| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
CVE-2020-14362 ZDI-CAN-11574
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Most (but not all) of these were found by using
codespell --builtin clear,rare,usage,informal,code,names
but not everything reported by that was fixed.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
If a client is in the process of being closed down, then its client->osPrivate
pointer will be set to NULL by CloseDownConnection. This can cause a crash if
freeing the client's resources results in a call to AttendClient. For example,
if the client has a pending sync fence:
Thread 1 "X" received signal SIGSEGV, Segmentation fault.
AttendClient (client=0x5571c4aed9a0) at ../os/connection.c:942
(gdb) bt
#0 AttendClient (client=0x5571c4aed9a0) at ../os/connection.c:942
#1 0x00005571c3dbb865 in SyncAwaitTriggerFired (pTrigger=<optimized out>) at ../Xext/sync.c:694
#2 0x00005571c3dd5749 in miSyncDestroyFence (pFence=0x5571c5063980) at ../miext/sync/misync.c:120
#3 0x00005571c3dbbc69 in FreeFence (obj=<optimized out>, id=<optimized out>) at ../Xext/sync.c:1909
#4 0x00005571c3d7a01d in doFreeResource (res=0x5571c506e3d0, skip=skip@entry=0) at ../dix/resource.c:880
#5 0x00005571c3d7b1dc in FreeClientResources (client=0x5571c4aed9a0) at ../dix/resource.c:1146
#6 FreeClientResources (client=0x5571c4aed9a0) at ../dix/resource.c:1109
#7 0x00005571c3d5525f in CloseDownClient (client=0x5571c4aed9a0) at ../dix/dispatch.c:3473
#8 0x00005571c3d55eeb in Dispatch () at ../dix/dispatch.c:492
#9 0x00005571c3d59e96 in dix_main (argc=3, argv=0x7ffe7854bc28, envp=<optimized out>) at ../dix/main.c:276
#10 0x00007fea4837cb6b in __libc_start_main (main=0x5571c3d1d060 <main>, argc=3, argv=0x7ffe7854bc28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe7854bc18) at ../csu/libc-start.c:308
#11 0x00005571c3d1d09a in _start () at ../Xext/sync.c:2378
(gdb) print client->osPrivate
$1 = (void *) 0x0
Since the client is about to be freed, its ignore count doesn't matter and
AttendClient can simply be a no-op. Check for client->clientGone in AttendClient
and remove similar checks from two callers that had them.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
|
|
If we don't have any recording contexts just skip all this. Note this
also skips a pointless trip through malloc(0)/free.
|
|
Separate each statement of the form "assert(a && b);" into "assert(a);"
and "assert(b);" for more precise diagnostics, except for this clever
use in drmmode_display.c where it was used to pass a hint to developers:
assert(num_infos <= 32 && "update return type");
|
|
This is a work in progress that builds Xvfb, Xephyr, Xwayland, Xnest,
and Xdmx so far. The outline of Xquartz/Xwin support is in tree, but
hasn't been built yet. The unit tests are also not done.
The intent is to build this as a complete replacement for the
autotools system, then eventually replace autotools. meson is faster
to generate the build, faster to run the bulid, shorter to write the
build files in, and less error-prone than autotools.
v2: Fix indentation nits, move version declaration to project(), use
existing meson_options for version-config.h's vendor name/web.
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.
An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
This touches everything that ends up in the Xorg binary; the big missing
part is GLX since that's all generated code. Cuts about 14k from the
binary on amd64.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
|
|
Reviewed-by: Rémi Cardona <remi@gentoo.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
v2: remove now useless parentheses
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
|
|
sed -i "s/[ ]\+$//g" **/*.(c|h)
happy reviewing...
git diff -w is an empty diff.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
This just removes the comment markers from around the formals in
several function prototypes near where pointer -> void * changes were
made. There are plenty more of these to fix.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
|
|
When building on Solaris with _XOPEN_SOURCE set to a recent XPG release,
<stdlib.h> and other core headers start including <sys/regset.h>, which
has a bunch of unfortunately named macros such as "CS", "ES", etc. for
x86 & x64 registers which clash with existing variable & struct member
names in Xorg - so #undef these so they don't interfere with our use.
(Yes, have filed a bug against the system headers for exposing these,
but this solves the problem for building on existing releases.)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
Create extinit.h (and xf86Extensions.h, for Xorg-specific extensions) to
hold all our extension initialisation prototypes, rather than
duplicating them everywhere.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
|
|
When passing variable pointers to functions or otherwise doing long
sequences to compute values for replies, create & use some new
temporary variables, to allow for simpler initialization of reply
structures in the following patches.
Move memsets & other initializations to group with the rest of the
filling in of the reply structure, now that they're not needed so
early in the code path.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
|
|
Casting return to (void) was used to tell lint that you intended
to ignore the return value, so it didn't warn you about it.
Casting the third argument to (char *) was used as the most generic
pointer type in the days before compilers supported C89 (void *)
(except for a couple places it's used for byte-sized pointer math).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
|
|
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The record extension needs the major and minor opcodes in the reply
hook, but the request buffer may have been freed by the time the hook
is invoked. Saving the request major and minor codes as the request is
executed avoids fetching from the defunct request buffer.
This patch also eliminates the public MinorOpcodeOfRequest function,
inlining it into Dispatch. Usages of that function have been replaced
with direct access to the new ClientRec field.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
|
|
Any pad bytes in replies are written to the client from a zeroed
array. However, record extension tries to incorrectly access the pad
bytes from the end of reply data.
Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
|
|
Also, fix whitespace, mainly around
swaps(&rep.sequenceNumber)
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
|
|
Since RecordDeleteContext frees its argument, don't fall through to free
it again.
Error: Double free (CWE 415)
Double free of pointer 'malloc(1072)' defined by malloc
at line 1964 of record/record.c in function 'ProcRecordCreateContext'.
Previously freed at line 1960 with RecordDeleteContext.
'malloc(1072)' was allocated at line 1926 with malloc.
[ This bug was found by the Parfait 0.3.7 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
|
|
record.c:810:9: warning: unused variable 'count'
Scope-shadowed by a later variable of the same name, safe to just
delete.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
RecordFlushReplyBuffer can call itself recursively through
WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts
when the recording client's buffer cannot be completely emptied in one
WriteClient. When a such a recursion occurs, it will not be broken out
of which results in segmentation fault when the stack is exhausted.
This patch adds a counter (a flag, really) that guards against this
situation, to break out of the recursion.
One alternative to this change would be to change _CallCallbacks to
check the corresponding counter before the callback loop, but that
might affect existing behavior, which may be relied upon.
Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Some event types (notably Expose and GraphicsExpose) require multiple
events, a la XI 1.x. Bring the EventToCore API in line with EventToXI's
and allow it to generate multiple events.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Execute the following steps to reproduce the issue.
1. Run at least two recording clients simultaneously.
$ cnee --record --request-range 1-127 &
$ cnee --record --request-range 1-127 &
2. Kill the recording clients.
$ killall cnee
3. Give X server something to do so that the clients are closed.
$ xinput list
$ xinput list
As a result RecordUninstallHooks accesses NullClient, because
RecordAClientStateChange doesn't clean the recording clients up
properly.
Fix RecordUninstallHooks to fail locally on an assertion instead of
much later in privates code, if NullClient is still accessed because
of some other bug. Fix RecordAClientStateChange to iterate through all
contexts so that modifications of the iterated array during iteration
don't cause contexts to be skipped.
Signed-off-by: Rami Ylimäki <ext-rami.ylimaki@nokia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Running the following command causes an assertion to fail:
cnee --record --request-range 1-127
3 in dixGetPrivateAddr at ../../include/privates.h:122
4 in dixGetPrivate at ../../include/privates.h:137
5 in dixLookupPrivate at ../../include/privates.h:167
6 in RecordInstallHooks at ../../record/record.c:911
7 in ProcRecordEnableContext at ../../record/record.c:2377
8 in ProcRecordDispatch at ../../record/record.c:2571
9 in Dispatch at ../../dix/dispatch.c:432
10 in main at ../../dix/main.c:289
Signed-off-by: Rami Ylimäki <ext-rami.ylimaki@nokia.com>
Reviewed-by: Oliver McFadden <oliver.mcfadden@nokia.com>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
No functional change, since free doesn't change the value of the pointer
passed to it, but it makes this code less confusing.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Matt Turner <mattst88@gmail.com>
|
|
This patch has been generated by the following Coccinelle semantic patch:
@@
expression E;
@@
-if(E) { free(E); }
+free(E);
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Reviewed-by: Matt Turner <mattst88@gmail.com>
|
|
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Marcin Baczyński <marbacz@gmail.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
|
|
This patch only changes the API, not the implementation of the
devPrivates infrastructure. This will permit a new devPrivates
implementation to be layed into the server without requiring
simultaneous changes in every devPrivates user.
Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com>
|
|
Many references to the dixScreenOrigins array already had the
corresponding screen pointer handy, which meant they usually looked like
"dixScreenOrigins[pScreen->myNum]". Adding a field to ScreenRec instead
of keeping this information in a parallel array simplifies those
expressions, and eliminates a MAXSCREENS-sized array.
Since dix declared the dixScreenOrigins array, I figure allocating a
screen private for these values is overkill.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com> (i686 GNU/Linux)
|
|
This eliminates a dynamically-allocated MAXSCREENS-sized array.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com> (i686 GNU/Linux)
|
|
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
Just let Dispatch() check for a noClientException, rather than making
every single dispatch procedure take care of it.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
|
|
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
RECORD was disabled during the switch to internal events. This patch
modifies the record callback to work with internal events instead of
xEvents. The InternalEvents are converted to core/Xi events as needed.
Since record is a loadable extension, the EventTo* calls must be externed.
Signed-off-by: Chris Dekter <cdekter@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Convert all calls of CreateNewResourceType to pass name argument
Breaks DIX ABI.
ABI versions bumped:
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Calls RegisterResourceName to record the type name for
use by X-Resource, XACE/SELinux/XTsol, and DTrace.
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
|
|
main.c:134: warning: no previous prototype for 'dix_main'
rootlessScreen.c: In function 'RootlessMarkOverlappedWindows':
rootlessScreen.c:434: warning: function declaration isn't a prototype
backtrace.c:51: warning: format '%lx' expects type 'long unsigned int', but argument 5 has type 'int'
backtrace.c:54: warning: format '%lx' expects type 'long unsigned int', but argument 5 has type 'int'
set.c: In function 'RecordSetMemoryRequirements':
set.c:413: warning: old-style function definition
set.c: In function 'RecordCreateSet':
set.c:425: warning: old-style function definition
stub.c: In function ‘main’:
stub.c:236: warning: ISO C90 forbids mixed declarations and code
Signed-off-by: Jeremy Huddleston <jeremyhu@freedesktop.org>
|
|
include/protocol-versions.h specifies each extension version as supported by
the server and sent back on the wire to the client.
This fixes up several issues with the server potentially reporting a higher
version of the protocol if recompiled against a newer version of the
protocol.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Rémi Cardona <remi@gentoo.org>
Acked-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
warning: passing argument 4 of ‘RecordAProtocolElement’ discards qualifiers
from pointer target type
note: expected ‘pointer’ but argument is of type ‘const void *’
record.c:2745: warning: passing argument 1 of ‘SwapConnSetupInfo’ from
incompatible pointer type
../include/swaprep.h:243: note: expected ‘char *’ but argument is of type
‘struct xConnSetup *’
record.c:2745: warning: passing argument 1 of ‘SwapConnSetupInfo’ from
incompatible pointer type
../include/swaprep.h:243: note: expected ‘char *’ but argument is of type
‘struct xConnSetup *’
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
The RECORD extension is currently broken. By ifdef'ing out the content of
RecordExtensionInit the extension isn't added to the server's internal list
and it does not get advertised to the client. Clients can thus fail
gracefully with a "extension not supported" instead of waiting forever for
events that never arrive.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Callsites updated to use dixLookupResourceBy{Type,Class}.
TODO: Audit access modes to make sure they reflect the usage.
|
