CVE-2020-14346 / ZDI-CAN-11429
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
This touches everything that ends up in the Xorg binary; the big missing
part is GLX since that's all generated code. Cuts about 14k from the
binary on amd64.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
The previous code only worked when the barrier was created by the same client
as the one calling XIChangeDeviceHierarchy.
http://bugzilla.redhat.com/show_bug.cgi?id=1384432
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniels@collabora.com>
xichangehierarchy.c:424:23: warning: comparison of constant 536870911 with expression of type 'uint16_t'
(aka 'unsigned short') is always false [-Wtautological-constant-out-of-range-compare,Semantic Issue]
if (stuff->length > (INT_MAX >> 2))
~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
xichangehierarchy.c:438:26: warning: comparison of constant 536870911 with expression of type 'uint16_t'
(aka 'unsigned short') is always false [-Wtautological-constant-out-of-range-compare,Semantic Issue]
if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xi/xichangehierarchy.c
Small conflict with the patch from
Xi: don't use devices after removing them
Was easily resolved by hand.
Signed-off-by: Keith Packard <keithp@keithp.com>
RemoveDevice() frees the DeviceIntPtr, we shouldn't use the pointer after
that
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
The formatter confused address operators preceded by casts with
bitwise-and expressions, placing spaces on either side of both.
That syntax isn't used by ordinary address operators, however,
so fix them for consistency.
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Devices are unpaired as needed on DisableDevice now.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
If the typedef wasn't perfect, indent would get confused and change:
foo = (SomePointlessTypedef *) &stuff[1];
to:
foo = (SomePointlessTypedef *) & stuff[1];
Fix this up with a really naïve sed script, plus some hand-editing to
change some false positives in XKB back.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
It doesn't return anything, nor does it's caller expect it to.
Fixes Solaris Studio compiler error:
"xichangehierarchy.c", line 214: Function has no return statement : disable_clientpointer
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
if a client had the to-be-removed device as ClientPointer, reset to NULL.
Fixes#43165
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Swapping the wrong size was never caught because swap{l,s} are macros.
It's clear in the case of Xext/xres.c, that the author believed
client_major/minor to be CARD16 from looking at the code in the first
hunk.
v2: dmx.c fixes from Keith.
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Also, fix whitespace, mainly around
swaps(&rep.sequenceNumber)
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Grabbing an SD device temporary floats the device but we must not release
the buttons. Introduced in
commit 9d23459415
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri Feb 25 11:08:19 2011 +1000
dix: release all buttons and keys before reattaching a device (#34182)
X.Org Bug 36146 <http://bugs.freedesktop.org/show_bug.cgi?id=36146>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Conditional jump or move depends on uninitialised value(s)
at 0x4357A1: GetEventMask (events.c:454)
by 0x43B9E8: DeliverEventsToWindow (events.c:2029)
by 0x4E0C59: SendEventToAllWindows (exevents.c:2125)
by 0x4E8301: XISendDeviceHierarchyEvent (xichangehierarchy.c:118)
by 0x426F99: DisableDevice (devices.c:507)
by 0x46BF72: xf86Wakeup (xf86Events.c:457)
by 0x432ABA: WakeupHandler (dixutils.c:419)
by 0x45B708: WaitForSomething (WaitFor.c:235)
by 0x42E8D9: Dispatch (dispatch.c:367)
by 0x422DC9: main (main.c:287)
Uninitialised value was created by a stack allocation
at 0x4E8190: XISendDeviceHierarchyEvent (xichangehierarchy.c:61)
Conditional jump or move depends on uninitialised value(s)
at 0x43BB78: DeliverEventsToWindow (events.c:2010)
by 0x4DDEEA: FindInterestedChildren (exevents.c:2103)
by 0x4DDEFF: FindInterestedChildren (exevents.c:2104)
by 0x4DDEFF: FindInterestedChildren (exevents.c:2104)
by 0x4DDEFF: FindInterestedChildren (exevents.c:2104)
by 0x4DDEFF: FindInterestedChildren (exevents.c:2104)
by 0x4E0C6F: SendEventToAllWindows (exevents.c:2127)
by 0x4E8301: XISendDeviceHierarchyEvent (xichangehierarchy.c:118)
by 0x426F99: DisableDevice (devices.c:507)
by 0x46BF72: xf86Wakeup (xf86Events.c:457)
by 0x432ABA: WakeupHandler (dixutils.c:419)
by 0x45B708: WaitForSomething (WaitFor.c:235)
Uninitialised value was created by a stack allocation
at 0x4E8190: XISendDeviceHierarchyEvent (xichangehierarchy.c:61)
Set the type of dummyDev to SLAVE. The jump listed above comes from a check
to IsMaster() in GetEventMask() that would then set the
XIAllMasterDevices mask.
Hierarchy events can only be set for XIAllDevices so the above IsMaster()
check had no effect and the device type doesn't really matter anyway beyond
shuting up valgrind.
Also initialize dummyDev to 0 to ease future debugging.
X.Org Bug 36120 <http://bugs.freedesktop.org/show_bug.cgi?id=36120>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
When system is out of memory, calloc can fail returning a NULL pointer.
Check for this before dereferencing it, and bail out if it fails.
Ref.: https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/720445
Signed-off-by: Bryce Harrington <bryce@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
When getting close to the MAXDEVICES limit, the creation of XTEST devices
may fail due to device id exhaustion. In that case, fail the creation of
master devices too and return an error to the client.
Theoretically, we could alloc the MDs without the XTEST devices but that
will get interesting when a client starts sending XTEST events through those
devices.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
They were named ptr when everything was in one function to save one more
variable. Now that the stuff is split out, "dev" makes more sense.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
No functional changes, just code cleanup to improve readability.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
This patch corrects a misnaming of XTest-related functions.
The extension itself announces itself as XTEST. Xtst is the library name
itself, but all library functions are prefixed by XTest. Same with the
naming in the server.
- Rename all *Xtst* functions to *XTest* for consistency with the library
and in-server API.
- Rename the "Xtst device" property to "XTEST device" for consistency with
the extension naming.
- Rename the device naming to "<master device name> XTEST device". The
default xtest devices become "Virtual core XTEST pointer" and "Virtual
core XTEST keyboard".
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
The extern declaration in xichangehierarchy.c was broken anyway.
This fixes a crash on creating a new master device.
Reported-by: Maxim Levitsky
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Rather than storing a simple boolean in the devPrivate for XTest devices,
store the actual master device's id (since it is constant for the life of
the device anyway).
Callers should use GetXtstDevice now instead of digging around in the
devPrivates themselves.
This patch allows for a cleanup in the creation of new master devices since
GetMaster and GetXtstDevice spare the need for loops, IsPointer checks and
similar.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Benjamin Close <Benjamin.Close@clearchain.com>
The callers should need to use the dev privates key to look up xtest
devices.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Benjamin Close <Benjamin.Close@clearchain.com>
New access modes are being passed to the device access hook for XI2:
DixCreateAccess for creating a new master device;
DixAdd/RemoveAccess for attaching/removing slave devices to a master; and
DixListProp/GetProp/SetPropAccess for device properties.
Refer to the XACE-Spec document in xorg-docs, section "Device Access."
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Note: ABI break, but ABI_XINPUT_VERSION has NOT been bumped. Recompile input
drivers.
Revert "Xi: return BadImplementation for deviceids 256 and above"
This reverts commit 2b459f44f3.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Some files (notably those merged with MPX before XI2 came along) didn't use
a 'xi' prefix. This patch changes all of them to meaningful names.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Matthieu Herrb
Nathan Kidd
Adam Jackson
Peter Hutterer
Jeremy Huddleston Sequoia
Alan Coopersmith
Keith Packard
Yaakov Selkowitz
Daniel Stone
Matt Turner
Bryce Harrington
Mikhail Gusarov
Eamon Walsh