Enrico Weigelt, metux IT consult . authored 1 week ago and Marge Bot committed 1 week ago

make it a bit easier to diffenciate from other symbols by
adding a prefix to their names.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1837>

Enrico Weigelt, metux IT consult . authored 1 week ago and Marge Bot committed 1 week ago

These aren't used anywhere in modules or outside DIX & XI, so
no need to keep them in public API any longer.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1837>

When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.

As a result, replaying the events will cause a use after free.

To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.

CVE-2025-26600, ZDI-CAN-25871

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <!1828>

Peter Hutterer authored 3 months ago and Olivier Fourdan committed 2 weeks ago

CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.

Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.

Related to CVE-2025-26594, ZDI-CAN-25544

Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <!1828>

If a cursor reference count drops to 0, the cursor is freed.

The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.

Make sure to prevent the rootCursor from being explicitly freed by a
client.

CVE-2025-26594, ZDI-CAN-25544

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <!1828>

Enrico Weigelt, metux IT consult . authored 3 weeks ago and Marge Bot committed 2 weeks ago

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <xorg/xserver!1810>

Enrico Weigelt, metux IT consult . authored 3 weeks ago and Marge Bot committed 2 weeks ago

Everything in here only used by geext.c, so no need to keep
a separate header file for that.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1811>

Enrico Weigelt, metux IT consult . authored 2 weeks ago and Marge Bot committed 2 weeks ago

Not used by any drivers/modules, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1814>

Enrico Weigelt, metux IT consult . authored 3 weeks ago and Marge Bot committed 3 weeks ago

Not used by any external modules, so no need to keep it in public header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1807>

Enrico Weigelt, metux IT consult . authored 3 weeks ago and Marge Bot committed 3 weeks ago

These macros aren't used by any external modules, so no need
to keep them public. Moving them into private header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1804>

Enrico Weigelt, metux IT consult . authored 3 weeks ago and Marge Bot committed 3 weeks ago

Only used at exactly one place, for trivial size computation, so not worth
having an extra macro in a public header for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <xorg/xserver!1805>

Enrico Weigelt, metux IT consult . authored 3 weeks ago and Marge Bot committed 3 weeks ago

Should never be called by modules/drivers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1802>

Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.

See: #1754



Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1711>

Xrdp needs to know the current display name (for setting up it's
own server sockets accordingly). Instead of exporting an internal
field, adding a little getter for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1783>

Enrico Weigelt, metux IT consult . authored 5 months ago and Marge Bot committed 1 month ago

Since LogVMessageVerb() is now signal safe, we can use this one instead.
Leaving VErrorF() macro for backwards compat with drivers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <xorg/xserver!1691>

Enrico Weigelt, metux IT consult . authored 5 months ago and Marge Bot committed 1 month ago

Since ErrorF() is now signal safe, we can use this one instead.
Leaving ErrorFSigSafe() macro for backwards compat with drivers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <xorg/xserver!1691>

Enrico Weigelt, metux IT consult . authored 5 months ago and Marge Bot committed 1 month ago

Make dixDestroyPixmap() check for NULL pointer, so callers don't need to
do it anymore. Returning TRUE on NULL pointer - but most callers won't
even look at the retval anyways.

Together with subsequent commits, which will make use of that function,
instead of calling raw ScreenRec->DestroyPixmap vectors, this gives us some
more freedom for architectural changes, eg. get rid of the extremely
complicated and fragile wrapping chains.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1709>

Enrico Weigelt, metux IT consult . authored 7 months ago and Marge Bot committed 1 month ago

The request struct's length fields aren't used anymore - we have the
client->req_len field instead, which also is bigreq-compatible.

Also dropping now obsolete SProcNoOperation().

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1639>

Enrico Weigelt, metux IT consult . authored 6 months ago and Marge Bot committed 1 month ago

This script used to generated xproto header as well as a piece of source
for initializing the builtin atoms in the Xserver (MakePredeclaredAtoms()).

At least with R6.6 baseline it didn't seem to be used anymore, and - at least
since the modularization - it's completely broken and useless.

Since we now have a new generator, running directly in the build process,
this ancient script can be dropped.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1670>

Enrico Weigelt, metux IT consult . authored 6 months ago and Marge Bot committed 1 month ago

This function probably been (half?) auto generated somewhere back in the
dark ages (there're still remains of the former generator, which doesn't
work anymore, and hasn't been updated for ages). It's been added to SCM
with R6.6 baseline - and from that on manually maintained.

Adding a little generator to create source from "BuiltInAtoms" file,
directly in the build process.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1670>

Enrico Weigelt, metux IT consult . authored 1 year ago and Marge Bot committed 1 month ago

PANORAMIX was the original working title of the extension, before it became
official standard. Just nobody cared about fixing the symbols to the official
naming.

For backwards compatibility with drivers, the old PANORAMIX symbol will
still be set.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1258>

Public server module API shouldn't be clobbered with private definitions,
thus move them out to private header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1360>

Enrico Weigelt, metux IT consult . authored 10 months ago and Povilas Kanapickas committed 1 month ago

Not used by any drivers/modules, so no need to keep it public.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1727>

Enrico Weigelt, metux IT consult . authored 10 months ago and Povilas Kanapickas committed 1 month ago

Not used by any drivers/modules, so no need to keep it public.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1727>

Enrico Weigelt, metux IT consult . authored 10 months ago and Povilas Kanapickas committed 1 month ago

Not used by any drivers/modules, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1727>

Enrico Weigelt, metux IT consult . authored 10 months ago and Povilas Kanapickas committed 1 month ago

Not used by any (known) drivers, so no need to keep it exported.

Part-of: <!1727>

Alan Coopersmith authored 4 months ago and Marge Bot committed 4 months ago

Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries.  Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries.  The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.

Found by Oracle Parfait 13.3 static analyzer:

   Read outside array bounds [read-outside-array-bounds]:
      In array dereference of ev->valuators.data[i] with index i
      Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
        at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.

   Read outside array bounds [read-outside-array-bounds]:
      In array dereference of ev->valuators.data[i] with index i
      Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
        at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.

   Read outside array bounds [read-outside-array-bounds]:
      In array dereference of ev->valuators.data_raw[i] with index i
      Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
        at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.

Fixes: b2ba77ba ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1730>

Alan Coopersmith authored 4 months ago and Marge Bot committed 4 months ago

Found by Oracle Parfait 13.3 static analyzer:
   Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
      Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
       size 24 is written at an offset of 28
      Array size is 28 bytes, index is 32
        at line 743 of dix/enterleave.c in function
	 'DeliverStateNotifyEvent'.

Fixes: a85f0d6b ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1730>

If the compiler knows of a better algorithm for counting the number of
bits set in a word for the target CPU, let it use that, instead of the
classic algorithm optimized for PDP-6.

Based on xorg/lib/libxext@490a25e6

v2: make old version static inline, stop exporting after !1695

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1674>

Enrico Weigelt, metux IT consult . authored 5 months ago and Marge Bot committed 4 months ago

It's not used by any module/driver, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <!1695>

Enrico Weigelt, metux IT consult . authored 1 year ago and Povilas Kanapickas committed 4 months ago

* unexport functions from dixgrab.h, that aren't used by any driver/module.
* add paremeter names to prototypes
* add doxygen-style documentation for all the prototypes

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Enrico Weigelt, metux IT consult . authored 6 months ago and Povilas Kanapickas committed 4 months ago

Make it clear what exactly this parameter is for.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Enrico Weigelt, metux IT consult . authored 6 months ago and Povilas Kanapickas committed 4 months ago

Allow NULL parameters to be passed to FreeGrab(), so callers don't all
need to check on their own anymore.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Enrico Weigelt, metux IT consult . authored 6 months ago and Povilas Kanapickas committed 4 months ago

This function is only called once in the same source file, no external callers
at all. So, it doesn't need to be visible outside that file, and we can allow
the compiler to do whatever fancy optimizations it might wanna do.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Enrico Weigelt, metux IT consult . authored 1 year ago and Povilas Kanapickas committed 4 months ago

These aren't used by any (known) external modules, thus no need to export them.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Enrico Weigelt, metux IT consult . authored 1 year ago and Povilas Kanapickas committed 4 months ago

The client.h file is part of the public module API, but it also contains
definitions that aren't useful for being used in modules. Splitting them
out into their own client_priv.h file, which isn't part of the API.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Enrico Weigelt, metux IT consult . authored 6 months ago and Povilas Kanapickas committed 4 months ago

The dix-config.h include file is always present, so no need for
an extra check and conditional include.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1673>

Clears warning from gcc 14.1:

../dix/devices.c: In function ‘GetPairedDevice’:
../dix/devices.c:2734:15: warning: dereference of NULL ‘dev’
 [CWE-476] [-Wanalyzer-null-dereference]
 2734 |     return dev->spriteInfo? dev->spriteInfo->paired: NULL;
      |            ~~~^~~~~~~~~~~~

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1673>

Clears warning from gcc 14.1:

../dix/resource.c: In function ‘HashResourceID’:
../dix/resource.c:691:44: warning: left shift of negative value
 [-Wshift-negative-value]
  691 |     return (id ^ (id >> numBits)) & ~((~0) << numBits);
      |                                            ^~

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <!1673>