Commit Graph

549 Commits

Author SHA1 Message Date
Olivier Fourdan 948630fa42 randr: Check for overflow in RRChangeProviderProperty()
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().

To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.

CVE-2025-49180

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
2025-06-17 20:01:25 +02:00
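The overflow check described in the commit above, as an added example that is not the xserver project's own code: it models the size computation of a property-change request (element count plus new elements, times bytes per element) and rejects the request before any allocation when the byte total would not fit in an int. The status names, the `prop_value` layout and the INT_MAX bound are assumptions for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the X server's BadValue / BadAlloc (assumed names). */
enum change_status { CHANGE_OK = 0, CHANGE_BAD_VALUE = 1, CHANGE_BAD_ALLOC = 2 };

/* Minimal stand-in for a property value (assumed layout, not randr's). */
struct prop_value {
    unsigned char *data;
    int size;     /* number of elements currently stored */
    int format;   /* bits per element: 8, 16 or 32 */
};

/* Byte size of (current + new) elements, refusing anything that would not
 * fit in an int: both the addition and the multiplication are checked
 * before they are performed, so the allocation size can never wrap. */
static enum change_status total_bytes_checked(int current_size, int len,
                                              int format, size_t *out_bytes)
{
    if (current_size < 0 || len < 0)
        return CHANGE_BAD_VALUE;
    if (format != 8 && format != 16 && format != 32)
        return CHANGE_BAD_VALUE;
    int size_in_bytes = format / 8;
    if (len > INT_MAX - current_size)           /* element count overflow */
        return CHANGE_BAD_VALUE;
    int total_len = current_size + len;
    if (total_len > INT_MAX / size_in_bytes)    /* byte count overflow */
        return CHANGE_BAD_VALUE;
    *out_bytes = (size_t)total_len * (size_t)size_in_bytes;
    return CHANGE_OK;
}

/* Append `len` elements; the buffer is allocated only after validation. */
static enum change_status append_property(struct prop_value *prop,
                                          const void *value, int len)
{
    size_t total_bytes;
    enum change_status st = total_bytes_checked(prop->size, len,
                                                prop->format, &total_bytes);
    if (st != CHANGE_OK) return st;
    size_t old_bytes = (size_t)prop->size * (size_t)(prop->format / 8);
    unsigned char *buf = calloc(total_bytes ? total_bytes : 1, 1);
    if (!buf) return CHANGE_BAD_ALLOC;
    if (old_bytes)
        memcpy(buf, prop->data, old_bytes);
    if (total_bytes > old_bytes)
        memcpy(buf + old_bytes, value, total_bytes - old_bytes);
    free(prop->data);
    prop->data = buf;
    prop->size += len;
    return CHANGE_OK;
}
```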
dasha_uwu 27f1094116 randr: export RRGetOutputProperty for nvidia
Signed-off-by: dasha_uwu <dasha@linuxping.win>
2025-06-16 10:32:48 +02:00
dasha_uwu 545f6ca8b7 randr: fix BUG_RETURN_VAL check
nvidia driver can call with numOutputs == 0 and outputs == NULL which is valid

Signed-off-by: dasha_uwu <dasha@linuxping.win>
2025-06-16 10:32:48 +02:00
dasha_uwu 1fe4d2d4ca randr: export RROutputSetSubpixelOrder for nvidia
Signed-off-by: dasha_uwu <dasha@linuxping.win>
2025-06-16 10:32:48 +02:00
dasha_uwu 3c20d33e2c randr: export RRCrtcSetTransformSupport for nvidia
Signed-off-by: dasha_uwu <dasha@linuxping.win>
2025-06-16 10:32:48 +02:00
Enrico Weigelt, metux IT consult e6467895f9 dix: add dixAllocServerXID()
Adding a separate function for allocating server-client's XIDs.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 41c039948f randr: re-export RRTransformSetFilter() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult ec7a89a92c randr: re-export RRClientKnowsRates() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 15bb2bbb37 randr: re-export RRProviderSetCapabilities() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult da3791e9ce randr: re-export RRProviderCreate() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 90c1f3b2a8 randr: re-export RRCrtcDetachScanoutPixmap() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 5f91adf017 randr: re-export RRCrtcGetTransform() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 2ec00762f4 randr: re-export RRCrtcGetScanoutSize() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 1a534e204b randr: re-export RROutputSetNonDesktop() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 9696a151dd randr: re-export some resource type fields for NVidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs those fields for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:48 +02:00
Enrico Weigelt, metux IT consult 3c028a8cc0 miext: move over extinit_priv.h from include
Since most of the extension init logic (and on/off switches for them)
is driven from miext, this seems the appropriate place for the header.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:46 +02:00
Enrico Weigelt, metux IT consult f25921f5fb randr: replace xallocarray() by calloc()
Only key difference is that calloc(), in contrast to xallocarray(),
is zero-initializing. The overhead is hard to measure on today's
machines, and it's safer programming practice to always allocate
zero-initialized, so one can't forget to do it explicitly.

Cocci rule:

    @@
    expression COUNT;
    expression LEN;
    @@
    - xallocarray(COUNT,LEN)
    + calloc(COUNT,LEN)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 17:21:43 +02:00
Enrico Weigelt, metux IT consult 8c873c04cb randr: use calloc() instead of malloc()
Using calloc() instead of malloc() as a preventive measure, so there
never can be any hidden bugs or leaks due to uninitialized memory.

The extra cost of using this compiler intrinsic should be practically
impossible to measure - in many cases a good compiler can even deduce
if certain areas really don't need to be zero'd (because they're written
to right after allocation) and create more efficient machine code.

The code paths in question are pretty cold anyways, so it's probably
not worth even thinking about potential extra runtime costs.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:49:37 +02:00
Enrico Weigelt, metux IT consult 5a4656a731 randr: use CloseScreen hook
Wrapping ScreenRec's function pointers is problematic for many reasons,
so use the new screen close notify hook instead.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:45:29 +02:00
Enrico Weigelt, metux IT consult 5193f57aae randr: add BUG_* checks for possible NULL pointer issue
The RRCrtcNotify() and RRCrtcSet() functions are exported, so there's a chance
that a buggy driver could call them with a NULL parameter, leading to a segfault.
Those are hard to trace, so it's better having a BUG_* check here.

| ../randr/rrcrtc.c: In function ‘RRCrtcNotify’:
| ../randr/rrcrtc.c:187:5: warning: use of NULL ‘outputs’ where non-null expected [CWE-476] [-Wanalyzer-null-argument]
|   187 |     memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
|       |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| ../randr/rrcrtc.c: In function ‘RRCrtcSet’:
| ../randr/rrcrtc.c:742:20: warning: dereference of NULL ‘outputs’ [CWE-476] [-Wanalyzer-null-dereference]
|   742 |         if (outputs[o]) {
|       |             ~~~~~~~^~~

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:35 +02:00
Enrico Weigelt, metux IT consult 90cd5c38ee randr: skip payload assembly in ProcRRGetScreenInfo() when no data to send
If there's no data to send, the whole reply payload can be skipped entirely.
This can also ease the whole code flow, and we don't need to rely on the
individual copy loops never trying to dereference a NULL pointer.
(which the analyzer can't prove). Also scoping several variables that
are only used when there actually is data to send.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:33 +02:00
Enrico Weigelt, metux IT consult 74a3b2b728 randr: skip payload assembly in rrGetScreenResources() when no data to send
If there's no data to send, the whole reply payload can be skipped entirely.
This can also ease the whole code flow, and we don't need to rely on the
individual copy loops never trying to dereference a NULL pointer.
(which the analyzer can't prove). Also scoping several variables that
are only used when there actually is data to send.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:29 +02:00
Enrico Weigelt, metux IT consult 67b78a9f58 randr: simplify reply assembly in ProcRRListProviderProperties()
Moving payload buffer assembly right into the same branch where the buffer is
allocated, so making the whole code flow easier to understand. Also moving the
byteswap there (when the fields should still be in CPU cache), instead of having
some callback doing it much later, so even more simplification.

As a nice by-product, that's also reducing some analyzer noise.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:27 +02:00
Enrico Weigelt, metux IT consult 2e05296905 randr: no need for a local temp buffer in ProcRRQueryProviderProperty()
The code can be much simpler by just using CopySwap32Write().
And we also don't need the callback in WriteSwappedDataToClient(),
just call the corresponding write function directly.

This also makes some analyzer warnings go away.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:24 +02:00
Enrico Weigelt, metux IT consult b535db955a randr: ProcRRGetOutputInfo() skip payload assembly when nothing to do
If there's no extra payload to send, we can skip the whole payload
assembly chain.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:22 +02:00
Enrico Weigelt, metux IT consult 6b5c64d273 randr: simplify extra payload copying in ProcRRGetOutputInfo()
Make it a bit easier to understand how exactly the name string is copied into
the reply payload: just do the little memcpy() right where the target position
is decided and the rest of the payload is filled.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:19 +02:00
Enrico Weigelt, metux IT consult b67dabef12 randr: RROutputSetCrtcs(): simplify buffer allocation / copying
Instead of relying on memcpy() coping with NULL buffer when size == 0,
move the call to the branch where we actually have things to copy.

This also silences yet another analyzer warning.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:17 +02:00
Enrico Weigelt, metux IT consult acec1156b3 randr: RROutputSetModes(): simplify buffer allocation / copying
Instead of relying on memcpy() coping with NULL buffer when size == 0,
move the call to the branch where we actually have things to copy.

This also silences yet another analyzer warning.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:14 +02:00
Enrico Weigelt, metux IT consult 3279b81d7b randr: RROutputSetClones(): simplify buffer allocation / copying
Instead of relying on memcpy() coping with NULL buffer when size == 0,
move the call to the branch where we actually have things to copy.

This also silences yet another analyzer warning.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:12 +02:00
Enrico Weigelt, metux IT consult 5b13d85464 randr: refine allocation and copying of optional buffers
Simplifying the code flow allocating/checking/copying some buffers in
RRConfigureOutputProperty() and RRConfigureProviderProperty() so it's
easier to understand for both the human reader as well as the analyzer.

Depending on whether we have elements to process, a temporary buffer needs
to be allocated, checked for successful allocation and copy over data. The
way it's currently done is technically correct, but unnecessarily complex to
understand: instead of just branching on whether there are elements and doing
all the buffer-related things only then, the branching is done just somewhere
in the middle, only on checking for allocation failure, and relying on both
calloc() and memcpy() not doing weird things when size is zero.

It's easy to simplify by putting it all behind one if statement and so make
things easier for both human reader as well as the analyzer (so it's not
spilling out false alarms here anymore) and also drops unnecessary calls
in the zero-size case.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:32:09 +02:00
Enrico Weigelt, metux IT consult aebc3c592e randr: unexport and document RRTransformCopy()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:30:10 +02:00
Enrico Weigelt, metux IT consult 67c086a9f0 randr: unexport and document RRTransformSetFilter()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:30:07 +02:00
Enrico Weigelt, metux IT consult b2f3ef787c randr: unexport and document RRTransformEqual()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:30:04 +02:00
Enrico Weigelt, metux IT consult 07950dd411 randr: unexport and document RRTransformInit()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:30:01 +02:00
Enrico Weigelt, metux IT consult 5f776e857d randr: unexport and document RRXineramaExtensionInit()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:59 +02:00
Enrico Weigelt, metux IT consult 5998871151 randr: unexport and document RRQueryOutputProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:56 +02:00
Enrico Weigelt, metux IT consult 81df43802b randr: unexport and document RRGetOutputProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:53 +02:00
Enrico Weigelt, metux IT consult d3e1cc205c randr: unexport resource type IDs
Not used by any external drivers, so no need to keep them exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:50 +02:00
Enrico Weigelt, metux IT consult 097b9e9163 randr: unexport and document RRConfigureProviderProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:47 +02:00
Enrico Weigelt, metux IT consult 7c0c2f1460 randr: unexport and document RRChangeProviderProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:44 +02:00
Enrico Weigelt, metux IT consult 7b303bd8d0 randr: unexport and document RRDeleteProviderProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:39 +02:00
Enrico Weigelt, metux IT consult 538a8a80cd randr: unexport and document RRQueryProviderProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:36 +02:00
Enrico Weigelt, metux IT consult 08110b9192 randr: unexport and document RRGetProviderProperty()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:33 +02:00
Enrico Weigelt, metux IT consult 1e7752f10d randr: unexport and document RRProviderAutoConfigGpuScreen()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:30 +02:00
Enrico Weigelt, metux IT consult 9bbaf79703 randr: unexport and document RRDeliverProviderEvent()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:28 +02:00
Enrico Weigelt, metux IT consult d9ee0e7901 randr: unexport and document RRProviderDestroy()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:25 +02:00
Enrico Weigelt, metux IT consult 8632c2e76e randr: unexport and document RRProviderSetCapabilities()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:22 +02:00
Enrico Weigelt, metux IT consult cc8e32ef5e randr: unexport and document RRProviderCreate()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:19 +02:00
Enrico Weigelt, metux IT consult 506ca26514 randr: unexport and document RRProviderInitErrorValue()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:16 +02:00
Enrico Weigelt, metux IT consult 20d1a1f412 randr: unexport and document RRProviderInit()
Not used by any external drivers, so no need to keep it exported.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-12 16:29:13 +02:00