Needed to build with IPv6 disabled using gcc 14 on some platforms to avoid:
In file included from /usr/X11/include/X11/Xtrans/transport.c:67,
from xstrans.c:17:
/usr/X11/include/X11/Xtrans/Xtranssock.c: In function ‘_XSERVTransSocketOpen’:
/usr/X11/include/X11/Xtrans/Xtranssock.c:467:28: error: passing argument 5
of ‘getsockopt’ from incompatible pointer type [-Wincompatible-pointer-types]
467 | (char *) &val, &len) == 0 && val < 64 * 1024)
| ^~~~
| |
| size_t * {aka long unsigned int *}
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1736>
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
CVE-2024-9632, ZDI-CAN-24756
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer event allocated with calloc(1, 16)
at line 470 of hw/xfree86/drivers/modesetting/present.c in
function 'ms_present_unflip'.
event allocated at line 431 with calloc(1, 16)
event leaks when ms_present_check_unflip(...) == 0 at line 438
and i >= config->num_crtc at line 445
Fixes: 13c7d53df ("modesetting: Implement page flipping support for Present.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries. The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.
Found by Oracle Parfait 13.3 static analyzer:
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data_raw[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.
Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3 static analyzer:
Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
size 24 is written at an offset of 28
Array size is 28 bytes, index is 32
at line 743 of dix/enterleave.c in function
'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer pVisual
at line 257 of dix/colormap.c in function 'CreateColormap'.
Null pointer introduced at line 412 of render/picture.c in
function 'PictureFindVisual'.
Constant 'NULL' passed into function CreateColormap, argument
pVisual, from call at line 431 in function
'PictureInitIndexedFormat'.
Function PictureFindVisual may return constant 'NULL' at
line 412, called at line 429.
Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
The comments in that function say "This only happens if master is a
slave device. don't do that" but static analysis doesn't respect that.
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestptr
at line 274 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 273 of Xi/xichangehierarchy.c in function
'remove_master'.
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestkeybd
at line 279 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 278 of Xi/xichangehierarchy.c in function
'remove_master'.
Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer optname allocated with asprintf(&optname,
"\"%s\"", p->name)
at line 326 of hw/xfree86/common/xf86Configure.c in function
'configureDeviceSection'.
optname allocated at line 309 with asprintf(&optname, "\"%s\"",
p->name)
Fixes: code inherited from XFree86
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Xwin's DestroyPixmap proc just free()s the PixmapRec directly, w/o catering
for devPrivate's, so leaving a memleak. The correct DIX function for this
is FreePixmap().
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1710>
2nd release this year:
* added syslog support
* xfree86: fixed DRI crash bug (#1053, #1534)
* bunch of little cleanups and fixes
* by default only builds Xnest DDX (others still can be enabled via options)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This branch is specifically for just Xnest only, so disable anything else
per default. The others still can be enabled via meson options.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The code is easier to understand when variables are declared where they're
used for the first time, scoped to where they're needed and not reused
for separate things.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
If DRI2ScreenInit hasn't been called yet, DRI2Authenticate and
DRI2CreateDrawable2 cause the X server to crash. This has been observed
to happen on multiple modern Linux distros in various conditions,
including QEMU and VMware VMs. Make these functions more robust in order
to prevent the crash.
This patch was originally provided by Bernhard Übelacker and expanded
upon by Mark Wagner.
Signed-off-by: Doug Brown <doug@schmorgal.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1053
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1534
Right now, we're only registering the depths of our visuals, which are
mirroring upstream's visuals. But forgotten to register the pixmap depths
that don't have an assiocated visual.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This new lookup function retrieves a pointer to WindowRec structure by
associated XID. Unlike dixLookupWindow(), this one works globally, instead
of just on one specific client, and it doesn't do any XACE calls.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The old PCCONS driver only seems to be used on minimal install disks and
cannot coexist with newer ones, so there's probably no practical use case for
supporting it in Xorg anymore.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
arc4random_buf() is a pretty standard libc function on Unix'oid platforms,
but not all our targets have it, thus we need a fallback there. Currently we
have GenerateRandomData(), which either just wraps arc4random_buf() or provides
some fallback implementation.
For those cases it's easier to just implement missing functions directly
instead of having custom wrapper functions. So, drop GenerateRandomData()
in favor of arc4random_buf() and provide fallback implementation for where
it is missing.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
(submit/cursor-api) dix: drop superfluous XineramaGetCursorScreen()
It's only used for record extension, no external callers, thus doesn't
need to be exported. Since it's just for retrieving one struct value,
it's not needed at all - we can do this directly (just like we do in
many other places)
Note: the check on noPanoramixExtensions is superfluous, since the only
call site already does it.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
These are exclusively used in one source file, so no need to keep them
in a global header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This pointer field isn't used anywhere, neither in Xorg nor in drivers.
No need to keep it around any longer.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Since LogVMessageVerb() is now signal safe, we can use this one instead.
Leaving VErrorF() macro for backwards compat with drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
It really doesn't seem to be necessary to protect a LogVMessageVerb()
call by extra mutex on windows only, while obviously not needed on
any other platform.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Since VErrorF() is now signal safe, we can use this one instead.
Leaving VErrorFSigSafe() macro for backwards compat with drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Since ErrorF() is now signal safe, we can use this one instead.
Leaving ErrorFSigSafe() macro for backwards compat with drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Since LogMessageVerb() is now signal safe, we can use this one instead.
Leaving LogMessageVerbSigSafe() macro for backwards compat with drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
We already have our own signal safe vnsprintf() implementation, which is used
for formatting log messages while being in a signal handler, there's no need
to have two separate implementations of all the logging functions.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Simplify log formatting functions and remove redundancies, e.g.:
* common function for line termination
* copy prefix directly instead of *printf'ing it
* now just exactly one LogSWrite() call per message
(good for other log targets like syslog)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Since we're only going through macros (that are calling these), this extra wrapper
function isn't needed at all - using LogMessageVerb() directly.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Parses an option that may either be used for setting an integer value or
given one or multiple times (without argument) to increase an value
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This allows us to do further probing in the included meson files:
Individual subdirectories (eg. DDXes, extensions, OS layer, ...)
can now probe things that are only relevant to them - no need to fill
the already too fat includes/meson.build with even more things.
Preparation for upcoming commits that'll make us of that.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The variables that can be set via this function are all now being
accessed directly. Not callers left, so drop it.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
No need for extra call to some demuxer function for nothing but setting a
simple bool variable. Setting the sync flag really is nothing more than just
writing some value into a variable, so it's trivial to just to do that, instead
of having an unncessarily complex "universal setter" for that.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
No need for extra call to some demuxer function for nothing but setting a
simple int variable. Setting verbosity level really is nothing more than just
writing some value into a variable, so it's trivial to just to do that, instead
of having an unncessarily complex "universal setter" for that.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
No need for extra call to some demuxer function for nothing but setting a
simple int variable. Setting verbosity level really is nothing more than just
writing some value into a variable, so it's trivial to just to do that, instead
of having an unncessarily complex "universal setter" for that.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Lots of logging functions, especially init and teardown aren't called
by any drivers/modules, so no need to keep them exported.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Alan Coopersmith
Matthieu Herrb
Tj
Enrico Weigelt, metux IT consult
Olivier Fourdan
Doug Brown