Compare revisions

Gleb Popov · Alan Coopersmith · Niclas Zeising · Alan Coopersmith · Gleb Popov · Alan Coopersmith
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
                XIDestroyDeviceProperty(prop);
            return BadAlloc;
        }
-        new_value.size = len;
+        new_value.size = total_len;
        new_value.type = type;
        new_value.format = format;

@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
        case PropModePrepend:
            new_data = new_value.data;
            old_data = (void *) (((char *) new_value.data) +
-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
            break;
        }
        if (new_data)

--- a/dix/enterleave.h
+++ b/dix/enterleave.h
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,

 extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);

-extern void LeaveWindow(DeviceIntPtr dev);
-
 extern void CoreFocusEvent(DeviceIntPtr kbd,
                           int type, int mode, int detail, WindowPtr pWin);


--- a/hw/xfree86/common/xf86AutoConfig.c
+++ b/hw/xfree86/common/xf86AutoConfig.c
@@ -302,6 +302,9 @@ listPossibleVideoDrivers(XF86MatchedDrivers *md)
 #if defined(__linux__)
    xf86AddMatchedDriver(md, "fbdev");
 #endif
+#if defined(__FreeBSD__)
+    xf86AddMatchedDriver(md, "scfb");
+#endif

    /* Fallback to platform default hardware */
 #if defined(__i386__) || defined(__amd64__) || defined(__hurd__)

--- a/hw/xfree86/common/xf86str.h
+++ b/hw/xfree86/common/xf86str.h
@@ -249,7 +249,7 @@ typedef struct _DriverRec {
 */

 /* Tolerate prior #include <linux/input.h> */
-#if defined(__linux__)
+#if defined(__linux__) || defined(__FreeBSD__)
 #undef BUS_NONE
 #undef BUS_PCI
 #undef BUS_SBUS

--- a/hw/xfree86/os-support/bsd/bsd_init.c
+++ b/hw/xfree86/os-support/bsd/bsd_init.c
@@ -303,7 +303,7 @@ xf86OpenConsole()
    else {
        /* serverGeneration != 1 */
 #if defined (SYSCONS_SUPPORT) || defined (PCVT_SUPPORT)
-        if (!xf86Info.ShareVTs &&
+        if (!xf86Info.ShareVTs && xf86Info.autoVTSwitch &&
            (xf86Info.consType == SYSCONS || xf86Info.consType == PCVT)) {
            if (ioctl(xf86Info.consoleFd, VT_ACTIVATE, xf86Info.vtno) != 0) {
                xf86Msg(X_WARNING, "xf86OpenConsole: VT_ACTIVATE failed\n");
@@ -604,7 +604,7 @@ xf86CloseConsole()
                           strerror(errno));
        }
 #endif
-        if (initialVT != -1)
+        if (xf86Info.autoVTSwitch && initialVT != -1)
            ioctl(xf86Info.consoleFd, VT_ACTIVATE, initialVT);
        break;
 #endif                          /* SYSCONS_SUPPORT || PCVT_SUPPORT */

--- a/hw/xfree86/os-support/bsd/ppc_video.c
+++ b/hw/xfree86/os-support/bsd/ppc_video.c
@@ -79,7 +79,11 @@ xf86DisableIO()
 {

    if (ioBase != MAP_FAILED) {
+#if defined(__FreeBSD__)
+        munmap(__DEVOLATILE(unsigned char *, ioBase), 0x10000);
+#else
        munmap(__UNVOLATILE(ioBase), 0x10000);
+#endif
        ioBase = MAP_FAILED;
    }
 }
--- a/hw/xfree86/os-support/meson.build
+++ b/hw/xfree86/os-support/meson.build
@@ -97,9 +97,13 @@ elif host_machine.system().endswith('bsd')
        'bsd/bsd_bell.c',
        'bsd/bsd_init.c',
        'shared/drm_platform.c',
-	'shared/pm_noop.c'
+        'shared/pm_noop.c'
    ]

+    if host_machine.system() == 'freebsd'
+        srcs_xorg_os_support += ['linux/lnx_platform.c', 'misc/SlowBcopy.c']
+    endif
+
    if host_machine.cpu_family() == 'x86_64'
        srcs_xorg_os_support += 'bsd/i386_video.c'
        if host_machine.system() == 'netbsd'
@@ -112,7 +116,7 @@ elif host_machine.system().endswith('bsd')
        if host_machine.system() == 'netbsd' or host_machine.system() == 'openbsd'
            os_dep += cc.find_library('i386')
        endif
-    elif host_machine.cpu_family() == 'arm'
+    elif host_machine.cpu_family() == 'arm' or host_machine.cpu_family() == 'aarch64'
        srcs_xorg_os_support += 'bsd/arm_video.c'
    elif host_machine.cpu_family() == 'ppc' or host_machine.cpu_family() == 'ppc64'
        srcs_xorg_os_support += 'bsd/ppc_video.c'

--- a/include/eventstr.h
+++ b/include/eventstr.h
@@ -335,4 +335,7 @@ union _InternalEvent {
    GestureEvent gesture_event;
 };

+extern void
+LeaveWindow(DeviceIntPtr dev);
+
 #endif
--- a/include/meson.build
+++ b/include/meson.build
@@ -379,7 +379,7 @@ xorg_data.set('HAVE_SYS_VT_H', cc.has_header('sys/vt.h') ? '1' : false)
 xorg_data.set('HAVE_MODESETTING_DRIVER', build_modesetting ? '1' : false)

 if host_machine.system() == 'freebsd' or host_machine.system() == 'dragonfly'
-    if host_machine.cpu_family() == 'x86' or host_machine.cpu_family() == 'x86_64'
+    if host_machine.cpu_family() == 'x86' or host_machine.cpu_family() == 'x86_64' or host_machine.cpu_family() == 'aarch64'
        xorg_data.set('USE_DEV_IO', '1')
    endif
 elif host_machine.system() == 'netbsd'

--- a/mi/mipointer.c
+++ b/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
 #ifdef PANORAMIX
        && noPanoramiXExtension
 #endif
-        )
-        UpdateSpriteForScreen(pDev, pScreen);
+        ) {
+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+            /* Hack for CVE-2023-5380: if we're moving
+             * screens PointerWindows[] keeps referring to the
+             * old window. If that gets destroyed we have a UAF
+             * bug later. Only happens when jumping from a window
+             * to the root window on the other screen.
+             * Enter/Leave events are incorrect for that case but
+             * too niche to fix.
+             */
+            LeaveWindow(pDev);
+            if (master)
+                LeaveWindow(master);
+            UpdateSpriteForScreen(pDev, pScreen);
+    }
 }

 /**

--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
                RRDestroyOutputProperty(prop);
            return BadAlloc;
        }
-        new_value.size = len;
+        new_value.size = total_len;
        new_value.type = type;
        new_value.format = format;

@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
        case PropModePrepend:
            new_data = new_value.data;
            old_data = (void *) (((char *) new_value.data) +
-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
            break;
        }
        if (new_data)
No results found