IgnoreABI option is kept in a single bit of an unsigned long variable
LoaderOptions that has no other use.
This patch replaces it with a variable named LoaderIgnoreAbi
and a proc for setting it.
Inspired by b61b35a0b3
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
This is a proprietary DDX driver made by nvidia.
We can't rebuild it against Xlibre, so the abi check would always fail.
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Add matching call for xf86_cursors_init to clean memory, as during
initialization it allocates memory (depends, but is something like ~256Kb)
and it leaks when XServer resets.
Signed-off-by: Tautvis <gtautvis@gmail.com>
Yet another very internal function that the proprietary Nvidia driver
is using for unknown reasons. NVidia really needs a separate function
just for some trivial struct initialization and doesn't manage to
add three simple lines to their code, so we have to make an extra
function for them.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Yet another very internal function that the proprietary Nvidia driver
is using for unknown reasons.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
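
The truncation described in the CVE-2025-62231 commit message above, as an added example that is not the xserver code or part of the commit: a simplified stand-in for the two XkbCompatMap counters, with the unchecked store beside a checked one. The struct, the function names and the 16-bit parameter types are assumptions made for illustration; the inputs are constructed.

```c
#include <limits.h>
#include <stdio.h>

#define SUCCESS   0
#define BAD_VALUE 2   /* numeric value of the X11 BadValue error code */

/* Simplified stand-in for XkbCompatMap: only the two 16-bit counters. */
struct compat_map {
    unsigned short num_si;
    unsigned short size_si;
};

/* Unchecked variant: the sum is computed as int, then silently truncated
 * to 16 bits when stored, so the recorded count can be far too small. */
static int set_si_unchecked(struct compat_map *m,
                            unsigned short first_si, unsigned short n_si)
{
    m->num_si = m->size_si = (unsigned short)(first_si + n_si);
    return SUCCESS;
}

/* Checked variant: refuse any request whose sum does not fit the field. */
static int set_si_checked(struct compat_map *m,
                          unsigned short first_si, unsigned short n_si)
{
    unsigned int sum = (unsigned int)first_si + n_si;

    if (sum > USHRT_MAX)
        return BAD_VALUE;          /* map is left untouched */
    m->num_si = m->size_si = (unsigned short)sum;
    return SUCCESS;
}

int main(void)
{
    struct compat_map m = { 0, 0 };

    /* Constructed input: 65000 + 1000 = 66000, which wraps to 464. */
    set_si_unchecked(&m, 65000, 1000);
    printf("unchecked: num_si=%u\n", m.num_si);

    m.num_si = m.size_si = 0;
    printf("checked:   rc=%d num_si=%u\n",
           set_si_checked(&m, 65000, 1000), m.num_si);
    return 0;
}
```
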
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:
| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Currently, the resource is only available to the xkb.c source file.
In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.
This is related to:
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.
However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.
When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.
As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:
| Invalid write of size 8
| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
| by 0x534A56: present_destroy_window (present_screen.c:107)
| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
| by 0x4EAC55: FreeWindowResources (window.c:1023)
| by 0x4EAF59: DeleteWindow (window.c:1091)
| by 0x4DE59A: doFreeResource (resource.c:890)
| by 0x4DEFB2: FreeClientResources (resource.c:1156)
| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
| by 0x5DCC78: ClientReady (connection.c:603)
| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
| at 0x4841E43: free (vg_replace_malloc.c:989)
| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
| by 0x53638D: present_create_notifies (present_notify.c:100)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
| by 0x5362A1: present_create_notifies (present_notify.c:81)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
To fix the issue, count and remove the actual number of notify elements
added in case of error.
CVE-2025-62229, ZDI-CAN-27238
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
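
The cleanup miscount described in the CVE-2025-62229 commit message above, as an added example that is not the xserver code or part of the commit: a toy model in which a failed lookup triggers cleanup, once with the index of the last linked record and once with the actual count. All names (window_list, create_notifies, count_actual) are hypothetical and the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model: one window keeps pointers to the notify records linked to it. */
struct notify { int window_id; };
static struct notify *window_list[16];
static int window_list_len;

static void link_notify(struct notify *n) { window_list[window_list_len++] = n; }

static void unlink_notify(struct notify *n)
{
    for (int i = 0; i < window_list_len; i++)
        if (window_list[i] == n) {
            window_list[i] = window_list[--window_list_len];
            return;
        }
}

/* Builds n notifies (1 <= n <= 16); a negative id models a failed window
 * lookup. Returns how many pointers into the freed array are still in
 * window_list afterwards (0 is the safe result). */
static int create_notifies(const int *ids, int n, int count_actual)
{
    struct notify *arr = calloc((size_t)n, sizeof *arr);
    int added = 0, ok = 1;
    window_list_len = 0;
    if (!arr) return -1;
    for (int i = 0; i < n; i++) {
        if (ids[i] < 0) { ok = 0; break; }   /* error before linking */
        arr[i].window_id = ids[i];
        link_notify(&arr[i]);
        /* fixed: count of linked records; flawed: index of the last one */
        added = count_actual ? added + 1 : i;
    }
    if (ok) added = n;                       /* normal teardown in this demo */
    for (int i = 0; i < added; i++)
        unlink_notify(&arr[i]);
    free(arr);
    return window_list_len;   /* leftovers dangle; never dereferenced here */
}

int main(void)
{
    const int ids[] = { 1, 2, -1 };          /* constructed: third lookup fails */
    int flawed = create_notifies(ids, 3, 0), fixed = create_notifies(ids, 3, 1);
    printf("dangling pointers: flawed=%d fixed=%d\n", flawed, fixed);
    return 0;
}
```
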
Call DeleteCallbackList(&pScreen->hookPostCreateResources) during
dixFreeScreen, because otherwise it will be heap-use-after-free during
DeleteCallbackManager call.
Signed-off-by: Tautvis <gtautvis@gmail.com>
For cpu_family(), meson returns "sparc" for 32-bit sparc,
and "sparc64" for 64-bit sparc, regardless of the OS in use.
For cpu(), meson returns values like "sun4v" on Solaris/SPARC,
and doesn't promise stability of the values, or portability across
OS'es, unlike cpu_family().
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2070>
Removing the namespace assignment of killed clients in ClientState-hook
is too early - we still need it later. Using the new ClientDestroyCallback
instead.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Existing client-state hook isn't sufficient for this, and so easy to
be extended cleanly (*1). Adding a new callback is trivial and cheap,
so preferring this way, instead of trying to tweak the existing hook
for something it's never been designed for.
*1) see discussion here: https://github.com/X11Libre/xserver/pull/1077
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
f.d.o is failing too often in recent times, so switching to our
own mirrors at github.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Fix pedantic warnings:
> ../include/os.h:144:71: warning: ISO C does not allow extra ‘;’ outside of a function [-Wpedantic]
> 144 | XNFalloc(unsigned long /*amount */ ) __attribute__((returns_nonnull));;
> ../include/os.h:158:76: warning: ISO C does not allow extra ‘;’ outside of a function [-Wpedantic]
> 158 | XNFcallocarray(size_t nmemb, size_t size) __attribute__((returns_nonnull));;
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Now that the test suite has been fixed to work on the CI, we no longer
need (and should) ignore broken test runs.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The MacOS build is suddenly missing xvfb-run, which did work up until a few hours ago.
Therefore, make a quick workaround, until the situation is clearly resolved.
The only impact is that some XTS tests (which are ignored on MacOS anyways)
might not work properly.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Make sure the release message won't be created when build jobs on the
release tag didn't succeed.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The GLES tests need an actual GPU (/dev/dri/* device), which is not available
within github CI runners, so we need to skip those when running there.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
We need to run the Xts build inside Xvfb, because it needs a running
Xserver for creating tetexec.cfg.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Run various common checking commands like xdpyinfo, xvinfo, etc
on both Xvfb directly, as well as Xephyr inside Xvfb.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The triangles test of rendercheck is known to be (partially) broken on Xephyr,
since it doesn't fully support transparency (eg. a8 surfaces).
Therefore make it optional, so we're not spammed too much by false alarms.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Several sites we need to clone our dependencies from (eg. freedesktop.org)
have pretty unreliable servers, so our CI jobs often fail just because
of temporary clone failure.
Therefore adding a separate cloning script, which is more clever with automatic
retries, but it also tries to keep the traffic low (eg. trying shallow clones
if possible) and automatically detecting whether we're pulling a ref or a
direct commit.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Also store the piglit results into the build artifacts, so we can now
easily look at them later.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
We've been adding the individual sub-packet's payload bytes *after*
the swapping, which is leading to totally wrong sizes.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>