-
3bda7d11
by Patrik Jakobsson at 2025-02-05T15:02:23+01:00
modesetting: Fix dirty updates for sw rotation
Rotation is broken for all drm drivers not providing hardware rotation
support. Drivers that give direct access to vram and not needing dirty
updates still work but only by accident. The problem is caused by
modesetting not sending the correct fb_id to drmModeDirtyFB() and
passing the damage rects in the rotated state and not as the crtc
expects them. This patch takes care of both problems.
Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
(cherry picked from commit db9e9d45e8ba73510f11eb9e534c176102f6623e)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
743f66d6
by Olivier Fourdan at 2025-02-05T15:02:23+01:00
glamor: Fix possible double-free
If glamor_link_glsl_prog() fails, we may jump to the failed code path
which frees the variable vs_prog_string and fs_prog_string.
But those variables were already freed just before, so in that case we
end up freeing the memory twice.
Simply move the free at the end of the success code path so we are sure
to free the values only once, either in the successful of failed code
paths.
Fixes: 2906ee5e4 - glamor: Fix leak in glamor_build_program()
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 34ea020344ef5f2ea8ffce78c7e1abd6436b21ec)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
de2e2e8d
by Peter Hutterer at 2025-02-05T15:02:23+01:00
dix: don't push the XKB state to a non-existing master keyboard
If our master keyboard is disabled, GetMaster() returns NULL and
we segfault in XkbPushLockedStateToSlaves().
Fixes 45fb3a934dc0db51584aba37c2f9d73deff9191d
Fixes #1611
(cherry picked from commit 9b983fecf999b9f50946973f2379a5ce00491cad)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
f241e4f8
by Peter Hutterer at 2025-02-05T15:02:23+01:00
Xi: when removing a master search for a disabled paired device
If either the master pointer or keyboard was disabled, the respective
GetMaster() call returns NULL, causing a segfault later accessing the
deviceid.
Fix this by looking in the off_devices list for any master
device of the type we're looking for. Master devices lose the pairing
when disabled (on enabling a keyboard we simply pair with the first
available unpaired pointer).
And for readability, split the device we get from the protocol request
into a new "dev" variable instead of re-using ptr.
Fixes #1611
(cherry picked from commit e7c876ab0b0daa546a23d4ef82537fdf8fd88e04)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
ac48573a
by Olivier Fourdan at 2025-02-05T15:02:23+01:00
os: Fix NULL pointer dereference
RemoveHost() can be called from DisableLocalHost() with a NULL client,
but doesn't actually check whether the given client pointer is valid on
error and assigns the error value unconditionally, leading to a possible
NULL pointer dereference and a crash of the Xserver.
To avoid the issue, simply check whether the client pointer is not NULL
prior to assign the errorValue.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1752
See-also: https://bugzilla.redhat.com/2313799
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 57a446c0f98693bd2e0263e91213344d870f4e03)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
e38c23e5
by Tj at 2025-02-05T15:02:23+01:00
xfree86: fbdevhw: fix pci detection on recent Linux
Linux kernel v6.9 has changed the symlink to point to the parent device. This
breaks fbdev_open() detection logic. Change it to use the subsystem symlink
instead which will remain stable.
Kernel v6.8:
[ 14.067] (II) fbdev_open() sysfs_path=/sys/class/graphics/fb0
[ 14.067] (II) fbdev_open() buf=../../devices/platform/vesa-framebuffer.0/graphics/fb0
Kernel v6.9:
[ 15.609] (II) fbdev_open() sysfs_path=/sys/class/graphics/fb0
[ 15.609] (II) fbdev_open() buf=../../devices/pci0000:00/0000:00:01.0/vesa-framebuffer.0/graphics/fb0
Originally found in automated Debian ISO QA testing [0] and confirmed in Linux [1].
Tested on kernels v6.9.7 and v6.8.12
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075713
[1] https://lore.kernel.org/lkml/lLyvPFC_APGHNfyGNHRpQy5izBikkaTPOpHooZIT3fFAoJPquSI31ZMueA99XTdr8ysir3X7O7IMdc6za-0m79vr_claeparHhoRouVgHOI=@proton.me/
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1714
Signed-off-by: Tj <tj.iam.tj@proton.me>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Enrico Weigelt, metux IT consult <info@metux.net>
(cherry picked from commit 728b54528d37ffa27b07c9b181c5ed8d2d359379)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
cbc2c654
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
os: NextDPMSTimeout: mark intentional fallthroughs in switch
The comment at the top of the function tells humans the fallthroughs
are intentional, but gcc doesn't parse that.
Clears 3 -Wimplicit-fallthrough warnings from gcc 14.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b306df5a6060beea82b5157c3603593527b220b0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
23b3b719
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
xfree86: avoid memory leak on realloc failure
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer optname allocated with asprintf(&optname,
"\"%s\"", p->name)
at line 326 of hw/xfree86/common/xf86Configure.c in function
'configureDeviceSection'.
optname allocated at line 309 with asprintf(&optname, "\"%s\"",
p->name)
Fixes: code inherited from XFree86
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit fa711c486a2c2c958c71d7bd8ac0efe552558717)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
cec3e55e
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL
The comments in that function say "This only happens if master is a
slave device. don't do that" but static analysis doesn't respect that.
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestptr
at line 274 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 273 of Xi/xichangehierarchy.c in function
'remove_master'.
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestkeybd
at line 279 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 278 of Xi/xichangehierarchy.c in function
'remove_master'.
Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d10589cc09c68ad09bebd3a4155c44d1b8f2614b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
5406ddd0
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
render: avoid NULL pointer dereference if PictureFindVisual returns NULL
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer pVisual
at line 257 of dix/colormap.c in function 'CreateColormap'.
Null pointer introduced at line 412 of render/picture.c in
function 'PictureFindVisual'.
Constant 'NULL' passed into function CreateColormap, argument
pVisual, from call at line 431 in function
'PictureInitIndexedFormat'.
Function PictureFindVisual may return constant 'NULL' at
line 412, called at line 429.
Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7af077dd2f939b76e7d6ba84250368b6649fb777)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
abfd0215
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
dix: fix button offset when generating DeviceButtonStateNotify events
Found by Oracle Parfait 13.3 static analyzer:
Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
size 24 is written at an offset of 28
Array size is 28 bytes, index is 32
at line 743 of dix/enterleave.c in function
'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 4b073d65bb5e1f4accb7ed280c8926134582b7ab)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
fbb636bf
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
dix: limit checks to MAX_VALUATORS when generating Xi events
Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries. The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.
Found by Oracle Parfait 13.3 static analyzer:
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data_raw[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.
Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b65eea43dd18cdf6d389b7f82ee55ae764c3bf31)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
309ec5a4
by Alan Coopersmith at 2025-02-05T15:02:23+01:00
modesetting: avoid memory leak when ms_present_check_unflip() returns FALSE
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer event allocated with calloc(1, 16)
at line 470 of hw/xfree86/drivers/modesetting/present.c in
function 'ms_present_unflip'.
event allocated at line 431 with calloc(1, 16)
event leaks when ms_present_check_unflip(...) == 0 at line 438
and i >= config->num_crtc at line 445
Fixes: 13c7d53df ("modesetting: Implement page flipping support for Present.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit bf63d9b34ef3a24427f884f66a387119dd5cdb8c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
6115eb1f
by Olivier Fourdan at 2025-02-05T15:02:24+01:00
xkb: Always use MAP_LENGTH keymap size
Generating the modifier modmap, the helper function generate_modkeymap()
would check the entire range up to the MAP_LENGTH.
However, the given keymap might have less keycodes than MAP_LENGTH, in
which case we would go beyond the size of the modmap, as reported by
ASAN:
==ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1 at 0x5110001c225b thread T0
#0 0x5e7369393873 in generate_modkeymap ../dix/inpututils.c:309
#1 0x5e736930dcce in ProcGetModifierMapping ../dix/devices.c:1794
#2 0x5e7369336489 in Dispatch ../dix/dispatch.c:550
#3 0x5e736934407d in dix_main ../dix/main.c:275
#5 0x7e46d47b2ecb in __libc_start_main
#6 0x5e73691be324 in _start (xserver/build/hw/xwayland/Xwayland)
Address is located 0 bytes after 219-byte region
allocated by thread T0 here:
#0 0x7e46d4cfc542 in realloc
#1 0x5e73695aa90e in _XkbCopyClientMap ../xkb/xkbUtils.c:1142
#2 0x5e73695aa90e in XkbCopyKeymap ../xkb/xkbUtils.c:1966
#3 0x5e73695b1b2f in XkbDeviceApplyKeymap ../xkb/xkbUtils.c:2023
#4 0x5e73691c6c18 in keyboard_handle_keymap ../hw/xwayland/xwayland-input.c:1194
As MAP_LENGTH is used in various code paths where the max keycode might
not be easily available, best is to always use MAP_LENGTH to allocate the
keymaps so that the code never run past the buffer size.
If the max key code is smaller than the MAP_LENGTH limit, fill-in the gap
with zeros.
That also simplifies the code slightly as we do not constantly need to
reallocate the keymap to adjust to the max key code size.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1780
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 92bcebfd7e248f695503c0a6e7bee80be4c96834)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
e183b62e
by Olivier Fourdan at 2025-02-05T15:02:24+01:00
os/connection: Make sure partial is initialized
Following the change in Xtrans 1.5 that allows for partial connections
to succeed, we need to make sure partial is properly initialized at
first, otherwise we rely on an uninitialized variable.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Twaik Yont <twaikyont@gmail.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1783
(cherry picked from commit 080fb49eff4de7ec3a29214994d1403e4d877f6a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767>
-
a651eefc
by Daniel Kahn Gillmor at 2025-02-06T17:53:16+00:00
autotools: enable static use of Nettle for SHA1
Debian builds xserver 21 using autotools.
When debian builds xserver-xorg for constrained environments like the
installer, it wants to build against the static library of libnettle
for SHA1, see debian/patches/03_static-nettle.diff in the debian
repository at
https://salsa.debian.org/xorg-team/xserver/xorg-server.git
This modification of configure.ac makes it possible to build static
nettle when needed, while preserving the build to use nettle with a
dynamic library when passing a different configuration option.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1756>
-
0c6a7750
by Doug Brown at 2025-02-25T10:42:21+01:00
dri2: Protect against dri2ClientPrivate assertion failures
If DRI2ScreenInit hasn't been called yet, DRI2Authenticate and
DRI2CreateDrawable2 cause the X server to crash. This has been observed
to happen on multiple modern Linux distros in various conditions,
including QEMU and VMware VMs. Make these functions more robust in order
to prevent the crash.
This patch was originally provided by Bernhard Übelacker and expanded
upon by Mark Wagner.
Signed-off-by: Doug Brown <doug@schmorgal.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1053
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1534
(cherry picked from commit a0834009cfb10b8982a1f2b47b8ed00de254c2c3)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1824>
-
32887f6c
by Olivier Fourdan at 2025-02-25T19:35:55+01:00
test: Fix xsync test
The xsync test is relying on the values being changed even in the case
of a BadMatch value.
Typically, it updates the delta but does not update the test type
comparison, so when passing a negative value, it generates a BadMatch.
That's actually not correct, and that will fail with the new fixes that
check the validity of the values prior to apply the changes.
Fix the test by updating the test type as needed.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 05e54fefafbcec11d847b9f8127bcd4820a20625)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
9e5ac777
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
Cursor: Refuse to free the root cursor
If a cursor reference count drops to 0, the cursor is freed.
The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.
Make sure to prevent the rootCursor from being explicitly freed by a
client.
CVE-2025-26594, ZDI-CAN-25544
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 01642f263f12becf803b19be4db95a4a83f94acc)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
5f0c4e0b
by Peter Hutterer at 2025-02-25T19:36:29+01:00
dix: keep a ref to the rootCursor
CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.
Related to CVE-2025-26594, ZDI-CAN-25544
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b0a09ba6020147961acc62d9c73d807b4cccd9f7)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
ea526ccb
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
xkb: Fix buffer overflow in XkbVModMaskText()
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the virtual mod name.
There's actually two issues in the code that can lead to a buffer
overflow.
First, the bound check mixes pointers and integers using misplaced
parenthesis, defeating the bound check.
But even though, if the check fails, the data is still copied, so the
stack overflow will occur regardless.
Change the logic to skip the copy entirely if the bound check fails.
CVE-2025-26595, ZDI-CAN-25545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
b4293650
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
xkb: Fix computation of XkbSizeKeySyms
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.
Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
does.
CVE-2025-26596, ZDI-CAN-25543
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
8cb23fac
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
xkb: Fix buffer overflow in XkbChangeTypesOfKey()
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
key syms to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value for nGroups,
this will cause a buffer overflow because the key actions are of the wrong
size.
To avoid the issue, make sure to resize both the key syms and key actions
when nGroups is 0.
CVE-2025-26597, ZDI-CAN-25683
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0e4ed94952b255c04fe910f6a1d9c852878dcd64)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
32decb1e
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
Xi: Fix barrier device search
The function GetBarrierDevice() would search for the pointer device
based on its device id and return the matching value, or supposedly NULL
if no match was found.
Unfortunately, as written, it would return the last element of the list
if no matching device id was found which can lead to out of bounds
memory access.
Fix the search function to return NULL if not matching device is found,
and adjust the callers to handle the case where the device cannot be
found.
CVE-2025-26598, ZDI-CAN-25740
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bba9df1a9d57234c76c0b93f88dacb143d01bca2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
7169628a
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
composite: Handle failure to redirect in compRedirectWindow()
The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.
In that case, compRedirectWindow() will return a BadAlloc error.
However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.
That causes a use of uninitialized pointer later.
The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.
CVE-2025-26599, ZDI-CAN-25851
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
d09125fb
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
composite: initialize border clip even when pixmap alloc fails
If it fails to allocate the pixmap, the function compAllocPixmap() would
return early and leave the borderClip region uninitialized, which may
lead to the use of uninitialized value as reported by valgrind:
Conditional jump or move depends on uninitialised value(s)
at 0x4F9B33: compClipNotify (compwindow.c:317)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Fix compAllocPixmap() to initialize the border clip even if the creation
of the backing pixmap has failed, to avoid depending later on
uninitialized border clip values.
Related to CVE-2025-26599, ZDI-CAN-25851
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
826cef82
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
dix: Dequeue pending events on frozen device on removal
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.
As a result, replaying the events will cause a use after free.
To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.
CVE-2025-26600, ZDI-CAN-25871
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
e708ad02
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
sync: Do not let sync objects uninitialized
When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.
Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.
CVE-2025-26601, ZDI-CAN-25870
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
330b4068
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
sync: Check values before applying changes
In SyncInitTrigger(), we would set the CheckTrigger function before
validating the counter value.
As a result, if the counter value overflowed, we would leave the
function SyncInitTrigger() with the CheckTrigger applied but without
updating the trigger object.
To avoid that issue, move the portion of code checking for the trigger
check value before updating the CheckTrigger function.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f52cea2f93a0c891494eb3334894442a92368030)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
043a4e95
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
sync: Do not fail SyncAddTriggerToSyncObject()
We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 8cbc90c8817306af75a60f494ec9dbb1061e50db)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
a2c0f84c
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
sync: Apply changes last in SyncChangeAlarmAttributes()
SyncChangeAlarmAttributes() would apply the various changes while
checking for errors.
If one of the changes triggers an error, the changes for the trigger,
counter or delta value would remain, possibly leading to inconsistent
changes.
Postpone the actual changes until we're sure nothing else can go wrong.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c285798984c6bb99e454a33772cde23d394d3dcd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
b7f84e6d
by Olivier Fourdan at 2025-02-25T19:36:29+01:00
xserver 21.1.16
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
-
7da78a3d
by Emilio Pozuelo Monfort at 2025-02-26T09:56:52+01:00
Merge branch 'upstream-unstable' into debian-unstable
-
a477fb5a
by Emilio Pozuelo Monfort at 2025-02-26T09:57:58+01:00
New upstream release
-
84691727
by Emilio Pozuelo Monfort at 2025-02-26T10:01:42+01:00
Add CVE numbers
-
3acff7e4
by Emilio Pozuelo Monfort at 2025-02-26T10:03:26+01:00
Drop nettle patch, merged upstream
-
6032994d
by Emilio Pozuelo Monfort at 2025-02-26T10:06:50+01:00
Also drop fbdevhw patch
-
5d12459e
by Emilio Pozuelo Monfort at 2025-02-26T10:22:22+01:00
Add CVE descriptions
-
88a9bd8d
by Emilio Pozuelo Monfort at 2025-02-26T10:22:49+01:00
Release to sid