5), leaving *screenx at -0.5, out of bounds.

This causes undesirable behaviour in GTK3 code using xi2, where negative subpixel coordinates like this would (to all appearances randomly) remove the focus from windows aligned with the zero boundary when the mouse hits the left or top screen boundaries.

The other occurrences of trunc in miPointerSetPosition have a more subtle effect which would prevent proper clamping if there is a pointer limit at a negative integer rather than at 0. This patch changes these to floor for consistency.

Signed-off-by: Willem Jan Palenstijn <wjp@usecode.org>
Part-of: <!1451>
(cherry picked from commit 0ee4ed28)
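
The mismatch described in the commit message above, modelled as an added example (not code from the xserver tree): `set_position()` is a hypothetical single-axis reduction of the logic in miPointerSetPosition, and `round_trunc`/`round_floor` are local stand-ins for trunc() and floor(). It covers both the zero boundary and the negative-limit case the message mentions.

```c
#include <stdio.h>

/* Local stand-ins for trunc() and floor() so the block builds without libm;
 * valid for the small magnitudes used here. */
static double round_trunc(double v) { return (double)(long)v; }
static double round_floor(double v)
{
    double t = (double)(long)v;
    return t > v ? t - 1.0 : t;
}

typedef double (*round_fn)(double);

/* Hypothetical model of one axis of miPointerSetPosition(): derive the integer
 * pixel, confine it to [min, max], then resync the subpixel value with the
 * check quoted in the commit message. Returns the resulting *screenx. */
static double set_position(double screenx, int min, int max, round_fn rnd)
{
    int x = (int)rnd(screenx);

    if (x < min) x = min;          /* confinement of the integer coordinate */
    if (x > max) x = max;

    if (x != rnd(screenx))         /* did confinement move the pointer? */
        screenx = x;               /* yes: drop the fractional part */
    return screenx;
}

int main(void)
{
    /* Constructed inputs: {subpixel position, lower limit} */
    const double cases[][2] = { { -0.5, 0 }, { -3.5, -3 }, { 10.25, 0 } };

    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        double in = cases[i][0];
        int min = (int)cases[i][1];
        printf("in=%6.2f min=%3d  trunc -> %6.2f  floor -> %6.2f\n",
               in, min,
               set_position(in, min, 1919, round_trunc),
               set_position(in, min, 1919, round_floor));
    }
    return 0;
}
```

With the trunc variant the first two inputs come back unchanged and below their limit; with floor they are pulled onto the limit, and in-range positions keep their fractional part either way.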
-
- Apr 03, 2024
-
-
Povilas Kanapickas authored
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
-
Previously, AllocateGlyph would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs.

AddGlyph may free a glyph, resulting in a UAF when the same glyph pointer is then later used.

Fix this by returning a refcount of 1 for a new glyph and always incrementing the refcount for a re-used glyph, followed by dropping that refcount back down again when we're done with it.

CVE-2024-31083, ZDI-CAN-22880

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Part-of: <!1463>
(cherry picked from commit bdca6c3d)
-
CVE-2024-31082

Fixes: 14205ade ("XQuartz: appledri: Fix byte swapping in replies")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1463>
(cherry picked from commit 6c684d03)
-
CVE-2024-31081

Fixes: d220d690 ("Xi: add GrabButton and GrabKeysym code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1463>
(cherry picked from commit 3e77295f)
-
CVE-2024-31080

Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
Fixes: 53e821ab ("Xi: add request processing for XIGetSelectedEvents.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1463>
(cherry picked from commit 96798fc1)
-
- Mar 27, 2024
-
-
Otherwise it causes the server to return BadDrawable giving a byte-swapped resource id instead of the real id the client sent.

Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
Fixes: 397dfd9f ("Create/Destroy/Trigger/Reset/Query Fence Sync objs")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

---
(cherry picked from commit e6573baa)
Part-of: <!1438>
-
- Mar 23, 2024
-
-
The X server swapping code is a huge attack surface, much of this code is untested and prone to security issues. The use-case of byte-swapped clients is very niche, so allow users to disable this if they don't need it, using either a config option or commandline flag.

For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "off".
For all DDX, this adds the commandline options +byteswappedclients and -byteswappedclients to enable or disable, respectively.

Fixes #1201

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

---
(cherry picked from commit 41277766)
(cherry picked from commit af5cd5ac)

Backport to server-21.1-branch modified to keep byte-swapping enabled by default but easy to disable by users or admins (or even by distros shipping an xorg.conf.d fragment in their packages).

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1440>
-