This touches everything that ends up in the Xorg binary; the big missing
part is GLX since that's all generated code. Cuts about 14k from the
binary on amd64.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Commit 6045506be0 changed back
the behavior to only allow the trusted extensions to the untrusted clients,
but left the 8b5d21cc1d
comment intended for Security*Un*trustedExtensions saying that
"untrusted clients shouldn't have access to these".
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Ángel González <ingenit@zoho.com>
XID may be either 'unsigned long' or 'unsigned int' depending on:
typedef unsigned long CARD64;
typedef unsigned int CARD32;
typedef unsigned long long CARD64;
typedef unsigned long CARD32;
typedef unsigned long XID;
typedef CARD32 XID;
so when building with -Wformat, we get some warnings that are benign. This silences them.
security.c:215:52: warning: format specifies type 'int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
SecurityAudit("revoked authorization ID %d\n", pAuth->id);
~~ ^~~~~~~~~
%lu
CC dpmsstubs.lo
security.c:553:25: warning: format specifies type 'int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
client->index, pAuth->id, pAuth->trustLevel, pAuth->timeout,
^~~~~~~~~
security.c:553:55: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long')
[-Wformat,Format String Issue]
client->index, pAuth->id, pAuth->trustLevel, pAuth->timeout,
^~~~~~~~~~~~~~
security.c:554:10: warning: format specifies type 'int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
pAuth->group, eventMask);
^~~~~~~~~~~~
security.c:554:24: warning: format specifies type 'int' but the argument has type 'Mask' (aka 'unsigned long')
[-Wformat,Format String Issue]
pAuth->group, eventMask);
^~~~~~~~~
security.c:781:19: warning: format specifies type 'unsigned int' but the argument has type 'Mask' (aka 'unsigned
long')
[-Wformat,Format String Issue]
requested, rec->id, cid,
^~~~~~~~~
security.c:781:30: warning: format specifies type 'unsigned int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
requested, rec->id, cid,
^~~~~~~
security.c:863:23: warning: format specifies type 'unsigned int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
rec->pWin->drawable.id, wClient(rec->pWin)->index,
^~~~~~~~~~~~~~~~~~~~~~
security.c:893:31: warning: format specifies type 'unsigned int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
rec->pWin->drawable.id,
^~~~~~~~~~~~~~~~~~~~~~
security.c:915:39: warning: format specifies type 'unsigned int' but the argument has type 'XID' (aka 'unsigned long')
[-Wformat,Format String Issue]
rec->client->index, rec->pWin->drawable.id,
^~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
There's no XPrint extension (anymore).
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
If a RetainPermanent client is subsequently killed by a KillClient
request, the reference count is decremented twice. This can cause the
server to prematurely kill other clients using the same Authorization.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Peter Harris <pharris@opentext.com>
Create extinit.h (and xf86Extensions.h, for Xorg-specific extensions) to
hold all our extension initialisation prototypes, rather than
duplicating them everywhere.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
INITARGS was a hardcoded define to void. Since knowing the function
signature for your extensions is kinda useful, just replace it with a
hardcoded void, but leave the define there for API compatibility.
Signed-off-by: Tomas Carnecky <tom@dbservice.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Cyril Brulebois <kibi@debian.org>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
Casting return to (void) was used to tell lint that you intended
to ignore the return value, so it didn't warn you about it.
Casting the third argument to (char *) was used as the most generic
pointer type in the days before compilers supported C89 (void *)
(except for a couple places it's used for byte-sized pointer math).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
gcc was warning from storing string constants in a char *name field:
auth.c:64:1: warning: initialization discards qualifiers from pointer target type
auth.c:72:1: warning: initialization discards qualifiers from pointer target type
auth.c:81:1: warning: initialization discards qualifiers from pointer target type
Making the field const requires changing AuthorizationFromID to take
a const char ** pointer for the name argument which it sets to point
to the matching name entry.
Changing that argument requires changing its sole caller in the security
extension to pass the address of a const char * variable to it, which it
can do, since the only thing it does with the returned name is to pass
it back to the RemoveAuthorization function that already expects a const
char *name.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
The record extension needs the major and minor opcodes in the reply
hook, but the request buffer may have been freed by the time the hook
is invoked. Saving the request major and minor codes as the request is
executed avoids fetching from the defunct request buffer.
This patch also eliminates the public MinorOpcodeOfRequest function,
inlining it into Dispatch. Usages of that function have been replaced
with direct access to the new ClientRec field.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Also, fix whitespace, mainly around
swaps(&rep.sequenceNumber)
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
The definition of rClient was duplicated across three source files, so
move it to resource.h.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Fixes OpenSolaris bug 6949754:
Xorg crashes when the magnifier is enabled at gdm login greeter window.
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6949754
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
This patch was generated by the following Perl code:
perl -i -pe 's/([^_])return\s*\(\s*([^(]+?)\s*\)s*;(\s+(\n))?/$1return $2;$4/g;'
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
This patch has been generated by the following Coccinelle semantic patch:
@@
expression E;
@@
-if(E) { free(E); }
+free(E);
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Reviewed-by: Matt Turner <mattst88@gmail.com>
This patch only changes the API, not the implementation of the
devPrivates infrastructure. This will permit a new devPrivates
implementation to be layed into the server without requiring
simultaneous changes in every devPrivates user.
Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com>
TryClientEvents already did this; this commit just moves the assignment
one level down so that no event source has to worry about sequence
numbers.
...No event source, that is, except XKB, which inexplicably calls
WriteToClient directly for several events.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This matches the test in TryClientEvents, and is a superset of tests
done by the callers of these functions. The consequence of forgetting
these tests is a server crash, so they're always desirable. In my
opinion, it's better to not require the callers to remember to do these
checks.
For callers that don't do very much work before calling WriteToClient or
WriteEventsToClient, I've removed the redundant checks.
hw/xquartz/xpr/appledri.c has an interesting case: While its check for
"client == NULL" appears redundant with the test in WriteEventsToClient,
it dereferences client to get the sequence number.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=27497
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Just let Dispatch() check for a noClientException, rather than making
every single dispatch procedure take care of it.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Convert all calls of CreateNewResourceType to pass name argument
Breaks DIX ABI.
ABI versions bumped:
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
include/protocol-versions.h specifies each extension version as supported by
the server and sent back on the wire to the client.
This fixes up several issues with the server potentially reporting a higher
version of the protocol if recompiled against a newer version of the
protocol.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Rémi Cardona <remi@gentoo.org>
Acked-by: Julien Cristau <jcristau@debian.org>
Previously, three extensions were defined as "trusted" by the extension:
BIG-REQUESTS, XC-MISC, and XPrint. No other extensions were permitted
to be used by untrusted clients.
In commit 8b5d21cc1d this was changed for
some reason. Return to the old, compatible behavior.
dixLookupResource attempted to automatically detect whether the caller
wanted a lookup by-type or by-class, unfortunately, it guessed wrong for
RT_NONE. Instead of trying to make the guess better, this patch just reverts
the unification and creates separate functions for each operation.
Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
To recap: the original XC-SECURITY extension disallowed background "None" if
the window was untrusted. XACE 1.0 preserved this check as a hook function.
XACE pre-2.0 removed the hook and first abolished background "None entirely,
then restored it as a global on/off switch in response to Bug #13683.
Now it's back to being per-window, via a flag instead of a hook function.
