-
Aaron Plattner authored
The Linux version of xf86EnableIO calls a helper function called hwEnableIO(). Except on Alpha, this function reads /proc/ioports looking for the 'keyboard' and 'timer' ports, extracts the port ranges, and enables access to them. It does this by reading 4 bytes from the string for the start port number and 4 bytes for the last port number, passing those to atoi(). However, it doesn't add a fifth byte for a NUL terminator, so some implementations of atoi() read past the end of this string, triggering an AddressSanitizer error:

  ==1383==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff71fd5b74 at pc 0x7fe1be0de3e0 bp 0x7fff71fd5ae0 sp 0x7fff71fd5288
  READ of size 5 at 0x7fff71fd5b74 thread T0
      #0 0x7fe1be0de3df in __interceptor_atoi /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:520
      #1 0x564971adcc45 in hwEnableIO ../hw/xfree86/os-support/linux/lnx_video.c:138
      #2 0x564971adce87 in xf86EnableIO ../hw/xfree86/os-support/linux/lnx_video.c:174
      #3 0x5649719f6a30 in InitOutput ../hw/xfree86/common/xf86Init.c:439
      #4 0x564971585924 in dix_main ../dix/main.c:190
      #5 0x564971b6246e in main ../dix/stubmain.c:34
      #6 0x7fe1bdab6b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
      #7 0x564971490e9d in _start (/home/aaron/git/x/xserver/build.asan/hw/xfree86/Xorg+0xb2e9d)

  Address 0x7fff71fd5b74 is located in stack of thread T0 at offset 100 in frame
      #0 0x564971adc96a in hwEnableIO ../hw/xfree86/os-support/linux/lnx_video.c:118

    This frame has 3 object(s):
      [32, 40) 'n' (line 120)
      [64, 72) 'buf' (line 122)
      [96, 100) 'target' (line 122) <== Memory access at offset 100 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:520 in __interceptor_atoi
  Shadow bytes around the buggy address:
    0x10006e3f2b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10006e3f2b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10006e3f2b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10006e3f2b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10006e3f2b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x10006e3f2b60: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2[04]f3
    0x10006e3f2b70: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10006e3f2b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
    0x10006e3f2b90: f1 f1 f8 f2 00 f2 f2 f2 f8 f3 f3 f3 00 00 00 00
    0x10006e3f2ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
    0x10006e3f2bb0: f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==1383==ABORTING

Fix this by NUL-terminating the string.

Fixes: #1193 (comment 1053306)
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
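The unterminated-buffer pattern that the hwEnableIO commit message describes, next to a terminated and validated form, as an added example (this is not the xserver code or its patch). The function names, the `SSSS-EEEE : name` line layout and the sample line are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; helper names are hypothetical, not taken from xserver. */
#define FIELD_LEN 4 /* each port number is 4 characters, per the commit message */

/* BEFORE (pattern described above): no room for a terminator, so atoi()
 * reads target[4] when all four bytes are digits. Shown for contrast only. */
int parse_field_unterminated(const char *src)
{
    char target[FIELD_LEN];
    memcpy(target, src, FIELD_LEN);
    return atoi(target); /* undefined behaviour: target is not a C string */
}

/* AFTER: a fifth byte holds the NUL; input length and digits are checked. */
long parse_field(const char *src, size_t avail)
{
    char target[FIELD_LEN + 1];
    if (avail < FIELD_LEN)
        return -1; /* short line: do not read past its end */
    memcpy(target, src, FIELD_LEN);
    target[FIELD_LEN] = '\0';
    for (int i = 0; i < FIELD_LEN; i++)
        if (!isdigit((unsigned char)target[i]))
            return -1;
    return strtol(target, NULL, 10); /* base 10, as atoi() would parse it */
}

/* Parse "SSSS-EEEE : name"; returns 0 on success, -1 on a malformed line. */
int parse_port_range(const char *line, long *begin, long *last)
{
    size_t len = strlen(line);
    if (len < 2 * FIELD_LEN + 1 || line[FIELD_LEN] != '-')
        return -1;
    *begin = parse_field(line, len);
    *last = parse_field(line + FIELD_LEN + 1, len - (FIELD_LEN + 1));
    return (*begin < 0 || *last < 0 || *last < *begin) ? -1 : 0;
}

int main(void)
{
    long b, e; /* constructed sample line, not captured from a real system */
    if (parse_port_range("0060-0064 : keyboard", &b, &e) == 0)
        printf("ports %ld..%ld\n", b, e);
    return 0;
}
```

Building with `-fsanitize=address` and calling `parse_field_unterminated()` on an all-digit field is the kind of read past `target` that the report above flags.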
72c5d153 -
Olivier Fourdan authored
On screen init, if any of the private type registration fails we would return FALSE without actually freeing the xwl_screen we just allocated. This is not a serious leak as failure at that point would lead to the premature termination of Xwayland at startup, but covscan complains and it's easy enough to fix.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
138d4eba -
Olivier Fourdan authored
Due to a typo in tablet_pad_group(), we would allocate a variable ("group") and test another one ("pad") for allocation success. Spotted by covscan.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Fixes: commit 8475e636 - "xwayland: add tablet pad support"
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
c01ac52b -
Olivier Fourdan authored
Fix the possible leak of `vs_prog_string` and `fs_prog_string` in case of failure, as reported by covscan.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
2906ee5e -
There's no real benefit to using GLX, and the other DDXes are using EGL already, so let's converge on EGL so we can concentrate the fixes in one place. We go to some effort to avoid being the thing that requires libX11 here. We prefer EGL_EXT_platform_xcb over _x11, and if forced to use the latter we'll ask the dynamic linker for XGetXCBConnection and XOpenDisplay rather than link against xlib stuff ourselves. Xephyr is now a pure XCB application if it can be.

Reviewed-by: Emma Anholt <emma@anholt.net>
07fa12ad -
Reviewed-by: Emma Anholt <emma@anholt.net>
ea92cd22 -
Reviewed-by: Emma Anholt <emma@anholt.net>
22772f00 -
Reviewed-by: Emma Anholt <emma@anholt.net>
abda3f42 -
This is not actually a change for xwayland with gbm, or for xfree86 with big-GL, but we do change them as well to use EGL_NO_CONFIG_KHR explicitly.

Reviewed-by: Emma Anholt <emma@anholt.net>
7d5b4c54 -
Reviewed-by: Emma Anholt <emma@anholt.net>
ecdf2103 -
Rotation is broken for all drm drivers not providing hardware rotation support. Drivers that give direct access to vram and not needing dirty updates still work but only by accident. The problem is caused by modesetting not sending the correct fb_id to drmModeDirtyFB() and passing the damage rects in the rotated state and not as the crtc expects them. This patch takes care of both problems.

Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
db9e9d45
- configure.ac: 0 additions, 3 deletions
- glamor/Makefile.am: 0 additions, 1 deletion
- glamor/glamor.c: 1 addition, 29 deletions
- glamor/glamor_context.h: 12 additions, 15 deletions
- glamor/glamor_egl.c: 5 additions, 11 deletions
- glamor/glamor_glx.c: 0 additions, 68 deletions
- glamor/glamor_program.c: 2 additions, 0 deletions
- glamor/meson.build: 0 additions, 1 deletion
- hw/kdrive/ephyr/Makefile.am: 2 additions, 2 deletions
- hw/kdrive/ephyr/ephyr.c: 1 addition, 4 deletions
- hw/kdrive/ephyr/ephyr.h: 1 addition, 4 deletions
- hw/kdrive/ephyr/ephyr_glamor.c: 378 additions, 0 deletions
- hw/kdrive/ephyr/ephyr_glamor.h: 2 additions, 20 deletions
- hw/kdrive/ephyr/hostx.c: 6 additions, 19 deletions
- hw/kdrive/ephyr/meson.build: 1 addition, 2 deletions
- hw/xfree86/drivers/modesetting/driver.c: 60 additions, 21 deletions
- hw/xfree86/drivers/modesetting/drmmode_display.c: 1 addition, 1 deletion
- hw/xfree86/drivers/modesetting/drmmode_display.h: 2 additions, 0 deletions
- hw/xfree86/os-support/linux/lnx_video.c: 3 additions, 1 deletion
- hw/xwayland/xwayland-glamor-eglstream.c: 6 additions, 35 deletions