Whitelisting some XI operations in various hooks.
Note that some additional filtering needs to be done in send or
receive hook in order to prevent clients to receive possibly sensible
input data from the root window.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Filter message sending by clients. Only sending within the same
namespace is allowed (except for clients in a NS with superpowers,
e.g. root)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Filter device access, whitelist several commonly used operations that
should be safe (eg. query keyboard layout).
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
CreateWindow() needs access to root window, in order to create
top level windows. Whitelisting this operation.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Whitelist several extension calls that are safe. Also allow namespaces
to be configured for unrestricted access.
TBD: doesn't actually reject yet
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Only namespaces with allowMouseOption flag enabled can receive
raw mouse motion events. Raw key press events are always blocked.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Redirecting access to root window properties to the per-namespace
virtual root windows. This isolates a lot of communication via root
window, e.g. the cut buffers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
For each namespace creating a fake (invisible) root window, which can be
used for storing per-namespace properties (eg. cut buffers), etc.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Selection names (as seen by the client) are internally prefixed with the
namespace ID, so each client can only access those within it's namespace.
If a client within namespace "foo" want's to operate on "PRIMARY",
it actually will be doing so on "<foo>PRIMARY", w/o ever noticing it.
Events will sent back to the client still pointing to "PRIMARY".
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Adding data structure and initial data for namespace configuration.
Built-in namespaces are ROOT and ANONYMOUS.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Add tiny skeleton for the namespace extension. Disabled by default,
can be enabled via +extension arg, but doesn't actually do something yet.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
a) no need to checking for win->optional == NULL before calling
MakeWindowOptional(), because it checks itself
(except some cases where it's presence has it's own semantics,
or prevent unnecessary allocations)
b) lots of call sites didn't check for allocation failure.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
a) an internal function that's not used by any drivers
b) conflicting with function/define of same name on win32
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
XID = 0 already is used as sign for error in several places,
so let's use that here, too.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Pass each client we're considering to report through XaceHookClientAccess(),
so security extensions have a chance to filter them out.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Pass each client we're considering to report through XaceHookClientAccess(),
so security extensions have a chance to filter them out.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Pass each client we're considering to report through XaceHookClientAccess(),
so security extensions have a chance to filter them out.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Pass each client we're considering to report through XaceHookClientAccess(),
so security extensions have a chance to filter them out.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
There's really no practical use for disabling GEEext, would just
cause the Xserver misbehaviour (eg. missing byte swapping)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1812>
SyncChangeAlarmAttributes() would apply the various changes while
checking for errors.
If one of the changes triggers an error, the changes for the trigger,
counter or delta value would remain, possibly leading to inconsistent
changes.
Postpone the actual changes until we're sure nothing else can go wrong.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
In SyncInitTrigger(), we would set the CheckTrigger function before
validating the counter value.
As a result, if the counter value overflowed, we would leave the
function SyncInitTrigger() with the CheckTrigger applied but without
updating the trigger object.
To avoid that issue, move the portion of code checking for the trigger
check value before updating the CheckTrigger function.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.
Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.
CVE-2025-26601, ZDI-CAN-25870
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
Commit 36dd28129b had an ugly typo
(probably broke on rebase - shame on myself) causing SProcGEQueryVersion()
calling itself recursively. Obviously, ProcGEQueryVersion() needs
to be called instead.
Fixes: 36dd28129b
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1817>
Enrico Weigelt, metux IT consult
Olivier Fourdan