From e5e90e8e72e383b1ffa87acdad6abf1ecc71c322 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Tue, 5 Nov 2024 09:49:09 +0800 Subject: [PATCH 1/5] [CVE] update to xorg-x11-server-1.20.11-25.src.rpm to #bug11665 update to xorg-x11-server-1.20.11-25.src.rpm for CVE-2024-9632 Project: TC2024080204 Signed-off-by: Jacob Wang --- ...-after-free-in-input-device-shutdown.patch | 77 +++ ...enough-space-for-logical-button-maps.patch | 51 ++ ...-copy-paste-error-in-the-DeviceState.patch | 33 ++ ...ncompatible-pointer-type-build-error.patch | 54 ++ ...n-config-value-field-from-bool-to-bo.patch | 153 +++++ ...resentConfigureNotify-event-for-dest.patch | 105 ++++ ...sible-double-free-in-ProcRenderAddGl.patch | 72 +++ ...-buffer-overflow-in-_XkbSetCompatMap.patch | 54 ++ 0100-phytium-xorg-x11-server-bmc.patch | 192 ------- dist | 2 +- xorg-server-1.20.11-sw.patch | 526 ------------------ xorg-x11-server.spec | 169 +++--- 12 files changed, 681 insertions(+), 807 deletions(-) create mode 100644 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch create mode 100644 0001-dix-allocate-enough-space-for-logical-button-maps.patch create mode 100644 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch create mode 100644 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch create mode 100644 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch create mode 100644 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch create mode 100644 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch create mode 100644 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch delete mode 100644 0100-phytium-xorg-x11-server-bmc.patch delete mode 100644 xorg-server-1.20.11-sw.patch diff --git a/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch b/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch new file mode 100644 index 0000000..c2d723f --- /dev/null +++ b/0001-dix-Fix-use-after-free-in-input-device-shutdown.patch @@ -0,0 +1,77 @@ +From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001 +From: Povilas Kanapickas +Date: Sun, 19 Dec 2021 18:11:07 +0200 +Subject: [PATCH] dix: Fix use after free in input device shutdown + +This fixes access to freed heap memory via dev->master. E.g. when +running BarrierNotify.ReceivesNotifyEvents/7 test from +xorg-integration-tests: + +==24736==ERROR: AddressSanitizer: heap-use-after-free on address +0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10 +READ of size 4 at 0x619000065020 thread T0 + #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722 + #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346 + #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525 +../../../Xi/xichangehierarchy.c:95 + #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #8 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d) + +0x619000065020 is located 160 bytes inside of 912-byte region +[0x619000064f80,0x619000065310) +freed by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) + #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014 + #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186 +../../../hw/xfree86/common/xf86Xinput.c:1142 + #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038 + #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068 + #6 0x55c450e837ef in dix_main ../../../dix/main.c:302 + #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +previously allocated by thread T0 here: +(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6) + #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259 + #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755 + #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152 +../../../Xi/xichangehierarchy.c:465 + #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390 + #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551 + #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272 + #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34 +(/lib/x86_64-linux-gnu/libc.so.6+0x28564) + +The problem is caused by dev->master being not reset when disabling the +device, which then causes dangling pointer when the master device itself +is being deleted when exiting whole server. + +Note that RecalculateMasterButtons() requires dev->master to be still +valid, so we can reset it only at the end of function. + +Signed-off-by: Povilas Kanapickas +--- + dix/devices.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dix/devices.c b/dix/devices.c +index e62c34c55..5f9ce1678 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + } + + RecalculateMasterButtons(dev); ++ dev->master = NULL; + + return TRUE; + } +-- +2.43.0 + diff --git a/0001-dix-allocate-enough-space-for-logical-button-maps.patch b/0001-dix-allocate-enough-space-for-logical-button-maps.patch new file mode 100644 index 0000000..e11eb0e --- /dev/null +++ b/0001-dix-allocate-enough-space-for-logical-button-maps.patch @@ -0,0 +1,51 @@ +From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH 1/9] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a44..2b05ac5f3 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec7436..ded8679d7 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +2.43.0 + diff --git a/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch b/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch new file mode 100644 index 0000000..363af1f --- /dev/null +++ b/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch @@ -0,0 +1,33 @@ +From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 22 Jan 2024 14:22:12 +1000 +Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify + event + +Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 7b7ba1098..c1e6ac600 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->first_valuator = first; + switch (ev->num_valuators) { + case 6: +- ev->valuator2 = v->axisVal[first + 5]; ++ ev->valuator5 = v->axisVal[first + 5]; + case 5: +- ev->valuator2 = v->axisVal[first + 4]; ++ ev->valuator4 = v->axisVal[first + 4]; + case 4: +- ev->valuator2 = v->axisVal[first + 3]; ++ ev->valuator3 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +-- +2.44.0 + diff --git a/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch b/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch new file mode 100644 index 0000000..345e660 --- /dev/null +++ b/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch @@ -0,0 +1,54 @@ +From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 19 Jan 2024 13:05:51 +0100 +Subject: [PATCH] ephyr: Fix incompatible pointer type build error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix a compilation error on 32 bits architectures with gcc 14: + + ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’: + ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int, void *)’} [-Wincompatible-pointer-types] + 154 | adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute; + | ^ + ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int *, void *)’} [-Wincompatible-pointer-types] + 155 | adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute; + | ^ + +Build error logs: +https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273 + +Signed-off-by: José Expósito +--- + hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c +index 4dd15cf41..b5eae48c8 100644 +--- a/hw/kdrive/ephyr/ephyr_glamor_xv.c ++++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c +@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup) + + static int + ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen, +- Atom attribute, INT32 value, void *data) ++ Atom attribute, int value, void *data) + { +- return glamor_xv_set_port_attribute(data, attribute, value); ++ return glamor_xv_set_port_attribute(data, attribute, (INT32)value); + } + + static int + ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen, +- Atom attribute, INT32 *value, void *data) ++ Atom attribute, int *value, void *data) + { +- return glamor_xv_get_port_attribute(data, attribute, value); ++ return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value); + } + + static void +-- +2.43.0 + diff --git a/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch b/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch new file mode 100644 index 0000000..441c17d --- /dev/null +++ b/0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch @@ -0,0 +1,153 @@ +From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 22 Jul 2019 13:51:06 -0400 +Subject: [PATCH] hw: Rename boolean config value field from bool to boolean + +"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This +is a driver-visible change and will likely break the build for mach64, +but it can be fixed by simply using xf86ReturnOptValBool like every +other driver. + +Signed-off-by: Adam Jackson +--- + hw/xfree86/common/xf86Opt.h | 2 +- + hw/xfree86/common/xf86Option.c | 10 +++++----- + hw/xwin/winconfig.c | 22 +++++++++++----------- + hw/xwin/winconfig.h | 2 +- + 4 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h +index 3be2a0fc7..3046fbd41 100644 +--- a/hw/xfree86/common/xf86Opt.h ++++ b/hw/xfree86/common/xf86Opt.h +@@ -41,7 +41,7 @@ typedef union { + unsigned long num; + const char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +diff --git a/hw/xfree86/common/xf86Option.c b/hw/xfree86/common/xf86Option.c +index 06973bca3..ca538cc57 100644 +--- a/hw/xfree86/common/xf86Option.c ++++ b/hw/xfree86/common/xf86Option.c +@@ -213,7 +213,7 @@ LookupBoolOption(XF86OptionPtr optlist, const char *name, int deflt, + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o, markUsed)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -474,7 +474,7 @@ xf86ShowUnusedOptions(int scrnIndex, XF86OptionPtr opt) + static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { +- return xf86getBoolValue(&p->value.bool, s); ++ return xf86getBoolValue(&p->value.boolean, s); + } + + static Bool +@@ -678,7 +678,7 @@ ParseOptionValue(int scrnIndex, XF86OptionPtr options, OptionInfoPtr p, + if (markUsed) + xf86MarkOptionUsedByName(options, newn); + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -869,7 +869,7 @@ xf86GetOptValBool(const OptionInfoRec * table, int token, Bool *value) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- *value = p->value.bool; ++ *value = p->value.boolean; + return TRUE; + } + else +@@ -883,7 +883,7 @@ xf86ReturnOptValBool(const OptionInfoRec * table, int token, Bool def) + + p = xf86TokenToOptinfo(table, token); + if (p && p->found) { +- return p->value.bool; ++ return p->value.boolean; + } + else + return def; +diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c +index 31894d2fb..646d69006 100644 +--- a/hw/xwin/winconfig.c ++++ b/hw/xwin/winconfig.c +@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt) + o.name = name; + o.type = OPTV_BOOLEAN; + if (ParseOptionValue(-1, optlist, &o)) +- deflt = o.value.bool; ++ deflt = o.value.boolean; + return deflt; + } + +@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p) + } + if ((s = winFindOptionValue(options, newn)) != NULL) { + if (GetBoolValue(&opt, s)) { +- p->value.bool = !opt.value.bool; ++ p->value.boolean = !opt.value.boolean; + p->found = TRUE; + } + else { +@@ -968,25 +968,25 @@ static Bool + GetBoolValue(OptionInfoPtr p, const char *s) + { + if (*s == 0) { +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + } + else { + if (winNameCompare(s, "1") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "on") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "true") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "yes") == 0) +- p->value.bool = TRUE; ++ p->value.boolean = TRUE; + else if (winNameCompare(s, "0") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "off") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "false") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + else if (winNameCompare(s, "no") == 0) +- p->value.bool = FALSE; ++ p->value.boolean = FALSE; + } + return TRUE; + } +diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h +index f079368c7..bd1f59650 100644 +--- a/hw/xwin/winconfig.h ++++ b/hw/xwin/winconfig.h +@@ -199,7 +199,7 @@ typedef union { + unsigned long num; + char *str; + double realnum; +- Bool bool; ++ Bool boolean; + OptFrequency freq; + } ValueUnion; + +-- +2.43.0 + diff --git a/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch b/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch new file mode 100644 index 0000000..d9eea48 --- /dev/null +++ b/0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch @@ -0,0 +1,105 @@ +From b98fc07d3442a289c6bef82df50dd0a2d01de71a Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Thu, 2 Feb 2023 12:26:27 -0500 +Subject: [PATCH xserver] present: Send a PresentConfigureNotify event for + destroyed windows +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This enables fixing a deadlock case on the client side, where the client +ends up blocked waiting for a Present event that will never come because +the window was destroyed. The new PresentWindowDestroyed flag allows the +client to avoid blocking indefinitely. + +Signed-off-by: Adam Jackson +See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116 +See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685 +Reviewed-by: Michel Dänzer +(cherry picked from commit 462b06033e66a32308d940eb5fc47f5e4c914dc0) +--- + present/present_event.c | 5 +++-- + present/present_priv.h | 7 ++++++- + present/present_screen.c | 11 ++++++++++- + 3 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/present/present_event.c b/present/present_event.c +index 435b26b70..849732dc8 100644 +--- a/present/present_event.c ++++ b/present/present_event.c +@@ -102,7 +102,8 @@ present_event_swap(xGenericEvent *from, xGenericEvent *to) + } + + void +-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling) ++present_send_config_notify(WindowPtr window, int x, int y, int w, int h, ++ int bw, WindowPtr sibling, CARD32 flags) + { + present_window_priv_ptr window_priv = present_window_priv(window); + +@@ -122,7 +123,7 @@ present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, + .off_y = 0, + .pixmap_width = w, + .pixmap_height = h, +- .pixmap_flags = 0 ++ .pixmap_flags = flags + }; + present_event_ptr event; + +diff --git a/present/present_priv.h b/present/present_priv.h +index 6ebd009a2..4ad729864 100644 +--- a/present/present_priv.h ++++ b/present/present_priv.h +@@ -43,6 +43,11 @@ + #define DebugPresent(x) + #endif + ++/* XXX this belongs in presentproto */ ++#ifndef PresentWindowDestroyed ++#define PresentWindowDestroyed (1 << 0) ++#endif ++ + extern int present_request; + + extern DevPrivateKeyRec present_screen_private_key; +@@ -307,7 +312,7 @@ void + present_free_events(WindowPtr window); + + void +-present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling); ++present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling, CARD32 flags); + + void + present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc); +diff --git a/present/present_screen.c b/present/present_screen.c +index 15684eda4..2c29aafd2 100644 +--- a/present/present_screen.c ++++ b/present/present_screen.c +@@ -93,6 +93,15 @@ present_destroy_window(WindowPtr window) + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + present_window_priv_ptr window_priv = present_window_priv(window); + ++ present_send_config_notify(window, ++ window->drawable.x, ++ window->drawable.y, ++ window->drawable.width, ++ window->drawable.height, ++ window->borderWidth, ++ window->nextSib, ++ PresentWindowDestroyed); ++ + if (window_priv) { + present_clear_window_notifies(window); + present_free_events(window); +@@ -123,7 +132,7 @@ present_config_notify(WindowPtr window, + ScreenPtr screen = window->drawable.pScreen; + present_screen_priv_ptr screen_priv = present_screen_priv(screen); + +- present_send_config_notify(window, x, y, w, h, bw, sibling); ++ present_send_config_notify(window, x, y, w, h, bw, sibling, 0); + + unwrap(screen_priv, screen, ConfigNotify); + if (screen->ConfigNotify) +-- +2.40.0 + diff --git a/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch new file mode 100644 index 0000000..549f90a --- /dev/null +++ b/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch @@ -0,0 +1,72 @@ +From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + +ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and +then frees it using FreeGlyph() to decrease the reference count, after +AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +Part-of: +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index 13991f8a1..5fa7f3b5b 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +2.44.0 + diff --git a/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch b/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch new file mode 100644 index 0000000..2db1508 --- /dev/null +++ b/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch @@ -0,0 +1,54 @@ +From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f203270d5..70e8279aa 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.46.2 + diff --git a/0100-phytium-xorg-x11-server-bmc.patch b/0100-phytium-xorg-x11-server-bmc.patch deleted file mode 100644 index a4e03d0..0000000 --- a/0100-phytium-xorg-x11-server-bmc.patch +++ /dev/null @@ -1,192 +0,0 @@ -From 2a96fbdc5b15c1d430151cf5bb4390b97993772f Mon Sep 17 00:00:00 2001 -From: yuan0927 -Date: Tue, 21 May 2024 09:40:12 +0800 -Subject: [PATCH 2/2] modesetting: add support for phytium S5000C BMC - -This patch has been fixed to address the issue of screen distortion in the Phytium S5000C, and it works in conjunction with the patch integrated into the kernel. - -Signed-off-by: yuan0927 -Signed-off-by: WangHao ---- - hw/xfree86/drivers/modesetting/driver.c | 158 +++++++++++++++++++++++- - 1 file changed, 157 insertions(+), 1 deletion(-) - -diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c -index ef4a314..f9555e4 100644 ---- a/hw/xfree86/drivers/modesetting/driver.c -+++ b/hw/xfree86/drivers/modesetting/driver.c -@@ -1143,6 +1143,162 @@ msUpdateIntersect(modesettingPtr ms, shadowBufPtr pBuf, BoxPtr box, - return dirty; - } - -+static void align_memcpy(void *dest, void *source, size_t size) -+{ -+ char *dst1, *dst2, *p, *src, *dst; -+ -+ src = (char *)source; -+ dst = (char *)dest; -+ -+ dst1 = (char *)(((unsigned long)dst + 0xf) & ~0xf); -+ dst2 = (char *)(((unsigned long)dst + size) & ~0xf); -+ p = dst; -+ -+ while((p< dst1) && size){ -+ *p++ = *src++; -+ size--; -+ }; -+ -+ memcpy(dst1, (char *)src, (size & (~0xf))); -+ -+ src += (size & (~0xf)); -+ size = (size & 0xf); -+ -+ p = dst2; -+ while(size--){ -+ *p++ = *src++; -+ }; -+} -+ -+#define AST_BMC_VENDOR_ID 0x1a03 -+#define FT_BMC_VENDOR_ID 0x1db7 -+#define FT_BMC_DEVICE_ID 0xdc3e -+#define DRM_AST_VRAM_TYPE_DEVICE 0x0 -+#define DRM_IOCTL_AST_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_AST_VRAM_TYPE_DEVICE) -+#define DRM_PHYTIUM_VRAM_TYPE_DEVICE 0x0 -+#define DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_PHYTIUM_VRAM_TYPE_DEVICE) -+ -+static Bool device_is_ast_bmc(struct pci_device *pci) -+{ -+ if (pci->vendor_id == AST_BMC_VENDOR_ID) { -+ return TRUE; -+ } -+ -+ return FALSE; -+} -+ -+static Bool device_is_ft_bmc(struct pci_device *pci) -+{ -+ if (pci->vendor_id == FT_BMC_VENDOR_ID && pci->device_id == FT_BMC_DEVICE_ID) { -+ return TRUE; -+ } -+ -+ return FALSE; -+} -+ -+static void -+msshadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) -+{ -+ RegionPtr damage = DamageRegion(pBuf->pDamage); -+ PixmapPtr pShadow = pBuf->pPixmap; -+ int nbox = RegionNumRects(damage); -+ BoxPtr pbox = RegionRects(damage); -+ FbBits *shaBase, *shaLine, *sha; -+ FbStride shaStride; -+ int scrBase, scrLine, scr; -+ int shaBpp; -+ _X_UNUSED int shaXoff, shaYoff; -+ int x, y, w, h, width; -+ int i; -+ FbBits *winBase = NULL, *win; -+ CARD32 winSize; -+ static Bool firstQuery = TRUE; -+ static Bool forceAlign = FALSE; -+ Bool isAstBMC = FALSE; -+ Bool isFtBMC = FALSE; -+ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen); -+ modesettingPtr ms = modesettingPTR(pScrn); -+ struct pci_device *pci = NULL; -+ -+ if (BUS_PLATFORM == ms->pEnt->location.type) { -+ pci = ms->pEnt->location.id.plat->pdev; -+ } else if (BUS_PCI == ms->pEnt->location.type) { -+ pci = ms->pEnt->location.id.pci; -+ } -+ -+ if (pci && device_is_ast_bmc(pci)) { -+ isAstBMC = TRUE; -+ if (firstQuery) { -+ if (1 == drmIoctl(ms->fd, DRM_IOCTL_AST_VRAM_TYPE_DEVICE, NULL)) { -+ forceAlign = TRUE; -+ } -+ firstQuery = FALSE; -+ } -+ } else if (pci && device_is_ft_bmc(pci)) { -+ isFtBMC = TRUE; -+ if (firstQuery) { -+ if (1 == drmIoctl(ms->fd, DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE, NULL)) { -+ forceAlign = TRUE; -+ } -+ firstQuery = FALSE; -+ } -+ } -+ -+ fbGetDrawable(&pShadow->drawable, shaBase, shaStride, shaBpp, shaXoff, -+ shaYoff); -+ while (nbox--) { -+ x = pbox->x1 * shaBpp; -+ y = pbox->y1; -+ w = (pbox->x2 - pbox->x1) * shaBpp; -+ h = pbox->y2 - pbox->y1; -+ -+ scrLine = (x >> FB_SHIFT); -+ shaLine = shaBase + y * shaStride + (x >> FB_SHIFT); -+ -+ x &= FB_MASK; -+ w = (w + x + FB_MASK) >> FB_SHIFT; -+ -+ while (h--) { -+ winSize = 0; -+ scrBase = 0; -+ width = w; -+ scr = scrLine; -+ sha = shaLine; -+ while (width) { -+ /* how much remains in this window */ -+ i = scrBase + winSize - scr; -+ if (i <= 0 || scr < scrBase) { -+ winBase = (FbBits *) (*pBuf->window) (pScreen, -+ y, -+ scr * sizeof(FbBits), -+ SHADOW_WINDOW_WRITE, -+ &winSize, -+ pBuf->closure); -+ if (!winBase) -+ return; -+ scrBase = scr; -+ winSize /= sizeof(FbBits); -+ i = winSize; -+ } -+ win = winBase + (scr - scrBase); -+ if (i > width) -+ i = width; -+ width -= i; -+ scr += i; -+ if ((isFtBMC || isAstBMC) && forceAlign) { -+ align_memcpy(win, sha, i * sizeof(FbBits)); -+ } else { -+ memcpy(win, sha, i * sizeof(FbBits)); -+ } -+ sha += i; -+ } -+ shaLine += shaStride; -+ y++; -+ } -+ pbox++; -+ } -+} -+ - static void - msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) - { -@@ -1193,7 +1349,7 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) - if (use_3224) - shadowUpdate32to24(pScreen, pBuf); - else -- shadowUpdatePacked(pScreen, pBuf); -+ msshadowUpdatePacked(pScreen, pBuf); - } - - static Bool --- -2.39.3 - diff --git a/dist b/dist index 9c0e36e..1fe92cf 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10 diff --git a/xorg-server-1.20.11-sw.patch b/xorg-server-1.20.11-sw.patch deleted file mode 100644 index fb97b51..0000000 --- a/xorg-server-1.20.11-sw.patch +++ /dev/null @@ -1,526 +0,0 @@ -From 3ae0cebb8e57926591d659dd43c72f961cc94990 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 29 Feb 2024 10:50:12 +0800 -Subject: [PATCH] xorg-server-1.20.11-sw.patch - -Signed-off-by: rpm-build ---- - configure.ac | 9 + - hw/xfree86/common/compiler.h | 24 ++- - hw/xfree86/dri/dri.c | 2 +- - hw/xfree86/dri/sarea.h | 2 +- - hw/xfree86/os-support/bsd/Makefile.am | 6 + - hw/xfree86/os-support/bsd/sw_64_video.c | 234 ++++++++++++++++++++++++ - hw/xfree86/os-support/linux/lnx_video.c | 4 +- - hw/xfree86/os-support/meson.build | 2 + - hw/xfree86/os-support/misc/SlowBcopy.c | 4 +- - include/xorg-config.h.in | 4 + - include/xorg-config.h.meson.in | 4 + - xkb/xkbInit.c | 2 +- - 12 files changed, 281 insertions(+), 16 deletions(-) - create mode 100644 hw/xfree86/os-support/bsd/sw_64_video.c - -diff --git a/configure.ac b/configure.ac -index 915941c..7a09cee 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -257,6 +257,14 @@ DEFAULT_INT10="x86emu" - dnl Override defaults as needed for specific platforms: - - case $host_cpu in -+ sw_64*) -+ SW_64_VIDEO=yes -+ case $host_os in -+ *freebsd*) SYS_LIBS=-lio ;; -+ *netbsd*) AC_DEFINE(USE_ALPHA_PIO, 1, [NetBSD PIO sw_64 IO]) ;; -+ esac -+ GLX_ARCH_DEFINES="-D__GLX_ALIGN64 -mieee" -+ ;; - alpha*) - ALPHA_VIDEO=yes - case $host_os in -@@ -318,6 +326,7 @@ AC_SUBST(GLX_ARCH_DEFINES) - - dnl BSD *_video.c selection - AM_CONDITIONAL(ALPHA_VIDEO, [test "x$ALPHA_VIDEO" = xyes]) -+AM_CONDITIONAL(SW_64_VIDEO, [test "x$SW_64_VIDEO" = xyes]) - AM_CONDITIONAL(ARM_VIDEO, [test "x$ARM_VIDEO" = xyes]) - AM_CONDITIONAL(I386_VIDEO, [test "x$I386_VIDEO" = xyes]) - AM_CONDITIONAL(PPC_VIDEO, [test "x$PPC_VIDEO" = xyes]) -diff --git a/hw/xfree86/common/compiler.h b/hw/xfree86/common/compiler.h -index 2b2008b..2657620 100644 ---- a/hw/xfree86/common/compiler.h -+++ b/hw/xfree86/common/compiler.h -@@ -99,6 +99,7 @@ - #if !defined(__arm__) - #if !defined(__sparc__) && !defined(__arm32__) && !defined(__nds32__) \ - && !(defined(__alpha__) && defined(__linux__)) \ -+ && !(defined(__sw_64__) && defined(__linux__)) \ - && !(defined(__ia64__) && defined(__linux__)) \ - && !(defined(__mips64) && defined(__linux__)) \ - -@@ -109,7 +110,7 @@ extern _X_EXPORT unsigned int inb(unsigned short); - extern _X_EXPORT unsigned int inw(unsigned short); - extern _X_EXPORT unsigned int inl(unsigned short); - --#else /* __sparc__, __arm32__, __alpha__, __nds32__ */ -+#else /* __sparc__, __arm32__, __alpha__, __sw_64__, __nds32__ */ - extern _X_EXPORT void outb(unsigned long, unsigned char); - extern _X_EXPORT void outw(unsigned long, unsigned short); - extern _X_EXPORT void outl(unsigned long, unsigned int); -@@ -129,7 +130,7 @@ extern _X_EXPORT void xf86WriteMmio16Le (void *, unsigned long, unsigned int); - extern _X_EXPORT void xf86WriteMmio32Be (void *, unsigned long, unsigned int); - extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); - #endif /* _SUNPRO_C */ --#endif /* __sparc__, __arm32__, __alpha__, __nds32__ */ -+#endif /* __sparc__, __arm32__, __alpha__, __sw_64__, __nds32__ */ - #endif /* __arm__ */ - - #endif /* NO_INLINE || DO_PROTOTYPES */ -@@ -149,6 +150,11 @@ extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); - #define mem_barrier() __asm__ __volatile__ ("lock; addl $0,0(%%esp)" : : : "memory") - #endif - -+#elif defined __sw_64__ -+ -+#define mem_barrier() __asm__ __volatile__ ("memb" : : : "memory") -+#define write_mem_barrier() __asm__ __volatile__ ("memb" : : : "memory") -+ - #elif defined __alpha__ - - #define mem_barrier() __asm__ __volatile__ ("mb" : : : "memory") -@@ -213,7 +219,7 @@ extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); - #endif - - #ifdef __GNUC__ --#if defined(__alpha__) -+#if defined(__alpha__) || defined(__sw_64__) - - #ifdef __linux__ - /* for Linux on Alpha, we use the LIBC _inx/_outx routines */ -@@ -955,7 +961,7 @@ inl(unsigned PORT_SIZE port) - #define MMIO_IS_BE - #endif - --#ifdef __alpha__ -+#if defined __alpha__ || defined __sw_64__ - static inline int - xf86ReadMmio8(void *Base, unsigned long Offset) - { -@@ -1068,7 +1074,7 @@ extern _X_EXPORT void xf86SlowBCopyToBus(unsigned char *, unsigned char *, int); - xf86WriteMmio32(base, offset, (CARD32)(val)) - #endif - --#else /* !__alpha__ && !__powerpc__ && !__sparc__ */ -+#else /* !__alpha__ && !__sw_64__ && !__powerpc__ && !__sparc__ */ - - #define MMIO_IN8(base, offset) \ - *(volatile CARD8 *)(((CARD8*)(base)) + (offset)) -@@ -1083,19 +1089,19 @@ extern _X_EXPORT void xf86SlowBCopyToBus(unsigned char *, unsigned char *, int); - #define MMIO_OUT32(base, offset, val) \ - *(volatile CARD32 *)(void *)(((CARD8*)(base)) + (offset)) = (val) - --#endif /* __alpha__ */ -+#endif /* __alpha__, __sw_64__ */ - - /* - * With Intel, the version in os-support/misc/SlowBcopy.s is used. - * This avoids port I/O during the copy (which causes problems with - * some hardware). - */ --#ifdef __alpha__ -+#if defined __alpha__ || defined __sw_64___ - #define slowbcopy_tobus(src,dst,count) xf86SlowBCopyToBus(src,dst,count) - #define slowbcopy_frombus(src,dst,count) xf86SlowBCopyFromBus(src,dst,count) --#else /* __alpha__ */ -+#else /* __alpha__, __sw_64__ */ - #define slowbcopy_tobus(src,dst,count) xf86SlowBcopy(src,dst,count) - #define slowbcopy_frombus(src,dst,count) xf86SlowBcopy(src,dst,count) --#endif /* __alpha__ */ -+#endif /* __alpha__, __sw_64__ */ - - #endif /* _COMPILER_H */ -diff --git a/hw/xfree86/dri/dri.c b/hw/xfree86/dri/dri.c -index 9f70759..091681e 100644 ---- a/hw/xfree86/dri/dri.c -+++ b/hw/xfree86/dri/dri.c -@@ -2012,7 +2012,7 @@ DRISpinLockTimeout(drmLock * lock, int val, unsigned long timeout /* in mS */ ) - { - int count = 10000; - --#if !defined(__alpha__) && !defined(__powerpc__) -+#if !defined(__alpha__) && !defined(__powerpc__) && !defined(__sw_64__) - char ret; - #else - int ret; -diff --git a/hw/xfree86/dri/sarea.h b/hw/xfree86/dri/sarea.h -index 1bef242..cd7e416 100644 ---- a/hw/xfree86/dri/sarea.h -+++ b/hw/xfree86/dri/sarea.h -@@ -39,7 +39,7 @@ - #include "xf86drm.h" - - /* SAREA area needs to be at least a page */ --#if defined(__alpha__) -+#if defined(__alpha__) || defined(__sw_64__) - #define SAREA_MAX 0x2000 - #elif defined(__ia64__) - #define SAREA_MAX 0x10000 /* 64kB */ -diff --git a/hw/xfree86/os-support/bsd/Makefile.am b/hw/xfree86/os-support/bsd/Makefile.am -index 66ac838..38fe659 100644 ---- a/hw/xfree86/os-support/bsd/Makefile.am -+++ b/hw/xfree86/os-support/bsd/Makefile.am -@@ -29,6 +29,12 @@ ARCH_SOURCES = \ - alpha_video.c - endif - -+if SW_64_VIDEO -+# Cheat here and piggyback other sw_64 bits on SW_64_VIDEO. -+ARCH_SOURCES = \ -+ sw_64_video.c -+endif -+ - if ARM_VIDEO - ARCH_SOURCES = arm_video.c - endif -diff --git a/hw/xfree86/os-support/bsd/sw_64_video.c b/hw/xfree86/os-support/bsd/sw_64_video.c -new file mode 100644 -index 0000000..7c42435 ---- /dev/null -+++ b/hw/xfree86/os-support/bsd/sw_64_video.c -@@ -0,0 +1,234 @@ -+/* -+ * Copyright 1992 by Rich Murphey -+ * Copyright 1993 by David Wexelblat -+ * -+ * Permission to use, copy, modify, distribute, and sell this software and its -+ * documentation for any purpose is hereby granted without fee, provided that -+ * the above copyright notice appear in all copies and that both that -+ * copyright notice and this permission notice appear in supporting -+ * documentation, and that the names of Rich Murphey and David Wexelblat -+ * not be used in advertising or publicity pertaining to distribution of -+ * the software without specific, written prior permission. Rich Murphey and -+ * David Wexelblat make no representations about the suitability of this -+ * software for any purpose. It is provided "as is" without express or -+ * implied warranty. -+ * -+ * RICH MURPHEY AND DAVID WEXELBLAT DISCLAIM ALL WARRANTIES WITH REGARD TO -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND -+ * FITNESS, IN NO EVENT SHALL RICH MURPHEY OR DAVID WEXELBLAT BE LIABLE FOR -+ * ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER -+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF -+ * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN -+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ * -+ */ -+ -+#ifdef HAVE_XORG_CONFIG_H -+#include -+#endif -+ -+#include -+#include "xf86.h" -+#include "xf86Priv.h" -+ -+#include -+#ifndef __NetBSD__ -+#include -+#endif -+ -+#include "xf86_OSlib.h" -+#include "xf86OSpriv.h" -+ -+#if defined(__NetBSD__) && !defined(MAP_FILE) -+#define MAP_FLAGS MAP_SHARED -+#else -+#define MAP_FLAGS (MAP_FILE | MAP_SHARED) -+#endif -+ -+#ifndef __NetBSD__ -+extern unsigned long dense_base(void); -+#else /* __NetBSD__ */ -+static struct sw_64_bus_window *abw; -+static int abw_count = -1; -+ -+static void -+init_abw(void) -+{ -+ if (abw_count < 0) { -+ abw_count = sw_64_bus_getwindows(SW_64_BUS_TYPE_PCI_MEM, &abw); -+ if (abw_count <= 0) -+ FatalError("init_abw: sw_64_bus_getwindows failed\n"); -+ } -+} -+ -+static unsigned long -+dense_base(void) -+{ -+ if (abw_count < 0) -+ init_abw(); -+ -+ /* XXX check abst_flags for ABST_DENSE just to be safe? */ -+ xf86Msg(X_INFO, "dense base = %#lx\n", abw[0].abw_abst.abst_sys_start); /* XXXX */ -+ return abw[0].abw_abst.abst_sys_start; -+} -+ -+#endif /* __NetBSD__ */ -+ -+#define BUS_BASE dense_base() -+ -+/***************************************************************************/ -+/* Video Memory Mapping section */ -+/***************************************************************************/ -+ -+#ifdef __OpenBSD__ -+#define SYSCTL_MSG "\tCheck that you have set 'machdep.allowaperture=1'\n"\ -+ "\tin /etc/sysctl.conf and reboot your machine\n" \ -+ "\trefer to xf86(4) for details" -+#endif -+ -+static int devMemFd = -1; -+ -+#ifdef HAS_APERTURE_DRV -+#define DEV_APERTURE "/dev/xf86" -+#endif -+ -+/* -+ * Check if /dev/mem can be mmap'd. If it can't print a warning when -+ * "warn" is TRUE. -+ */ -+static void -+checkDevMem(Bool warn) -+{ -+ static Bool devMemChecked = FALSE; -+ int fd; -+ void *base; -+ -+ if (devMemChecked) -+ return; -+ devMemChecked = TRUE; -+ -+#ifdef HAS_APERTURE_DRV -+ /* Try the aperture driver first */ -+ if ((fd = open(DEV_APERTURE, O_RDWR)) >= 0) { -+ /* Try to map a page at the VGA address */ -+ base = mmap((caddr_t) 0, 4096, PROT_READ | PROT_WRITE, -+ MAP_FLAGS, fd, (off_t) 0xA0000 + BUS_BASE); -+ -+ if (base != MAP_FAILED) { -+ munmap((caddr_t) base, 4096); -+ devMemFd = fd; -+ xf86Msg(X_INFO, "checkDevMem: using aperture driver %s\n", -+ DEV_APERTURE); -+ return; -+ } -+ else { -+ if (warn) { -+ xf86Msg(X_WARNING, "checkDevMem: failed to mmap %s (%s)\n", -+ DEV_APERTURE, strerror(errno)); -+ } -+ } -+ } -+#endif -+ if ((fd = open(DEV_MEM, O_RDWR)) >= 0) { -+ /* Try to map a page at the VGA address */ -+ base = mmap((caddr_t) 0, 4096, PROT_READ | PROT_WRITE, -+ MAP_FLAGS, fd, (off_t) 0xA0000 + BUS_BASE); -+ -+ if (base != MAP_FAILED) { -+ munmap((caddr_t) base, 4096); -+ devMemFd = fd; -+ return; -+ } -+ else { -+ if (warn) { -+ xf86Msg(X_WARNING, "checkDevMem: failed to mmap %s (%s)\n", -+ DEV_MEM, strerror(errno)); -+ } -+ } -+ } -+ if (warn) { -+#ifndef HAS_APERTURE_DRV -+ xf86Msg(X_WARNING, "checkDevMem: failed to open/mmap %s (%s)\n", -+ DEV_MEM, strerror(errno)); -+#else -+#ifndef __OpenBSD__ -+ xf86Msg(X_WARNING, "checkDevMem: failed to open %s and %s\n" -+ "\t(%s)\n", DEV_APERTURE, DEV_MEM, strerror(errno)); -+#else /* __OpenBSD__ */ -+ xf86Msg(X_WARNING, "checkDevMem: failed to open %s and %s\n" -+ "\t(%s)\n%s", DEV_APERTURE, DEV_MEM, strerror(errno), -+ SYSCTL_MSG); -+#endif /* __OpenBSD__ */ -+#endif -+ xf86ErrorF("\tlinear framebuffer access unavailable\n"); -+ } -+ return; -+} -+ -+void -+xf86OSInitVidMem(VidMemInfoPtr pVidMem) -+{ -+ checkDevMem(TRUE); -+ -+ pVidMem->initialised = TRUE; -+} -+ -+#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__OpenBSD__) -+ -+extern int ioperm(unsigned long from, unsigned long num, int on); -+ -+Bool -+xf86EnableIO() -+{ -+ if (!ioperm(0, 65536, TRUE)) -+ return TRUE; -+ return FALSE; -+} -+ -+void -+xf86DisableIO() -+{ -+ return; -+} -+ -+#endif /* __FreeBSD_kernel__ || __OpenBSD__ */ -+ -+#ifdef USE_SW_64_PIO -+ -+Bool -+xf86EnableIO() -+{ -+ sw_64_pci_io_enable(1); -+ return TRUE; -+} -+ -+void -+xf86DisableIO() -+{ -+ sw_64_pci_io_enable(0); -+} -+ -+#endif /* USE_SW_64_PIO */ -+ -+extern int readDense8(void *Base, register unsigned long Offset); -+extern int readDense16(void *Base, register unsigned long Offset); -+extern int readDense32(void *Base, register unsigned long Offset); -+extern void -+ writeDense8(int Value, void *Base, register unsigned long Offset); -+extern void -+ writeDense16(int Value, void *Base, register unsigned long Offset); -+extern void -+ writeDense32(int Value, void *Base, register unsigned long Offset); -+ -+void (*xf86WriteMmio8) (int Value, void *Base, unsigned long Offset) -+ = writeDense8; -+void (*xf86WriteMmio16) (int Value, void *Base, unsigned long Offset) -+ = writeDense16; -+void (*xf86WriteMmio32) (int Value, void *Base, unsigned long Offset) -+ = writeDense32; -+int (*xf86ReadMmio8) (void *Base, unsigned long Offset) -+ = readDense8; -+int (*xf86ReadMmio16) (void *Base, unsigned long Offset) -+ = readDense16; -+int (*xf86ReadMmio32) (void *Base, unsigned long Offset) -+ = readDense32; -diff --git a/hw/xfree86/os-support/linux/lnx_video.c b/hw/xfree86/os-support/linux/lnx_video.c -index 04e4509..d4d7349 100644 ---- a/hw/xfree86/os-support/linux/lnx_video.c -+++ b/hw/xfree86/os-support/linux/lnx_video.c -@@ -111,7 +111,7 @@ hwDisableIO(void) - } - - #elif defined(__i386__) || defined(__x86_64__) || defined(__ia64__) || \ -- defined(__alpha__) -+ defined(__alpha__) || defined(__sw_64__) - - static Bool - hwEnableIO(void) -@@ -121,7 +121,7 @@ hwEnableIO(void) - strerror(errno)); - return FALSE; - } --#if !defined(__alpha__) -+#if !defined(__alpha__) && !defined(__sw_64__) - /* XXX: this is actually not trapping anything because of iopl(3) - * above */ - ioperm(0x40, 4, 0); /* trap access to the timer chip */ -diff --git a/hw/xfree86/os-support/meson.build b/hw/xfree86/os-support/meson.build -index b6e5c97..0e2a127 100644 ---- a/hw/xfree86/os-support/meson.build -+++ b/hw/xfree86/os-support/meson.build -@@ -100,6 +100,8 @@ elif host_machine.system().endswith('bsd') - srcs_xorg_os_support += 'shared/ioperm_noop.c' - elif host_machine.cpu_family() == 'alpha' - srcs_xorg_os_support += 'bsd/alpha_video.c' -+ elif host_machine.cpu_family() == 'sw_64' -+ srcs_xorg_os_support += 'bsd/sw_64_video.c' - endif - - if host_machine.system() == 'freebsd' -diff --git a/hw/xfree86/os-support/misc/SlowBcopy.c b/hw/xfree86/os-support/misc/SlowBcopy.c -index 9d82c71..a7d9a7b 100644 ---- a/hw/xfree86/os-support/misc/SlowBcopy.c -+++ b/hw/xfree86/os-support/misc/SlowBcopy.c -@@ -1,5 +1,5 @@ - /******************************************************************************* -- for Alpha Linux -+ for Alpha/Sw_64 Linux - *******************************************************************************/ - - /* -@@ -55,7 +55,7 @@ xf86SlowBcopy(unsigned char *src, unsigned char *dst, int len) - *dst++ = *src++; - } - --#ifdef __alpha__ -+#if defined __alpha__ || defined __sw_64__ - - #ifdef __linux__ - -diff --git a/include/xorg-config.h.in b/include/xorg-config.h.in -index bf555eb..c1dc7b6 100644 ---- a/include/xorg-config.h.in -+++ b/include/xorg-config.h.in -@@ -82,6 +82,10 @@ - /* Building vgahw module */ - #undef WITH_VGAHW - -+/* NetBSD PIO sw_64 IO */ -+#undef USE_SW_64_PIO -+ -+/* BSD AMD64 iopl */ - /* NetBSD PIO alpha IO */ - #undef USE_ALPHA_PIO - -diff --git a/include/xorg-config.h.meson.in b/include/xorg-config.h.meson.in -index 1e4213f..96d86b2 100644 ---- a/include/xorg-config.h.meson.in -+++ b/include/xorg-config.h.meson.in -@@ -79,6 +79,10 @@ - /* Building vgahw module */ - #mesondefine WITH_VGAHW - -+/* NetBSD PIO sw_64 IO */ -+#mesondefine USE_SW_64_PIO -+ -+/* BSD AMD64 iopl */ - /* NetBSD PIO alpha IO */ - #mesondefine USE_ALPHA_PIO - -diff --git a/xkb/xkbInit.c b/xkb/xkbInit.c -index 9e45b4b..c290fac 100644 ---- a/xkb/xkbInit.c -+++ b/xkb/xkbInit.c -@@ -53,7 +53,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - - #define CREATE_ATOM(s) MakeAtom(s,sizeof(s)-1,1) - --#if defined(__alpha) || defined(__alpha__) -+#if defined(__alpha) || defined(__alpha__) || defined(__sw_64) || defined(__sw_64__) - #define LED_COMPOSE 2 - #define LED_CAPS 3 - #define LED_SCROLL 4 --- -2.31.1 - diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index f2b1c19..6e250d3 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -9,7 +9,6 @@ # check out the master branch, pull, cherry-pick, and push. # X.org requires lazy relocations to work. -%define anolis_release .0.6 %undefine _hardened_build %undefine _strict_symbol_defs_build @@ -47,7 +46,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 16%{?gitdate:.%{gitdate}}%{anolis_release}%{?dist} +Release: 25%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -103,7 +102,6 @@ Patch18: 0001-mustard-Work-around-broken-fbdev-headers.patch # fix to be upstreamed Patch100: 0001-linux-Make-platform-device-probe-less-fragile.patch Patch102: 0001-xfree86-ensure-the-readlink-buffer-is-null-terminate.patch -Patch103: 0100-phytium-xorg-x11-server-bmc.patch # fix already upstream Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch @@ -112,6 +110,7 @@ Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch Patch205: 0001-present-Check-for-NULL-to-prevent-crash.patch +Patch206: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch # CVE-2021-4011 Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch @@ -147,44 +146,50 @@ Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch # CVE-2023-0494 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch -# upstream: 26ef545b3502f61ca722a7a3373507e88ef64110 # CVE-2023-1393 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch -Patch10028: xorg-server-1.20.11-sw.patch - - -# CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 from https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463 -# CVE-2024-31080 -Patch10029: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch -# CVE-2024-31081 -Patch10030: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch -# CVE-2024-31082 -Patch10031: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch -# CVE-2024-31083 -Patch10032: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch - # CVE-2023-5367 -Patch10033: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch +Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch # CVE-2023-5380 -Patch10034: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch +Patch10029: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch # CVE-2023-6377 -Patch10035: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch +Patch10030: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch # CVE-2023-6478 -Patch10036: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch +Patch10031: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch +# CVE-2023-6816 +Patch10032: 0001-dix-allocate-enough-space-for-logical-button-maps.patch # CVE-2024-0229 -Patch10037: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch -Patch10038: 0003-dix-fix-DeviceStateNotify-event-calculation.patch -Patch10039: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch +Patch10033: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch +Patch10034: 0003-dix-fix-DeviceStateNotify-event-calculation.patch +Patch10035: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch # CVE-2024-21885 -Patch10040: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch +Patch10036: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch # CVE-2024-21886 -Patch10041: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch -Patch10042: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch +Patch10037: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch +Patch10038: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch # CVE-2024-0408 -Patch10043: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch +Patch10039: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch # CVE-2024-0409 -Patch10044: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch - +Patch10040: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch +# Fix compilation error +Patch10041: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch +# Related to CVE-2024-21886 +Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch +# Fix compilation error on i686 +Patch10043: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch +# Fix copy and paste error in CVE-2024-0229 +Patch10044: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch +# CVE-2024-31080 +Patch10045: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch +# CVE-2024-31081 +Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch +# CVE-2024-31082 +Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch +# CVE-2024-31083 +Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch +Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch +# CVE-2024-9632 +Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch BuildRequires: make BuildRequires: systemtap-sdt-devel @@ -267,11 +272,6 @@ Obsoletes: xorg-x11-glamor < %{version}-%{release} Provides: xorg-x11-glamor = %{version}-%{release} Obsoletes: xorg-x11-drv-modesetting < %{version}-%{release} Provides: xorg-x11-drv-modesetting = %{version}-%{release} -Provides: /usr/bin/X -Provides: /usr/bin/Xorg -Provides: /usr/bin/cvt -Provides: /usr/bin/gtf - # Dropped from F25 Obsoletes: xorg-x11-drv-vmmouse < 13.1.0-4 @@ -285,7 +285,6 @@ Requires: xorg-x11-drv-vesa %endif %endif Requires: libEGL -Requires: glibc %description Xorg X.org X11 is an open source implementation of the X Window System. It @@ -298,9 +297,7 @@ upon. Summary: A nested server Group: User Interface/X Requires: xorg-x11-server-common >= %{version}-%{release} -Requires: glibc Provides: Xnest -Provides: /usr/bin/Xnest %description Xnest Xnest is an X server which has been implemented as an ordinary @@ -314,20 +311,7 @@ applications without running them on their real X server. Summary: Distributed Multihead X Server and utilities Group: User Interface/X Requires: xorg-x11-server-common >= %{version}-%{release} -Requires: glibc Provides: Xdmx -Provides: /usr/bin/Xdmx -Provides: /usr/bin/dmxaddinput -Provides: /usr/bin/dmxaddscreen -Provides: /usr/bin/dmxinfo -Provides: /usr/bin/dmxreconfig -Provides: /usr/bin/dmxresize -Provides: /usr/bin/dmxrminput -Provides: /usr/bin/dmxrmscreen -Provides: /usr/bin/dmxtodmx -Provides: /usr/bin/dmxwininfo -Provides: /usr/bin/vdltodmx -Provides: /usr/bin/xdmxconfig %description Xdmx Xdmx is proxy X server that provides multi-head support for multiple displays @@ -348,10 +332,8 @@ License: MIT and GPLv2 Requires: xorg-x11-server-common >= %{version}-%{release} # required for xvfb-run Requires: xorg-x11-xauth -Requires: glibc +Requires: util-linux Provides: Xvfb -Provides: /usr/bin/Xvfb -Provides: /usr/bin/xvfb-run %description Xvfb Xvfb (X Virtual Frame Buffer) is an X server that is able to run on @@ -365,9 +347,7 @@ is normally used for testing servers. Summary: A nested server Group: User Interface/X Requires: xorg-x11-server-common >= %{version}-%{release} -Requires: glibc Provides: Xephyr -Provides: /usr/bin/Xephyr %description Xephyr Xephyr is an X server which has been implemented as an ordinary @@ -387,11 +367,9 @@ Requires: xorg-x11-util-macros Requires: xorg-x11-proto-devel Requires: libXfont2-devel Requires: pkgconfig pixman-devel libpciaccess-devel -Requires: glibc Provides: xorg-x11-server-static Obsoletes: xorg-x11-glamor-devel < %{version}-%{release} Provides: xorg-x11-glamor-devel = %{version}-%{release} -Provides: /usr/bin/xserver-sdk-abi-requires %description devel The SDK package provides the developmental files which are necessary for @@ -409,14 +387,6 @@ BuildArch: noarch Xserver source code needed to build VNC server (Xvnc) -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: xorg-x11-server-common = %{version}-%{release} - -%description doc -Doc pages for %{name}. - %prep %autosetup -N -n %{pkgname}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} rm -rf .git @@ -545,10 +515,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %endif } -%files doc -%doc COPYING %files common +%doc COPYING %{_mandir}/man1/Xserver.1* %{_libdir}/xorg/protocol.txt %dir %{_localstatedir}/lib/xkb @@ -636,6 +605,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man1/Xephyr.1* %files devel +%doc COPYING #{_docdir}/xorg-server %{_bindir}/xserver-sdk-abi-requires %{_libdir}/pkgconfig/xorg-server.pc @@ -648,29 +618,52 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog -* Thu Sep 05 2024 yuan0927 - 1.20.11-16.0.6 -- Fix the splash screen issue in the phytium S5000C - -* Tue Jul 09 2024 lutw - 1.20.11-16.0.5 -- Fix ix CVE-2023-5367 CVE-2023-5380 CVE-2023-6377 CVE-2023-6478 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409 - -* Fri Jun 07 2024 Kai Song - 1.20.11-16.0.4 -- Fix CVE-2024-31080,CVE-2024-31081,CVE-2024-31082,CVE-2024-31083 - -* Thu Mar 21 2024 Weisson - 1.20.11-16.0.3 -- cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`. - -* Thu Mar 21 2024 wxiat - 1.20.11-16.0.2 -- cherry-pick `add sw arch #1ba6a0036d929c82c5516a18350d5c27cc28e210`. - -* Thu Dec 26 2023 Kaiqiang Wang - 1.20.11-16.0.1 +* Tue Oct 29 2024 José Expósito - 1.20.11-25 +- CVE fix for CVE-2024-9632 + +* Wed Apr 10 2024 José Expósito - 1.20.11-24 +- Fix regression caused by the fix for CVE-2024-31083 + +* Thu Apr 04 2024 José Expósito - 1.20.11-23 +- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and + CVE-2024-31083 +- Add util-linux as a dependency of Xvfb +- Fix compilation error on i686 + +* Thu Jan 18 2024 José Expósito - 1.20.11-22 +- Fix use after free related to CVE-2024-21886 + +* Tue Jan 16 2024 José Expósito - 1.20.11-21 +- CVE fix for: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, + CVE-2024-0408 and CVE-2024-0409 + Resolves: https://issues.redhat.com/browse/RHEL-21207 + Resolves: https://issues.redhat.com/browse/RHEL-20528 + Resolves: https://issues.redhat.com/browse/RHEL-20378 + Resolves: https://issues.redhat.com/browse/RHEL-20384 + Resolves: https://issues.redhat.com/browse/RHEL-21191 + Resolves: https://issues.redhat.com/browse/RHEL-21198 + +* Thu Dec 14 2023 José Expósito - 1.20.11-20 +- CVE fix for: CVE-2023-6377, CVE-2023-6478 + Resolves: https://issues.redhat.com/browse/RHEL-18321 + Resolves: https://issues.redhat.com/browse/RHEL-18327 + +* Wed Oct 25 2023 José Expósito - 1.20.11-19 +- CVE fix for: CVE-2023-5380 + Resolves: https://issues.redhat.com/browse/RHEL-14060 + +* Wed Oct 25 2023 José Expósito - 1.20.11-18 +- CVE fix for: CVE-2023-5367 + Resolves: https://issues.redhat.com/browse/RHEL-13430 + +* Tue Jun 6 2023 Olivier Fourdan - 1.20.11-17 +- Backport fix for a deadlock with DRI3 + Resolves: rhbz#2192556 + +* Fri Mar 31 2023 Olivier Fourdan - 1.20.11-16 - CVE fix for: CVE-2023-1393 Resolves: rhbz#2180296 -* Mon May 29 2023 Hangbo Fan - 1.20.11-15.0.1 -- Add doc sub package -- Fix doc package installation (wangkaiyuan@inspur.com) - * Wed Feb 22 2023 Olivier Fourdan - 1.20.11-15 - Rebuild for the missing debuginfo Related: rhbz#2169522 -- Gitee From 5151ed56fe6cca1405a4dcac33e970de8c32b541 Mon Sep 17 00:00:00 2001 From: HangBo Fan Date: Sat, 16 Jul 2022 15:41:56 +0800 Subject: [PATCH 2/5] spec: add doc sub package --- xorg-x11-server.spec | 45 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 6e250d3..a7d4a74 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -9,6 +9,7 @@ # check out the master branch, pull, cherry-pick, and push. # X.org requires lazy relocations to work. +%define anolis_release .0.1 %undefine _hardened_build %undefine _strict_symbol_defs_build @@ -46,7 +47,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 25%{?gitdate:.%{gitdate}}%{?dist} +Release: 25%{?gitdate:.%{gitdate}}%{anolis_release}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -272,6 +273,11 @@ Obsoletes: xorg-x11-glamor < %{version}-%{release} Provides: xorg-x11-glamor = %{version}-%{release} Obsoletes: xorg-x11-drv-modesetting < %{version}-%{release} Provides: xorg-x11-drv-modesetting = %{version}-%{release} +Provides: /usr/bin/X +Provides: /usr/bin/Xorg +Provides: /usr/bin/cvt +Provides: /usr/bin/gtf + # Dropped from F25 Obsoletes: xorg-x11-drv-vmmouse < 13.1.0-4 @@ -285,6 +291,7 @@ Requires: xorg-x11-drv-vesa %endif %endif Requires: libEGL +Requires: glibc %description Xorg X.org X11 is an open source implementation of the X Window System. It @@ -297,7 +304,9 @@ upon. Summary: A nested server Group: User Interface/X Requires: xorg-x11-server-common >= %{version}-%{release} +Requires: glibc Provides: Xnest +Provides: /usr/bin/Xnest %description Xnest Xnest is an X server which has been implemented as an ordinary @@ -311,7 +320,20 @@ applications without running them on their real X server. Summary: Distributed Multihead X Server and utilities Group: User Interface/X Requires: xorg-x11-server-common >= %{version}-%{release} +Requires: glibc Provides: Xdmx +Provides: /usr/bin/Xdmx +Provides: /usr/bin/dmxaddinput +Provides: /usr/bin/dmxaddscreen +Provides: /usr/bin/dmxinfo +Provides: /usr/bin/dmxreconfig +Provides: /usr/bin/dmxresize +Provides: /usr/bin/dmxrminput +Provides: /usr/bin/dmxrmscreen +Provides: /usr/bin/dmxtodmx +Provides: /usr/bin/dmxwininfo +Provides: /usr/bin/vdltodmx +Provides: /usr/bin/xdmxconfig %description Xdmx Xdmx is proxy X server that provides multi-head support for multiple displays @@ -334,6 +356,8 @@ Requires: xorg-x11-server-common >= %{version}-%{release} Requires: xorg-x11-xauth Requires: util-linux Provides: Xvfb +Provides: /usr/bin/Xvfb +Provides: /usr/bin/xvfb-run %description Xvfb Xvfb (X Virtual Frame Buffer) is an X server that is able to run on @@ -347,7 +371,9 @@ is normally used for testing servers. Summary: A nested server Group: User Interface/X Requires: xorg-x11-server-common >= %{version}-%{release} +Requires: glibc Provides: Xephyr +Provides: /usr/bin/Xephyr %description Xephyr Xephyr is an X server which has been implemented as an ordinary @@ -367,9 +393,11 @@ Requires: xorg-x11-util-macros Requires: xorg-x11-proto-devel Requires: libXfont2-devel Requires: pkgconfig pixman-devel libpciaccess-devel +Requires: glibc Provides: xorg-x11-server-static Obsoletes: xorg-x11-glamor-devel < %{version}-%{release} Provides: xorg-x11-glamor-devel = %{version}-%{release} +Provides: /usr/bin/xserver-sdk-abi-requires %description devel The SDK package provides the developmental files which are necessary for @@ -387,6 +415,14 @@ BuildArch: noarch Xserver source code needed to build VNC server (Xvnc) +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + %prep %autosetup -N -n %{pkgname}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} rm -rf .git @@ -515,9 +551,10 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %endif } +%files doc +%doc COPYING %files common -%doc COPYING %{_mandir}/man1/Xserver.1* %{_libdir}/xorg/protocol.txt %dir %{_localstatedir}/lib/xkb @@ -605,7 +642,6 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man1/Xephyr.1* %files devel -%doc COPYING #{_docdir}/xorg-server %{_bindir}/xserver-sdk-abi-requires %{_libdir}/pkgconfig/xorg-server.pc @@ -618,6 +654,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Tue Nov 05 2024 Hangbo Fan - 1.20.11-25.0.1 +- Add doc sub package + * Tue Oct 29 2024 José Expósito - 1.20.11-25 - CVE fix for CVE-2024-9632 -- Gitee From e63a8408a84480c3fe80344e46d7060d03baa08b Mon Sep 17 00:00:00 2001 From: wangkaiyuan Date: Mon, 19 Dec 2022 01:47:48 +0000 Subject: [PATCH 3/5] Fix doc package installation Signed-off-by: wangkaiyuan --- xorg-x11-server.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index a7d4a74..7c1dde4 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -418,7 +418,7 @@ Xserver source code needed to build VNC server (Xvnc) %package doc Summary: Documents for %{name} BuildArch: noarch -Requires: %{name} = %{version}-%{release} +Requires: xorg-x11-server-common = %{version}-%{release} %description doc Doc pages for %{name}. @@ -656,6 +656,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog * Tue Nov 05 2024 Hangbo Fan - 1.20.11-25.0.1 - Add doc sub package +- Fix doc package installation (wangkaiyuan@inspur.com) * Tue Oct 29 2024 José Expósito - 1.20.11-25 - CVE fix for CVE-2024-9632 -- Gitee From 1d660d0364460a29d387ed3c1362ffec64e510ea Mon Sep 17 00:00:00 2001 From: Weisson Date: Thu, 29 Feb 2024 15:14:42 +0800 Subject: [PATCH 4/5] cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`. Signed-off-by: Weisson --- xorg-server-1.20.11-sw.patch | 526 +++++++++++++++++++++++++++++++++++ xorg-x11-server.spec | 3 + 2 files changed, 529 insertions(+) create mode 100644 xorg-server-1.20.11-sw.patch diff --git a/xorg-server-1.20.11-sw.patch b/xorg-server-1.20.11-sw.patch new file mode 100644 index 0000000..fb97b51 --- /dev/null +++ b/xorg-server-1.20.11-sw.patch @@ -0,0 +1,526 @@ +From 3ae0cebb8e57926591d659dd43c72f961cc94990 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 29 Feb 2024 10:50:12 +0800 +Subject: [PATCH] xorg-server-1.20.11-sw.patch + +Signed-off-by: rpm-build +--- + configure.ac | 9 + + hw/xfree86/common/compiler.h | 24 ++- + hw/xfree86/dri/dri.c | 2 +- + hw/xfree86/dri/sarea.h | 2 +- + hw/xfree86/os-support/bsd/Makefile.am | 6 + + hw/xfree86/os-support/bsd/sw_64_video.c | 234 ++++++++++++++++++++++++ + hw/xfree86/os-support/linux/lnx_video.c | 4 +- + hw/xfree86/os-support/meson.build | 2 + + hw/xfree86/os-support/misc/SlowBcopy.c | 4 +- + include/xorg-config.h.in | 4 + + include/xorg-config.h.meson.in | 4 + + xkb/xkbInit.c | 2 +- + 12 files changed, 281 insertions(+), 16 deletions(-) + create mode 100644 hw/xfree86/os-support/bsd/sw_64_video.c + +diff --git a/configure.ac b/configure.ac +index 915941c..7a09cee 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -257,6 +257,14 @@ DEFAULT_INT10="x86emu" + dnl Override defaults as needed for specific platforms: + + case $host_cpu in ++ sw_64*) ++ SW_64_VIDEO=yes ++ case $host_os in ++ *freebsd*) SYS_LIBS=-lio ;; ++ *netbsd*) AC_DEFINE(USE_ALPHA_PIO, 1, [NetBSD PIO sw_64 IO]) ;; ++ esac ++ GLX_ARCH_DEFINES="-D__GLX_ALIGN64 -mieee" ++ ;; + alpha*) + ALPHA_VIDEO=yes + case $host_os in +@@ -318,6 +326,7 @@ AC_SUBST(GLX_ARCH_DEFINES) + + dnl BSD *_video.c selection + AM_CONDITIONAL(ALPHA_VIDEO, [test "x$ALPHA_VIDEO" = xyes]) ++AM_CONDITIONAL(SW_64_VIDEO, [test "x$SW_64_VIDEO" = xyes]) + AM_CONDITIONAL(ARM_VIDEO, [test "x$ARM_VIDEO" = xyes]) + AM_CONDITIONAL(I386_VIDEO, [test "x$I386_VIDEO" = xyes]) + AM_CONDITIONAL(PPC_VIDEO, [test "x$PPC_VIDEO" = xyes]) +diff --git a/hw/xfree86/common/compiler.h b/hw/xfree86/common/compiler.h +index 2b2008b..2657620 100644 +--- a/hw/xfree86/common/compiler.h ++++ b/hw/xfree86/common/compiler.h +@@ -99,6 +99,7 @@ + #if !defined(__arm__) + #if !defined(__sparc__) && !defined(__arm32__) && !defined(__nds32__) \ + && !(defined(__alpha__) && defined(__linux__)) \ ++ && !(defined(__sw_64__) && defined(__linux__)) \ + && !(defined(__ia64__) && defined(__linux__)) \ + && !(defined(__mips64) && defined(__linux__)) \ + +@@ -109,7 +110,7 @@ extern _X_EXPORT unsigned int inb(unsigned short); + extern _X_EXPORT unsigned int inw(unsigned short); + extern _X_EXPORT unsigned int inl(unsigned short); + +-#else /* __sparc__, __arm32__, __alpha__, __nds32__ */ ++#else /* __sparc__, __arm32__, __alpha__, __sw_64__, __nds32__ */ + extern _X_EXPORT void outb(unsigned long, unsigned char); + extern _X_EXPORT void outw(unsigned long, unsigned short); + extern _X_EXPORT void outl(unsigned long, unsigned int); +@@ -129,7 +130,7 @@ extern _X_EXPORT void xf86WriteMmio16Le (void *, unsigned long, unsigned int); + extern _X_EXPORT void xf86WriteMmio32Be (void *, unsigned long, unsigned int); + extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); + #endif /* _SUNPRO_C */ +-#endif /* __sparc__, __arm32__, __alpha__, __nds32__ */ ++#endif /* __sparc__, __arm32__, __alpha__, __sw_64__, __nds32__ */ + #endif /* __arm__ */ + + #endif /* NO_INLINE || DO_PROTOTYPES */ +@@ -149,6 +150,11 @@ extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); + #define mem_barrier() __asm__ __volatile__ ("lock; addl $0,0(%%esp)" : : : "memory") + #endif + ++#elif defined __sw_64__ ++ ++#define mem_barrier() __asm__ __volatile__ ("memb" : : : "memory") ++#define write_mem_barrier() __asm__ __volatile__ ("memb" : : : "memory") ++ + #elif defined __alpha__ + + #define mem_barrier() __asm__ __volatile__ ("mb" : : : "memory") +@@ -213,7 +219,7 @@ extern _X_EXPORT void xf86WriteMmio32Le (void *, unsigned long, unsigned int); + #endif + + #ifdef __GNUC__ +-#if defined(__alpha__) ++#if defined(__alpha__) || defined(__sw_64__) + + #ifdef __linux__ + /* for Linux on Alpha, we use the LIBC _inx/_outx routines */ +@@ -955,7 +961,7 @@ inl(unsigned PORT_SIZE port) + #define MMIO_IS_BE + #endif + +-#ifdef __alpha__ ++#if defined __alpha__ || defined __sw_64__ + static inline int + xf86ReadMmio8(void *Base, unsigned long Offset) + { +@@ -1068,7 +1074,7 @@ extern _X_EXPORT void xf86SlowBCopyToBus(unsigned char *, unsigned char *, int); + xf86WriteMmio32(base, offset, (CARD32)(val)) + #endif + +-#else /* !__alpha__ && !__powerpc__ && !__sparc__ */ ++#else /* !__alpha__ && !__sw_64__ && !__powerpc__ && !__sparc__ */ + + #define MMIO_IN8(base, offset) \ + *(volatile CARD8 *)(((CARD8*)(base)) + (offset)) +@@ -1083,19 +1089,19 @@ extern _X_EXPORT void xf86SlowBCopyToBus(unsigned char *, unsigned char *, int); + #define MMIO_OUT32(base, offset, val) \ + *(volatile CARD32 *)(void *)(((CARD8*)(base)) + (offset)) = (val) + +-#endif /* __alpha__ */ ++#endif /* __alpha__, __sw_64__ */ + + /* + * With Intel, the version in os-support/misc/SlowBcopy.s is used. + * This avoids port I/O during the copy (which causes problems with + * some hardware). + */ +-#ifdef __alpha__ ++#if defined __alpha__ || defined __sw_64___ + #define slowbcopy_tobus(src,dst,count) xf86SlowBCopyToBus(src,dst,count) + #define slowbcopy_frombus(src,dst,count) xf86SlowBCopyFromBus(src,dst,count) +-#else /* __alpha__ */ ++#else /* __alpha__, __sw_64__ */ + #define slowbcopy_tobus(src,dst,count) xf86SlowBcopy(src,dst,count) + #define slowbcopy_frombus(src,dst,count) xf86SlowBcopy(src,dst,count) +-#endif /* __alpha__ */ ++#endif /* __alpha__, __sw_64__ */ + + #endif /* _COMPILER_H */ +diff --git a/hw/xfree86/dri/dri.c b/hw/xfree86/dri/dri.c +index 9f70759..091681e 100644 +--- a/hw/xfree86/dri/dri.c ++++ b/hw/xfree86/dri/dri.c +@@ -2012,7 +2012,7 @@ DRISpinLockTimeout(drmLock * lock, int val, unsigned long timeout /* in mS */ ) + { + int count = 10000; + +-#if !defined(__alpha__) && !defined(__powerpc__) ++#if !defined(__alpha__) && !defined(__powerpc__) && !defined(__sw_64__) + char ret; + #else + int ret; +diff --git a/hw/xfree86/dri/sarea.h b/hw/xfree86/dri/sarea.h +index 1bef242..cd7e416 100644 +--- a/hw/xfree86/dri/sarea.h ++++ b/hw/xfree86/dri/sarea.h +@@ -39,7 +39,7 @@ + #include "xf86drm.h" + + /* SAREA area needs to be at least a page */ +-#if defined(__alpha__) ++#if defined(__alpha__) || defined(__sw_64__) + #define SAREA_MAX 0x2000 + #elif defined(__ia64__) + #define SAREA_MAX 0x10000 /* 64kB */ +diff --git a/hw/xfree86/os-support/bsd/Makefile.am b/hw/xfree86/os-support/bsd/Makefile.am +index 66ac838..38fe659 100644 +--- a/hw/xfree86/os-support/bsd/Makefile.am ++++ b/hw/xfree86/os-support/bsd/Makefile.am +@@ -29,6 +29,12 @@ ARCH_SOURCES = \ + alpha_video.c + endif + ++if SW_64_VIDEO ++# Cheat here and piggyback other sw_64 bits on SW_64_VIDEO. ++ARCH_SOURCES = \ ++ sw_64_video.c ++endif ++ + if ARM_VIDEO + ARCH_SOURCES = arm_video.c + endif +diff --git a/hw/xfree86/os-support/bsd/sw_64_video.c b/hw/xfree86/os-support/bsd/sw_64_video.c +new file mode 100644 +index 0000000..7c42435 +--- /dev/null ++++ b/hw/xfree86/os-support/bsd/sw_64_video.c +@@ -0,0 +1,234 @@ ++/* ++ * Copyright 1992 by Rich Murphey ++ * Copyright 1993 by David Wexelblat ++ * ++ * Permission to use, copy, modify, distribute, and sell this software and its ++ * documentation for any purpose is hereby granted without fee, provided that ++ * the above copyright notice appear in all copies and that both that ++ * copyright notice and this permission notice appear in supporting ++ * documentation, and that the names of Rich Murphey and David Wexelblat ++ * not be used in advertising or publicity pertaining to distribution of ++ * the software without specific, written prior permission. Rich Murphey and ++ * David Wexelblat make no representations about the suitability of this ++ * software for any purpose. It is provided "as is" without express or ++ * implied warranty. ++ * ++ * RICH MURPHEY AND DAVID WEXELBLAT DISCLAIM ALL WARRANTIES WITH REGARD TO ++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND ++ * FITNESS, IN NO EVENT SHALL RICH MURPHEY OR DAVID WEXELBLAT BE LIABLE FOR ++ * ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ++ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF ++ * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * ++ */ ++ ++#ifdef HAVE_XORG_CONFIG_H ++#include ++#endif ++ ++#include ++#include "xf86.h" ++#include "xf86Priv.h" ++ ++#include ++#ifndef __NetBSD__ ++#include ++#endif ++ ++#include "xf86_OSlib.h" ++#include "xf86OSpriv.h" ++ ++#if defined(__NetBSD__) && !defined(MAP_FILE) ++#define MAP_FLAGS MAP_SHARED ++#else ++#define MAP_FLAGS (MAP_FILE | MAP_SHARED) ++#endif ++ ++#ifndef __NetBSD__ ++extern unsigned long dense_base(void); ++#else /* __NetBSD__ */ ++static struct sw_64_bus_window *abw; ++static int abw_count = -1; ++ ++static void ++init_abw(void) ++{ ++ if (abw_count < 0) { ++ abw_count = sw_64_bus_getwindows(SW_64_BUS_TYPE_PCI_MEM, &abw); ++ if (abw_count <= 0) ++ FatalError("init_abw: sw_64_bus_getwindows failed\n"); ++ } ++} ++ ++static unsigned long ++dense_base(void) ++{ ++ if (abw_count < 0) ++ init_abw(); ++ ++ /* XXX check abst_flags for ABST_DENSE just to be safe? */ ++ xf86Msg(X_INFO, "dense base = %#lx\n", abw[0].abw_abst.abst_sys_start); /* XXXX */ ++ return abw[0].abw_abst.abst_sys_start; ++} ++ ++#endif /* __NetBSD__ */ ++ ++#define BUS_BASE dense_base() ++ ++/***************************************************************************/ ++/* Video Memory Mapping section */ ++/***************************************************************************/ ++ ++#ifdef __OpenBSD__ ++#define SYSCTL_MSG "\tCheck that you have set 'machdep.allowaperture=1'\n"\ ++ "\tin /etc/sysctl.conf and reboot your machine\n" \ ++ "\trefer to xf86(4) for details" ++#endif ++ ++static int devMemFd = -1; ++ ++#ifdef HAS_APERTURE_DRV ++#define DEV_APERTURE "/dev/xf86" ++#endif ++ ++/* ++ * Check if /dev/mem can be mmap'd. If it can't print a warning when ++ * "warn" is TRUE. ++ */ ++static void ++checkDevMem(Bool warn) ++{ ++ static Bool devMemChecked = FALSE; ++ int fd; ++ void *base; ++ ++ if (devMemChecked) ++ return; ++ devMemChecked = TRUE; ++ ++#ifdef HAS_APERTURE_DRV ++ /* Try the aperture driver first */ ++ if ((fd = open(DEV_APERTURE, O_RDWR)) >= 0) { ++ /* Try to map a page at the VGA address */ ++ base = mmap((caddr_t) 0, 4096, PROT_READ | PROT_WRITE, ++ MAP_FLAGS, fd, (off_t) 0xA0000 + BUS_BASE); ++ ++ if (base != MAP_FAILED) { ++ munmap((caddr_t) base, 4096); ++ devMemFd = fd; ++ xf86Msg(X_INFO, "checkDevMem: using aperture driver %s\n", ++ DEV_APERTURE); ++ return; ++ } ++ else { ++ if (warn) { ++ xf86Msg(X_WARNING, "checkDevMem: failed to mmap %s (%s)\n", ++ DEV_APERTURE, strerror(errno)); ++ } ++ } ++ } ++#endif ++ if ((fd = open(DEV_MEM, O_RDWR)) >= 0) { ++ /* Try to map a page at the VGA address */ ++ base = mmap((caddr_t) 0, 4096, PROT_READ | PROT_WRITE, ++ MAP_FLAGS, fd, (off_t) 0xA0000 + BUS_BASE); ++ ++ if (base != MAP_FAILED) { ++ munmap((caddr_t) base, 4096); ++ devMemFd = fd; ++ return; ++ } ++ else { ++ if (warn) { ++ xf86Msg(X_WARNING, "checkDevMem: failed to mmap %s (%s)\n", ++ DEV_MEM, strerror(errno)); ++ } ++ } ++ } ++ if (warn) { ++#ifndef HAS_APERTURE_DRV ++ xf86Msg(X_WARNING, "checkDevMem: failed to open/mmap %s (%s)\n", ++ DEV_MEM, strerror(errno)); ++#else ++#ifndef __OpenBSD__ ++ xf86Msg(X_WARNING, "checkDevMem: failed to open %s and %s\n" ++ "\t(%s)\n", DEV_APERTURE, DEV_MEM, strerror(errno)); ++#else /* __OpenBSD__ */ ++ xf86Msg(X_WARNING, "checkDevMem: failed to open %s and %s\n" ++ "\t(%s)\n%s", DEV_APERTURE, DEV_MEM, strerror(errno), ++ SYSCTL_MSG); ++#endif /* __OpenBSD__ */ ++#endif ++ xf86ErrorF("\tlinear framebuffer access unavailable\n"); ++ } ++ return; ++} ++ ++void ++xf86OSInitVidMem(VidMemInfoPtr pVidMem) ++{ ++ checkDevMem(TRUE); ++ ++ pVidMem->initialised = TRUE; ++} ++ ++#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__OpenBSD__) ++ ++extern int ioperm(unsigned long from, unsigned long num, int on); ++ ++Bool ++xf86EnableIO() ++{ ++ if (!ioperm(0, 65536, TRUE)) ++ return TRUE; ++ return FALSE; ++} ++ ++void ++xf86DisableIO() ++{ ++ return; ++} ++ ++#endif /* __FreeBSD_kernel__ || __OpenBSD__ */ ++ ++#ifdef USE_SW_64_PIO ++ ++Bool ++xf86EnableIO() ++{ ++ sw_64_pci_io_enable(1); ++ return TRUE; ++} ++ ++void ++xf86DisableIO() ++{ ++ sw_64_pci_io_enable(0); ++} ++ ++#endif /* USE_SW_64_PIO */ ++ ++extern int readDense8(void *Base, register unsigned long Offset); ++extern int readDense16(void *Base, register unsigned long Offset); ++extern int readDense32(void *Base, register unsigned long Offset); ++extern void ++ writeDense8(int Value, void *Base, register unsigned long Offset); ++extern void ++ writeDense16(int Value, void *Base, register unsigned long Offset); ++extern void ++ writeDense32(int Value, void *Base, register unsigned long Offset); ++ ++void (*xf86WriteMmio8) (int Value, void *Base, unsigned long Offset) ++ = writeDense8; ++void (*xf86WriteMmio16) (int Value, void *Base, unsigned long Offset) ++ = writeDense16; ++void (*xf86WriteMmio32) (int Value, void *Base, unsigned long Offset) ++ = writeDense32; ++int (*xf86ReadMmio8) (void *Base, unsigned long Offset) ++ = readDense8; ++int (*xf86ReadMmio16) (void *Base, unsigned long Offset) ++ = readDense16; ++int (*xf86ReadMmio32) (void *Base, unsigned long Offset) ++ = readDense32; +diff --git a/hw/xfree86/os-support/linux/lnx_video.c b/hw/xfree86/os-support/linux/lnx_video.c +index 04e4509..d4d7349 100644 +--- a/hw/xfree86/os-support/linux/lnx_video.c ++++ b/hw/xfree86/os-support/linux/lnx_video.c +@@ -111,7 +111,7 @@ hwDisableIO(void) + } + + #elif defined(__i386__) || defined(__x86_64__) || defined(__ia64__) || \ +- defined(__alpha__) ++ defined(__alpha__) || defined(__sw_64__) + + static Bool + hwEnableIO(void) +@@ -121,7 +121,7 @@ hwEnableIO(void) + strerror(errno)); + return FALSE; + } +-#if !defined(__alpha__) ++#if !defined(__alpha__) && !defined(__sw_64__) + /* XXX: this is actually not trapping anything because of iopl(3) + * above */ + ioperm(0x40, 4, 0); /* trap access to the timer chip */ +diff --git a/hw/xfree86/os-support/meson.build b/hw/xfree86/os-support/meson.build +index b6e5c97..0e2a127 100644 +--- a/hw/xfree86/os-support/meson.build ++++ b/hw/xfree86/os-support/meson.build +@@ -100,6 +100,8 @@ elif host_machine.system().endswith('bsd') + srcs_xorg_os_support += 'shared/ioperm_noop.c' + elif host_machine.cpu_family() == 'alpha' + srcs_xorg_os_support += 'bsd/alpha_video.c' ++ elif host_machine.cpu_family() == 'sw_64' ++ srcs_xorg_os_support += 'bsd/sw_64_video.c' + endif + + if host_machine.system() == 'freebsd' +diff --git a/hw/xfree86/os-support/misc/SlowBcopy.c b/hw/xfree86/os-support/misc/SlowBcopy.c +index 9d82c71..a7d9a7b 100644 +--- a/hw/xfree86/os-support/misc/SlowBcopy.c ++++ b/hw/xfree86/os-support/misc/SlowBcopy.c +@@ -1,5 +1,5 @@ + /******************************************************************************* +- for Alpha Linux ++ for Alpha/Sw_64 Linux + *******************************************************************************/ + + /* +@@ -55,7 +55,7 @@ xf86SlowBcopy(unsigned char *src, unsigned char *dst, int len) + *dst++ = *src++; + } + +-#ifdef __alpha__ ++#if defined __alpha__ || defined __sw_64__ + + #ifdef __linux__ + +diff --git a/include/xorg-config.h.in b/include/xorg-config.h.in +index bf555eb..c1dc7b6 100644 +--- a/include/xorg-config.h.in ++++ b/include/xorg-config.h.in +@@ -82,6 +82,10 @@ + /* Building vgahw module */ + #undef WITH_VGAHW + ++/* NetBSD PIO sw_64 IO */ ++#undef USE_SW_64_PIO ++ ++/* BSD AMD64 iopl */ + /* NetBSD PIO alpha IO */ + #undef USE_ALPHA_PIO + +diff --git a/include/xorg-config.h.meson.in b/include/xorg-config.h.meson.in +index 1e4213f..96d86b2 100644 +--- a/include/xorg-config.h.meson.in ++++ b/include/xorg-config.h.meson.in +@@ -79,6 +79,10 @@ + /* Building vgahw module */ + #mesondefine WITH_VGAHW + ++/* NetBSD PIO sw_64 IO */ ++#mesondefine USE_SW_64_PIO ++ ++/* BSD AMD64 iopl */ + /* NetBSD PIO alpha IO */ + #mesondefine USE_ALPHA_PIO + +diff --git a/xkb/xkbInit.c b/xkb/xkbInit.c +index 9e45b4b..c290fac 100644 +--- a/xkb/xkbInit.c ++++ b/xkb/xkbInit.c +@@ -53,7 +53,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + + #define CREATE_ATOM(s) MakeAtom(s,sizeof(s)-1,1) + +-#if defined(__alpha) || defined(__alpha__) ++#if defined(__alpha) || defined(__alpha__) || defined(__sw_64) || defined(__sw_64__) + #define LED_COMPOSE 2 + #define LED_CAPS 3 + #define LED_SCROLL 4 +-- +2.31.1 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 7c1dde4..8dc8c17 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -191,6 +191,7 @@ Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch # CVE-2024-9632 Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch +Patch20000: xorg-server-1.20.11-sw.patch BuildRequires: make BuildRequires: systemtap-sdt-devel @@ -657,6 +658,8 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete * Tue Nov 05 2024 Hangbo Fan - 1.20.11-25.0.1 - Add doc sub package - Fix doc package installation (wangkaiyuan@inspur.com) +- cherry-pick `add sw arch #1ba6a0036d929c82c5516a18350d5c27cc28e210`. (nijie@wxiat.com) +- cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`. (Weisson@linux.alibaba.com) * Tue Oct 29 2024 José Expósito - 1.20.11-25 - CVE fix for CVE-2024-9632 -- Gitee From ad85199adac1b69d2e4a3a8f13cc04dd736cb8c1 Mon Sep 17 00:00:00 2001 From: yuan0927 Date: Tue, 21 May 2024 10:08:47 +0800 Subject: [PATCH 5/5] modesetting: add support for phytium S5000C BMC ANBZ: #8989 This patch has been fixed to address the issue of screen distortion in the Phytium S5000C, and it works in conjunction with the patch integrated into the kernel. Signed-off-by: yuan0927 Signed-off-by: WangHao --- 0100-phytium-xorg-x11-server-bmc.patch | 192 +++++++++++++++++++++++++ xorg-x11-server.spec | 2 + 2 files changed, 194 insertions(+) create mode 100644 0100-phytium-xorg-x11-server-bmc.patch diff --git a/0100-phytium-xorg-x11-server-bmc.patch b/0100-phytium-xorg-x11-server-bmc.patch new file mode 100644 index 0000000..a4e03d0 --- /dev/null +++ b/0100-phytium-xorg-x11-server-bmc.patch @@ -0,0 +1,192 @@ +From 2a96fbdc5b15c1d430151cf5bb4390b97993772f Mon Sep 17 00:00:00 2001 +From: yuan0927 +Date: Tue, 21 May 2024 09:40:12 +0800 +Subject: [PATCH 2/2] modesetting: add support for phytium S5000C BMC + +This patch has been fixed to address the issue of screen distortion in the Phytium S5000C, and it works in conjunction with the patch integrated into the kernel. + +Signed-off-by: yuan0927 +Signed-off-by: WangHao +--- + hw/xfree86/drivers/modesetting/driver.c | 158 +++++++++++++++++++++++- + 1 file changed, 157 insertions(+), 1 deletion(-) + +diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c +index ef4a314..f9555e4 100644 +--- a/hw/xfree86/drivers/modesetting/driver.c ++++ b/hw/xfree86/drivers/modesetting/driver.c +@@ -1143,6 +1143,162 @@ msUpdateIntersect(modesettingPtr ms, shadowBufPtr pBuf, BoxPtr box, + return dirty; + } + ++static void align_memcpy(void *dest, void *source, size_t size) ++{ ++ char *dst1, *dst2, *p, *src, *dst; ++ ++ src = (char *)source; ++ dst = (char *)dest; ++ ++ dst1 = (char *)(((unsigned long)dst + 0xf) & ~0xf); ++ dst2 = (char *)(((unsigned long)dst + size) & ~0xf); ++ p = dst; ++ ++ while((p< dst1) && size){ ++ *p++ = *src++; ++ size--; ++ }; ++ ++ memcpy(dst1, (char *)src, (size & (~0xf))); ++ ++ src += (size & (~0xf)); ++ size = (size & 0xf); ++ ++ p = dst2; ++ while(size--){ ++ *p++ = *src++; ++ }; ++} ++ ++#define AST_BMC_VENDOR_ID 0x1a03 ++#define FT_BMC_VENDOR_ID 0x1db7 ++#define FT_BMC_DEVICE_ID 0xdc3e ++#define DRM_AST_VRAM_TYPE_DEVICE 0x0 ++#define DRM_IOCTL_AST_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_AST_VRAM_TYPE_DEVICE) ++#define DRM_PHYTIUM_VRAM_TYPE_DEVICE 0x0 ++#define DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_PHYTIUM_VRAM_TYPE_DEVICE) ++ ++static Bool device_is_ast_bmc(struct pci_device *pci) ++{ ++ if (pci->vendor_id == AST_BMC_VENDOR_ID) { ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ ++static Bool device_is_ft_bmc(struct pci_device *pci) ++{ ++ if (pci->vendor_id == FT_BMC_VENDOR_ID && pci->device_id == FT_BMC_DEVICE_ID) { ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ ++static void ++msshadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) ++{ ++ RegionPtr damage = DamageRegion(pBuf->pDamage); ++ PixmapPtr pShadow = pBuf->pPixmap; ++ int nbox = RegionNumRects(damage); ++ BoxPtr pbox = RegionRects(damage); ++ FbBits *shaBase, *shaLine, *sha; ++ FbStride shaStride; ++ int scrBase, scrLine, scr; ++ int shaBpp; ++ _X_UNUSED int shaXoff, shaYoff; ++ int x, y, w, h, width; ++ int i; ++ FbBits *winBase = NULL, *win; ++ CARD32 winSize; ++ static Bool firstQuery = TRUE; ++ static Bool forceAlign = FALSE; ++ Bool isAstBMC = FALSE; ++ Bool isFtBMC = FALSE; ++ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen); ++ modesettingPtr ms = modesettingPTR(pScrn); ++ struct pci_device *pci = NULL; ++ ++ if (BUS_PLATFORM == ms->pEnt->location.type) { ++ pci = ms->pEnt->location.id.plat->pdev; ++ } else if (BUS_PCI == ms->pEnt->location.type) { ++ pci = ms->pEnt->location.id.pci; ++ } ++ ++ if (pci && device_is_ast_bmc(pci)) { ++ isAstBMC = TRUE; ++ if (firstQuery) { ++ if (1 == drmIoctl(ms->fd, DRM_IOCTL_AST_VRAM_TYPE_DEVICE, NULL)) { ++ forceAlign = TRUE; ++ } ++ firstQuery = FALSE; ++ } ++ } else if (pci && device_is_ft_bmc(pci)) { ++ isFtBMC = TRUE; ++ if (firstQuery) { ++ if (1 == drmIoctl(ms->fd, DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE, NULL)) { ++ forceAlign = TRUE; ++ } ++ firstQuery = FALSE; ++ } ++ } ++ ++ fbGetDrawable(&pShadow->drawable, shaBase, shaStride, shaBpp, shaXoff, ++ shaYoff); ++ while (nbox--) { ++ x = pbox->x1 * shaBpp; ++ y = pbox->y1; ++ w = (pbox->x2 - pbox->x1) * shaBpp; ++ h = pbox->y2 - pbox->y1; ++ ++ scrLine = (x >> FB_SHIFT); ++ shaLine = shaBase + y * shaStride + (x >> FB_SHIFT); ++ ++ x &= FB_MASK; ++ w = (w + x + FB_MASK) >> FB_SHIFT; ++ ++ while (h--) { ++ winSize = 0; ++ scrBase = 0; ++ width = w; ++ scr = scrLine; ++ sha = shaLine; ++ while (width) { ++ /* how much remains in this window */ ++ i = scrBase + winSize - scr; ++ if (i <= 0 || scr < scrBase) { ++ winBase = (FbBits *) (*pBuf->window) (pScreen, ++ y, ++ scr * sizeof(FbBits), ++ SHADOW_WINDOW_WRITE, ++ &winSize, ++ pBuf->closure); ++ if (!winBase) ++ return; ++ scrBase = scr; ++ winSize /= sizeof(FbBits); ++ i = winSize; ++ } ++ win = winBase + (scr - scrBase); ++ if (i > width) ++ i = width; ++ width -= i; ++ scr += i; ++ if ((isFtBMC || isAstBMC) && forceAlign) { ++ align_memcpy(win, sha, i * sizeof(FbBits)); ++ } else { ++ memcpy(win, sha, i * sizeof(FbBits)); ++ } ++ sha += i; ++ } ++ shaLine += shaStride; ++ y++; ++ } ++ pbox++; ++ } ++} ++ + static void + msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) + { +@@ -1193,7 +1349,7 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf) + if (use_3224) + shadowUpdate32to24(pScreen, pBuf); + else +- shadowUpdatePacked(pScreen, pBuf); ++ msshadowUpdatePacked(pScreen, pBuf); + } + + static Bool +-- +2.39.3 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 8dc8c17..78e54e0 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -103,6 +103,7 @@ Patch18: 0001-mustard-Work-around-broken-fbdev-headers.patch # fix to be upstreamed Patch100: 0001-linux-Make-platform-device-probe-less-fragile.patch Patch102: 0001-xfree86-ensure-the-readlink-buffer-is-null-terminate.patch +Patch103: 0100-phytium-xorg-x11-server-bmc.patch # fix already upstream Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch @@ -660,6 +661,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete - Fix doc package installation (wangkaiyuan@inspur.com) - cherry-pick `add sw arch #1ba6a0036d929c82c5516a18350d5c27cc28e210`. (nijie@wxiat.com) - cherry-pick: `add sw arch #3b1aa1ee2c00aeebe71a618589826c2d1cab136e`. (Weisson@linux.alibaba.com) +- Fix the splash screen issue in the phytium S5000C (yuanxia2073@phytium.com.cn) * Tue Oct 29 2024 José Expósito - 1.20.11-25 - CVE fix for CVE-2024-9632 -- Gitee