Check for another possible integer overflow once we get a complete xReq
with BigRequest.
Related to CVE-2025-49176
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
(cherry picked from commit 4fc4d76b2c)
Changing XRandR provider properties if the driver has set no provider
function such as the modesetting driver will cause a NULL pointer
dereference and a crash of the Xorg server.
Related to CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 0235121c6a)
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().
To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.
CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 3c3a4b767b)
The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.
To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than an maximum integer value) and
the number of protocol ranges (multiplied by the record length) do not
exceed the maximum integer value.
This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.
CVE-2025-49179
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2bde9ca49a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
When reading requests from the clients, the input buffer might be shared
and used between different clients.
If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client who's
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.
To avoid the issue, make sure we have zero bytes to ignore left in the
input request when sharing the input buffer with another client.
CVE-2025-49178
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit d55c54cecb)
The handler of XFixesSetClientDisconnectMode does not check the client
request length.
A client could send a shorter request and read data from a former
request.
Fix the issue by checking the request size matches.
CVE-2025-49177
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit ab02fb96b1)
The BigRequest extension allows requests larger than the 16-bit length
limit.
It uses integers for the request length and checks for the size not to
exceed the maxBigRequestSize limit, but does so after translating the
length to integer by multiplying the given size in bytes by 4.
In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test.
To avoid the issue, make sure to check that the request size does not
overflow the maxBigRequestSize limit prior to any conversion.
The caller Dispatch() function however expects the return value to be in
bytes, so we cannot just return the converted value in case of error, as
that would also overflow the integer size.
To preserve the existing API, we use a negative value for the X11 error
code BadLength as the function only return positive values, 0 or -1 and
update the caller Dispatch() function to take that case into account to
return the error code to the offending client.
CVE-2025-49176
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 03731b326a)
Animated cursors use a series of cursors that the client can set.
By default, the Xserver assumes at least one cursor is specified
while a client may actually pass no cursor at all.
That causes an out-of-bound read creating the animated cursor and a
crash of the Xserver:
| Invalid read of size 8
| at 0x5323F4: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
| at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
| by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
|
| Invalid read of size 2
| at 0x5323F7: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x8 is not stack'd, malloc'd or (recently) free'd
To avoid the issue, check the number of cursors specified and return a
BadValue error in both the proc handler (early) and the animated cursor
creation (as this is a public function) if there is 0 or less cursor.
CVE-2025-49175
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 0885e0b262)
Xwayland has its own XYToWindow() handler to account for the case when
the pointer leaves an X11 surface to enter another Wayland native
window.
When that occurs, Xwayland will treat it as if the pointer had entered
the root window so that the X11 clients receive an appropriate leave
event.
When the pointer leaves the X11 surface, Xwayland will call
CheckMotion() to update the sprite coordinates and possibly the cursor.
However, if we left the surface with a button down, it means the wayland
compositor has grabbed the pointer so we will not get button release
events from the compositor.
Once the button is released, Xwayland will get a pointer enter event from
the compositor, and Xwayland will clear up the buttons pressed.
But that might confuse Xwayland in thinking the pointer has crossed the
windows and leave the wrong cursor showing in the X11 surface.
To avoid the issue, if buttons are down, do not pretend the cursor has
left the X11 surface for the root window.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1811
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2008>
(cherry picked from commit 8cb078f8b6)
Gets rid of many warnings from `mandoc -T lint` of the form:
mandoc: ./man/Xserver.man:621:7: STYLE: whitespace at end of input line
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2009>
(cherry picked from commit 6dfe3e7db6)
The list of the associated provider's capabilities was always swapped
unconditionally, while it should only be in case of client having
opposite endianess.
Fixes: 4c92eb00f ("randr: add output source setup")
Reported-By: dasha_uwu
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1977>
(cherry picked from commit 73f3c47608)
Clears warning from clang 19.1.7:
render/miindex.c:27:9: warning: macro is not used [-Wunused-macros]
27 | #define _MIINDEX_H_
| ^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1910>
(cherry picked from commit 37b7ea8f8a)
We stopped including this in error messages back in 2008
Clears warning from clang 19.1.7:
os/utils.c:1338:9: warning: macro is not used [-Wunused-macros]
1338 | #define BUGADDRESS BUILDERADDR
| ^
Fixes: ef77e4c44 ("Remove useless commentary from environment and argument processing.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1910>
(cherry picked from commit f988558348)
Clears warning from clang 19.1.7:
test/misc.c:239:12: warning: 'return' will never be executed
[-Wunreachable-code-return]
239 | return 0;
Fixes: 46b579e8d ("test: switch the unit tests to something resembling a test suite")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1910>
(cherry picked from commit d1cc5a599f)
Found by clang 19.1.7:
hw/xfree86/drivers/modesetting/driver.c:163:21:
warning: initializer overrides prior initialization of this subobject
[-Winitializer-overrides]
163 | ._modinfo1_ = MODINFOSTRING2,
| ^~~~~~~~~~~~~~
hw/xfree86/drivers/modesetting/driver.c:162:21:
note: previous initialization is here
162 | ._modinfo1_ = MODINFOSTRING1,
| ^~~~~~~~~~~~~~
Fixes: 2a10eff6c ("xfree86: modsetting: use explicit field initializers for XF86ModuleData")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1910>
(cherry picked from commit 062c339519)
Clears warnings from clang 19.1.7:
test/list.c:95:2: warning: extra ';' outside of a function [-Wextra-semi]
95 | };
| ^
test/list.c:137:2: warning: extra ';' outside of a function [-Wextra-semi]
137 | };
| ^
Fixes: 92788e677 ("test: add some tests for basic list manipulation.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1910>
(cherry picked from commit 3eaa19d74b)
Clears warning from clang 19.1.7:
hw/xfree86/common/xf86DefModeSet.c:288:62:
warning: no newline at end of file [-Wnewline-eof]
288 | const int xf86NumDefaultModes = ARRAY_SIZE(xf86DefaultModes);
| ^
Fixes: 3bf7ff703 ("Size xf86DefaultModes explicitly.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1910>
(cherry picked from commit f9d25189fa)
XDM-AUTHORIZATION-2 (IPv6 capable version of -1) was never merged.
SUN-DES-1 was removed by commit 71b207a2e in 2024
MIT-KERBEROS-5 was removed by commit dfbe32b5b in 2007
Fixes: 71b207a2e ("os: drop SUN-DES-1 authentication")
Fixes: dfbe32b5b ("Remove the old Kerberos 5 authentication code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1913>
(cherry picked from commit 845c4ae518)
Allows nroff to insert a line break between iterm in the font path
instead of displaying it as a single, very overlength line.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1891>
(cherry picked from commit b9c31cc9bc)
This fixes a crash when we try to send focus events and dereference
FollowKeyboardWin (0x3) as WindowPtr.
A device set to XSetDeviceFocus(FollowKeyboard) is supposed to follow
the focus of the corresponding master device. During ActivateKeyboard
a slave device is detached from the master for the duration for the grab
so we don't actually have a master to follow - leaving our oldWin set to
the FollowKeyboardWin constant. This later crashes when we try to
dereference it.
Fix this by getting the current master (if any), or the saved master (if
temporarily detached due to a grab). And if failing that, use the VCK
as fallback device - that is technically wrong but it's such a niche use
case that it shouldn't matter.
Reproducer:
window = XCreateSimpleWindow(...)
deviceid = any device that is IsXExtensionKeyboard device
XSetDeviceFocus(deviceid, FollowKeyboard, ...)
XGrabDevice(deviceid, window, ...)
Fixes: f01ee198ff ("dix: don't use inputInfo.keyboard to get the focus window in ActivateKbdGrab")
Found-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1870>
(cherry picked from commit cab9017485)
The WriteReplyToClient() macro is used for cases where byte swapping
is implemented in a separate callback function (set in a global vector
table). Since Xwl extension doesn't have such a callback, but does the
byte swapping directly in it's request handlers, there's no need to
call the WriteReplyToClient() macro - we can use WriteToClient() instead.
Fixes: 2700bc6045 - xwayland: add support for the XWAYLAND extension
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1878>
(cherry picked from commit c445167da6)
All jobs utilizing kvm (eg. FreeBSD) need the "kvm" runner tag set.
It used to work w/o it, since all runners did have kvm, but in the
new CI there are non-kvm runners, so we really need to set the tag.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1872>
(cherry picked from commit 52c2cb7439)
Use the correct macro for the font change of a single argument or
split the argument into two.
43:.BI Keyboard
46:.BI Pointer
52:.BI PointerAbsolute
58:.BI PointerAbsoluteProximity
62:.BI Touch
103:.BI xf86ITEventWaitForSync
-.-.
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
19:server as input events. It supports the full set of the xf86 driver APIs
20:exposed by Xorg. The primary use cases of this input driver are various
29:is created after the driver is initialized. The paths to the socket is passed
37:Sets the path where the driver will create a named socket. Any existing file
47:Initializes a relative-mode pointer device. It will have four valuators -
53:Initializes an absolute-mode pointer device. It will have four valuators -
87:specifies the protocol version supported by it. If this version is lower than
91:to the driver. Each event is an instance of one of the
93:structs. The length field defines the full length of the struct in bytes and
96:The responses from the server follow the same structure. Each response is an
99:structs. The length field defines the full length of the struct in bytes and
104:event. After sending such event, the client must read of a
106:events. The completion of the read operation indicates that Xorg has fully
-.-.
The name of a man page is typeset in bold and the section in roman
(see man-pages(7)).
24:Please refer to xorg.conf(5) for general configuration
112:Xorg(1), xorg.conf(5), Xserver(1), X(7)
-.-
Additionally:
"read of a xf86... event" -> "read an xf86... event"
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095449
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit bcf743f356)
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
Mark a final abbreviation point as such by suffixing it with "\&".
25:Disables acceleration of uploading pixmap data to the framebuffer. Default: No.
-.-.
Split a punctuation mark from a single argument for a two-font macro
40:.BR xorg.conf(5).
-.-.
Section headings (.SH and .SS) do not need quoting.
38:.SH "SEE ALSO"
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z ":
an.tmac:<stdin>:40: misuse, warning: .BR is for at least 2 arguments, got 1
Use macro '.B' for one argument or split argument.
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095446
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit 49378eb510)
Output from "mandoc -T lint Xserver.1": (possibly shortened list)
mandoc: Xserver.1:117:4: WARNING: undefined escape, printing literally: \+
mandoc: Xserver.1:118:81: STYLE: input text line longer than 80 bytes: Allow connections fr...
mandoc: Xserver.1:122:84: STYLE: input text line longer than 80 bytes: Prohibit connections...
Add a comma (or \&) after "e.g." and "i.e.", or use English words
(man-pages(7)).
81:sets pointer acceleration (i.e. the ratio of how much is reported to how much
273:sets pointer acceleration threshold in pixels (i.e. after how many pixels
468:contain either an Internet hostname (e.g. expo.lcs.mit.edu)
Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
Xserver.1: line 118 length 81
Allow connections from clients with an endianess different to that of the server.
Xserver.1: line 122 length 84
Prohibit connections from clients with an endianess different to that of the server.
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072500
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit 359d12aa0b)
Wrong distance between sentences.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
Split lines longer than 100 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
"[" and "]", showing optional arguments to options, should be typeset in roman.
Output from "test-groff -b -mandoc -dAD=l -rF0 -rHY=0 -t -w w -z -rSTYLECHECK=3":
an.tmac:<stdin>:104: style: .BI expects at least 2 arguments, got 1
troff: backtrace: '/home/bg/git/groff/build/s-tmac/an.tmac':524: macro 'B'
troff: backtrace: file '<stdin>':167
troff:<stdin>:167: warning: cannot select font 'F'
Originally from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041094
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1875>
(cherry picked from commit 056b447a33)
xtrans 1.6 will use struct sockaddr_storage if HAVE_STRUCT_SOCKADDR_STORAGE
is defined, even if IPv6 is disabled, unlike previous versions which tied
it to the IPv6 #define.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1864>
(cherry picked from commit 4b5d410591)
Grabbing a disabled (pointer) device will lead to a segfault later
in the myriad of places where we look at the device's spriteInfo - which
will be NULL.
As a workaround, disallow grabbing a disabled device by pretending it's
already grabbed. Since the point of a grab is to receive all events by
that device and disabled devices cannot send events, this should be Good
Enough.
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1856>
(cherry picked from commit 797f63b8be)
Currently each driver build job also builds the server. This is bad use
of resources because server build takes way more resources compared to a
driver build. Reusing already built xserver would resolve the issue.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1806>
(cherry picked from commit 68054d0fe3)
This ensures that the pkg-config files installed to
xserver-tarball/install will have correct paths. This is needed so that
xf86-driver-build-test will be able to reuse this installation of
xserver. It will be passed to that job via artifacts (subsequent
commits)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1806>
(cherry picked from commit f7d2e810ba)
