diff --git a/0001-Disallow-byte-swapped-clients-by-default.patch b/0001-Disallow-byte-swapped-clients-by-default.patch new file mode 100644 index 0000000000000000000000000000000000000000..2cbf79829350a585528e0d455708614cac47823e --- /dev/null +++ b/0001-Disallow-byte-swapped-clients-by-default.patch 
@@ -0,0 +1,272 @@ +From 73d6e888c6058b28a0e87ab65aa4172b17d8327d Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 19 Dec 2022 10:34:29 +1000 +Subject: [PATCH xserver] Fix some indentation issues + +Signed-off-by: Peter Hutterer +--- + dix/dispatch.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 210df75c63..e38a8fecaa 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -492,10 +492,10 @@ Dispatch(void) + if (!WaitForSomething(clients_are_ready())) + continue; + +- /***************** +- * Handle events in round robin fashion, doing input between +- * each round +- *****************/ ++ /***************** ++ * Handle events in round robin fashion, doing input between ++ * each round ++ *****************/ + + if (!dispatchException && clients_are_ready()) { + client = SmartScheduleClient(); +@@ -3657,11 +3657,11 @@ ProcInitialConnection(ClientPtr client) + prefix = (xConnClientPrefix *) ((char *)stuff + sz_xReq); + order = prefix->byteOrder; + if (order != 'l' && order != 'B' && order != 'r' && order != 'R') +- return client->noClientException = -1; ++ return client->noClientException = -1; + if (((*(char *) &whichbyte) && (order == 'B' || order == 'R')) || +- (!(*(char *) &whichbyte) && (order == 'l' || order == 'r'))) { +- client->swapped = TRUE; +- SwapConnClientPrefix(prefix); ++ (!(*(char *) &whichbyte) && (order == 'l' || order == 'r'))) { ++ client->swapped = TRUE; ++ SwapConnClientPrefix(prefix); + } + stuff->reqType = 2; + stuff->length += bytes_to_int32(prefix->nbytesAuthProto) + +@@ -3670,7 +3670,7 @@ ProcInitialConnection(ClientPtr client) + swaps(&stuff->length); + } + if (order == 'r' || order == 'R') { +- client->local = FALSE; ++ client->local = FALSE; + } + ResetCurrentRequest(client); + return Success; +@@ -3781,8 +3781,8 @@ ProcEstablishConnection(ClientPtr client) + auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto); + + if 
((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + +- pad_to_int32(prefix->nbytesAuthProto) + +- pad_to_int32(prefix->nbytesAuthString)) ++ pad_to_int32(prefix->nbytesAuthProto) + ++ pad_to_int32(prefix->nbytesAuthString)) + reason = "Bad length"; + else if ((prefix->majorVersion != X_PROTOCOL) || + (prefix->minorVersion != X_PROTOCOL_REVISION)) +-- +2.39.0 + +From f69280ddcdd3115ee4717f22e85e0f43569b60dd Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 20 Dec 2022 11:40:16 +1000 +Subject: [PATCH xserver] dix: localize two variables + +Signed-off-by: Peter Hutterer +--- + dix/dispatch.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index c651c3d887..92be773e6c 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3766,14 +3766,11 @@ int + ProcEstablishConnection(ClientPtr client) + { + const char *reason; +- char *auth_proto, *auth_string; + xConnClientPrefix *prefix; + + REQUEST(xReq); + + prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq); +- auth_proto = (char *) prefix + sz_xConnClientPrefix; +- auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto); + + if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + + pad_to_int32(prefix->nbytesAuthProto) + +@@ -3782,12 +3779,15 @@ ProcEstablishConnection(ClientPtr client) + else if ((prefix->majorVersion != X_PROTOCOL) || + (prefix->minorVersion != X_PROTOCOL_REVISION)) + reason = "Protocol version mismatch"; +- else ++ else { ++ char *auth_proto = (char *) prefix + sz_xConnClientPrefix; ++ char *auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto); + reason = ClientAuthorized(client, + (unsigned short) prefix->nbytesAuthProto, + auth_proto, + (unsigned short) prefix->nbytesAuthString, + auth_string); ++ } + + return (SendConnSetup(client, reason)); + } +-- +2.39.0 + +From 412777664a20dd3561b936c02c96571a756fe9b2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 20 Dec 2022 10:42:03 
+1000 +Subject: [PATCH xserver] Disallow byte-swapped clients by default + +The X server swapping code is a huge attack surface, much of this code +is untested and prone to security issues. The use-case of byte-swapped +clients is very niche, so let's disable this by default and allow it +only when the respective config option or commandline flag is given. + +For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "on". +For all DDX, this adds the commandline options +byteswappedclients and +-byteswappedclients to enable or disable, respectively. + +Fixes #1201 + +https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1029 + +Signed-off-by: Peter Hutterer +--- + dix/dispatch.c | 4 +++- + hw/xfree86/common/xf86Config.c | 8 ++++++++ + hw/xfree86/man/xorg.conf.man | 2 ++ + hw/xwayland/xwayland.pc.in | 1 + + include/opaque.h | 2 ++ + man/Xserver.man | 6 ++++++ + os/utils.c | 9 +++++++++ + 7 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 92be773e6c..9c26753a96 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3772,7 +3772,9 @@ ProcEstablishConnection(ClientPtr client) + + prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq); + +- if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + ++ if (client->swapped && !AllowByteSwappedClients) { ++ reason = "Prohibited client endianess, see the Xserver man page "; ++ } else if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + + pad_to_int32(prefix->nbytesAuthProto) + + pad_to_int32(prefix->nbytesAuthString)) + reason = "Bad length"; +diff --git a/hw/xfree86/common/xf86Config.c b/hw/xfree86/common/xf86Config.c +index 5d814c1485..41acb25aa2 100644 +--- a/hw/xfree86/common/xf86Config.c ++++ b/hw/xfree86/common/xf86Config.c +@@ -646,6 +646,7 @@ typedef enum { + FLAG_MAX_CLIENTS, + FLAG_IGLX, + FLAG_DEBUG, ++ FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, + } FlagValues; + + /** +@@ -705,6 +706,8 @@ static OptionInfoRec FlagOptions[] = { + {0}, FALSE}, + 
{FLAG_DEBUG, "Debug", OPTV_STRING, + {0}, FALSE}, ++ {FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, "AllowByteSwappedClients", OPTV_BOOLEAN, ++ {0}, FALSE}, + {-1, NULL, OPTV_NONE, + {0}, FALSE}, + }; +@@ -746,6 +749,11 @@ configServerFlags(XF86ConfFlagsPtr flagsconf, XF86OptionPtr layoutopts) + xf86Msg(X_CONFIG, "Ignoring ABI Version\n"); + } + ++ xf86GetOptValBool(FlagOptions, FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, &AllowByteSwappedClients); ++ if (AllowByteSwappedClients) { ++ xf86Msg(X_CONFIG, "Allowing byte-swapped clients\n"); ++ } ++ + if (xf86IsOptionSet(FlagOptions, FLAG_AUTO_ADD_DEVICES)) { + xf86GetOptValBool(FlagOptions, FLAG_AUTO_ADD_DEVICES, + &xf86Info.autoAddDevices); +diff --git a/hw/xfree86/man/xorg.conf.man b/hw/xfree86/man/xorg.conf.man +index 01b47247ee..d057f26ecd 100644 +--- a/hw/xfree86/man/xorg.conf.man ++++ b/hw/xfree86/man/xorg.conf.man +@@ -677,6 +677,8 @@ Possible values are + or + .BR sync . + Unset by default. ++.BI "Option \*qAllowByteSwappedClients\*q \*q" boolean \*q ++Allow clients with a different byte-order than the server. Disabled by default. + .SH "MODULE SECTION" + The + .B Module +diff --git a/include/opaque.h b/include/opaque.h +index 256261c2ad..398d4b4e51 100644 +--- a/include/opaque.h ++++ b/include/opaque.h +@@ -74,4 +74,6 @@ extern _X_EXPORT Bool bgNoneRoot; + extern _X_EXPORT Bool CoreDump; + extern _X_EXPORT Bool NoListenAll; + ++extern _X_EXPORT Bool AllowByteSwappedClients; ++ + #endif /* OPAQUE_H */ +diff --git a/man/Xserver.man b/man/Xserver.man +index 764bd1d907..e7adf9eb35 100644 +--- a/man/Xserver.man ++++ b/man/Xserver.man +@@ -114,6 +114,12 @@ pattern. This is the default unless -retro or -wr is specified. + .B \-bs + disables backing store support on all screens. + .TP 8 ++.B \+byteswappedclients ++Allow connections from clients with an endianess different to that of the server. ++.TP 8 ++.B \-byteswappedclients ++Prohibit connections from clients with an endianess different to that of the server. 
++.TP 8 + .B \-c + turns off key-click. + .TP 8 +diff --git a/os/utils.c b/os/utils.c +index fe94912f34..405bf7d8b4 100644 +--- a/os/utils.c ++++ b/os/utils.c +@@ -189,6 +189,8 @@ Bool CoreDump; + + Bool enableIndirectGLX = FALSE; + ++Bool AllowByteSwappedClients = FALSE; ++ + #ifdef PANORAMIX + Bool PanoramiXExtensionDisabledHack = FALSE; + #endif +@@ -523,6 +525,8 @@ UseMsg(void) + ErrorF("-br create root window with black background\n"); + ErrorF("+bs enable any backing store support\n"); + ErrorF("-bs disable any backing store support\n"); ++ ErrorF("+byteswappedclients Allow clients with endianess different to that of the server\n"); ++ ErrorF("-byteswappedclients Prohibit clients with endianess different to that of the server\n"); + ErrorF("-c turns off key-click\n"); + ErrorF("c # key-click volume (0-100)\n"); + ErrorF("-cc int default color visual class\n"); +@@ -720,6 +724,11 @@ ProcessCommandLine(int argc, char *argv[]) + else + UseMsg(); + } ++ else if (strcmp(argv[i], "-byteswappedclients") == 0) { ++ AllowByteSwappedClients = FALSE; ++ } else if (strcmp(argv[i], "+byteswappedclients") == 0) { ++ AllowByteSwappedClients = TRUE; ++ } + else if (strcmp(argv[i], "-br") == 0); /* default */ + else if (strcmp(argv[i], "+bs") == 0) + enableBackingStore = TRUE; +-- +2.39.0 + diff --git a/0001-Don-t-hardcode-fps-for-fake-screen.patch b/0001-Don-t-hardcode-fps-for-fake-screen.patch new file mode 100644 index 0000000000000000000000000000000000000000..465a92b7cd1958fbbc74e7c86160d467837bde1f --- /dev/null +++ b/0001-Don-t-hardcode-fps-for-fake-screen.patch 
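Review bot: In configServerFlags the xorg.conf value is written straight into `AllowByteSwappedClients` by `xf86GetOptValBool(FlagOptions, FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, &AllowByteSwappedClients)`, the same global that ProcessCommandLine sets for `+byteswappedclients` and `-byteswappedclients`, and nothing records which source set it. If the config file is parsed after the command line (the usual order for the Xorg DDX, though not visible in this patch), `Option "AllowByteSwappedClients" "on"` overrides an explicit `-byteswappedclients`, so a server hardened on the command line can still accept swapped clients. Either give the command line precedence, by remembering that the flag was passed and skipping the config lookup, or state the precedence in both man page entries. configServerFlags and ProcessCommandLine both continue outside the hunks shown.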
@@ -0,0 +1,135 @@ +From 6497eeeb1a6552315132340565a3901d4db2144c Mon Sep 17 00:00:00 2001 +From: Boris-Barboris +Date: Tue, 22 Jun 2021 00:51:08 +0300 +Subject: [PATCH] Don't hardcode fps for fake screen + +Currently, when main hardware screen is powered-off, +X server initializes fake screen's timer with +1 second update interval. + +Streaming software like Nomachine or Vnc, as well as +desktop input automation suffers from it, since it +will forever be stuck on 1 fps until the display is +turned back on. + +This commit adds command line option -fakescreenfps +that allows the user to change the default fake screen +timer. + +Signed-off-by: Baranin Alexander +--- + man/Xserver.man | 3 +++ + os/utils.c | 12 ++++++++++++ + present/present.h | 2 ++ + present/present_fake.c | 28 ++++++++++++++++++---------- + 4 files changed, 35 insertions(+), 10 deletions(-) + +diff --git a/man/Xserver.man b/man/Xserver.man +index 31ffb8c..b1a3f40 100644 +--- a/man/Xserver.man ++++ b/man/Xserver.man +@@ -169,6 +169,9 @@ sets default cursor font. + .B \-fn \fIfont\fP + sets the default font. + .TP 8 ++.B \-fakescreenfps \fFps\fP ++sets fake presenter screen default fps (allowable range: 1-600). ++.TP 8 + .B \-fp \fIfontPath\fP + sets the search path for fonts. This path is a comma separated list + of directories which the X server searches for font databases. 
+diff --git a/os/utils.c b/os/utils.c +index 2ba1c80..721d4e9 100644 +--- a/os/utils.c ++++ b/os/utils.c +@@ -110,6 +110,8 @@ __stdcall unsigned long GetTickCount(void); + + #include "picture.h" + ++#include "present.h" ++ + Bool noTestExtensions; + + #ifdef COMPOSITE +@@ -526,6 +528,7 @@ UseMsg(void) + ErrorF + ("-deferglyphs [none|all|16] defer loading of [no|all|16-bit] glyphs\n"); + ErrorF("-f # bell base (0-100)\n"); ++ ErrorF("-fakescreenfps # fake screen default fps (1-600)\n"); + ErrorF("-fc string cursor font\n"); + ErrorF("-fn string default font name\n"); + ErrorF("-fp string default font path\n"); +@@ -776,6 +779,15 @@ ProcessCommandLine(int argc, char *argv[]) + else + UseMsg(); + } ++ else if (strcmp(argv[i], "-fakescreenfps") == 0) { ++ if (++i < argc) { ++ FakeScreenFps = (uint32_t) atoi(argv[i]); ++ if (FakeScreenFps < 1 || FakeScreenFps > 600) ++ FatalError("fakescreenfps must be an integer in [1;600] range\n"); ++ } ++ else ++ UseMsg(); ++ } + else if (strcmp(argv[i], "-fc") == 0) { + if (++i < argc) + defaultCursorFont = argv[i]; +diff --git a/present/present.h b/present/present.h +index 3d0b972..e7cc50d 100644 +--- a/present/present.h ++++ b/present/present.h +@@ -190,4 +190,6 @@ present_register_complete_notify(present_complete_notify_proc proc); + extern _X_EXPORT Bool + present_can_window_flip(WindowPtr window); + ++extern _X_EXPORT uint32_t FakeScreenFps; ++ + #endif /* _PRESENT_H_ */ +diff --git a/present/present_fake.c b/present/present_fake.c +index 2350638..d9ac598 100644 +--- a/present/present_fake.c ++++ b/present/present_fake.c +@@ -117,21 +117,29 @@ present_fake_queue_vblank(ScreenPtr screen, + return Success; + } + ++uint32_t FakeScreenFps = 0; ++ + void + present_fake_screen_init(ScreenPtr screen) + { ++ uint32_t fake_fps; + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + +- /* For screens with hardware vblank support, the fake code +- * will be used for off-screen windows and while screens are blanked, +- * 
in which case we want a slow interval here +- * +- * Otherwise, pretend that the screen runs at 60Hz +- */ +- if (screen_priv->info && screen_priv->info->get_crtc) +- screen_priv->fake_interval = 1000000; +- else +- screen_priv->fake_interval = 16667; ++ if (FakeScreenFps) ++ fake_fps = FakeScreenFps; ++ else { ++ /* For screens with hardware vblank support, the fake code ++ * will be used for off-screen windows and while screens are blanked, ++ * in which case we want a large interval here: 1Hz ++ * ++ * Otherwise, pretend that the screen runs at 60Hz ++ */ ++ if (screen_priv->info && screen_priv->info->get_crtc) ++ fake_fps = 1; ++ else ++ fake_fps = 60; ++ } ++ screen_priv->fake_interval = 1000000 / fake_fps; + } + + void +-- +2.34.1 + diff --git a/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch b/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch new file mode 100644 index 0000000000000000000000000000000000000000..238989583c9f525b37ec525fcc53871d524f4d6e --- /dev/null +++ b/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch 
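Review bot: The `-fakescreenfps` branch in ProcessCommandLine parses its argument with `atoi()`, which cannot report errors. Trailing junk such as `60abc` is accepted as 60, and a value that does not fit in an int is undefined behaviour before the 1-600 check runs. Parsing with `strtoul()` and checking the end pointer keeps the range check meaningful and rejects malformed input with the same FatalError. ProcessCommandLine continues outside the hunk.

```c
else if (strcmp(argv[i], "-fakescreenfps") == 0) {
    if (++i < argc) {
        char *end;
        unsigned long fps = strtoul(argv[i], &end, 10);

        if (end == argv[i] || *end != '\0' || fps < 1 || fps > 600)
            FatalError("fakescreenfps must be an integer in [1;600] range\n");
        FakeScreenFps = (uint32_t) fps;
    }
    /* … unchanged: else UseMsg() … */
}
```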
@@ -0,0 +1,35 @@
+From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH xserver] Xi: fix potential use-after-free in
+ DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN 19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa9561..dcd4efb3bc 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+ sizeof(XkbAction));
+ }
+- else
++ else {
+ free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+ memcpy(to->button->labels, from->button->labels,
+ from->button->numButtons * sizeof(Atom));
+--
+2.39.0
+
diff --git a/0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch b/0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
new file mode 100644
index 0000000000000000000000000000000000000000..017f2474b9d0384df4ad8e595d0f3aeddfe217f0
--- /dev/null
+++ b/0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
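Review bot: The context lines just above the fix copy exactly one element into `to->button->xkb_acts` (`sizeof(XkbAction)`), while the `labels` copy two lines below is sized by `from->button->numButtons * sizeof(Atom)`. The allocation of `xkb_acts` is outside the hunk, so it cannot be checked here, but the two sizes should be reconciled so that any code indexing `xkb_acts` by button number stays inside the buffer. For the fix itself, a short comment on the new assignment would record why it matters, for example `/* stale pointer must not survive: the copy branch above writes through xkb_acts */`. DeepCopyPointerClasses starts and ends outside the hunk.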
@@ -0,0 +1,52 @@
+From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in
+ XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+Acked-by: Olivier Fourdan
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index bf27eb590b..2985a4ce6e 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+ /* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+ client->errorValue = ev->u.u.type;
+ return BadValue;
+ }
+--
+2.38.1
+
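Review bot: The new `evtype` line in XTestSwapFakeInput masks with hexadecimal `0x177`, whereas the line it replaces used octal `0177` (0x7f), so the mask changed along with the refactor. Assuming `ev->u.u.type` is the usual one-byte event field, the effective mask is 0x77, which also clears bit 3 of the type. For event types with that bit set, both the `EventSwapVector[evtype]` lookup and the `evtype == GenericEvent` comparison then run on a value that is not the event's real type. The wrong swap routine can be selected, or a valid event rejected. The line should keep the original constant: `int evtype = ev->u.u.type & 0177;`. The loop body continues outside the hunk.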
diff --git a/0001-add-a-quirk-for-apple-silicon.patch b/0001-add-a-quirk-for-apple-silicon.patch new file mode 100644 index 0000000000000000000000000000000000000000..17c40e500ec2c82b1a60efcc8bf2cd2c7e0e0376 --- /dev/null +++ b/0001-add-a-quirk-for-apple-silicon.patch @@ -0,0 +1,30 @@ +commit 39934a656a44722d16a80bf4db411c53e2d67b38 (HEAD -> master, origin/master, origin/HEAD) +Author: Eric Curtin +Date: Fri Dec 16 11:10:12 2022 +0000 + + config: add a quirk for Apple Silicon appledrm + + Xorg server does not correctly select the DCP for the display without a + quirk on Apple Silicon. + + Signed-off-by: Eric Curtin + Suggested-by: Hector Martin + +diff --git a/config/10-quirks.conf b/config/10-quirks.conf +index 47907d82d..54dd908a7 100644 +--- a/config/10-quirks.conf ++++ b/config/10-quirks.conf +@@ -36,3 +36,13 @@ Section "InputClass" + MatchDriver "evdev" + Option "TypeName" "MOUSE" + EndSection ++ ++# https://bugzilla.redhat.com/show_bug.cgi?id=2152414 ++# Xorg server does not correctly select the DCP for the display without ++# a quirk on Apple Silicon ++Section "OutputClass" ++ Identifier "appledrm" ++ MatchDriver "apple" ++ Driver "modesetting" ++ Option "PrimaryGPU" "true" ++EndSection diff --git a/0001-configure.ac-search-for-the-fontrootdir-ourselves.patch b/0001-configure.ac-search-for-the-fontrootdir-ourselves.patch new file mode 100644 index 0000000000000000000000000000000000000000..3e293580aede9f1e7ec78c453a5aa13009a01796 --- /dev/null +++ b/0001-configure.ac-search-for-the-fontrootdir-ourselves.patch 
@@ -0,0 +1,72 @@ +From e67e988730346c63d2f0cdf2531ed36b0c7ad5a6 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 23 Nov 2022 14:50:29 +1000 +Subject: [PATCH xserver] configure.ac: search for the fontrootdir ourselves + +This replaces the use of font-utils' .m4 macro set with a copy of the +only one we actually want: the bit for the fontrootpath. + +We don't need configure options for every single subfont directory, so +let's hardcode those in the default font path. Like meson does upstream +too. + +With this patch we no longer require the font-utils dependency. + +Signed-off-by: Peter Hutterer +--- + configure.ac | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 0909cc5b4d..2349320888 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -49,9 +49,6 @@ XORG_WITH_XSLTPROC + XORG_ENABLE_UNIT_TESTS + XORG_LD_WRAP([optional]) + +-m4_ifndef([XORG_FONT_MACROS_VERSION], [m4_fatal([must install font-util 1.1 or later before running autoconf/autogen])]) +-XORG_FONT_MACROS_VERSION(1.1) +- + dnl this gets generated by autoheader, and thus contains all the defines. we + dnl don't ever actually use it, internally. 
+ AC_CONFIG_HEADERS(include/do-not-use-config.h) +@@ -450,18 +447,27 @@ AC_MSG_RESULT([$FALLBACK_INPUT_DRIVER]) + AC_DEFINE_UNQUOTED(FALLBACK_INPUT_DRIVER, ["$FALLBACK_INPUT_DRIVER"], [ Fallback input driver ]) + + dnl Determine font path +-XORG_FONTROOTDIR +-XORG_FONTSUBDIR(FONTMISCDIR, fontmiscdir, misc) +-XORG_FONTSUBDIR(FONTOTFDIR, fontotfdir, OTF) +-XORG_FONTSUBDIR(FONTTTFDIR, fontttfdir, TTF) +-XORG_FONTSUBDIR(FONTTYPE1DIR, fonttype1dir, Type1) +-XORG_FONTSUBDIR(FONT75DPIDIR, font75dpidir, 75dpi) +-XORG_FONTSUBDIR(FONT100DPIDIR, font100dpidir, 100dpi) ++dnl This is a copy of XORG_FONTROOTDIR from font-utils so we can drop the dependency ++AC_MSG_CHECKING([for root directory for font files]) ++AC_ARG_WITH(fontrootdir, ++ AS_HELP_STRING([--with-fontrootdir=DIR], ++ [Path to root directory for font files]), ++ [FONTROOTDIR="$withval"]) ++# if --with-fontrootdir not specified... ++if test "x${FONTROOTDIR}" = "x"; then ++ FONTROOTDIR=`$PKG_CONFIG --variable=fontrootdir fontutil` ++fi ++# ...and if pkg-config didn't find fontdir in fontutil.pc... ++if test "x${FONTROOTDIR}" = "x"; then ++ FONTROOTDIR="${datadir}/fonts/X11" ++fi ++AC_SUBST(FONTROOTDIR) ++AC_MSG_RESULT([${FONTROOTDIR}]) + + dnl Uses --with-default-font-path if set, otherwise uses standard + dnl subdirectories of FONTROOTDIR. Some distros set the default font path to + dnl "catalogue:/etc/X11/fontpath.d,built-ins" +-DEFAULT_FONT_PATH="${FONTMISCDIR}/,${FONTTTFDIR}/,${FONTOTFDIR}/,${FONTTYPE1DIR}/,${FONT100DPIDIR}/,${FONT75DPIDIR}/" ++DEFAULT_FONT_PATH="${FONTROOTDIR}/misc,${FONTROOTDIR}/OTF,${FONTROOTDIR}/TTF,${FONTROOTDIR}/Type1,${FONTROOTDIR}/75dpi,${FONTROOTDIR}/100dpi" + case $host_os in + darwin*) DEFAULT_FONT_PATH="${DEFAULT_FONT_PATH},/Library/Fonts,/System/Library/Fonts" ;; + esac +-- +2.38.1 + 
diff --git a/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch b/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch new file mode 100644 index 0000000000000000000000000000000000000000..52ea4d01f9243952c186e4b1f2d93056474d13ce --- /dev/null +++ b/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch 
@@ -0,0 +1,154 @@ +From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 22 Jul 2019 13:51:06 -0400 +Subject: [PATCH xserver] hw: Rename boolean config value field from bool to + boolean + +"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This +is a driver-visible change and will likely break the build for mach64, +but it can be fixed by simply using xf86ReturnOptValBool like every +other driver. + +Signed-off-by: Adam Jackson +--- + hw/xfree86/common/xf86Opt.h | 2 +- + hw/xfree86/common/xf86Option.c | 10 +++++----- + hw/xwin/winconfig.c | 22 +++++++++++----------- + hw/xwin/winconfig.h | 2 +- + 4 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h +index 3be2a0fc7..3046fbd41 100644 +--- a/hw/xfree86/common/xf86Opt.h ++++ b/hw/xfree86/common/xf86Opt.h +@@ -41,7 +41,7 @@ typedef union { + unsigned long num; + const char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +diff --git a/hw/xfree86/common/xf86Option.c b/hw/xfree86/common/xf86Option.c +index 06973bca3..ca538cc57 100644 +--- a/hw/xfree86/common/xf86Option.c ++++ b/hw/xfree86/common/xf86Option.c +@@ -213,7 +213,7 @@ LookupBoolOption(XF86OptionPtr optlist, const char *name, int deflt, + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o, markUsed)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -474,7 +474,7 @@ xf86ShowUnusedOptions(int scrnIndex, XF86OptionPtr opt) + static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { +- return xf86getBoolValue(&p->value.bool, s); ++ return xf86getBoolValue(&p->value.boolean, s); + } + + static Bool +@@ -678,7 +678,7 @@ ParseOptionValue(int scrnIndex, XF86OptionPtr options, OptionInfoPtr p, + if (markUsed) + xf86MarkOptionUsedByName(options, newn); + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ 
p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -869,7 +869,7 @@ xf86GetOptValBool(const OptionInfoRec * table, int token, Bool *value) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- *value = p->value.bool; ++ *value = p->value.boolean; + return TRUE; + } + else +@@ -883,7 +883,7 @@ xf86ReturnOptValBool(const OptionInfoRec * table, int token, Bool def) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- return p->value.bool; ++ return p->value.boolean; + } + else + return def; +diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c +index 31894d2fb..646d69006 100644 +--- a/hw/xwin/winconfig.c ++++ b/hw/xwin/winconfig.c +@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt) + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p) + } + if ((s = winFindOptionValue(options, newn)) != NULL) { + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -968,25 +968,25 @@ static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { + if (*s == 0) { +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + } + else { + if (winNameCompare(s, "1") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "on") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "true") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "yes") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "0") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "off") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "false") == 0) +- 
p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "no") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + } + return TRUE; + } +diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h +index f079368c7..bd1f59650 100644 +--- a/hw/xwin/winconfig.h ++++ b/hw/xwin/winconfig.h +@@ -199,7 +199,7 @@ typedef union { + unsigned long num; + char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +-- +2.39.0 + diff --git a/0001-modesetting-Fix-msSharePixmapBacking-Segfault-Regres.patch b/0001-modesetting-Fix-msSharePixmapBacking-Segfault-Regres.patch deleted file mode 100644 index 4c8752780e11034bb031346875505684b93564e5..0000000000000000000000000000000000000000 --- a/0001-modesetting-Fix-msSharePixmapBacking-Segfault-Regres.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 98bea5a38ea17fd71b3fbb1f32f4c9a2875f73ca Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 12 Jul 2022 07:59:29 -0400 -Subject: [PATCH] modesetting Fix - ---- - hw/xfree86/drivers/modesetting/driver.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index 7075547..391e699 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -1462,10 +1462,11 @@ CreateScreenResources(ScreenPtr pScreen) - } - - static Bool --msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle) -+msSharePixmapBacking(PixmapPtr ppix, ScreenPtr slave, void **handle) - { - #ifdef GLAMOR_HAS_GBM -- modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen)); -+ modesettingPtr ms = -+ modesettingPTR(xf86ScreenToScrn(ppix->drawable.pScreen)); - int ret; - CARD16 stride; - CARD32 size; --- -2.27.0 - 
diff --git a/0001-mustard-xfree86-Disable-the-PCI-probe-path.patch b/0001-mustard-xfree86-Disable-the-PCI-probe-path.patch deleted file mode 100644 index 0528cc6b12a25fac8d23816b243fae496a488cf9..0000000000000000000000000000000000000000 --- a/0001-mustard-xfree86-Disable-the-PCI-probe-path.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From b3afd9ccefe156ab2dee993118fcdba40341f66e Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Fri, 1 Oct 2021 11:47:21 -0400 -Subject: [PATCH xserver] mustard: xfree86: Disable the PCI probe path - -RHEL 9 does not support userspace modesetting drivers for Xorg. Ideally -it would only support DRM drivers, but there are some fallback paths -(efifb mainly) that still require fbdev support. Since the primary use -of the PCI probe path is devices _without_ kernel support, we can safely -disable it. And indeed we want to, because there are some devices -(hyperv v1 e.g.) with both a platform and a PCI presentation, which the -PCI probe code fails to handle such that the server fails to start. - -Thus: we #if 0 out the PCI probe in xf86CallDriverProbe. - -It might be nice if the platform code knew about fbdev devices, but it -does not, and teaching it would be a large change for little benefit -given we do intend to sunset the fbdev path as well. Since the fbdev -path exists solely for cases where we have only the rudimentary firmare -framebuffer, we should only use it if _no_ platform driver is available. - -Thus: we only call the legacy probe method if xf86ProbeIgnorePrimary. - -Having done this, we need to go back into fbdevhw and undo fc78bcca: - - commit fc78bcca21e767697de6ad4d8e03b6728856f613 (merge-requests/38) - Author: Adam Jackson - Date: Wed Oct 10 14:09:11 2018 -0400 - - fbdevhw: Refuse to touch PCI devices on the fallback probe path - -Which was well intentioned, but given the above changes we know by the -time we're trying to probe fbdev we really do want it, either because of -the above fallback path or because xorg.conf asked for it. In either -case we shouldn't spuriously fail just because it happens to be PCI. - -Thus: We if (0) out the code added in fc78bcca. - -Any one of the above might be questionable upstream, hence the mustard -nature of this patch. 
---- - hw/xfree86/common/xf86Bus.c | 4 ++-- - hw/xfree86/fbdevhw/fbdevhw.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/xfree86/common/xf86Bus.c b/hw/xfree86/common/xf86Bus.c -index fd144dbe7a..844ce5a890 100644 ---- a/hw/xfree86/common/xf86Bus.c -+++ b/hw/xfree86/common/xf86Bus.c -@@ -84,7 +84,7 @@ xf86CallDriverProbe(DriverPtr drv, Bool detect_only) - } - #endif - --#ifdef XSERVER_LIBPCIACCESS -+#if 0 - if (!foundScreen && (drv->PciProbe != NULL)) { - if (xf86DoConfigure && xf86DoConfigurePass1) { - assert(detect_only); -@@ -96,7 +96,7 @@ xf86CallDriverProbe(DriverPtr drv, Bool detect_only) - } - } - #endif -- if (!foundScreen && (drv->Probe != NULL)) { -+ if (!foundScreen && xf86ProbeIgnorePrimary && (drv->Probe != NULL)) { - xf86Msg(X_WARNING, "Falling back to old probe method for %s\n", - drv->driverName); - foundScreen = (*drv->Probe) (drv, (detect_only) ? PROBE_DETECT -diff --git a/hw/xfree86/fbdevhw/fbdevhw.c b/hw/xfree86/fbdevhw/fbdevhw.c -index 3d8b92e669..171038f46d 100644 ---- a/hw/xfree86/fbdevhw/fbdevhw.c -+++ b/hw/xfree86/fbdevhw/fbdevhw.c -@@ -330,7 +330,7 @@ fbdev_open(int scrnIndex, const char *dev, char **namep) - } - - /* only touch non-PCI devices on this path */ -- { -+ if (0) { - char buf[PATH_MAX]; - char *sysfs_path = NULL; - char *node = strrchr(dev, '/') + 1; --- -2.31.1 - diff --git a/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch b/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch deleted file mode 100644 index b53c7bf4f122e1f93c899d95f9607bf8ff495df2..0000000000000000000000000000000000000000 --- a/0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From acc50e6097d51fec0c6c34d84c35018a50c52d5a Mon Sep 17 00:00:00 2001 -From: Povilas Kanapickas -Date: Tue, 14 Dec 2021 15:00:00 +0200 -Subject: [PATCH xserver 1/4] record: Fix out of bounds access in - SwapCreateRegister() - -ZDI-CAN-14952, CVE-2021-4011 - -This vulnerability was discovered and the fix was suggested by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Povilas Kanapickas -(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768) ---- - record/record.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/record/record.c b/record/record.c -index 05d751ac2..a8aec23bd 100644 ---- a/record/record.c -+++ b/record/record.c -@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) - swapl(pClientID); - } - if (stuff->nRanges > -- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) -- - stuff->nClients) -+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) -+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) - return BadLength; - RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); - return Success; --- -2.33.1 - diff --git a/0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch b/0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch deleted file mode 100644 index a7bf744c61a98a155a6cd769f452faf20e473685..0000000000000000000000000000000000000000 --- a/0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From 36bcef5e5fd175e95ed4e0a014f6b1d8598b719d Mon Sep 17 00:00:00 2001 -From: Ray Strode -Date: Mon, 4 Oct 2021 14:27:54 -0400 -Subject: [PATCH] xkb: Drop check for XkbSetMapResizeTypes - -Commit 446ff2d3177087b8173fa779fa5b77a2a128988b added checks to -prevalidate the size of incoming SetMap requests. - -That commit checks for the XkbSetMapResizeTypes flag to be set before -allowing key types data to be processed. - -key types data can be changed or even just sent wholesale unchanged -without the number of key types changing, however. The check for -XkbSetMapResizeTypes rejects those legitimate requests. In particular, -XkbChangeMap never sets XkbSetMapResizeTypes and so always fails now -any time XkbKeyTypesMask is in the changed mask. - -This commit drops the check for XkbSetMapResizeTypes in flags when -prevalidating the request length. ---- - xkb/xkb.c | 26 ++++++++++++-------------- - 1 file changed, 12 insertions(+), 14 deletions(-) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 183d6ffa1..62dee9cb6 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -2378,75 +2378,73 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi, - } - changes->map.first_vmodmap_key = first; - changes->map.num_vmodmap_keys = (last - first) + 1; - } - return (char *) wire; - } - - #define _add_check_len(new) \ - if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ - else len += new - - /** - * Check the length of the SetMap request - */ - static int - _XkbSetMapCheckLength(xkbSetMapReq *req) - { - size_t len = sz_xkbSetMapReq, req_len = req->length << 2; - xkbKeyTypeWireDesc *keytype; - xkbSymMapWireDesc *symmap; - BOOL preserve; - int i, map_count, nSyms; - - if (req_len < len) - goto bad; - /* types */ - if (req->present & XkbKeyTypesMask) { - keytype = (xkbKeyTypeWireDesc *)(req + 1); - for (i = 0; i < req->nTypes; i++) { - _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); -- if (req->flags & XkbSetMapResizeTypes) { -- _add_check_len(keytype->nMapEntries -- * 
sz_xkbKTSetMapEntryWireDesc); -- preserve = keytype->preserve; -- map_count = keytype->nMapEntries; -- if (preserve) { -- _add_check_len(map_count * sz_xkbModsWireDesc); -- } -- keytype += 1; -- keytype = (xkbKeyTypeWireDesc *) -- ((xkbKTSetMapEntryWireDesc *)keytype + map_count); -- if (preserve) -- keytype = (xkbKeyTypeWireDesc *) -- ((xkbModsWireDesc *)keytype + map_count); -+ _add_check_len(keytype->nMapEntries -+ * sz_xkbKTSetMapEntryWireDesc); -+ preserve = keytype->preserve; -+ map_count = keytype->nMapEntries; -+ if (preserve) { -+ _add_check_len(map_count * sz_xkbModsWireDesc); - } -+ keytype += 1; -+ keytype = (xkbKeyTypeWireDesc *) -+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count); -+ if (preserve) -+ keytype = (xkbKeyTypeWireDesc *) -+ ((xkbModsWireDesc *)keytype + map_count); - } - } - /* syms */ - if (req->present & XkbKeySymsMask) { - symmap = (xkbSymMapWireDesc *)((char *)req + len); - for (i = 0; i < req->nKeySyms; i++) { - _add_check_len(sz_xkbSymMapWireDesc); - nSyms = symmap->nSyms; - _add_check_len(nSyms*sizeof(CARD32)); - symmap += 1; - symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms); - } - } - /* actions */ - if (req->present & XkbKeyActionsMask) { - _add_check_len(req->totalActs * sz_xkbActionWireDesc - + XkbPaddedSize(req->nKeyActs)); - } - /* behaviours */ - if (req->present & XkbKeyBehaviorsMask) { - _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc); - } - /* vmods */ - if (req->present & XkbVirtualModsMask) { - _add_check_len(XkbPaddedSize(Ones(req->virtualMods))); - } - /* explicit */ - if (req->present & XkbExplicitComponentsMask) { - /* two bytes per non-zero explicit componen */ - _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16))); --- -2.32.0 - diff --git a/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e5ebb5a684e41f04daae116eed6439d0117f284 
--- /dev/null +++ b/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch @@ -0,0 +1,59 @@ +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: [PATCH xserver] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +2.38.1 + 
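Review bot: The early returns that follow the new cleanup block in ProcXkbGetKbdByName can still leak the five `names.*` strings. The `CHK_MASK_LEGAL(0x01, stuff->want, ...)` and `CHK_MASK_LEGAL(0x02, stuff->need, ...)` lines shown as trailing context run after the allocations, and if that macro returns on an illegal mask (its definition is not visible here) nothing frees them. Both checks read only `stuff->want` and `stuff->need`, so they could be moved above the first `GetComponentSpec()` call, or every failure path could go through one cleanup label. The function continues past the end of the hunk, so later exits need the same look.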
diff --git a/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/0001-xkb-proof-GetCountedString-against-request-length-at.patch new file mode 100644 index 0000000000000000000000000000000000000000..d358a3201d80a3d38f9524ab3001bfd2f169876d --- /dev/null +++ b/0001-xkb-proof-GetCountedString-against-request-length-at.patch @@ -0,0 +1,35 @@ +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: [PATCH xserver] xkb: proof GetCountedString against request length + attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.38.1 + diff --git a/0001-xkb-switch-to-array-index-loops-to-moving-pointers.patch b/0001-xkb-switch-to-array-index-loops-to-moving-pointers.patch new file mode 100644 index 0000000000000000000000000000000000000000..a4efb7a3da7d30617811ebe2d2c0106c830bc0fb --- /dev/null +++ b/0001-xkb-switch-to-array-index-loops-to-moving-pointers.patch 
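Review bot: The new guard in _GetCountedString carries no comment saying what it protects, and the literal in `wire + 2` hides that the 2 is the size of the length field read on the next line. A line such as `/* the CARD16 length field itself must lie inside the request before it is read */` above the check, with `sizeof(CARD16)` in place of the literal, would keep the intent clear through later edits. The check returns BadValue while the `_XkbCheckRequestBounds` checks added elsewhere in this commit return BadLength; whether BadValue matches the rest of the function cannot be told from the hunk, since the body continues below it.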
@@ -0,0 +1,76 @@ +From f1070c01d616c5f21f939d5ebc533738779451ac Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 Jul 2022 12:40:47 +1000 +Subject: [PATCH xserver 1/3] xkb: switch to array index loops to moving + pointers + +Most similar loops here use a pointer that advances with each loop +iteration, let's do the same here for consistency. + +No functional changes. + +Signed-off-by: Peter Hutterer +Reviewed-by: Olivier Fourdan +--- + xkb/xkb.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index a29262c24..64e52611e 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5368,16 +5368,16 @@ _CheckSetSections(XkbGeometryPtr geom, + row->left = rWire->left; + row->vertical = rWire->vertical; + kWire = (xkbKeyWireDesc *) &rWire[1]; +- for (k = 0; k < rWire->nKeys; k++) { ++ for (k = 0; k < rWire->nKeys; k++, kWire++) { + XkbKeyPtr key; + + key = XkbAddGeomKey(row); + if (!key) + return BadAlloc; +- memcpy(key->name.name, kWire[k].name, XkbKeyNameLength); +- key->gap = kWire[k].gap; +- key->shape_ndx = kWire[k].shapeNdx; +- key->color_ndx = kWire[k].colorNdx; ++ memcpy(key->name.name, kWire->name, XkbKeyNameLength); ++ key->gap = kWire->gap; ++ key->shape_ndx = kWire->shapeNdx; ++ key->color_ndx = kWire->colorNdx; + if (key->shape_ndx >= geom->num_shapes) { + client->errorValue = _XkbErrCode3(0x10, key->shape_ndx, + geom->num_shapes); +@@ -5389,7 +5389,7 @@ _CheckSetSections(XkbGeometryPtr geom, + return BadMatch; + } + } +- rWire = (xkbRowWireDesc *) &kWire[rWire->nKeys]; ++ rWire = (xkbRowWireDesc *)kWire; + } + wire = (char *) rWire; + if (sWire->nDoodads > 0) { +@@ -5454,16 +5454,16 @@ _CheckSetShapes(XkbGeometryPtr geom, + return BadAlloc; + ol->corner_radius = olWire->cornerRadius; + ptWire = (xkbPointWireDesc *) &olWire[1]; +- for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) { +- pt->x = ptWire[p].x; +- pt->y = ptWire[p].y; ++ for (p = 0, pt = ol->points; p < olWire->nPoints; 
p++, pt++, ptWire++) { ++ pt->x = ptWire->x; ++ pt->y = ptWire->y; + if (client->swapped) { + swaps(&pt->x); + swaps(&pt->y); + } + } + ol->num_points = olWire->nPoints; +- olWire = (xkbOutlineWireDesc *) (&ptWire[olWire->nPoints]); ++ olWire = (xkbOutlineWireDesc *)ptWire; + } + if (shapeWire->primaryNdx != XkbNoShape) + shape->primary = &shape->outlines[shapeWire->primaryNdx]; +-- +2.36.1 + diff --git a/0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch b/0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch new file mode 100644 index 0000000000000000000000000000000000000000..72bcadbdcc36b82d77d7d732bcb53616fedb2190 --- /dev/null +++ b/0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch 
@@ -0,0 +1,41 @@ +From c5ff57676698f19ed3a1402aef58a15552e32d27 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 29 Nov 2022 13:24:00 +1000 +Subject: [PATCH xserver 2/7] Xi: return an error from XI property changes if + verification failed + +Both ProcXChangeDeviceProperty and ProcXIChangeProperty checked the +property for validity but didn't actually return the potential error. + +Signed-off-by: Peter Hutterer +Acked-by: Olivier Fourdan +--- + Xi/xiproperty.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index a36f7d61df..68c362c628 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -902,6 +902,8 @@ ProcXChangeDeviceProperty(ClientPtr client) + + rc = check_change_property(client, stuff->property, stuff->type, + stuff->format, stuff->mode, stuff->nUnits); ++ if (rc != Success) ++ return rc; + + len = stuff->nUnits; + if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq)))) +@@ -1141,6 +1143,9 @@ ProcXIChangeProperty(ClientPtr client) + + rc = check_change_property(client, stuff->property, stuff->type, + stuff->format, stuff->mode, stuff->num_items); ++ if (rc != Success) ++ return rc; ++ + len = stuff->num_items; + if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq))) + return BadLength; +-- +2.38.1 + diff --git a/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch b/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch deleted file mode 100644 index 35f88ed54dee5a4f0246b69222863dfd3dae8b49..0000000000000000000000000000000000000000 --- a/0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From 6bb8aeb30a2686facc48733016caade97ece10ad Mon Sep 17 00:00:00 2001
-From: Povilas Kanapickas
-Date: Tue, 14 Dec 2021 15:00:01 +0200
-Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in
- *ProcXFixesCreatePointerBarrier()
-
-ZDI-CAN-14950, CVE-2021-4009
-
-This vulnerability was discovered and the fix was suggested by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Povilas Kanapickas
-(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
----
- xfixes/cursor.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/xfixes/cursor.c b/xfixes/cursor.c
-index d4b68f3af..5f531a89a 100644
---- a/xfixes/cursor.c
-+++ b/xfixes/cursor.c
-@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
- {
- REQUEST(xXFixesCreatePointerBarrierReq);
-
-- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
-+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
-+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
- LEGAL_NEW_RESOURCE(stuff->barrier, client);
-
- return XICreatePointerBarrier(client, stuff);
-@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
-
- swaps(&stuff->length);
- swaps(&stuff->num_devices);
-- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
-+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
-+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
-
- swapl(&stuff->barrier);
- swapl(&stuff->window);
---
-2.33.1
-
diff --git a/0002-xfree86-Link-fb-statically.patch b/0002-xfree86-Link-fb-statically.patch
deleted file mode 100644
index bbace8ca24b1cdf71462088fec31b97a0b9a4511..0000000000000000000000000000000000000000
--- a/0002-xfree86-Link-fb-statically.patch
+++ /dev/null
@@ -1,153 +0,0 @@ -From c2eb1e2eac99ef0b8e6cf47ab0a94371cf47e939 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Tue, 23 Jul 2019 11:54:15 -0400 -Subject: [PATCH xserver 02/11] xfree86: Link fb statically - -There's no real benefit to leaving this loadable, virtually every driver -is going to load it. - -Reviewed-by: Jon Turney -(cherry picked from commit c1703cdf3b0d6663fcac68598eefe324ae4e1e71) ---- - hw/xfree86/Makefile.am | 1 + - hw/xfree86/dixmods/Makefile.am | 8 +------- - hw/xfree86/dixmods/meson.build | 14 -------------- - hw/xfree86/drivers/modesetting/meson.build | 1 - - hw/xfree86/loader/loadmod.c | 1 + - hw/xfree86/meson.build | 1 + - hw/xfree86/sdksyms.sh | 6 +++--- - test/Makefile.am | 1 + - 8 files changed, 8 insertions(+), 25 deletions(-) - -diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am -index 9aeaea1a6..1d494cd0f 100644 ---- a/hw/xfree86/Makefile.am -+++ b/hw/xfree86/Makefile.am -@@ -75,6 +75,7 @@ LOCAL_LIBS = \ - $(DRI2_LIB) \ - $(DRI3_LIB) \ - $(GLXVND_LIB) \ -+ $(top_builddir)/fb/libfb.la \ - $(top_builddir)/miext/sync/libsync.la \ - $(top_builddir)/mi/libmi.la \ - $(top_builddir)/os/libos.la \ -diff --git a/hw/xfree86/dixmods/Makefile.am b/hw/xfree86/dixmods/Makefile.am -index 856659f98..a1f97056a 100644 ---- a/hw/xfree86/dixmods/Makefile.am -+++ b/hw/xfree86/dixmods/Makefile.am -@@ -4,8 +4,7 @@ if GLX - GLXMODS = libglx.la - endif - --module_LTLIBRARIES = libfb.la \ -- libwfb.la \ -+module_LTLIBRARIES = libwfb.la \ - libshadow.la - - extsmoduledir = $(moduledir)/extensions -@@ -17,11 +16,6 @@ AM_CPPFLAGS = @XORG_INCS@ \ - -I$(top_srcdir)/miext/shadow \ - -I$(top_srcdir)/glx - --libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) --libfb_la_LIBADD = $(top_builddir)/fb/libfb.la --libfb_la_SOURCES = fbmodule.c --libfb_la_CFLAGS = $(AM_CFLAGS) -- - libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) - libwfb_la_LIBADD = $(top_builddir)/fb/libwfb.la - libwfb_la_SOURCES = fbmodule.c -diff --git 
a/hw/xfree86/dixmods/meson.build b/hw/xfree86/dixmods/meson.build -index 0562b630f..e4ac02228 100644 ---- a/hw/xfree86/dixmods/meson.build -+++ b/hw/xfree86/dixmods/meson.build -@@ -1,17 +1,3 @@ --fb = shared_module( -- 'fb', -- 'fbmodule.c', -- -- include_directories: [inc, xorg_inc], -- c_args: xorg_c_args, -- dependencies: common_dep, -- link_whole: libxserver_fb, -- link_with: e, -- -- install: true, -- install_dir: module_dir, --) -- - shared_module( - 'wfb', - 'fbmodule.c', -diff --git a/hw/xfree86/drivers/modesetting/meson.build b/hw/xfree86/drivers/modesetting/meson.build -index 5e13f1a53..02852a716 100644 ---- a/hw/xfree86/drivers/modesetting/meson.build -+++ b/hw/xfree86/drivers/modesetting/meson.build -@@ -30,7 +30,6 @@ shared_module( - xorg_build_root = join_paths(meson.build_root(), 'hw', 'xfree86') - symbol_test_args = [] - symbol_test_args += join_paths(xorg_build_root, 'libxorgserver.so') --symbol_test_args += join_paths(xorg_build_root, 'dixmods', 'libfb.so') - symbol_test_args += join_paths(xorg_build_root, 'dixmods', 'libshadow.so') - if gbm_dep.found() - symbol_test_args += join_paths(xorg_build_root, 'glamor_egl', 'libglamoregl.so') -diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c -index a6356bd8f..f0983b2f8 100644 ---- a/hw/xfree86/loader/loadmod.c -+++ b/hw/xfree86/loader/loadmod.c -@@ -621,6 +621,7 @@ DuplicateModule(ModuleDescPtr mod, ModuleDescPtr parent) - - static const char *compiled_in_modules[] = { - "ddc", -+ "fb", - "i2c", - "ramdac", - "dbe", -diff --git a/hw/xfree86/meson.build b/hw/xfree86/meson.build -index cacf56d4c..c80964ea4 100644 ---- a/hw/xfree86/meson.build -+++ b/hw/xfree86/meson.build -@@ -61,6 +61,7 @@ xorg_link = [ - xorg_os_support, - xorg_parser, - xorg_ramdac, -+ libxserver_fb, - libxserver_xext_vidmode, - libxserver_main, - libxserver_config, -diff --git a/hw/xfree86/sdksyms.sh b/hw/xfree86/sdksyms.sh -index 7897aae22..2ebc4c019 100755 ---- a/hw/xfree86/sdksyms.sh -+++ 
b/hw/xfree86/sdksyms.sh -@@ -21,13 +21,13 @@ cat > sdksyms.c << EOF - #include "picturestr.h" - - --/* fb/Makefile.am -- module */ --/* -+/* fb/Makefile.am */ - #include "fb.h" - #include "fbrop.h" - #include "fboverlay.h" --#include "wfbrename.h" - #include "fbpict.h" -+/* wfb is still a module -+#include "wfbrename.h" - */ - - -diff --git a/test/Makefile.am b/test/Makefile.am -index 12ac327a3..ce07c3551 100644 ---- a/test/Makefile.am -+++ b/test/Makefile.am -@@ -146,6 +146,7 @@ tests_LDADD += \ - $(top_builddir)/hw/xfree86/i2c/libi2c.la \ - $(top_builddir)/hw/xfree86/xkb/libxorgxkb.la \ - $(top_builddir)/Xext/libXvidmode.la \ -+ $(top_builddir)/fb/libfb.la \ - $(XSERVER_LIBS) \ - $(XORG_LIBS) - --- -2.33.1 - diff --git a/0002-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch b/0002-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch new file mode 100644 index 0000000000000000000000000000000000000000..8973a0e3c8179b35e2b23f037befdeb040742b75 --- /dev/null +++ b/0002-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch 
@@ -0,0 +1,179 @@ +From dd8caf39e9e15d8f302e54045dd08d8ebf1025dc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 Jul 2022 09:50:41 +1000 +Subject: [PATCH xserver 2/3] xkb: swap XkbSetDeviceInfo and + XkbSetDeviceInfoCheck + +XKB often uses a FooCheck and Foo function pair, the former is supposed +to check all values in the request and error out on BadLength, +BadValue, etc. The latter is then called once we're confident the values +are good (they may still fail on an individual device, but that's a +different topic). + +In the case of XkbSetDeviceInfo, those functions were incorrectly +named, with XkbSetDeviceInfo ending up as the checker function and +XkbSetDeviceInfoCheck as the setter function. As a result, the setter +function was called before the checker function, accessing request +data and modifying device state before we ensured that the data is +valid. + +In particular, the setter function relied on values being already +byte-swapped. This in turn could lead to potential OOB memory access. + +Fix this by correctly naming the functions and moving the length checks +over to the checker function. These were added in 87c64fc5b0 to the +wrong function, probably due to the incorrect naming. + +Fixes ZDI-CAN 16070, CVE-2022-2320. 
+ +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132 + +Signed-off-by: Peter Hutterer +--- + xkb/xkb.c | 46 +++++++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 64e52611e..34b2c290b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client) + static char * + CheckSetDeviceIndicators(char *wire, + DeviceIntPtr dev, +- int num, int *status_rtrn, ClientPtr client) ++ int num, int *status_rtrn, ClientPtr client, ++ xkbSetDeviceInfoReq * stuff) + { + xkbDeviceLedsWireDesc *ledWire; + int i; +@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire, + + ledWire = (xkbDeviceLedsWireDesc *) wire; + for (i = 0; i < num; i++) { ++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) ledWire; ++ } ++ + if (client->swapped) { + swaps(&ledWire->ledClass); + swaps(&ledWire->ledID); +@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire, + atomWire = (CARD32 *) &ledWire[1]; + if (nNames > 0) { + for (n = 0; n < nNames; n++) { ++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) atomWire; ++ } ++ + if (client->swapped) { + swapl(atomWire); + } +@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire, + mapWire = (xkbIndicatorMapWireDesc *) atomWire; + if (nMaps > 0) { + for (n = 0; n < nMaps; n++) { ++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) mapWire; ++ } + if (client->swapped) { + swaps(&mapWire->virtualMods); + swapl(&mapWire->ctrls); +@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire, + xkbIndicatorMapWireDesc *mapWire; + XkbSrvLedInfoPtr sli; + +- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { +- 
*status_rtrn = BadLength; +- return (char *) ledWire; +- } +- + namec = mapc = statec = 0; + sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID, + XkbXI_IndicatorMapsMask); +@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire, + memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom)); + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->namesPresent & bit) { +- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { +- *status_rtrn = BadLength; +- return (char *) atomWire; +- } + sli->names[n] = (Atom) *atomWire; + if (sli->names[n] == None) + ledWire->namesPresent &= ~bit; +@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire, + if (ledWire->mapsPresent) { + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->mapsPresent & bit) { +- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { +- *status_rtrn = BadLength; +- return (char *) mapWire; +- } + sli->maps[n].flags = mapWire->flags; + sli->maps[n].which_groups = mapWire->whichGroups; + sli->maps[n].groups = mapWire->groups; +@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire, + } + + static int +-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, ++_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + xkbSetDeviceInfoReq * stuff) + { + char *wire; + + wire = (char *) &stuff[1]; + if (stuff->change & XkbXI_ButtonActionsMask) { ++ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); ++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) ++ return BadLength; ++ + if (!dev->button) { + client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass); + return XkbKeyboardErrorCode; +@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, + dev->button->numButtons); + return BadMatch; + } +- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc)); ++ wire += sz; + } + if (stuff->change & XkbXI_IndicatorsMask) { + int status = Success; + + wire = 
CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs, +- &status, client); ++ &status, client, stuff); + if (status != Success) + return status; + } +@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, + } + + static int +-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, +- xkbSetDeviceInfoReq * stuff) ++_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, ++ xkbSetDeviceInfoReq * stuff) + { + char *wire; + xkbExtensionDeviceNotify ed; +@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + if (stuff->firstBtn + stuff->nBtns > nBtns) + return BadValue; + sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); +- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) +- return BadLength; + memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); + wire += sz; + ed.reason |= XkbXI_ButtonActionsMask; +-- +2.36.1 + diff --git a/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch b/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch deleted file mode 100644 index 698dea202000b11255c3edf04a5d8c61519195d7..0000000000000000000000000000000000000000 --- a/0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch +++ /dev/null 
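Review bot: After this patch `_XkbSetDeviceInfo` and `SetDeviceIndicators` do no bounds checking of their own, since every `_XkbCheckRequestBounds` call was moved into the checker, so their safety rests entirely on `_XkbSetDeviceInfoCheck` having run first on the same request, and nothing in the code states that. A comment above the setter such as `/* Caller must have passed this request through _XkbSetDeviceInfoCheck(); lengths are not re-validated here. */` would record the contract that the misnaming broke the first time. Separately, the checker byte-swaps wire fields in place (`swaps(&ledWire->ledClass)` and the lines after it), so it is not idempotent for swapped clients; if the caller, which is outside these hunks, ever runs it more than once per request, the second pass would validate values that have been swapped back.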
@@ -1,34 +0,0 @@
-From 67425fcab50ef24a5617e109897f38876dd81277 Mon Sep 17 00:00:00 2001
-From: Povilas Kanapickas
-Date: Tue, 14 Dec 2021 15:00:02 +0200
-Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in
- SProcScreenSaverSuspend()
-
-ZDI-CAN-14951, CVE-2021-4010
-
-This vulnerability was discovered and the fix was suggested by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Povilas Kanapickas
-(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
----
- Xext/saver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Xext/saver.c b/Xext/saver.c
-index c27a66c80..c23907dbb 100644
---- a/Xext/saver.c
-+++ b/Xext/saver.c
-@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
- REQUEST(xScreenSaverSuspendReq);
-
- swaps(&stuff->length);
-- swapl(&stuff->suspend);
- REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
-+ swapl(&stuff->suspend);
- return ProcScreenSaverSuspend(client);
- }
-
---
-2.33.1
-
diff --git a/0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch b/0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3c654169caee98204e1c9d282878eef9e103dae
--- /dev/null
+++ b/0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
@@ -0,0 +1,71 @@ +From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 29 Nov 2022 13:26:57 +1000 +Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of + ProcXIChangeProperty + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->num_items value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->num_items bytes, i.e. 4GB. + +The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty, +so let's fix that too. + +CVE-2022-46344, ZDI-CAN 19405 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +Acked-by: Olivier Fourdan +--- + Xi/xiproperty.c | 4 ++-- + dix/property.c | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 68c362c628..066ba21fba 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client) + REQUEST(xChangeDevicePropertyReq); + DeviceIntPtr dev; + unsigned long len; +- int totalSize; ++ uint64_t totalSize; + int rc; + + REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); +@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client) + { + int rc; + DeviceIntPtr dev; +- int totalSize; ++ uint64_t totalSize; + unsigned long len; + + REQUEST(xXIChangePropertyReq); +diff --git a/dix/property.c b/dix/property.c +index 94ef5a0ec0..acce94b2c6 100644 +--- a/dix/property.c ++++ b/dix/property.c +@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client) + WindowPtr pWin; + char format, mode; + unsigned long len; +- int 
sizeInBytes, totalSize, err; ++ int sizeInBytes, err; ++ uint64_t totalSize; + + REQUEST(xChangePropertyReq); + +-- +2.38.1 + diff --git a/0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch b/0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch new file mode 100644 index 0000000000000000000000000000000000000000..dca4d7cf64edf96e5532cf762998ff50c0e5ed44 --- /dev/null +++ b/0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch 
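Review bot: Widening `totalSize` to `uint64_t` in ProcXChangeDeviceProperty, ProcXIChangeProperty and ProcChangeProperty only removes the truncation if the expression assigned to it is itself evaluated in 64 bits, and that assignment is outside all three hunks. The operands visible in the declarations are `unsigned long len` and, in dix/property.c, `int sizeInBytes`, so on a build where `unsigned long` is 32 bits the product would be computed at 32 bits and widened only afterwards. Casting the first operand to `uint64_t` at the multiplication would make the fix independent of the platform's `long` width. An earlier upper bound on `len` may already make this safe, but nothing near the declarations says so.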
@@ -0,0 +1,182 @@ +From 6907b6ea2b4ce949cb07271f5b678d5966d9df42 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 Jul 2022 11:11:06 +1000 +Subject: [PATCH xserver 3/3] xkb: add request length validation for + XkbSetGeometry + +No validation of the various fields on that report were done, so a +malicious client could send a short request that claims it had N +sections, or rows, or keys, and the server would process the request for +N sections, running out of bounds of the actual request data. + +Fix this by adding size checks to ensure our data is valid. + +ZDI-CAN 16062, CVE-2022-2319. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +--- + xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 38 insertions(+), 5 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 34b2c290b..4692895db 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5156,7 +5156,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + } + + static Status +-_CheckSetDoodad(char **wire_inout, ++_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req, + XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) + { + char *wire; +@@ -5167,6 +5167,9 @@ _CheckSetDoodad(char **wire_inout, + Status status; + + dWire = (xkbDoodadWireDesc *) (*wire_inout); ++ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1)) ++ return BadLength; ++ + any = dWire->any; + wire = (char *) &dWire[1]; + if (client->swapped) { +@@ -5269,7 +5272,7 @@ _CheckSetDoodad(char **wire_inout, + } + + static Status +-_CheckSetOverlay(char **wire_inout, ++_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req, + XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) + { + register int r; +@@ -5280,6 +5283,9 @@ _CheckSetOverlay(char **wire_inout, + + wire = *wire_inout; + olWire = (xkbOverlayWireDesc *) wire; ++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1)) ++ 
return BadLength; ++ + if (client->swapped) { + swapl(&olWire->name); + } +@@ -5291,6 +5297,9 @@ _CheckSetOverlay(char **wire_inout, + xkbOverlayKeyWireDesc *kWire; + XkbOverlayRowPtr row; + ++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1)) ++ return BadLength; ++ + if (rWire->rowUnder > section->num_rows) { + client->errorValue = _XkbErrCode4(0x20, r, section->num_rows, + rWire->rowUnder); +@@ -5299,6 +5308,9 @@ _CheckSetOverlay(char **wire_inout, + row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys); + kWire = (xkbOverlayKeyWireDesc *) &rWire[1]; + for (k = 0; k < rWire->nKeys; k++, kWire++) { ++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1)) ++ return BadLength; ++ + if (XkbAddGeomOverlayKey(ol, row, + (char *) kWire->over, + (char *) kWire->under) == NULL) { +@@ -5332,6 +5344,9 @@ _CheckSetSections(XkbGeometryPtr geom, + register int r; + xkbRowWireDesc *rWire; + ++ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1)) ++ return BadLength; ++ + if (client->swapped) { + swapl(&sWire->name); + swaps(&sWire->top); +@@ -5357,6 +5372,9 @@ _CheckSetSections(XkbGeometryPtr geom, + XkbRowPtr row; + xkbKeyWireDesc *kWire; + ++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1)) ++ return BadLength; ++ + if (client->swapped) { + swaps(&rWire->top); + swaps(&rWire->left); +@@ -5371,6 +5389,9 @@ _CheckSetSections(XkbGeometryPtr geom, + for (k = 0; k < rWire->nKeys; k++, kWire++) { + XkbKeyPtr key; + ++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1)) ++ return BadLength; ++ + key = XkbAddGeomKey(row); + if (!key) + return BadAlloc; +@@ -5396,7 +5417,7 @@ _CheckSetSections(XkbGeometryPtr geom, + register int d; + + for (d = 0; d < sWire->nDoodads; d++) { +- status = _CheckSetDoodad(&wire, geom, section, client); ++ status = _CheckSetDoodad(&wire, req, geom, section, client); + if (status != Success) + return status; + } +@@ -5405,7 +5426,7 @@ _CheckSetSections(XkbGeometryPtr geom, + register int o; + + for (o = 0; 
o < sWire->nOverlays; o++) { +- status = _CheckSetOverlay(&wire, geom, section, client); ++ status = _CheckSetOverlay(&wire, req, geom, section, client); + if (status != Success) + return status; + } +@@ -5439,6 +5460,9 @@ _CheckSetShapes(XkbGeometryPtr geom, + xkbOutlineWireDesc *olWire; + XkbOutlinePtr ol; + ++ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1)) ++ return BadLength; ++ + shape = + XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines); + if (!shape) +@@ -5449,12 +5473,18 @@ _CheckSetShapes(XkbGeometryPtr geom, + XkbPointPtr pt; + xkbPointWireDesc *ptWire; + ++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1)) ++ return BadLength; ++ + ol = XkbAddGeomOutline(shape, olWire->nPoints); + if (!ol) + return BadAlloc; + ol->corner_radius = olWire->cornerRadius; + ptWire = (xkbPointWireDesc *) &olWire[1]; + for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) { ++ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1)) ++ return BadLength; ++ + pt->x = ptWire->x; + pt->y = ptWire->y; + if (client->swapped) { +@@ -5560,12 +5590,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + return status; + + for (i = 0; i < req->nDoodads; i++) { +- status = _CheckSetDoodad(&wire, geom, NULL, client); ++ status = _CheckSetDoodad(&wire, req, geom, NULL, client); + if (status != Success) + return status; + } + + for (i = 0; i < req->nKeyAliases; i++) { ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) ++ return BadLength; ++ + if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) + return BadAlloc; + wire += 2 * XkbKeyNameLength; +-- +2.36.1 + diff --git a/0004-Xi-disallow-passive-grabs-with-a-detail-255.patch b/0004-Xi-disallow-passive-grabs-with-a-detail-255.patch new file mode 100644 index 0000000000000000000000000000000000000000..5b189ea8a3d6835b38a40bb93be1ec0e7aac75d3 --- /dev/null 
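Review bot: In the `_CheckSetGeom` key-alias loop the added bounds check covers only `wire` to `wire + XkbKeyNameLength`, while the same iteration passes `&wire[XkbKeyNameLength]` to `XkbAddGeomKeyAlias` and then advances by `2 * XkbKeyNameLength`. The second name of an alias entry is therefore not shown to lie inside the request, so the check should span the whole entry: `if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength))`. The other added checks use the `ptr, ptr + 1` form on a typed wire struct and do cover the element they guard. `_CheckSetGeom` and the helpers continue outside the hunks shown.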
+++ b/0004-Xi-disallow-passive-grabs-with-a-detail-255.patch 
@@ -0,0 +1,82 @@ +From 0dab0b527ac5c4fe0272ea679522bd87238a733b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 29 Nov 2022 13:55:32 +1000 +Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255 + +The XKB protocol effectively prevents us from ever using keycodes above +255. For buttons it's theoretically possible but realistically too niche +to worry about. For all other passive grabs, the detail must be zero +anyway. + +This fixes an OOB write: + +ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a +temporary grab struct which contains tempGrab->detail.exact = stuff->detail. +For matching existing grabs, DeleteDetailFromMask is called with the +stuff->detail value. This function creates a new mask with the one bit +representing stuff->detail cleared. + +However, the array size for the new mask is 8 * sizeof(CARD32) bits, +thus any detail above 255 results in an OOB array write. + +CVE-2022-46341, ZDI-CAN 19381 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +Acked-by: Olivier Fourdan +--- + Xi/xipassivegrab.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index 2769fb7c94..c9ac2f8553 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) + return BadValue; + } + ++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never ++ * implement this. Just return an error for all keycodes that ++ * cannot work anyway, same for buttons > 255. 
*/ ++ if (stuff->detail > 255) ++ return XIAlreadyGrabbed; ++ + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], + stuff->mask_len * 4) != Success) + return BadValue; +@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) + ¶m, XI2, &mask); + break; + case XIGrabtypeKeycode: +- /* XI2 allows 32-bit keycodes but thanks to XKB we can never +- * implement this. Just return an error for all keycodes that +- * cannot work anyway */ +- if (stuff->detail > 255) +- status = XIAlreadyGrabbed; +- else +- status = GrabKey(client, dev, mod_dev, stuff->detail, +- ¶m, XI2, &mask); ++ status = GrabKey(client, dev, mod_dev, stuff->detail, ++ ¶m, XI2, &mask); + break; + case XIGrabtypeEnter: + case XIGrabtypeFocusIn: +@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) + return BadValue; + } + ++ /* We don't allow passive grabs for details > 255 anyway */ ++ if (stuff->detail > 255) { ++ client->errorValue = stuff->detail; ++ return BadValue; ++ } ++ + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); + if (rc != Success) + return rc; +-- +2.38.1 + diff --git a/0004-loader-Move-LoaderSymbolFromModule-to-public-API.patch b/0004-loader-Move-LoaderSymbolFromModule-to-public-API.patch deleted file mode 100644 index 7c681b630638ed38be8ae915e3811a5709e81630..0000000000000000000000000000000000000000 --- a/0004-loader-Move-LoaderSymbolFromModule-to-public-API.patch +++ /dev/null 
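Review bot: The new early exit in ProcXIPassiveGrabDevice uses `return XIAlreadyGrabbed;`, but the removed code only ever stored that constant in `status`, i.e. it was a per-grab result rather than the handler's return code. Every other early return visible in these hunks is an X error such as `BadValue`, so the value would presumably be interpreted as a protocol error number and the client would see an unrelated error. Mirroring the ungrab path added further down would be consistent: `client->errorValue = stuff->detail;` followed by `return BadValue;`. Both functions continue outside the hunks, so the reply handling after the grab-type switch could not be checked.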
@@ -1,42 +0,0 @@
-From e763a4fa114ba6c0abddf2b43a7297b8b9054855 Mon Sep 17 00:00:00 2001
-From: Adam Jackson
-Date: Tue, 8 Oct 2019 13:29:22 -0400
-Subject: [PATCH xserver 04/11] loader: Move LoaderSymbolFromModule() to public
- API
-
-Bare LoaderSymbol() isn't really a great API, this is more of a direct
-map to dlsym like you want.
-
-Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
-(cherry picked from commit 8760fab0a15805bdd12bb8f12bb1c665fde86cc2)
----
- hw/xfree86/common/xf86Module.h | 1 +
- hw/xfree86/loader/loader.h | 1 -
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/xfree86/common/xf86Module.h b/hw/xfree86/common/xf86Module.h
-index 00aa84ae2..fab8842c4 100644
---- a/hw/xfree86/common/xf86Module.h
-+++ b/hw/xfree86/common/xf86Module.h
-@@ -156,6 +156,7 @@ extern _X_EXPORT void *LoadSubModule(void *, const char *, const char **,
- extern _X_EXPORT void UnloadSubModule(void *);
- extern _X_EXPORT void UnloadModule(void *);
- extern _X_EXPORT void *LoaderSymbol(const char *);
-+extern _X_EXPORT void *LoaderSymbolFromModule(void *, const char *);
- extern _X_EXPORT void LoaderErrorMsg(const char *, const char *, int, int);
- extern _X_EXPORT Bool LoaderShouldIgnoreABI(void);
- extern _X_EXPORT int LoaderGetABIVersion(const char *abiclass);
-diff --git a/hw/xfree86/loader/loader.h b/hw/xfree86/loader/loader.h
-index 5a2fe6c60..4e83730a2 100644
---- a/hw/xfree86/loader/loader.h
-+++ b/hw/xfree86/loader/loader.h
-@@ -72,6 +72,5 @@ extern unsigned long LoaderOptions;
-
- /* Internal Functions */
- void *LoaderOpen(const char *, int *);
--void *LoaderSymbolFromModule(void *, const char *);
-
- #endif /* _LOADER_H */
---
-2.33.1
-
diff --git a/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch b/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
deleted file mode 100644
index f2de6936b17257142017323c59ee15963359ac43..0000000000000000000000000000000000000000
--- a/0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001
-From: Povilas Kanapickas
-Date: Tue, 14 Dec 2021 15:00:03 +0200
-Subject: [PATCH xserver 4/4] render: Fix out of bounds access in
- SProcRenderCompositeGlyphs()
-
-ZDI-CAN-14192, CVE-2021-4008
-
-This vulnerability was discovered and the fix was suggested by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Povilas Kanapickas
-(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
----
- render/render.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/render/render.c b/render/render.c
-index c376090ca..456f156d4 100644
---- a/render/render.c
-+++ b/render/render.c
-@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
-
- i = elt->len;
- if (i == 0xff) {
-+ if (buffer + 4 > end) {
-+ return BadLength;
-+ }
- swapl((int *) buffer);
- buffer += 4;
- }
-@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
- buffer += i;
- break;
- case 2:
-+ if (buffer + i * 2 > end) {
-+ return BadLength;
-+ }
- while (i--) {
- swaps((short *) buffer);
- buffer += 2;
- }
- break;
- case 4:
-+ if (buffer + i * 4 > end) {
-+ return BadLength;
-+ }
- while (i--) {
- swapl((int *) buffer);
- buffer += 4;
---
-2.33.1
-
diff --git a/0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch b/0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dc2a9d9b521f2de3351969f1c432485f8ce40563
--- /dev/null
+++ b/0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
@@ -0,0 +1,48 @@
+From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when
+ replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+Acked-by: Olivier Fourdan
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index f813ba08d1..fd6153c313 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+ pVlist++;
+ }
+ if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+ pPriv->attr = pAttr;
+ pAttr->resource = FakeClientID(client->index);
+ if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.38.1
+
diff --git a/0005-loader-Make-LoaderSymbolFromModule-take-a-ModuleDesc.patch b/0005-loader-Make-LoaderSymbolFromModule-take-a-ModuleDesc.patch
deleted file mode 100644
index ac36114b019ba6ffa9f1da26e3391e0e308828c9..0000000000000000000000000000000000000000
--- a/0005-loader-Make-LoaderSymbolFromModule-take-a-ModuleDesc.patch
+++ /dev/null
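Review bot: In ScreenSaverSetAttributes, `FreeResource(pPriv->attr->resource, AttrType)` passes `AttrType` as the second argument, which in the dix resource API names the resource type whose delete callback is skipped. If that applies here, the old entry is unlinked from the client's resources, which closes the use-after-free, but nothing frees the old attribute struct any more, whereas the description says the resource system frees it. This is worth confirming against `FreeResource` and `ScreenSaverFreeAttr`, both outside the hunk. If the callback is indeed skipped, keep the old pointer in a local, call `FreeResource` as now, then call `FreeScreenAttr` on the saved pointer. At minimum a comment such as `/* drop the old attr's resource entry so client teardown cannot reach it */` would record the intent.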
@@ -1,50 +0,0 @@
-From b01ca791b9ba62e25e3533ba35f8e825f02f0f80 Mon Sep 17 00:00:00 2001
-From: Adam Jackson
-Date: Mon, 18 Nov 2019 16:43:50 -0500
-Subject: [PATCH xserver 05/11] loader: Make LoaderSymbolFromModule take a
- ModuleDescPtr
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The thing you get back from xf86LoadSubModule is a ModuleDescPtr, not a
-dlsym handle. We don't expose ModuleDescPtr to the drivers, so change
-LoaderSymbolFromModule to cast its void * argument to a ModuleDescPtr.
-
-Reviewed-by: Michel Dänzer
-(cherry picked from commit ab61c16ef07fde6eb7110c63c344c54eb2a2d117)
----
- hw/xfree86/loader/loader.c | 3 ++-
- hw/xfree86/loader/loadmod.c | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/xfree86/loader/loader.c b/hw/xfree86/loader/loader.c
-index 503c47e3a..2580e93d9 100644
---- a/hw/xfree86/loader/loader.c
-+++ b/hw/xfree86/loader/loader.c
-@@ -135,7 +135,8 @@ LoaderSymbol(const char *name)
- void *
- LoaderSymbolFromModule(void *handle, const char *name)
- {
-- return dlsym(handle, name);
-+ ModuleDescPtr mod = handle;
-+ return dlsym(mod->handle, name);
- }
-
- void
-diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
-index a93a76aa9..81a3a1dd9 100644
---- a/hw/xfree86/loader/loadmod.c
-+++ b/hw/xfree86/loader/loadmod.c
-@@ -776,7 +776,7 @@ LoadModule(const char *module, void *options, const XF86ModReqInfo *modreq,
- *errmaj = LDR_NOMEM;
- goto LoadModule_fail;
- }
-- initdata = LoaderSymbolFromModule(ret->handle, p);
-+ initdata = LoaderSymbolFromModule(ret, p);
- if (initdata) {
- ModuleSetupProc setup;
- ModuleTearDownProc teardown;
---
-2.33.1
-
diff --git a/0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch b/0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba8b8fa05a4a4324623a24d32ba8bfdcab196db9
--- /dev/null
+++ b/0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch 
@@ -0,0 +1,74 @@ +From a42635ee3c01f71a49052d83a372933504c9db04 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 30 Nov 2022 11:20:40 +1000 +Subject: [PATCH xserver 6/7] Xext: free the XvRTVideoNotify when turning off + from the same client + +This fixes a use-after-free bug: + +When a client first calls XvdiSelectVideoNotify() on a drawable with a +TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct +is added twice to the resources: + - as the drawable's XvRTVideoNotifyList. This happens only once per + drawable, subsequent calls append to this list. + - as the client's XvRTVideoNotify. This happens for every client. + +The struct keeps the ClientPtr around once it has been added for a +client. The idea, presumably, is that if the client disconnects we can remove +all structs from the drawable's list that match the client (by resetting +the ClientPtr to NULL), but if the drawable is destroyed we can remove +and free the whole list. + +However, if the same client then calls XvdiSelectVideoNotify() on the +same drawable with a FALSE onoff argument, only the ClientPtr on the +existing struct was set to NULL. The struct itself remained in the +client's resources. + +If the drawable is now destroyed, the resource system invokes +XvdiDestroyVideoNotifyList which frees the whole list for this drawable +- including our struct. This function however does not free the resource +for the client since our ClientPtr is NULL. + +Later, when the client is destroyed and the resource system invokes +XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On +a struct that has been freed previously. This is generally frowned upon. + +Fix this by calling FreeResource() on the second call instead of merely +setting the ClientPtr to NULL. This removes the struct from the client +resources (but not from the list), ensuring that it won't be accessed +again when the client quits. 
+ +Note that the assignment tpn->client = NULL; is superfluous since the +XvdiDestroyVideoNotify function will do this anyway. But it's left for +clarity and to match a similar invocation in XvdiSelectPortNotify. + +CVE-2022-46342, ZDI-CAN 19400 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +Acked-by: Olivier Fourdan +--- + Xext/xvmain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xext/xvmain.c b/Xext/xvmain.c +index f627471938..2a08f8744a 100644 +--- a/Xext/xvmain.c ++++ b/Xext/xvmain.c +@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff) + tpn = pn; + while (tpn) { + if (tpn->client == client) { +- if (!onoff) ++ if (!onoff) { + tpn->client = NULL; ++ FreeResource(tpn->id, XvRTVideoNotify); ++ } + return Success; + } + if (!tpn->client) +-- +2.38.1 + diff --git a/0006-modesetting-Indirect-the-shadow-API-through-LoaderSy.patch b/0006-modesetting-Indirect-the-shadow-API-through-LoaderSy.patch deleted file mode 100644 index ca0c56303a1deeb19c54213f8bbe06da202b618d..0000000000000000000000000000000000000000 --- a/0006-modesetting-Indirect-the-shadow-API-through-LoaderSy.patch +++ /dev/null 
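Review bot: The commit text calls `tpn->client = NULL;` superfluous because XvdiDestroyVideoNotify will clear it, but `FreeResource(tpn->id, XvRTVideoNotify)` names `XvRTVideoNotify` in the argument that, in the dix resource API, selects the type whose delete callback is skipped. If the callback does not run for this call, the explicit assignment is the only thing that marks the list entry as unowned for later walks of the list, such as the `if (!tpn->client)` test visible below, so it should not be dropped in a later cleanup. A comment above the two lines would capture that: `/* clear the slot and drop the client's resource entry; the struct itself stays on the drawable's list */`. The loop and the rest of XvdiSelectVideoNotify continue outside the hunk.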
@@ -1,144 +0,0 @@ -From 13d3bc7a05eb7500c8987358c68c20a4bfe18079 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Tue, 8 Oct 2019 12:52:28 -0400 -Subject: [PATCH xserver 06/11] modesetting: Indirect the shadow API through - LoaderSymbol - -Prerequisite for building all of xserver with -z now. - -Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692 -(cherry picked from commit 45f35a0c6666c5f35df482948e0c8e91167429ef) ---- - hw/xfree86/drivers/modesetting/driver.c | 34 +++++++++++-------------- - hw/xfree86/drivers/modesetting/driver.h | 12 ++++++++- - 2 files changed, 26 insertions(+), 20 deletions(-) - -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index ec4189a2c..a385e7ee2 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -50,7 +50,6 @@ - #include "xf86Crtc.h" - #include "miscstruct.h" - #include "dixstruct.h" --#include "shadow.h" - #include "xf86xv.h" - #include - #include -@@ -60,7 +59,6 @@ - #ifdef XSERVER_LIBPCIACCESS - #include - #endif -- - #include "driver.h" - - static void AdjustFrame(ScrnInfoPtr pScrn, int x, int y); -@@ -1084,9 +1082,16 @@ PreInit(ScrnInfoPtr pScrn, int flags) - } - - if (ms->drmmode.shadow_enable) { -- if (!xf86LoadSubModule(pScrn, "shadow")) { -+ void *mod = xf86LoadSubModule(pScrn, "shadow"); -+ -+ if (!mod) - return FALSE; -- } -+ -+ ms->shadow.Setup = LoaderSymbolFromModule(mod, "shadowSetup"); -+ ms->shadow.Add = LoaderSymbolFromModule(mod, "shadowAdd"); -+ ms->shadow.Remove = LoaderSymbolFromModule(mod, "shadowRemove"); -+ ms->shadow.Update32to24 = LoaderSymbolFromModule(mod, "shadowUpdate32to24"); -+ ms->shadow.UpdatePacked = LoaderSymbolFromModule(mod, "shadowUpdatePacked"); - } - - return TRUE; -@@ -1191,9 +1196,9 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) - } while (0); - - if (use_3224) -- shadowUpdate32to24(pScreen, pBuf); -+ ms->shadow.Update32to24(pScreen, pBuf); - else -- 
shadowUpdatePacked(pScreen, pBuf); -+ ms->shadow.UpdatePacked(pScreen, pBuf); - } - - static Bool -@@ -1380,8 +1385,8 @@ CreateScreenResources(ScreenPtr pScreen) - FatalError("Couldn't adjust screen pixmap\n"); - - if (ms->drmmode.shadow_enable) { -- if (!shadowAdd(pScreen, rootPixmap, msUpdatePacked, msShadowWindow, -- 0, 0)) -+ if (!ms->shadow.Add(pScreen, rootPixmap, msUpdatePacked, msShadowWindow, -+ 0, 0)) - return FALSE; - } - -@@ -1415,15 +1420,6 @@ CreateScreenResources(ScreenPtr pScreen) - return ret; - } - --static Bool --msShadowInit(ScreenPtr pScreen) --{ -- if (!shadowSetup(pScreen)) { -- return FALSE; -- } -- return TRUE; --} -- - static Bool - msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle) - { -@@ -1643,7 +1639,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv) - return FALSE; - } - -- if (ms->drmmode.shadow_enable && !msShadowInit(pScreen)) { -+ if (ms->drmmode.shadow_enable && !ms->shadow.Setup(pScreen)) { - xf86DrvMsg(pScrn->scrnIndex, X_ERROR, "shadow fb init failed\n"); - return FALSE; - } -@@ -1887,7 +1883,7 @@ CloseScreen(ScreenPtr pScreen) - } - - if (ms->drmmode.shadow_enable) { -- shadowRemove(pScreen, pScreen->GetScreenPixmap(pScreen)); -+ ms->shadow.Remove(pScreen, pScreen->GetScreenPixmap(pScreen)); - free(ms->drmmode.shadow_fb); - ms->drmmode.shadow_fb = NULL; - free(ms->drmmode.shadow_fb2); -diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h -index a99f37871..394a20fc1 100644 ---- a/hw/xfree86/drivers/modesetting/driver.h -+++ b/hw/xfree86/drivers/modesetting/driver.h -@@ -33,7 +33,7 @@ - #include - #include - #include -- -+#include - #ifdef GLAMOR_HAS_GBM - #define GLAMOR_FOR_XORG 1 - #include "glamor.h" -@@ -122,6 +122,16 @@ typedef struct _modesettingRec { - - Bool kms_has_modifiers; - -+ /* shadow API */ -+ struct { -+ Bool (*Setup)(ScreenPtr); -+ Bool (*Add)(ScreenPtr, PixmapPtr, ShadowUpdateProc, ShadowWindowProc, -+ int, void *); -+ void 
(*Remove)(ScreenPtr, PixmapPtr); -+ void (*Update32to24)(ScreenPtr, shadowBufPtr); -+ void (*UpdatePacked)(ScreenPtr, shadowBufPtr); -+ } shadow; -+ - } modesettingRec, *modesettingPtr; - - #define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate)) --- -2.33.1 - diff --git a/0007-modesetting-Indirect-the-glamor-API-through-LoaderSy.patch b/0007-modesetting-Indirect-the-glamor-API-through-LoaderSy.patch deleted file mode 100644 index 396dd8a2d5c1221536a8b0b19ebfbb8c971f9447..0000000000000000000000000000000000000000 --- a/0007-modesetting-Indirect-the-glamor-API-through-LoaderSy.patch +++ /dev/null 
@@ -1,332 +0,0 @@ -From 94612044171975466f605d5f01769d1c2b9acc5d Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Tue, 8 Oct 2019 13:11:09 -0400 -Subject: [PATCH xserver 07/11] modesetting: Indirect the glamor API through - LoaderSymbol - -Prerequisite for building all of xserver with -z now. - -Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692 -(cherry picked from commit dd63f717fe8636315343f421f4f2ee299258f079) ---- - hw/xfree86/drivers/modesetting/dri2.c | 10 ++-- - hw/xfree86/drivers/modesetting/driver.c | 49 ++++++++++++++----- - hw/xfree86/drivers/modesetting/driver.h | 24 +++++++++ - .../drivers/modesetting/drmmode_display.c | 17 ++++--- - hw/xfree86/drivers/modesetting/pageflip.c | 4 +- - hw/xfree86/drivers/modesetting/present.c | 4 +- - 6 files changed, 82 insertions(+), 26 deletions(-) - -diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c -index d89904b53..724d9d34c 100644 ---- a/hw/xfree86/drivers/modesetting/dri2.c -+++ b/hw/xfree86/drivers/modesetting/dri2.c -@@ -123,6 +123,7 @@ ms_dri2_create_buffer2(ScreenPtr screen, DrawablePtr drawable, - unsigned int attachment, unsigned int format) - { - ScrnInfoPtr scrn = xf86ScreenToScrn(screen); -+ modesettingPtr ms = modesettingPTR(scrn); - DRI2Buffer2Ptr buffer; - PixmapPtr pixmap; - CARD32 size; -@@ -200,7 +201,7 @@ ms_dri2_create_buffer2(ScreenPtr screen, DrawablePtr drawable, - */ - buffer->flags = 0; - -- buffer->name = glamor_name_from_pixmap(pixmap, &pitch, &size); -+ buffer->name = ms->glamor.name_from_pixmap(pixmap, &pitch, &size); - buffer->pitch = pitch; - if (buffer->name == -1) { - xf86DrvMsg(scrn->scrnIndex, X_ERROR, -@@ -509,11 +510,12 @@ update_front(DrawablePtr draw, DRI2BufferPtr front) - ScreenPtr screen = draw->pScreen; - PixmapPtr pixmap = get_drawable_pixmap(draw); - ms_dri2_buffer_private_ptr priv = front->driverPrivate; -+ modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen)); - CARD32 size; - CARD16 pitch; - int name; - -- 
name = glamor_name_from_pixmap(pixmap, &pitch, &size); -+ name = ms->glamor.name_from_pixmap(pixmap, &pitch, &size); - if (name < 0) - return FALSE; - -@@ -617,7 +619,7 @@ ms_dri2_exchange_buffers(DrawablePtr draw, DRI2BufferPtr front, - *front_pix = *back_pix; - *back_pix = tmp_pix; - -- glamor_egl_exchange_buffers(front_priv->pixmap, back_priv->pixmap); -+ ms->glamor.egl_exchange_buffers(front_priv->pixmap, back_priv->pixmap); - - /* Post damage on the front buffer so that listeners, such - * as DisplayLink know take a copy and shove it over the USB. -@@ -1036,7 +1038,7 @@ ms_dri2_screen_init(ScreenPtr screen) - DRI2InfoRec info; - const char *driver_names[2] = { NULL, NULL }; - -- if (!glamor_supports_pixmap_import_export(screen)) { -+ if (!ms->glamor.supports_pixmap_import_export(screen)) { - xf86DrvMsg(scrn->scrnIndex, X_WARNING, - "DRI2: glamor lacks support for pixmap import/export\n"); - } -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index a385e7ee2..4f4db67b7 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -615,7 +615,7 @@ redisplay_dirty(ScreenPtr screen, PixmapDirtyUpdatePtr dirty, int *timeout) - * the shared pixmap, but not all). 
- */ - if (ms->drmmode.glamor) -- glamor_finish(screen); -+ ms->glamor.finish(screen); - #endif - /* Ensure the slave processes the damage immediately */ - if (timeout) -@@ -743,6 +743,26 @@ FreeRec(ScrnInfoPtr pScrn) - - } - -+static void -+bind_glamor_api(void *mod, modesettingPtr ms) -+{ -+ ms->glamor.back_pixmap_from_fd = LoaderSymbolFromModule(mod, "glamor_back_pixmap_from_fd"); -+ ms->glamor.block_handler = LoaderSymbolFromModule(mod, "glamor_block_handler"); -+ ms->glamor.egl_create_textured_pixmap = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap"); -+ ms->glamor.egl_create_textured_pixmap_from_gbm_bo = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap_from_gbm_bo"); -+ ms->glamor.egl_exchange_buffers = LoaderSymbolFromModule(mod, "glamor_egl_exchange_buffers"); -+ ms->glamor.egl_get_gbm_device = LoaderSymbolFromModule(mod, "glamor_egl_get_gbm_device"); -+ ms->glamor.egl_init = LoaderSymbolFromModule(mod, "glamor_egl_init"); -+ ms->glamor.finish = LoaderSymbolFromModule(mod, "glamor_finish"); -+ ms->glamor.gbm_bo_from_pixmap = LoaderSymbolFromModule(mod, "glamor_gbm_bo_from_pixmap"); -+ ms->glamor.init = LoaderSymbolFromModule(mod, "glamor_init"); -+ ms->glamor.name_from_pixmap = LoaderSymbolFromModule(mod, "glamor_name_from_pixmap"); -+ ms->glamor.set_drawable_modifiers_func = LoaderSymbolFromModule(mod, "glamor_set_drawable_modifiers_func"); -+ ms->glamor.shareable_fd_from_pixmap = LoaderSymbolFromModule(mod, "glamor_shareable_fd_from_pixmap"); -+ ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export"); -+ ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init"); -+} -+ - static void - try_enable_glamor(ScrnInfoPtr pScrn) - { -@@ -751,6 +771,7 @@ try_enable_glamor(ScrnInfoPtr pScrn) - OPTION_ACCEL_METHOD); - Bool do_glamor = (!accel_method_str || - strcmp(accel_method_str, "glamor") == 0); -+ void *mod; - - ms->drmmode.glamor = FALSE; - -@@ -765,8 +786,10 @@ 
try_enable_glamor(ScrnInfoPtr pScrn) - return; - } - -- if (xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME)) { -- if (glamor_egl_init(pScrn, ms->fd)) { -+ mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME); -+ if (mod) { -+ bind_glamor_api(mod, ms); -+ if (ms->glamor.egl_init(pScrn, ms->fd)) { - xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n"); - ms->drmmode.glamor = TRUE; - } else { -@@ -1424,11 +1447,12 @@ static Bool - msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle) - { - #ifdef GLAMOR_HAS_GBM -+ modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen)); - int ret; - CARD16 stride; - CARD32 size; -- ret = glamor_shareable_fd_from_pixmap(ppix->drawable.pScreen, ppix, -- &stride, &size); -+ ret = ms->glamor.shareable_fd_from_pixmap(ppix->drawable.pScreen, ppix, -+ &stride, &size); - if (ret == -1) - return FALSE; - -@@ -1453,11 +1477,12 @@ msSetSharedPixmapBacking(PixmapPtr ppix, void *fd_handle) - return drmmode_SetSlaveBO(ppix, &ms->drmmode, ihandle, 0, 0); - - if (ms->drmmode.reverse_prime_offload_mode) { -- ret = glamor_back_pixmap_from_fd(ppix, ihandle, -- ppix->drawable.width, -- ppix->drawable.height, -- ppix->devKind, ppix->drawable.depth, -- ppix->drawable.bitsPerPixel); -+ ret = ms->glamor.back_pixmap_from_fd(ppix, ihandle, -+ ppix->drawable.width, -+ ppix->drawable.height, -+ ppix->devKind, -+ ppix->drawable.depth, -+ ppix->drawable.bitsPerPixel); - } else { - int size = ppix->devKind * ppix->drawable.height; - ret = drmmode_SetSlaveBO(ppix, &ms->drmmode, ihandle, ppix->devKind, size); -@@ -1574,7 +1599,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv) - - #ifdef GLAMOR_HAS_GBM - if (ms->drmmode.glamor) -- ms->drmmode.gbm = glamor_egl_get_gbm_device(pScreen); -+ ms->drmmode.gbm = ms->glamor.egl_get_gbm_device(pScreen); - #endif - - /* HW dependent - FIXME */ -@@ -1718,7 +1743,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv) - if (ms->drmmode.glamor) { - XF86VideoAdaptorPtr glamor_adaptor; - -- 
glamor_adaptor = glamor_xv_init(pScreen, 16); -+ glamor_adaptor = ms->glamor.xv_init(pScreen, 16); - if (glamor_adaptor != NULL) - xf86XVScreenInit(pScreen, &glamor_adaptor, 1); - else -diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h -index 394a20fc1..5e4d2509a 100644 ---- a/hw/xfree86/drivers/modesetting/driver.h -+++ b/hw/xfree86/drivers/modesetting/driver.h -@@ -132,6 +132,30 @@ typedef struct _modesettingRec { - void (*UpdatePacked)(ScreenPtr, shadowBufPtr); - } shadow; - -+ /* glamor API */ -+ struct { -+ Bool (*back_pixmap_from_fd)(PixmapPtr, int, CARD16, CARD16, CARD16, -+ CARD8, CARD8); -+ void (*block_handler)(ScreenPtr); -+ Bool (*egl_create_textured_pixmap)(PixmapPtr, int, int); -+ Bool (*egl_create_textured_pixmap_from_gbm_bo)(PixmapPtr, -+ struct gbm_bo *, -+ Bool); -+ void (*egl_exchange_buffers)(PixmapPtr, PixmapPtr); -+ struct gbm_device *(*egl_get_gbm_device)(ScreenPtr); -+ Bool (*egl_init)(ScrnInfoPtr, int); -+ void (*finish)(ScreenPtr); -+ struct gbm_bo *(*gbm_bo_from_pixmap)(ScreenPtr, PixmapPtr); -+ Bool (*init)(ScreenPtr, unsigned int); -+ int (*name_from_pixmap)(PixmapPtr, CARD16 *, CARD32 *); -+ void (*set_drawable_modifiers_func)(ScreenPtr, -+ GetDrawableModifiersFuncPtr); -+ int (*shareable_fd_from_pixmap)(ScreenPtr, PixmapPtr, CARD16 *, -+ CARD32 *); -+ Bool (*supports_pixmap_import_export)(ScreenPtr); -+ XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int); -+ } glamor; -+ - } modesettingRec, *modesettingPtr; - - #define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate)) -diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c -index 6f5f8caf6..28609db7c 100644 ---- a/hw/xfree86/drivers/modesetting/drmmode_display.c -+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c -@@ -770,7 +770,7 @@ drmmode_crtc_set_mode(xf86CrtcPtr crtc, Bool test_only) - #ifdef GLAMOR_HAS_GBM - /* Make sure any pending drawing will be visible in a new 
scanout buffer */ - if (drmmode->glamor) -- glamor_finish(screen); -+ ms->glamor.finish(screen); - #endif - - if (ms->atomic_modeset) { -@@ -1385,6 +1385,7 @@ create_pixmap_for_fbcon(drmmode_ptr drmmode, ScrnInfoPtr pScrn, int fbcon_id) - PixmapPtr pixmap = drmmode->fbcon_pixmap; - drmModeFBPtr fbcon; - ScreenPtr pScreen = xf86ScrnToScreen(pScrn); -+ modesettingPtr ms = modesettingPTR(pScrn); - Bool ret; - - if (pixmap) -@@ -1405,7 +1406,8 @@ create_pixmap_for_fbcon(drmmode_ptr drmmode, ScrnInfoPtr pScrn, int fbcon_id) - if (!pixmap) - goto out_free_fb; - -- ret = glamor_egl_create_textured_pixmap(pixmap, fbcon->handle, fbcon->pitch); -+ ret = ms->glamor.egl_create_textured_pixmap(pixmap, fbcon->handle, -+ fbcon->pitch); - if (!ret) { - FreePixmap(pixmap); - pixmap = NULL; -@@ -1424,6 +1426,7 @@ drmmode_copy_fb(ScrnInfoPtr pScrn, drmmode_ptr drmmode) - #ifdef GLAMOR_HAS_GBM - xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(pScrn); - ScreenPtr pScreen = xf86ScrnToScreen(pScrn); -+ modesettingPtr ms = modesettingPTR(pScrn); - PixmapPtr src, dst; - int fbcon_id = 0; - GCPtr gc; -@@ -3108,12 +3111,13 @@ drmmode_set_pixmap_bo(drmmode_ptr drmmode, PixmapPtr pixmap, drmmode_bo *bo) - { - #ifdef GLAMOR_HAS_GBM - ScrnInfoPtr scrn = drmmode->scrn; -+ modesettingPtr ms = modesettingPTR(scrn); - - if (!drmmode->glamor) - return TRUE; - -- if (!glamor_egl_create_textured_pixmap_from_gbm_bo(pixmap, bo->gbm, -- bo->used_modifiers)) { -+ if (!ms->glamor.egl_create_textured_pixmap_from_gbm_bo(pixmap, bo->gbm, -+ bo->used_modifiers)) { - xf86DrvMsg(scrn->scrnIndex, X_ERROR, "Failed to create pixmap\n"); - return FALSE; - } -@@ -3436,13 +3440,14 @@ drmmode_init(ScrnInfoPtr pScrn, drmmode_ptr drmmode) - { - #ifdef GLAMOR_HAS_GBM - ScreenPtr pScreen = xf86ScrnToScreen(pScrn); -+ modesettingPtr ms = modesettingPTR(pScrn); - - if (drmmode->glamor) { -- if (!glamor_init(pScreen, GLAMOR_USE_EGL_SCREEN)) { -+ if (!ms->glamor.init(pScreen, GLAMOR_USE_EGL_SCREEN)) { - return FALSE; - } - 
#ifdef GBM_BO_WITH_MODIFIERS -- glamor_set_drawable_modifiers_func(pScreen, get_drawable_modifiers); -+ ms->glamor.set_drawable_modifiers_func(pScreen, get_drawable_modifiers); - #endif - } - #endif -diff --git a/hw/xfree86/drivers/modesetting/pageflip.c b/hw/xfree86/drivers/modesetting/pageflip.c -index 1d54816e2..841fa917c 100644 ---- a/hw/xfree86/drivers/modesetting/pageflip.c -+++ b/hw/xfree86/drivers/modesetting/pageflip.c -@@ -243,9 +243,9 @@ ms_do_pageflip(ScreenPtr screen, - uint32_t flags; - int i; - struct ms_flipdata *flipdata; -- glamor_block_handler(screen); -+ ms->glamor.block_handler(screen); - -- new_front_bo.gbm = glamor_gbm_bo_from_pixmap(screen, new_front); -+ new_front_bo.gbm = ms->glamor.gbm_bo_from_pixmap(screen, new_front); - new_front_bo.dumb = NULL; - - if (!new_front_bo.gbm) { -diff --git a/hw/xfree86/drivers/modesetting/present.c b/hw/xfree86/drivers/modesetting/present.c -index 186309a29..c700cf116 100644 ---- a/hw/xfree86/drivers/modesetting/present.c -+++ b/hw/xfree86/drivers/modesetting/present.c -@@ -166,7 +166,7 @@ ms_present_flush(WindowPtr window) - modesettingPtr ms = modesettingPTR(scrn); - - if (ms->drmmode.glamor) -- glamor_block_handler(screen); -+ ms->glamor.block_handler(screen); - #endif - } - -@@ -262,7 +262,7 @@ ms_present_check_unflip(RRCrtcPtr crtc, - - #ifdef GBM_BO_WITH_MODIFIERS - /* Check if buffer format/modifier is supported by all active CRTCs */ -- gbm = glamor_gbm_bo_from_pixmap(screen, pixmap); -+ gbm = ms->glamor.gbm_bo_from_pixmap(screen, pixmap); - if (gbm) { - uint32_t format; - uint64_t modifier; --- -2.33.1 - diff --git a/0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch b/0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch new file mode 100644 index 0000000000000000000000000000000000000000..c6b235222d80547c97a08e6519cf27c858a96828 --- /dev/null +++ b/0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch 
@@ -0,0 +1,36 @@
+From 774260dbae1fa505cd2848c786baed9a8db5179d Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH xserver 7/7] xkb: reset the radio_groups pointer to NULL after
+ freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-46283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+Acked-by: Olivier Fourdan
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index dd089c2046..3f5791a183 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+2.38.1
+
diff --git a/0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch b/0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c84d387f9f75128790ca8ec44e60c7b553b14143
--- /dev/null
+++ b/0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
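Review bot: The added `dst->names->radio_groups = NULL;` in the else branch of _XkbCopyNames has no comment saying why the reset is needed, although the commit message describes this as the one keymap element that was freed but not reset. I would put `/* reset: a stale pointer here is reachable from a later XkbGetKbdByName */` above the assignment so the free and the reset are not separated again in a later refactor. The line after the branch copies `src->names->num_rg` into `dst->names->num_rg`; the branch condition lies outside the hunk, so whether the count is always zero on this path cannot be confirmed from here and is worth checking alongside the pointer.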
@@ -0,0 +1,35 @@
+From bb1711b7fba42f2a0c7d1c09beee241a1b2bcc30 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Mon, 19 Dec 2022 10:06:45 +1000
+Subject: [PATCH xserver] Xext: fix invalid event type mask in
+ XTestSwapFakeInput
+
+In commit b320ca0 the mask was inadvertently changed from octal 0177 to
+hexadecimal 0x177.
+
+Fixes commit b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63
+ Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+Found by Stuart Cassoff
+
+Signed-off-by: Peter Hutterer
+---
+ Xext/xtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index 2985a4ce6e..dde5c4cf9d 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -502,7 +502,7 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
+- int evtype = ev->u.u.type & 0x177;
++ int evtype = ev->u.u.type & 0177;
+ /* Swap event */
+ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+--
+2.38.1
+
diff --git a/0008-modesetting-Add-glamor_finish-convenience-macro.patch b/0008-modesetting-Add-glamor_finish-convenience-macro.patch
deleted file mode 100644
index 6c8e0bc9122da816af574810b38c14511aa3256e..0000000000000000000000000000000000000000
--- a/0008-modesetting-Add-glamor_finish-convenience-macro.patch
+++ /dev/null
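Review bot: The restored mask in `int evtype = ev->u.u.type & 0177;` is still an octal literal, the same notation that the commit message says was inadvertently turned into hexadecimal 0x177 in b320ca0. Because `evtype` is used on the next line as the index into `EventSwapVector`, I would write the mask so it cannot be misread again, for example `int evtype = ev->u.u.type & 0x7f; /* 7-bit event code, same value as octal 0177 */`, or use a named constant. The size of `EventSwapVector` is not visible in this hunk, so any comment tying the mask to the table bound should be checked against its declaration. The loop body continues past the end of the hunk.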
@@ -1,58 +0,0 @@ -From 7f1bedcf27cfd09162544ff1b18c21c8e5695a9d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Fri, 22 Nov 2019 18:05:04 +0100 -Subject: [PATCH xserver 08/11] modesetting: Add glamor_finish() convenience - macro - -This will simplify backporting the following fix to the 1.20 branch. - -Reviewed-by: Adam Jackson -(cherry picked from commit 06ef320e9bc1f1098df9cd5581f072528f28128e) ---- - hw/xfree86/drivers/modesetting/driver.c | 2 +- - hw/xfree86/drivers/modesetting/driver.h | 2 ++ - hw/xfree86/drivers/modesetting/drmmode_display.c | 2 +- - 3 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index 4f4db67b7..afba8538a 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -615,7 +615,7 @@ redisplay_dirty(ScreenPtr screen, PixmapDirtyUpdatePtr dirty, int *timeout) - * the shared pixmap, but not all). - */ - if (ms->drmmode.glamor) -- ms->glamor.finish(screen); -+ glamor_finish(screen); - #endif - /* Ensure the slave processes the damage immediately */ - if (timeout) -diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h -index 5e4d2509a..c6e7cd0c8 100644 ---- a/hw/xfree86/drivers/modesetting/driver.h -+++ b/hw/xfree86/drivers/modesetting/driver.h -@@ -158,6 +158,8 @@ typedef struct _modesettingRec { - - } modesettingRec, *modesettingPtr; - -+#define glamor_finish(screen) ms->glamor.finish(screen) -+ - #define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate)) - modesettingEntPtr ms_ent_priv(ScrnInfoPtr scrn); - -diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c -index 28609db7c..6516fac5f 100644 ---- a/hw/xfree86/drivers/modesetting/drmmode_display.c -+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c -@@ -770,7 +770,7 @@ drmmode_crtc_set_mode(xf86CrtcPtr crtc, Bool 
test_only) - #ifdef GLAMOR_HAS_GBM - /* Make sure any pending drawing will be visible in a new scanout buffer */ - if (drmmode->glamor) -- ms->glamor.finish(screen); -+ glamor_finish(screen); - #endif - - if (ms->atomic_modeset) { --- -2.33.1 - diff --git a/0009-modesetting-Use-EGL_MESA_query_driver-to-select-DRI-.patch b/0009-modesetting-Use-EGL_MESA_query_driver-to-select-DRI-.patch deleted file mode 100644 index 45592b6167dc9044b59802c1d33c72e122b459dc..0000000000000000000000000000000000000000 --- a/0009-modesetting-Use-EGL_MESA_query_driver-to-select-DRI-.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From ae40c508fbd88869157412a1b159c0d71eb1e708 Mon Sep 17 00:00:00 2001 -From: Kenneth Graunke -Date: Thu, 21 Nov 2019 23:03:50 -0800 -Subject: [PATCH xserver 09/11] modesetting: Use EGL_MESA_query_driver to - select DRI driver if possible - -New now ask Glamor to use EGL_MESA_query_driver to obtain the DRI driver -name; if successful, we use that as the DRI driver name. Following the -existing dri2.c logic, we also use the same name for the VDPAU driver, -except for i965 (and now iris), where we switch to the "va_gl" fallback. - -This allows us to bypass the PCI ID lists in xserver and centralize the -driver selection mechanism inside Mesa. The hope is that we no longer -have to update these lists for any future hardware. - -(cherry picked from commit 8d4be7f6c4f7c673d7ec1a6bfdef944907a3916e) ---- - hw/xfree86/drivers/modesetting/dri2.c | 3 ++- - hw/xfree86/drivers/modesetting/driver.c | 1 + - hw/xfree86/drivers/modesetting/driver.h | 1 + - 3 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c -index 724d9d34c..255c72cac 100644 ---- a/hw/xfree86/drivers/modesetting/dri2.c -+++ b/hw/xfree86/drivers/modesetting/dri2.c -@@ -1076,7 +1076,8 @@ ms_dri2_screen_init(ScreenPtr screen) - info.CopyRegion2 = ms_dri2_copy_region2; - - /* Ask Glamor to obtain the DRI driver name via EGL_MESA_query_driver. 
*/ -- driver_names[0] = glamor_egl_get_driver_name(screen); -+ if (ms->glamor.egl_get_driver_name) -+ driver_names[0] = ms->glamor.egl_get_driver_name(screen); - - if (driver_names[0]) { - /* There is no VDPAU driver for Intel, fallback to the generic -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index afba8538a..08cf6a1b4 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -761,6 +761,7 @@ bind_glamor_api(void *mod, modesettingPtr ms) - ms->glamor.shareable_fd_from_pixmap = LoaderSymbolFromModule(mod, "glamor_shareable_fd_from_pixmap"); - ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export"); - ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init"); -+ ms->glamor.egl_get_driver_name = LoaderSymbolFromModule(mod, "glamor_egl_get_driver_name"); - } - - static void -diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h -index c6e7cd0c8..328a97de1 100644 ---- a/hw/xfree86/drivers/modesetting/driver.h -+++ b/hw/xfree86/drivers/modesetting/driver.h -@@ -154,6 +154,7 @@ typedef struct _modesettingRec { - CARD32 *); - Bool (*supports_pixmap_import_export)(ScreenPtr); - XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int); -+ const char *(*egl_get_driver_name)(ScreenPtr); - } glamor; - - } modesettingRec, *modesettingPtr; --- -2.33.1 - diff --git a/0010-modesetting-Fix-build-with-glamor-disabled.patch b/0010-modesetting-Fix-build-with-glamor-disabled.patch deleted file mode 100644 index d5e1d02567eb457ff6807efff8c958aa9db8c4d2..0000000000000000000000000000000000000000 --- a/0010-modesetting-Fix-build-with-glamor-disabled.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From d8271417a5986240f1f81cbe269e0cd07a9104d1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Mon, 10 Feb 2020 18:41:44 +0100 -Subject: [PATCH xserver 10/11] modesetting: Fix build with glamor disabled - -Fixes: cb1b1e184723 "modesetting: Indirect the glamor API through - LoaderSymbol" -Reviewed-by: Adam Jackson -(cherry picked from commit 0cb9fa7949d6c5398de220fbdbe1e262e943fcbb) ---- - hw/xfree86/drivers/modesetting/driver.c | 21 +++++++++++++++------ - hw/xfree86/drivers/modesetting/driver.h | 3 ++- - 2 files changed, 17 insertions(+), 7 deletions(-) - -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index 08cf6a1b4..ce8bac9f5 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -743,9 +743,17 @@ FreeRec(ScrnInfoPtr pScrn) - - } - --static void --bind_glamor_api(void *mod, modesettingPtr ms) -+#ifdef GLAMOR_HAS_GBM -+ -+static Bool -+load_glamor(ScrnInfoPtr pScrn) - { -+ void *mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME); -+ modesettingPtr ms = modesettingPTR(pScrn); -+ -+ if (!mod) -+ return FALSE; -+ - ms->glamor.back_pixmap_from_fd = LoaderSymbolFromModule(mod, "glamor_back_pixmap_from_fd"); - ms->glamor.block_handler = LoaderSymbolFromModule(mod, "glamor_block_handler"); - ms->glamor.egl_create_textured_pixmap = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap"); -@@ -762,8 +770,12 @@ bind_glamor_api(void *mod, modesettingPtr ms) - ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export"); - ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init"); - ms->glamor.egl_get_driver_name = LoaderSymbolFromModule(mod, "glamor_egl_get_driver_name"); -+ -+ return TRUE; - } - -+#endif -+ - static void - try_enable_glamor(ScrnInfoPtr pScrn) - { -@@ -772,7 +784,6 @@ try_enable_glamor(ScrnInfoPtr pScrn) - OPTION_ACCEL_METHOD); - Bool do_glamor = 
(!accel_method_str || - strcmp(accel_method_str, "glamor") == 0); -- void *mod; - - ms->drmmode.glamor = FALSE; - -@@ -787,9 +798,7 @@ try_enable_glamor(ScrnInfoPtr pScrn) - return; - } - -- mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME); -- if (mod) { -- bind_glamor_api(mod, ms); -+ if (load_glamor(pScrn)) { - if (ms->glamor.egl_init(pScrn, ms->fd)) { - xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n"); - ms->drmmode.glamor = TRUE; -diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h -index 328a97de1..261f1aac4 100644 ---- a/hw/xfree86/drivers/modesetting/driver.h -+++ b/hw/xfree86/drivers/modesetting/driver.h -@@ -132,6 +132,7 @@ typedef struct _modesettingRec { - void (*UpdatePacked)(ScreenPtr, shadowBufPtr); - } shadow; - -+#ifdef GLAMOR_HAS_GBM - /* glamor API */ - struct { - Bool (*back_pixmap_from_fd)(PixmapPtr, int, CARD16, CARD16, CARD16, -@@ -156,7 +157,7 @@ typedef struct _modesettingRec { - XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int); - const char *(*egl_get_driver_name)(ScreenPtr); - } glamor; -- -+#endif - } modesettingRec, *modesettingPtr; - - #define glamor_finish(screen) ms->glamor.finish(screen) --- -2.33.1 - diff --git a/0011-modesetting-set-gbm-as-dependency-for-autotools.patch b/0011-modesetting-set-gbm-as-dependency-for-autotools.patch deleted file mode 100644 index 92e9af2657f04c7ca1690972813ca761789fbf5e..0000000000000000000000000000000000000000 --- a/0011-modesetting-set-gbm-as-dependency-for-autotools.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 55fb707d037004e001623a0d066f748d8ba48d48 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Tue, 23 Nov 2021 12:19:48 +0100 -Subject: [PATCH xserver 11/11] modesetting: set gbm as dependency for - autotools - -Same as commit 9d628ee5f for automake. - -Modifiers support needs gbm as a dependency. Without setting the dependency -included headers are not found reliably and the build might fail if the -headers are not placed in the default system include paths. - -Signed-off-by: Olivier Fourdan ---- - hw/xfree86/drivers/modesetting/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/xfree86/drivers/modesetting/Makefile.am b/hw/xfree86/drivers/modesetting/Makefile.am -index 961c57408..ac5091be3 100644 ---- a/hw/xfree86/drivers/modesetting/Makefile.am -+++ b/hw/xfree86/drivers/modesetting/Makefile.am -@@ -41,7 +41,7 @@ AM_CPPFLAGS = \ - - modesetting_drv_la_LTLIBRARIES = modesetting_drv.la - modesetting_drv_la_LDFLAGS = -module -avoid-version --modesetting_drv_la_LIBADD = $(UDEV_LIBS) $(DRM_LIBS) -+modesetting_drv_la_LIBADD = $(UDEV_LIBS) $(DRM_LIBS) $(GBM_LIBS) - modesetting_drv_ladir = @moduledir@/drivers - - modesetting_drv_la_SOURCES = \ --- -2.33.1 - diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 5ba52d0ac228ddaf5a6687eea7d5e9cf4e5133c9..48287674776d1373d0d318dc7cee25df2fccea71 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 # X.org requires lazy relocations to work. %undefine _hardened_build %undefine _strict_symbol_defs_build 
@@ -34,43 +34,69 @@ Source31: xserver-sdk-abi-requires.git # maintainer convenience script Source40: driver-abi-rebuild.sh +# From Debian use intel ddx driver only for gen4 and older chipsets Patch1: 06_use-intel-only-on-pre-gen4.diff -# Default to xf86-video-modesetting +# Default to xf86-video-modesetting on GeForce 8 and newer Patch2: 0001-xfree86-use-modesetting-driver-by-default-on-GeForce.patch + # Default to va_gl on intel i965 as we use the modesetting drv there # va_gl should probably just be the default everywhere ? Patch3: 0001-xf86-dri2-Use-va_gl-as-vdpau_driver-for-Intel-i965-G.patch + # Submitted upstream, but not going anywhere Patch5: 0001-autobind-GPUs-to-the-screen.patch + # because the display-managers are not ready yet, do not upstream Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch -# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/761 -Patch7: 0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch -# 1988922 - [Hyper-V]Installation failed with: 'x or window manager startup failed' when the VM was created with GEN1 -# 2029769 - fbdev Xorg driver no longer works as a fallback with unsupported hardware -Patch8: 0001-mustard-xfree86-Disable-the-PCI-probe-path.patch - + +# Not sure anyone else cares about this so let's keep this Fedora-only for now +# Upstream PR for the meson.build equivalent is here, so we can drop this patch +# when we start building with meson. 
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1001` +Patch7: 0001-configure.ac-search-for-the-fontrootdir-ourselves.patch + # Backports from current stable "server-1.20-branch": # + # Backports from "master" upstream: -Patch9: 0002-xfree86-Link-fb-statically.patch -Patch10: 0004-loader-Move-LoaderSymbolFromModule-to-public-API.patch -Patch11: 0005-loader-Make-LoaderSymbolFromModule-take-a-ModuleDesc.patch -Patch12: 0006-modesetting-Indirect-the-shadow-API-through-LoaderSy.patch -Patch13: 0007-modesetting-Indirect-the-glamor-API-through-LoaderSy.patch -Patch14: 0008-modesetting-Add-glamor_finish-convenience-macro.patch -Patch15: 0009-modesetting-Use-EGL_MESA_query_driver-to-select-DRI-.patch -Patch16: 0010-modesetting-Fix-build-with-glamor-disabled.patch -# Because we still use automake -Patch17: 0011-modesetting-set-gbm-as-dependency-for-autotools.patch -# Xorg crashes with NVIDIA proprietary driver when uisng Present -# https://bugzilla.redhat.com/show_bug.cgi?id=2046330 -Patch18: 0001-present-Check-for-NULL-to-prevent-crash.patch -# Fix a regression with hybrid gfx and NVIDIA proprietary driver -# https://bugzilla.redhat.com/show_bug.cgi?id=2052605 -Patch19: 0001-modesetting-Fix-msSharePixmapBacking-Segfault-Regres.patch -Patch20: 0001-xf86-Accept-devices-with-the-simpledrm-driver.patch -Patch1001: 0001-render-Fix-build-with-gcc-12.patch +Patch100: 0001-present-Check-for-NULL-to-prevent-crash.patch +Patch101: 0001-render-Fix-build-with-gcc-12.patch +Patch102: 0001-xf86-Accept-devices-with-the-simpledrm-driver.patch +Patch103: 0001-Don-t-hardcode-fps-for-fake-screen.patch +Patch104: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch +Patch105: 0001-add-a-quirk-for-apple-silicon.patch + +# CVE-2022-2319/ZDI-CAN-16062, CVE-2022-2320/ZDI-CAN-16070 +Patch110: 0001-xkb-switch-to-array-index-loops-to-moving-pointers.patch +Patch111: 0002-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch +Patch112: 
0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch + +# CVE-2022-3550 +Patch113: 0001-xkb-proof-GetCountedString-against-request-length-at.patch +# CVE-2022-3551 +Patch114: 0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + +# CVE-2022-46340 +Patch115: 0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch +# related to CVE-2022-46344 +Patch116: 0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch +# CVE-2022-46344 +Patch117: 0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch +# CVE-2022-46341 +Patch118: 0004-Xi-disallow-passive-grabs-with-a-detail-255.patch +# CVE-2022-46343 +Patch119: 0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch +# CVE-2022-46342 +Patch120: 0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch +# CVE-2022-46283 +Patch121: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch +# Fix for buggy patch to CVE-2022-46340 +Patch122: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch +# CVE-2023-0494 +Patch123: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch + +# Upstream commits 73d6e88, f69280dd and 4127776, minus the xwayland.pc.in change +Patch3801: 0001-Disallow-byte-swapped-clients-by-default.patch BuildRequires: make BuildRequires: systemtap-sdt-devel @@ -385,6 +411,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/xorg/modules/lib{int10,vbe}.so %dir %{_libdir}/xorg/modules/input %{_libdir}/xorg/modules/libfbdevhw.so %{_libdir}/xorg/modules/libexa.so +%{_libdir}/xorg/modules/libfb.so %{_libdir}/xorg/modules/libglamoregl.so %{_libdir}/xorg/modules/libshadow.so %{_libdir}/xorg/modules/libshadowfb.so @@ -453,6 +480,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/xorg/modules/lib{int10,vbe}.so %changelog +* Sun Feb 26 2023 Funda Wang - 1:1.20.14-5 +- Sync with upstream patches + * Thu Dec 15 2022 Funda Wang - 1:1.20.14-4 - Disable int10 only under non-x86 arch
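Review bot: The `# CVE-2022-46283` comment above Patch121 does not fit the CVE-2022-46340 to CVE-2022-46344 range used for the sibling patches of the same series. The id should be checked against the upstream advisory before this spec is used to decide whether that issue is fixed. The same id appears in the commit message of 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch, so a typo there would have been copied here. Separately, the comment above Patch7 ends its merge-request URL with a stray backquote after `merge_requests/1001`, which breaks the link when copied. The changelog entry `- Sync with upstream patches` would serve vulnerability tracking better if it named the CVE ids introduced by Patch110 through Patch123.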