1. 02 Aug, 2022 1 commit
  2. 27 Jul, 2022 1 commit
    • dix: Fix overzealous caching of ResourceClientBits() · 2efa6d65
      Olivier Fourdan authored
      Commit c7311654 cached the value of ResourceClientBits(), but that value
      depends on the `MaxClients` value set either from the command line or
      from the configuration file.
      
      For the latter, a call to ResourceClientBits() is issued before the
      configuration file is read, meaning that the cached value is from the
      default, not from the maximum number of clients set in the configuration
      file.
      
      That obviously causes all sorts of issues, including memory corruption
      and crashes of the Xserver when reaching the default limit value.
      
      To avoid that issue, also keep the LimitClient value, and recompute the
      ilog2() value if that changes, as on startup when the value is set from
      the xorg.conf ServerFlags section.
      
      v2: Drop the `cache == 0` test
          Rename cache vars
      
      Fixes: c7311654 - dix: cache ResourceClientBits() value
      Closes: #1310
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Adam Jackson ...
  3. 26 Jul, 2022 1 commit
    • xwayland: Fix "-force-xrandr-emulation" · 24d7d93f
      Olivier Fourdan authored
      Commit 7cdcdfea introduced a new command line option
      "-force-xrandr-emulation", however it is missing from the
      ddxProcessArgument().
      
      As a result, trying to use that command option would result in an error:
      
      (EE) Unrecognized option: -force-xrandr-emulation
      
      Make sure "-force-xrandr-emulation" is accounted for in Xwayland's
      ddxProcessArgument().
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Fixes: 7cdcdfea - xwayland: Add -force-xrandr-emulation switch
  4. 13 Jul, 2022 4 commits
  5. 12 Jul, 2022 2 commits
    • xkb: add request length validation for XkbSetGeometry · 6907b6ea
      Peter Hutterer authored and Povilas Kanapickas committed
      No validation of the various fields on that report was done, so a
      malicious client could send a short request that claims it had N
      sections, or rows, or keys, and the server would process the request for
      N sections, running out of bounds of the actual request data.
      
      Fix this by adding size checks to ensure our data is valid.
      
      ZDI-CAN 16062, CVE-2022-2319.
      
      This vulnerability was discovered by:
      Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    • xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck · dd8caf39
      Peter Hutterer authored and Povilas Kanapickas committed
      XKB often uses a FooCheck and Foo function pair, the former is supposed
      to check all values in the request and error out on BadLength,
      BadValue, etc. The latter is then called once we're confident the values
      are good (they may still fail on an individual device, but that's a
      different topic).
      
      In the case of XkbSetDeviceInfo, those functions were incorrectly
      named, with XkbSetDeviceInfo ending up as the checker function and
      XkbSetDeviceInfoCheck as the setter function. As a result, the setter
      function was called before the checker function, accessing request
      data and modifying device state before we ensured that the data is
      valid.
      
      In particular, the setter function relied on values being already
      byte-swapped. This in turn could lead to potential OOB memory access.
      
      Fix this by correctly naming the functions and moving the length checks
      over to the checker function. These were added in 87c64fc5 to the
      wrong function, probably due to the incorrect naming.
      
      Fixes ZDI-CAN 16070, CVE-2022-2320.
      
      This vulnerability was discovered by:
      Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
      
      Introduced in c06e27b2
      
      Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  6. 08 Jul, 2022 4 commits
  7. 04 Jul, 2022 1 commit
  8. 02 Jul, 2022 2 commits
  9. 01 Jul, 2022 7 commits
  10. 30 Jun, 2022 17 commits