Emilio Pozuelo Monfort pushed to branch debian-unstable at X Strike Force / xserver / xorg-server
Commits: 3bda7d11 by Patrik Jakobsson at 2025-02-05T15:02:23+01:00 modesetting: Fix dirty updates for sw rotation Rotation is broken for all drm drivers not providing hardware rotation support. Drivers that give direct access to vram and not needing dirty updates still work but only by accident. The problem is caused by modesetting not sending the correct fb_id to drmModeDirtyFB() and passing the damage rects in the rotated state and not as the crtc expects them. This patch takes care of both problems. Signed-off-by: Patrik Jakobsson <pjakobs...@suse.de> (cherry picked from commit db9e9d45e8ba73510f11eb9e534c176102f6623e) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - 743f66d6 by Olivier Fourdan at 2025-02-05T15:02:23+01:00 glamor: Fix possible double-free If glamor_link_glsl_prog() fails, we may jump to the failed code path which frees the variable vs_prog_string and fs_prog_string. But those variables were already freed just before, so in that case we end up freeing the memory twice. Simply move the free at the end of the success code path so we are sure to free the values only once, either in the successful of failed code paths. Fixes: 2906ee5e4 - glamor: Fix leak in glamor_build_program() Signed-off-by: Olivier Fourdan <ofour...@redhat.com> (cherry picked from commit 34ea020344ef5f2ea8ffce78c7e1abd6436b21ec) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - de2e2e8d by Peter Hutterer at 2025-02-05T15:02:23+01:00 dix: don't push the XKB state to a non-existing master keyboard If our master keyboard is disabled, GetMaster() returns NULL and we segfault in XkbPushLockedStateToSlaves(). Fixes 45fb3a934dc0db51584aba37c2f9d73deff9191d Fixes #1611 (cherry picked from commit 9b983fecf999b9f50946973f2379a5ce00491cad) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - f241e4f8 by Peter Hutterer at 2025-02-05T15:02:23+01:00 Xi: when removing a master search for a disabled paired device If either the master pointer or keyboard was disabled, the respective GetMaster() call returns NULL, causing a segfault later accessing the deviceid. Fix this by looking in the off_devices list for any master device of the type we're looking for. Master devices lose the pairing when disabled (on enabling a keyboard we simply pair with the first available unpaired pointer). And for readability, split the device we get from the protocol request into a new "dev" variable instead of re-using ptr. Fixes #1611 (cherry picked from commit e7c876ab0b0daa546a23d4ef82537fdf8fd88e04) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - ac48573a by Olivier Fourdan at 2025-02-05T15:02:23+01:00 os: Fix NULL pointer dereference RemoveHost() can be called from DisableLocalHost() with a NULL client, but doesn't actually check whether the given client pointer is valid on error and assigns the error value unconditionally, leading to a possible NULL pointer dereference and a crash of the Xserver. To avoid the issue, simply check whether the client pointer is not NULL prior to assign the errorValue. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1752 See-also: https://bugzilla.redhat.com/2313799 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> (cherry picked from commit 57a446c0f98693bd2e0263e91213344d870f4e03) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - e38c23e5 by Tj at 2025-02-05T15:02:23+01:00 xfree86: fbdevhw: fix pci detection on recent Linux Linux kernel v6.9 has changed the symlink to point to the parent device. This breaks fbdev_open() detection logic. Change it to use the subsystem symlink instead which will remain stable. Kernel v6.8: [ 14.067] (II) fbdev_open() sysfs_path=/sys/class/graphics/fb0 [ 14.067] (II) fbdev_open() buf=../../devices/platform/vesa-framebuffer.0/graphics/fb0 Kernel v6.9: [ 15.609] (II) fbdev_open() sysfs_path=/sys/class/graphics/fb0 [ 15.609] (II) fbdev_open() buf=../../devices/pci0000:00/0000:00:01.0/vesa-framebuffer.0/graphics/fb0 Originally found in automated Debian ISO QA testing [0] and confirmed in Linux [1]. Tested on kernels v6.9.7 and v6.8.12 [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075713 [1] https://lore.kernel.org/lkml/lLyvPFC_APGHNfyGNHRpQy5izBikkaTPOpHooZIT3fFAoJPquSI31ZMueA99XTdr8ysir3X7O7IMdc6za-0m79vr_claeparHhoRouVgHOI=@proton.me/ Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1714 Signed-off-by: Tj <tj.iam...@proton.me> Reviewed-by: Thomas Zimmermann <tzimmerm...@suse.de> Reviewed-by: Enrico Weigelt, metux IT consult <i...@metux.net> (cherry picked from commit 728b54528d37ffa27b07c9b181c5ed8d2d359379) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - cbc2c654 by Alan Coopersmith at 2025-02-05T15:02:23+01:00 os: NextDPMSTimeout: mark intentional fallthroughs in switch The comment at the top of the function tells humans the fallthroughs are intentional, but gcc doesn't parse that. Clears 3 -Wimplicit-fallthrough warnings from gcc 14.1 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit b306df5a6060beea82b5157c3603593527b220b0) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - 23b3b719 by Alan Coopersmith at 2025-02-05T15:02:23+01:00 xfree86: avoid memory leak on realloc failure Found by Oracle Parfait 13.3 static analyzer: Memory leak [memory-leak]: Memory leak of pointer optname allocated with asprintf(&optname, "\"%s\"", p->name) at line 326 of hw/xfree86/common/xf86Configure.c in function 'configureDeviceSection'. optname allocated at line 309 with asprintf(&optname, "\"%s\"", p->name) Fixes: code inherited from XFree86 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit fa711c486a2c2c958c71d7bd8ac0efe552558717) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - cec3e55e by Alan Coopersmith at 2025-02-05T15:02:23+01:00 Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL The comments in that function say "This only happens if master is a slave device. don't do that" but static analysis doesn't respect that. Found by Oracle Parfait 13.3: Null pointer dereference [null-pointer-deref]: Read from null pointer XTestptr at line 274 of Xi/xichangehierarchy.c in function 'remove_master'. Null pointer introduced at line 691 of Xext/xtest.c in function 'GetXTestDevice'. Function GetXTestDevice may return constant 'NULL' at line 691, called at line 273 of Xi/xichangehierarchy.c in function 'remove_master'. Null pointer dereference [null-pointer-deref]: Read from null pointer XTestkeybd at line 279 of Xi/xichangehierarchy.c in function 'remove_master'. Null pointer introduced at line 691 of Xext/xtest.c in function 'GetXTestDevice'. Function GetXTestDevice may return constant 'NULL' at line 691, called at line 278 of Xi/xichangehierarchy.c in function 'remove_master'. Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.") Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit d10589cc09c68ad09bebd3a4155c44d1b8f2614b) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - 5406ddd0 by Alan Coopersmith at 2025-02-05T15:02:23+01:00 render: avoid NULL pointer dereference if PictureFindVisual returns NULL Found by Oracle Parfait 13.3: Null pointer dereference [null-pointer-deref]: Read from null pointer pVisual at line 257 of dix/colormap.c in function 'CreateColormap'. Null pointer introduced at line 412 of render/picture.c in function 'PictureFindVisual'. Constant 'NULL' passed into function CreateColormap, argument pVisual, from call at line 431 in function 'PictureInitIndexedFormat'. Function PictureFindVisual may return constant 'NULL' at line 412, called at line 429. Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk") Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit 7af077dd2f939b76e7d6ba84250368b6649fb777) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - abfd0215 by Alan Coopersmith at 2025-02-05T15:02:23+01:00 dix: fix button offset when generating DeviceButtonStateNotify events Found by Oracle Parfait 13.3 static analyzer: Buffer Overflow in STD C function [buffer-overflow-call-stdc]: Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of size 24 is written at an offset of 28 Array size is 28 bytes, index is 32 at line 743 of dix/enterleave.c in function 'DeliverStateNotifyEvent'. Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.") Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit 4b073d65bb5e1f4accb7ed280c8926134582b7ab) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - fbb636bf by Alan Coopersmith at 2025-02-05T15:02:23+01:00 dix: limit checks to MAX_VALUATORS when generating Xi events Previously, it was looping through sizeof(ev->valuators.mask) * 8 valuators, where valuators.mask is defined as an array of (MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36, this made it actually loop through 40 entries. The last 4 bits in this array should never be set, so we should never access memory outside the bounds of the arrays defined to be exactly MAX_VALUATORS in length, but we can make the static analyzer happier and not waste time checking bits that should never be set. Found by Oracle Parfait 13.3 static analyzer: Read outside array bounds [read-outside-array-bounds]: In array dereference of ev->valuators.data[i] with index i Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39 at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'. Read outside array bounds [read-outside-array-bounds]: In array dereference of ev->valuators.data[i] with index i Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39 at line 808 of dix/eventconvert.c in function 'eventToRawEvent'. Read outside array bounds [read-outside-array-bounds]: In array dereference of ev->valuators.data_raw[i] with index i Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39 at line 809 of dix/eventconvert.c in function 'eventToRawEvent'. Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.") Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit b65eea43dd18cdf6d389b7f82ee55ae764c3bf31) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - 309ec5a4 by Alan Coopersmith at 2025-02-05T15:02:23+01:00 modesetting: avoid memory leak when ms_present_check_unflip() returns FALSE Found by Oracle Parfait 13.3 static analyzer: Memory leak [memory-leak]: Memory leak of pointer event allocated with calloc(1, 16) at line 470 of hw/xfree86/drivers/modesetting/present.c in function 'ms_present_unflip'. event allocated at line 431 with calloc(1, 16) event leaks when ms_present_check_unflip(...) == 0 at line 438 and i >= config->num_crtc at line 445 Fixes: 13c7d53df ("modesetting: Implement page flipping support for Present.") Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> (cherry picked from commit bf63d9b34ef3a24427f884f66a387119dd5cdb8c) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - 6115eb1f by Olivier Fourdan at 2025-02-05T15:02:24+01:00 xkb: Always use MAP_LENGTH keymap size Generating the modifier modmap, the helper function generate_modkeymap() would check the entire range up to the MAP_LENGTH. However, the given keymap might have less keycodes than MAP_LENGTH, in which case we would go beyond the size of the modmap, as reported by ASAN: ==ERROR: AddressSanitizer: heap-buffer-overflow READ of size 1 at 0x5110001c225b thread T0 #0 0x5e7369393873 in generate_modkeymap ../dix/inpututils.c:309 #1 0x5e736930dcce in ProcGetModifierMapping ../dix/devices.c:1794 #2 0x5e7369336489 in Dispatch ../dix/dispatch.c:550 #3 0x5e736934407d in dix_main ../dix/main.c:275 #5 0x7e46d47b2ecb in __libc_start_main #6 0x5e73691be324 in _start (xserver/build/hw/xwayland/Xwayland) Address is located 0 bytes after 219-byte region allocated by thread T0 here: #0 0x7e46d4cfc542 in realloc #1 0x5e73695aa90e in _XkbCopyClientMap ../xkb/xkbUtils.c:1142 #2 0x5e73695aa90e in XkbCopyKeymap ../xkb/xkbUtils.c:1966 #3 0x5e73695b1b2f in XkbDeviceApplyKeymap ../xkb/xkbUtils.c:2023 #4 0x5e73691c6c18 in keyboard_handle_keymap ../hw/xwayland/xwayland-input.c:1194 As MAP_LENGTH is used in various code paths where the max keycode might not be easily available, best is to always use MAP_LENGTH to allocate the keymaps so that the code never run past the buffer size. If the max key code is smaller than the MAP_LENGTH limit, fill-in the gap with zeros. That also simplifies the code slightly as we do not constantly need to reallocate the keymap to adjust to the max key code size. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1780 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> (cherry picked from commit 92bcebfd7e248f695503c0a6e7bee80be4c96834) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - e183b62e by Olivier Fourdan at 2025-02-05T15:02:24+01:00 os/connection: Make sure partial is initialized Following the change in Xtrans 1.5 that allows for partial connections to succeed, we need to make sure partial is properly initialized at first, otherwise we rely on an uninitialized variable. Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Suggested-by: Twaik Yont <twaiky...@gmail.com> Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1783 (cherry picked from commit 080fb49eff4de7ec3a29214994d1403e4d877f6a) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1767> - - - - - a651eefc by Daniel Kahn Gillmor at 2025-02-06T17:53:16+00:00 autotools: enable static use of Nettle for SHA1 Debian builds xserver 21 using autotools. When debian builds xserver-xorg for constrained environments like the installer, it wants to build against the static library of libnettle for SHA1, see debian/patches/03_static-nettle.diff in the debian repository at https://salsa.debian.org/xorg-team/xserver/xorg-server.git This modification of configure.ac makes it possible to build static nettle when needed, while preserving the build to use nettle with a dynamic library when passing a different configuration option. Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1756> - - - - - 0c6a7750 by Doug Brown at 2025-02-25T10:42:21+01:00 dri2: Protect against dri2ClientPrivate assertion failures If DRI2ScreenInit hasn't been called yet, DRI2Authenticate and DRI2CreateDrawable2 cause the X server to crash. This has been observed to happen on multiple modern Linux distros in various conditions, including QEMU and VMware VMs. Make these functions more robust in order to prevent the crash. This patch was originally provided by Bernhard Übelacker and expanded upon by Mark Wagner. Signed-off-by: Doug Brown <d...@schmorgal.com> Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1053 Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1534 (cherry picked from commit a0834009cfb10b8982a1f2b47b8ed00de254c2c3) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1824> - - - - - 32887f6c by Olivier Fourdan at 2025-02-25T19:35:55+01:00 test: Fix xsync test The xsync test is relying on the values being changed even in the case of a BadMatch value. Typically, it updates the delta but does not update the test type comparison, so when passing a negative value, it generates a BadMatch. That's actually not correct, and that will fail with the new fixes that check the validity of the values prior to apply the changes. Fix the test by updating the test type as needed. Signed-off-by: Olivier Fourdan <ofour...@redhat.com> (cherry picked from commit 05e54fefafbcec11d847b9f8127bcd4820a20625) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 9e5ac777 by Olivier Fourdan at 2025-02-25T19:36:29+01:00 Cursor: Refuse to free the root cursor If a cursor reference count drops to 0, the cursor is freed. The root cursor however is referenced with a specific global variable, and when the root cursor is freed, the global variable may still point to freed memory. Make sure to prevent the rootCursor from being explicitly freed by a client. CVE-2025-26594, ZDI-CAN-25544 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer <peter.hutte...@who-t.net>) v3: Return BadCursor instead of BadValue (Michel Dänzer <mic...@daenzer.net>) Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Suggested-by: Peter Hutterer <peter.hutte...@who-t.net> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 01642f263f12becf803b19be4db95a4a83f94acc) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 5f0c4e0b by Peter Hutterer at 2025-02-25T19:36:29+01:00 dix: keep a ref to the rootCursor CreateCursor returns a cursor with refcount 1 - that refcount is used by the resource system, any caller needs to call RefCursor to get their own reference. That happens correctly for normal cursors but for our rootCursor we keep a variable to the cursor despite not having a ref for ourselves. Fix this by reffing/unreffing the rootCursor to ensure our pointer is valid. Related to CVE-2025-26594, ZDI-CAN-25544 Reviewed-by: Olivier Fourdan <ofour...@redhat.com> (cherry picked from commit b0a09ba6020147961acc62d9c73d807b4cccd9f7) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - ea526ccb by Olivier Fourdan at 2025-02-25T19:36:29+01:00 xkb: Fix buffer overflow in XkbVModMaskText() The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the virtual mod name. There's actually two issues in the code that can lead to a buffer overflow. First, the bound check mixes pointers and integers using misplaced parenthesis, defeating the bound check. But even though, if the check fails, the data is still copied, so the stack overflow will occur regardless. Change the logic to skip the copy entirely if the bound check fails. CVE-2025-26595, ZDI-CAN-25545 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - b4293650 by Olivier Fourdan at 2025-02-25T19:36:29+01:00 xkb: Fix computation of XkbSizeKeySyms The computation of the length in XkbSizeKeySyms() differs from what is actually written in XkbWriteKeySyms(), leading to a heap overflow. Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() does. CVE-2025-26596, ZDI-CAN-25543 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 8cb23fac by Olivier Fourdan at 2025-02-25T19:36:29+01:00 xkb: Fix buffer overflow in XkbChangeTypesOfKey() If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the key syms to 0 but leave the key actions unchanged. If later, the same function is called with a non-zero value for nGroups, this will cause a buffer overflow because the key actions are of the wrong size. To avoid the issue, make sure to resize both the key syms and key actions when nGroups is 0. CVE-2025-26597, ZDI-CAN-25683 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 0e4ed94952b255c04fe910f6a1d9c852878dcd64) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 32decb1e by Olivier Fourdan at 2025-02-25T19:36:29+01:00 Xi: Fix barrier device search The function GetBarrierDevice() would search for the pointer device based on its device id and return the matching value, or supposedly NULL if no match was found. Unfortunately, as written, it would return the last element of the list if no matching device id was found which can lead to out of bounds memory access. Fix the search function to return NULL if not matching device is found, and adjust the callers to handle the case where the device cannot be found. CVE-2025-26598, ZDI-CAN-25740 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit bba9df1a9d57234c76c0b93f88dacb143d01bca2) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 7169628a by Olivier Fourdan at 2025-02-25T19:36:29+01:00 composite: Handle failure to redirect in compRedirectWindow() The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error. However that failure code path will shortcut the validation of the window tree marked just before, which leaves the validate data partly initialized. That causes a use of uninitialized pointer later. The fix is to not shortcut the call to compHandleMarkedWindows() even in the case of compCheckRedirect() returning an error. CVE-2025-26599, ZDI-CAN-25851 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Acked-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - d09125fb by Olivier Fourdan at 2025-02-25T19:36:29+01:00 composite: initialize border clip even when pixmap alloc fails If it fails to allocate the pixmap, the function compAllocPixmap() would return early and leave the borderClip region uninitialized, which may lead to the use of uninitialized value as reported by valgrind: Conditional jump or move depends on uninitialised value(s) at 0x4F9B33: compClipNotify (compwindow.c:317) by 0x484FC9: miComputeClips (mivaltree.c:476) by 0x48559A: miValidateTree (mivaltree.c:679) by 0x4F0685: MapWindow (window.c:2693) by 0x4A344A: ProcMapWindow (dispatch.c:922) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Uninitialised value was created by a heap allocation at 0x4841866: malloc (vg_replace_malloc.c:446) by 0x4F47BC: compRedirectWindow (compalloc.c:171) by 0x4FA8AD: compCreateWindow (compwindow.c:592) by 0x4EBB89: CreateWindow (window.c:925) by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Conditional jump or move depends on uninitialised value(s) at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) by 0x4F9255: RegionTranslate (regionstr.h:312) by 0x4F9B7E: compClipNotify (compwindow.c:319) by 0x484FC9: miComputeClips (mivaltree.c:476) by 0x48559A: miValidateTree (mivaltree.c:679) by 0x4F0685: MapWindow (window.c:2693) by 0x4A344A: ProcMapWindow (dispatch.c:922) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Uninitialised value was created by a heap allocation at 0x4841866: malloc (vg_replace_malloc.c:446) by 0x4F47BC: compRedirectWindow (compalloc.c:171) by 0x4FA8AD: compCreateWindow (compwindow.c:592) by 0x4EBB89: CreateWindow (window.c:925) by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Conditional jump or move depends on uninitialised value(s) at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) by 0x4F9255: RegionTranslate (regionstr.h:312) by 0x4F9B7E: compClipNotify (compwindow.c:319) by 0x484FC9: miComputeClips (mivaltree.c:476) by 0x48559A: miValidateTree (mivaltree.c:679) by 0x4F0685: MapWindow (window.c:2693) by 0x4A344A: ProcMapWindow (dispatch.c:922) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Uninitialised value was created by a heap allocation at 0x4841866: malloc (vg_replace_malloc.c:446) by 0x4F47BC: compRedirectWindow (compalloc.c:171) by 0x4FA8AD: compCreateWindow (compwindow.c:592) by 0x4EBB89: CreateWindow (window.c:925) by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) by 0x4A25B5: Dispatch (dispatch.c:560) by 0x4B082A: dix_main (main.c:282) by 0x429233: main (stubmain.c:34) Fix compAllocPixmap() to initialize the border clip even if the creation of the backing pixmap has failed, to avoid depending later on uninitialized border clip values. Related to CVE-2025-26599, ZDI-CAN-25851 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Acked-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 826cef82 by Olivier Fourdan at 2025-02-25T19:36:29+01:00 dix: Dequeue pending events on frozen device on removal When a device is removed while still frozen, the events queued for that device remain while the device itself is freed. As a result, replaying the events will cause a use after free. To avoid the issue, make sure to dequeue and free any pending events on a frozen device when removed. CVE-2025-26600, ZDI-CAN-25871 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - e708ad02 by Olivier Fourdan at 2025-02-25T19:36:29+01:00 sync: Do not let sync objects uninitialized When changing an alarm, the change mask values are evaluated one after the other, changing the trigger values as requested and eventually, SyncInitTrigger() is called. SyncInitTrigger() will evaluate the XSyncCACounter first and may free the existing sync object. Other changes are then evaluated and may trigger an error and an early return, not adding the new sync object. This can be used to cause a use after free when the alarm eventually triggers. To avoid the issue, delete the existing sync object as late as possible only once we are sure that no further error will cause an early exit. CVE-2025-26601, ZDI-CAN-25870 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 330b4068 by Olivier Fourdan at 2025-02-25T19:36:29+01:00 sync: Check values before applying changes In SyncInitTrigger(), we would set the CheckTrigger function before validating the counter value. As a result, if the counter value overflowed, we would leave the function SyncInitTrigger() with the CheckTrigger applied but without updating the trigger object. To avoid that issue, move the portion of code checking for the trigger check value before updating the CheckTrigger function. Related to CVE-2025-26601, ZDI-CAN-25870 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit f52cea2f93a0c891494eb3334894442a92368030) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 043a4e95 by Olivier Fourdan at 2025-02-25T19:36:29+01:00 sync: Do not fail SyncAddTriggerToSyncObject() We do not want to return a failure at the very last step in SyncInitTrigger() after having all changes applied. SyncAddTriggerToSyncObject() must not fail on memory allocation, if the allocation of the SyncTriggerList fails, trigger a FatalError() instead. Related to CVE-2025-26601, ZDI-CAN-25870 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit 8cbc90c8817306af75a60f494ec9dbb1061e50db) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - a2c0f84c by Olivier Fourdan at 2025-02-25T19:36:29+01:00 sync: Apply changes last in SyncChangeAlarmAttributes() SyncChangeAlarmAttributes() would apply the various changes while checking for errors. If one of the changes triggers an error, the changes for the trigger, counter or delta value would remain, possibly leading to inconsistent changes. Postpone the actual changes until we're sure nothing else can go wrong. Related to CVE-2025-26601, ZDI-CAN-25870 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit c285798984c6bb99e454a33772cde23d394d3dcd) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - b7f84e6d by Olivier Fourdan at 2025-02-25T19:36:29+01:00 xserver 21.1.16 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> - - - - - 7da78a3d by Emilio Pozuelo Monfort at 2025-02-26T09:56:52+01:00 Merge branch 'upstream-unstable' into debian-unstable - - - - - a477fb5a by Emilio Pozuelo Monfort at 2025-02-26T09:57:58+01:00 New upstream release - - - - - 84691727 by Emilio Pozuelo Monfort at 2025-02-26T10:01:42+01:00 Add CVE numbers - - - - - 3acff7e4 by Emilio Pozuelo Monfort at 2025-02-26T10:03:26+01:00 Drop nettle patch, merged upstream - - - - - 6032994d by Emilio Pozuelo Monfort at 2025-02-26T10:06:50+01:00 Also drop fbdevhw patch - - - - - 5d12459e by Emilio Pozuelo Monfort at 2025-02-26T10:22:22+01:00 Add CVE descriptions - - - - - 88a9bd8d by Emilio Pozuelo Monfort at 2025-02-26T10:22:49+01:00 Release to sid - - - - - 33 changed files: - Xext/sync.c - Xi/xibarriers.c - Xi/xichangehierarchy.c - composite/compalloc.c - configure.ac - debian/changelog - − debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff - debian/patches/series - − debian/patches/xfree86-fbdevhw-fix-pci-detection-on-recent-Linux.patch - dix/devices.c - dix/dispatch.c - dix/enterleave.c - dix/eventconvert.c - dix/main.c - glamor/glamor_program.c - hw/xfree86/common/xf86Configure.c - hw/xfree86/dri2/dri2.c - hw/xfree86/drivers/modesetting/driver.c - hw/xfree86/drivers/modesetting/drmmode_display.c - hw/xfree86/drivers/modesetting/drmmode_display.h - hw/xfree86/drivers/modesetting/present.c - hw/xfree86/fbdevhw/fbdevhw.c - meson.build - os/WaitFor.c - os/access.c - os/connection.c - render/picture.c - test/sync/sync.c - xkb/XKBMAlloc.c - xkb/XKBMisc.c - xkb/xkb.c - xkb/xkbUtils.c - xkb/xkbtext.c The diff was not included because it is too large. View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/44e59feba4ebacf3eb17c99c74f6079901731b24...88a9bd8d9d9b4a24bcc5ccfc4a5d5abded5fbd40 -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/44e59feba4ebacf3eb17c99c74f6079901731b24...88a9bd8d9d9b4a24bcc5ccfc4a5d5abded5fbd40 You're receiving this email because of your account on salsa.debian.org.
