XF86_MODULE_DATA_INPUT() creates XF86ModuleData field for input driver,
while XF86_MODULE_DATA_VIDEO creating one for a video driver.
These are filled with given values, _X_EXPORT'ed and properly named so
the module loader can find them. Also creating the associated
XF86ModuleVersionInfo field and link them into the XF86ModuleData.
Example:
XF86_MODULE_DATA_INPUT(
egalax,
eGalaxPlug,
eGalaxUnplug,
"egalax",
PACKAGE_VERSION_MAJOR,
PACKAGE_VERSION_MINOR,
PACKAGE_VERSION_PATCHLEVEL);
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Reduce the effort of declaring/filling an video driver's module version
struct to short statement like this:
XF86_MODULE_VERSION_VIDEO("ati",
PACKAGE_VERSION_MAJOR,
PACKAGE_VERSION_MINOR,
PACKAGE_VERSION_PATCHLEVEL);
This will create a properly filled XF86ModuleVersionInfo structure
named `modInfo`.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Reduce the effort of declaring/filling an input driver's module version
struct to short statement like this:
XF86_MODULE_VERSION_INPUT("egalax",
PACKAGE_VERSION_MAJOR,
PACKAGE_VERSION_MINOR,
PACKAGE_VERSION_PATCHLEVEL);
This will create a properly filled XF86ModuleVersionInfo structure
named `modInfo`.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This once was needed on including xf86driproto.h, but these day
have gone now for aeons.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
in the future, input and video drivers should reside in separate
sub-directories. still supporting the old dirs until ABI 26.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
That variable is supposed to be used by drivers to query the path to
the xserver config directory (eg /etc/X11/xorg.conf.d), if they have
to install config snippets. It's supposed to replace / phase-out the
sysconfigdir variable, which has a bit misleading name.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Mixing result variables for separate things is making the code hard
to understand, so add a new local variable for temporarily storing
the result of ReadRequestFromClient().
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This patch reexports a symbol needed by NVidia 340 driver and adds
its "wrapped" version for libwfb to prevent XServer crashes.
Signed-off-by: Oleh Nykyforchyn <oleh.nyk@gmail.com>
winsock2.h needs to be included before windows.h
> /usr/share/mingw-w64/include/winsock2.h:15:2: error: #warning Please include winsock2.h before windows.h [-Werror=cpp]
> 15 | #warning Please include winsock2.h before windows.h
> | ^~~~~~~
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
We're not using gitlab anymore (and the CI config there is totally
unmaintained), so better move the scripts to the right place.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
the target struct type defines char* fields, but we're sure they'll
never be written into, so just add typecast for silencing the warning.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
IgnoreABI option is kept in a single bit of an unsigned long variable
LoaderOptions that has no other use.
This patch replaces it with a variable named LoaderIgnoreAbi
and a proc for setting it.
Inspired by b61b35a0b3
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
This is a proprietary DDX driver made by nvidia.
We can't rebuild it against Xlibre, so the abi check would always fail.
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Add matching call for xf86_cursors_init to clean memory, as during
initialization it allocates memory (depends, but is something like ~256Kb)
and it leaks when XServer resets.
Signed-off-by: Tautvis <gtautvis@gmail.com>
Yet another very internal function that the proprietary Nvidia driver
is using for unknown reasons. NVidia really needs a separate function
for just for some trivial struct initialization and don't manage to
add three simple lines to their code, so we have to make an extra
function for them.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Yet another very internal function that the proprietary Nvidia driver
is using for unknown reasons.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:
| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Currently, the resource in only available to the xkb.c source file.
In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.
This is related to:
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.
However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.
When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.
As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:
| Invalid write of size 8
| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
| by 0x534A56: present_destroy_window (present_screen.c:107)
| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
| by 0x4EAC55: FreeWindowResources (window.c:1023)
| by 0x4EAF59: DeleteWindow (window.c:1091)
| by 0x4DE59A: doFreeResource (resource.c:890)
| by 0x4DEFB2: FreeClientResources (resource.c:1156)
| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
| by 0x5DCC78: ClientReady (connection.c:603)
| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
| at 0x4841E43: free (vg_replace_malloc.c:989)
| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
| by 0x53638D: present_create_notifies (present_notify.c:100)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
| by 0x5362A1: present_create_notifies (present_notify.c:81)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
To fix the issue, count and remove the actual number of notify elements
added in case of error.
CVE-2025-62229, ZDI-CAN-27238
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Call DeleteCallbackList(&pScreen->hookPostCreateResources) during
dixFreeScreen, because otherwise it will be heap-use-after-free during
DeleteCallbackManager call.
Signed-off-by: Tautvis <gtautvis@gmail.com>
