Commits:
-
89d237c5
by Olivier Fourdan at 2023-11-29T11:31:29+01:00
xwayland: Add xwl_output to the Xwayland types
No functional change.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 2f84e3fe0d1bb22a44c8a4a9eb4c9bd92f66b1a3)
-
8046b0c2
by Olivier Fourdan at 2023-11-29T11:31:34+01:00
xwayland: Add a helper function to update fullscreen
Whenever the output configuration changes, if Xwayland is running
fullscreen, we may need to update the viewport in use or even update the
output on which Xwayland is currently running fullscreen.
Add a new helper function xwl_window_rootful_update_fullscreen() that
will recompute the fullscreen state and the viewport setup so that the
fullscreen Xwayland rootful window matches the new setup.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 73b9ff53c39a56c8d84a20214e9f8da162d56059)
-
654fca9c
by Olivier Fourdan at 2023-11-29T11:31:39+01:00
xwayland: Update the fullscreen window on output change
Make sure to update the fullscreen rootful window configuration whenever
the output setup changes.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 06eb7271a92fb677837811d42452d38d6fb68f25)
-
074c2a1e
by Olivier Fourdan at 2023-11-29T11:31:57+01:00
xwayland: Do not resize when running fullscreen
When running fullscreen, if an X11 client has changed the resolution,
Xwayland is using a viewport to emulate the expected resolution.
When changing focus, the Wayland compositor will send a configure event
with the actual surface size, not the size of the emulated XRandR
resolution.
As a result, changing focus while XRandR emulation (and hence the
viewport) is active in Xwayland will revert the resolution to the actual
output size, defeating the XRandR emulation.
To avoid that issue, only change the size when not running fullscreen.
Fixes: 53b6d4db7 - xwayland: Apply root toplevel configure dimensions
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit a797776ff29e67b5dd60aebf3cef144a743d3cb4)
-
7883646a
by Olivier Fourdan at 2023-11-29T11:32:05+01:00
build: Allow for custom server config directory
Most X servers, even those which do not have specific configuration
files, can use the directory specified by SERVER_MISC_CONFIG_PATH when
they have either the XSECURITY or XSELINUX extensions enabled, or when
support for DTRACE is enabled at build time, because this is also where
the "protocol.txt" file is searched for at runtime.
Unfortunately, the SERVER_MISC_CONFIG_PATH is set from serverconfigdir
which is hardcoded in the build system to "$prefix/$libdir/xorg", and
all X server builds share the same path.
That makes it harder for different X servers such as Xwayland to install
in the same path without sharing the same server configuration path
(and hence the same "protocol.txt" file).
Allow for the customization of server configuration path from the build
options so that different X servers can use completely different and
independent paths.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 411a61f571aa1dde54d52b0200a4e1a9d0def336)
-
a07ce75d
by Olivier Fourdan at 2023-12-04T09:20:53+01:00
xwayland: Update output nameLength
At creation, Xwayland uses a generic output name ("XWAYLAND0", etc.) for
the XRandR outputs, and later, once the name is known from the Wayland
protocols, updates the output names using the actual names from the
Wayland compositor.
However, when doing so, it simply updates the string, the "nameLength"
isn't updated, so the name passed to the clients might either end up
being truncated or contain portions of the previous (initial) output
name.
Note, this is using a fixed size buffer initialized with zeros, so this
cannot leak any data other than the previous output name, so this is
mainly a cosmetic issue.
Update the output's "nameLength" when updating the output name.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Fixes: 3c07a01c42 - xwayland: Use xdg-output name for XRandR
Reviewed-by: Simon Ser <contact@emersion.fr>
(cherry picked from commit 0e314afef62b1d03c67273a8479bfdf8fe9f2573)
-
eea4c753
by Olivier Fourdan at 2023-12-04T09:20:58+01:00
xwayland: Use the right nameLength by default
When creating the output with the default "XWAYLAND<n>" name, we use
the MAX_OUTPUT_NAME value to allocate a lot more memory than necessary
to accommodate for future output names once they get updated, but by
doing so, we also send XRandR way too much (zeroed) data since the
"nameLength" value is (purposely) set too big.
So, instead, let's just update the name after creating the RR output,
this way we set both the name and nameLength to their correct values
while keeping the initial large allocation.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Fixes: 3c07a01c42 - xwayland: Use xdg-output name for XRandR
Reviewed-by: Simon Ser <contact@emersion.fr>
(cherry picked from commit 83453fb51e20c9763f437ca3c3defb2956682686)
-
aaf854fb
by Peter Hutterer at 2023-12-13T11:42:25+10:00
randr: avoid integer truncation in length check of ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-6478, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
-
19e9f199
by Peter Hutterer at 2023-12-13T11:42:26+10:00
Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
-
7439e9c6
by Peter Hutterer at 2023-12-13T11:52:59+10:00
Bump version to 23.2.3
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
10 changed files:
Changes:
Xi/exevents.c
... |
... |
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) |
611
|
611
|
}
|
612
|
612
|
|
613
|
613
|
if (from->button->xkb_acts) {
|
614
|
|
- if (!to->button->xkb_acts) {
|
615
|
|
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
616
|
|
- if (!to->button->xkb_acts)
|
617
|
|
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
618
|
|
- }
|
|
614
|
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
|
615
|
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
|
616
|
+ maxbuttons,
|
|
617
|
+ sizeof(XkbAction));
|
|
618
|
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
619
|
619
|
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
620
|
|
- sizeof(XkbAction));
|
|
620
|
+ from->button->numButtons * sizeof(XkbAction));
|
621
|
621
|
}
|
622
|
622
|
else {
|
623
|
623
|
free(to->button->xkb_acts);
|
dix/devices.c
... |
... |
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) |
2530
|
2530
|
|
2531
|
2531
|
if (master->button && master->button->numButtons != maxbuttons) {
|
2532
|
2532
|
int i;
|
|
2533
|
+ int last_num_buttons = master->button->numButtons;
|
|
2534
|
+
|
2533
|
2535
|
DeviceChangedEvent event = {
|
2534
|
2536
|
.header = ET_Internal,
|
2535
|
2537
|
.type = ET_DeviceChanged,
|
... |
... |
@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) |
2540
|
2542
|
};
|
2541
|
2543
|
|
2542
|
2544
|
master->button->numButtons = maxbuttons;
|
|
2545
|
+ if (last_num_buttons < maxbuttons) {
|
|
2546
|
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
|
2547
|
+ maxbuttons,
|
|
2548
|
+ sizeof(XkbAction));
|
|
2549
|
+ memset(&master->button->xkb_acts[last_num_buttons],
|
|
2550
|
+ 0,
|
|
2551
|
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
|
2552
|
+ }
|
2543
|
2553
|
|
2544
|
2554
|
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
2545
|
2555
|
sizeof(Atom));
|
hw/xwayland/xwayland-output.c
... |
... |
@@ -601,6 +601,7 @@ static void |
601
|
601
|
apply_output_change(struct xwl_output *xwl_output)
|
602
|
602
|
{
|
603
|
603
|
struct xwl_screen *xwl_screen = xwl_output->xwl_screen;
|
|
604
|
+ struct xwl_window *xwl_window;
|
604
|
605
|
struct xwl_output *it;
|
605
|
606
|
int mode_width, mode_height, count;
|
606
|
607
|
int width = 0, height = 0, has_this_output = 0;
|
... |
... |
@@ -658,6 +659,15 @@ apply_output_change(struct xwl_output *xwl_output) |
658
|
659
|
update_screen_size(xwl_screen, width, height);
|
659
|
660
|
else
|
660
|
661
|
RRTellChanged(xwl_screen->screen);
|
|
662
|
+
|
|
663
|
+ /* If running rootful and fullscreen, make sure to match the new setup */
|
|
664
|
+ if (xwl_screen->fullscreen) {
|
|
665
|
+ /* The root window may not yet be created */
|
|
666
|
+ if (xwl_screen->screen->root) {
|
|
667
|
+ xwl_window = xwl_window_get(xwl_screen->screen->root);
|
|
668
|
+ xwl_window_rootful_update_fullscreen(xwl_window, xwl_output);
|
|
669
|
+ }
|
|
670
|
+ }
|
661
|
671
|
}
|
662
|
672
|
|
663
|
673
|
static void
|
... |
... |
@@ -673,6 +683,7 @@ xwl_output_set_name(struct xwl_output *xwl_output, const char *name) |
673
|
683
|
}
|
674
|
684
|
|
675
|
685
|
snprintf(xwl_output->randr_output->name, MAX_OUTPUT_NAME, "%s", name);
|
|
686
|
+ xwl_output->randr_output->nameLength = strlen(xwl_output->randr_output->name);
|
676
|
687
|
}
|
677
|
688
|
|
678
|
689
|
static void
|
... |
... |
@@ -836,9 +847,6 @@ xwl_output_create(struct xwl_screen *xwl_screen, uint32_t id, |
836
|
847
|
xwl_output->xwl_screen = xwl_screen;
|
837
|
848
|
|
838
|
849
|
if (with_xrandr) {
|
839
|
|
- snprintf(name, MAX_OUTPUT_NAME, "XWAYLAND%d",
|
840
|
|
- xwl_screen_get_next_output_serial(xwl_screen));
|
841
|
|
-
|
842
|
850
|
xwl_output->randr_crtc = RRCrtcCreate(xwl_screen->screen, xwl_output);
|
843
|
851
|
if (!xwl_output->randr_crtc) {
|
844
|
852
|
ErrorF("Failed creating RandR CRTC\n");
|
... |
... |
@@ -846,12 +854,17 @@ xwl_output_create(struct xwl_screen *xwl_screen, uint32_t id, |
846
|
854
|
}
|
847
|
855
|
RRCrtcSetRotations (xwl_output->randr_crtc, ALL_ROTATIONS);
|
848
|
856
|
|
|
857
|
+ /* Allocate MAX_OUTPUT_NAME data for the output name, all filled with zeros */
|
849
|
858
|
xwl_output->randr_output = RROutputCreate(xwl_screen->screen, name,
|
850
|
859
|
MAX_OUTPUT_NAME, xwl_output);
|
851
|
860
|
if (!xwl_output->randr_output) {
|
852
|
861
|
ErrorF("Failed creating RandR Output\n");
|
853
|
862
|
goto err;
|
854
|
863
|
}
|
|
864
|
+ /* Set the default output name to a sensible value */
|
|
865
|
+ snprintf(name, MAX_OUTPUT_NAME, "XWAYLAND%d",
|
|
866
|
+ xwl_screen_get_next_output_serial(xwl_screen));
|
|
867
|
+ xwl_output_set_name(xwl_output, name);
|
855
|
868
|
xwl_output_set_emulated(xwl_output);
|
856
|
869
|
|
857
|
870
|
RRCrtcGammaSetSize(xwl_output->randr_crtc, 256);
|
hw/xwayland/xwayland-types.h
... |
... |
@@ -31,5 +31,6 @@ struct xwl_window; |
31
|
31
|
struct xwl_screen;
|
32
|
32
|
struct xwl_egl_backend;
|
33
|
33
|
struct xwl_drm_lease;
|
|
34
|
+struct xwl_output;
|
34
|
35
|
|
35
|
36
|
#endif /* XWAYLAND_TYPES_H */ |
hw/xwayland/xwayland-window.c
... |
... |
@@ -569,6 +569,29 @@ xwl_window_set_fullscreen(struct xwl_window *xwl_window) |
569
|
569
|
return TRUE;
|
570
|
570
|
}
|
571
|
571
|
|
|
572
|
+void
|
|
573
|
+xwl_window_rootful_update_fullscreen(struct xwl_window *xwl_window,
|
|
574
|
+ struct xwl_output *xwl_output)
|
|
575
|
+{
|
|
576
|
+ struct xwl_screen *xwl_screen = xwl_window->xwl_screen;
|
|
577
|
+
|
|
578
|
+ if (!xwl_screen->fullscreen)
|
|
579
|
+ return;
|
|
580
|
+
|
|
581
|
+ if (xwl_window->window != xwl_screen->screen->root)
|
|
582
|
+ return;
|
|
583
|
+
|
|
584
|
+ if (xwl_window->wl_output_fullscreen != xwl_output->output)
|
|
585
|
+ return;
|
|
586
|
+
|
|
587
|
+ /* The size and position of the output may have changed, clear our
|
|
588
|
+ * output to make sure the next call to xwl_window_set_fullscreen()
|
|
589
|
+ * recomputes the size and updates the viewport as needed.
|
|
590
|
+ */
|
|
591
|
+ xwl_window->wl_output_fullscreen = NULL;
|
|
592
|
+ xwl_window_set_fullscreen(xwl_window);
|
|
593
|
+}
|
|
594
|
+
|
572
|
595
|
void
|
573
|
596
|
xwl_window_rootful_update_title(struct xwl_window *xwl_window)
|
574
|
597
|
{
|
... |
... |
@@ -766,13 +789,16 @@ xdg_toplevel_handle_configure(void *data, |
766
|
789
|
struct wl_array *states)
|
767
|
790
|
{
|
768
|
791
|
struct xwl_window *xwl_window = data;
|
|
792
|
+ struct xwl_screen *xwl_screen = xwl_window->xwl_screen;
|
769
|
793
|
|
770
|
794
|
/* Maintain our current size if no dimensions are requested */
|
771
|
795
|
if (width == 0 && height == 0)
|
772
|
796
|
return;
|
773
|
797
|
|
774
|
|
- /* This will be committed by the xdg_surface.configure handler */
|
775
|
|
- xwl_window_maybe_resize(xwl_window, width, height);
|
|
798
|
+ if (!xwl_screen->fullscreen) {
|
|
799
|
+ /* This will be committed by the xdg_surface.configure handler */
|
|
800
|
+ xwl_window_maybe_resize(xwl_window, width, height);
|
|
801
|
+ }
|
776
|
802
|
}
|
777
|
803
|
|
778
|
804
|
static void
|
hw/xwayland/xwayland-window.h
... |
... |
@@ -135,7 +135,8 @@ Bool xwl_window_has_viewport_enabled(struct xwl_window *xwl_window); |
135
|
135
|
Bool xwl_window_is_toplevel(WindowPtr window);
|
136
|
136
|
void xwl_window_check_resolution_change_emulation(struct xwl_window *xwl_window);
|
137
|
137
|
void xwl_window_rootful_update_title(struct xwl_window *xwl_window);
|
138
|
|
-
|
|
138
|
+void xwl_window_rootful_update_fullscreen(struct xwl_window *xwl_window,
|
|
139
|
+ struct xwl_output *xwl_output);
|
139
|
140
|
void xwl_window_set_window_pixmap(WindowPtr window, PixmapPtr pixmap);
|
140
|
141
|
|
141
|
142
|
Bool xwl_realize_window(WindowPtr window);
|
meson.build
... |
... |
@@ -3,10 +3,10 @@ project('xwayland', 'c', |
3
|
3
|
'buildtype=debugoptimized',
|
4
|
4
|
'c_std=gnu99',
|
5
|
5
|
],
|
6
|
|
- version: '23.2.2',
|
|
6
|
+ version: '23.2.3',
|
7
|
7
|
meson_version: '>= 0.52.0',
|
8
|
8
|
)
|
9
|
|
-release_date = '2023-10-25'
|
|
9
|
+release_date = '2023-12-13'
|
10
|
10
|
|
11
|
11
|
add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
|
12
|
12
|
cc = meson.get_compiler('c')
|
... |
... |
@@ -476,7 +476,10 @@ glx_inc = include_directories('glx') |
476
|
476
|
|
477
|
477
|
top_dir_inc = include_directories('.')
|
478
|
478
|
|
479
|
|
-serverconfigdir = join_paths(get_option('prefix'), get_option('libdir'), 'xorg')
|
|
479
|
+serverconfigdir = get_option('serverconfigdir')
|
|
480
|
+if serverconfigdir == ''
|
|
481
|
+ serverconfigdir = join_paths(get_option('prefix'), get_option('libdir'), 'xorg')
|
|
482
|
+endif
|
480
|
483
|
|
481
|
484
|
manpage_config = configuration_data()
|
482
|
485
|
manpage_config.set('vendorversion', '"xorg-server @0@" "X Version 11"'.format(meson.project_version()))
|
meson_options.txt
... |
... |
@@ -14,6 +14,8 @@ option('builder_string', type: 'string', description: 'Additional builder string |
14
|
14
|
option('default_font_path', type: 'string')
|
15
|
15
|
option('fontrootdir', type: 'string',
|
16
|
16
|
description: 'Root directory for legacy fonts. Default: from font-utils.pc or $datadir/fonts/X11')
|
|
17
|
+option('serverconfigdir', type: 'string',
|
|
18
|
+ description: 'Miscellaneous server configuration files path. Default: $libdir/xorg')
|
17
|
19
|
|
18
|
20
|
option('glx', type: 'boolean', value: true)
|
19
|
21
|
option('xdmcp', type: 'boolean', value: true)
|
randr/rrproperty.c
... |
... |
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) |
530
|
530
|
char format, mode;
|
531
|
531
|
unsigned long len;
|
532
|
532
|
int sizeInBytes;
|
533
|
|
- int totalSize;
|
|
533
|
+ uint64_t totalSize;
|
534
|
534
|
int err;
|
535
|
535
|
|
536
|
536
|
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
randr/rrproviderproperty.c
... |
... |
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) |
498
|
498
|
char format, mode;
|
499
|
499
|
unsigned long len;
|
500
|
500
|
int sizeInBytes;
|
501
|
|
- int totalSize;
|
|
501
|
+ uint64_t totalSize;
|
502
|
502
|
int err;
|
503
|
503
|
|
504
|
504
|
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
|