When running rootful, i.e. as a regular Wayland client, Xwayland needs
to wait for the initial configure event before posting its initial
buffer and commit the surface.
Not doing so may cause mutter to log a warning when Xwayland is started
rootful:
| Buggy client (org.freedesktop.Xwayland) committed initial non-empty
| content without acknowledging configuration, working around.
Or running rootful with libdecor:
| Client provided invalid window geometry for xdg_surface#nn
| (org.freedesktop.Xwayland - Wnn (Xwayland on :nn)). Working around.
|
| Buggy client (org.freedesktop.Xwayland) committed initial non-empty
| content without acknowledging configuration, working around.
This is actually mutter being nice, as this should be treated as a
protocol error and Xwayland would be terminated.
To avoid the issue, we need to hold on attaching a buffer and committing
the surface until we actually get the first configure event from the
compositor.
That, however, only applies to rootful mode, so we can leave the default
code path for rootless untouched.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1853
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
v2: commit the surface after attaching the first buffer on configure
event only for the initial configure (Michel Dänzer).
v3: return early in present flip if we didn't get the initial configure
event (Michel Dänzer).
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2110>
(cherry picked from commit 37f59e1a4d)
Up to the native mode, as reported by the wl_output protocol.
This ensures that fullscreen apps can always use the native mode.
Also ensure the root window is large enough for the output at its
current position with the native mode.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2095>
(cherry picked from commit d339284006)
In the rootless case, Xwayland receives pointer motion events only while
the pointer is over one of its Wayland surfaces, so there's no need for
constraining them to RandR boundaries.
This also avoids them getting spuriously constrained when using RandR
emulation for modes larger than the default one.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2095>
(cherry picked from commit dcfba8a9bd)
Always add it as the first mode, which makes it considered the preferred
mode per the RandR protocol.
Mark the logical mode as currently set.
v2:
* Drop change in xwl_window_should_enable_viewport which seems
unnecessary and coult result in a crash. (Olivier Fourdan)
* Use 'native' instead of 'actual'.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2095>
(cherry picked from commit 288dcb3128)
When compiling with gcc 15.2.0 using -O3 -m64 on Solaris SPARC & x64,
we'd get a test failure of:
Assertion failed: strcmp(logmsg, expected) == 0,
file ../test/signal-logging.c, line 339, function logging_format
because 'num *= 1' produced a value that was out of the range of the
int64_t it was being stored in. (Compiling with -O2 worked fine with
the same compiler/configuration/platform though.)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2117>
(cherry picked from commit 7f68b58865)
In `Fopen` function variable `iop` may store NULL as a result of `fopen`
call. In this case, if later privileges couldn't be restored (`seteuid`
call fails), further `fclose(iop)` call will cause runtime error.
This commit adds check `iop` for NULL before calling `fclose` to prevent
potential NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2115>
(cherry picked from commit f83807647e)
Xwayland was sending incorrect pointer coordinates to X clients on
pointer enter events.
This was caused by calling CheckMotion() with a NULL event, which
prevented the pointer sprite hot coordinates from being updated
properly.
Fix this by constructing a proper DeviceEvent of type ET_Enter in
pointer_handle_enter, initializing it with the current timestamp
and EVENT_SOURCE_FOCUS, and passing it to CheckMotion() instead
of NULL.
This ensures the pointer sprite coordinates are correctly updated
when the pointer enters a window.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2113>
(cherry picked from commit 7fb5e00ad8)
dixLookupResourceByType always overwrites the pointer passed in as the
first arg, so we shouldn't use the union it's in after that to get the
requested XID value to put in the errorValue.
Closes: #1857
Fixes: 2d7eb4a19 ("Pre-validate ChangeGC XIDs.")
Reported-by: Mouse <mouse@Rodents-Montreal.ORG>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2111>
(cherry picked from commit ac42c39145)
The old code tried to use a screen pointer that was uninitialized and set to NULL.
This caused it to segfault when this option was set.
When this option was used with the modesetting driver, `glamor_egl_init`
is called indirectly in the driver PreInit proc.
`xf86ScrnToScreen(scrn)` then returns NULL.
This patch moves setting the gl vendor later in the initialization process,
when we already have a non-null pScreen.
Minimal reproducer:
```
$ cat /etc/X11/xorg.conf.d/99-screen.conf
Section "Screen"
Identifier "Default"
Option "GlxVendorLibrary" "Name"
EndSection
```
Backtrace:
```
| #0 in abort ()
| #1 in OsAbort () at os/utils.c:1361
| #2 in AbortServer () at os/log.c:879
| #3 FatalError () at os/log.c:1017
| #4 in OsSigHandler () at os/osinit.c:156
| #5 OsSigHandler () at os/osinit.c:110
| #6 <signal handler called>
| #7 in __pthread_kill_implementation () from /lib64/libc.so.6
| #8 in raise () from /lib64/libc.so.6
| #9 in abort () from /lib64/libc.so.6
| #10 in __assert_fail_base.cold () from /lib64/libc.so.6
| #11 in xf86ScrnToScreen () at hw/xfree86/common/xf86Helper.c:1734
| #12 in glamor_egl_init () at glamor/glamor_egl.c:1108
| #13 in try_enable_glamor () at hw/xfree86/drivers/modesetting/driver.c:984
| #14 PreInit () at hw/xfree86/drivers/modesetting/driver.c:1211
| #15 in InitOutput () at hw/xfree86/common/xf86Init.c:478
| #16 in dix_main () at dix/main.c:190
| #17 main () at dix/stubmain.c:34
```
Fixes: a449bb4c5 - glamor_egl: add support of GlxVendorLibrary option
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2096>
(cherry picked from commit eccee47185)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_render.c:1577:21:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
(cherry picked from commit 6a4ec30af4)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_dash.c:152:10:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
(cherry picked from commit c6522229b8)
We know that if gc->tileIsPixel is false, then gc->tile.pixmap must be
a valid pixmap, but gcc's static analyzer doesn't and needs to be told.
Silences false positive reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_core.c:205:19:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
(cherry picked from commit a79bdc495e)
Unlike GetPictureScreen(), GetPictureScreenIfSet() checks if the
private key is registered, and returns NULL if it is not.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor.c:926:5:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘ps’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
(cherry picked from commit 69b48423bd)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
warning[-Wanalyzer-out-of-bounds]: stack-based buffer over-read
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
danger: out-of-bounds read from byte 16 till byte 19
but ‘fds’ ends at byte 16
141| int i;
142| for (i = 0; i < num_fds; i++)
143|-> close(fds[i]);
144| return -1;
145| }
Only possible if fds_from_pixmap returns a value > 4, but the analyzer
doesn't know the interface is defined not to do that.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2085>
(cherry picked from commit f05f269f1d)
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
(cherry picked from commit 475d9f49ac)
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:
| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
(cherry picked from commit 10c94238bd)
Currently, the resource in only available to the xkb.c source file.
In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.
This is related to:
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 99790a2c92)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.
However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.
When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.
As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:
| Invalid write of size 8
| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
| by 0x534A56: present_destroy_window (present_screen.c:107)
| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
| by 0x4EAC55: FreeWindowResources (window.c:1023)
| by 0x4EAF59: DeleteWindow (window.c:1091)
| by 0x4DE59A: doFreeResource (resource.c:890)
| by 0x4DEFB2: FreeClientResources (resource.c:1156)
| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
| by 0x5DCC78: ClientReady (connection.c:603)
| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
| at 0x4841E43: free (vg_replace_malloc.c:989)
| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
| by 0x53638D: present_create_notifies (present_notify.c:100)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
| by 0x5362A1: present_create_notifies (present_notify.c:81)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
To fix the issue, count and remove the actual number of notify elements
added in case of error.
CVE-2025-62229, ZDI-CAN-27238
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
(cherry picked from commit 5a4286b13f)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/property.c:584:5:
warning[-Wanalyzer-malloc-leak]: leak of ‘pAtoms’
Can happen if, and only if, XaceHookPropertyAccess() blocks access
to all properties, so that numProps ends up zero on the second loop.
Fixes: 39f337fd4 ("dix: ProcListProperties: skip unneeded work if numProps is 0")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
(cherry picked from commit ed92eae84d)
If we're swapping 4-byte integers or 2-byte integers, make sure the size
of the buffer doesn't have any bytes left over, since we won't correctly
handle those bytes.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:99:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:146:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
(cherry picked from commit cf49354b60)
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/gestures.c:242:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:765:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:782:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
(cherry picked from commit 15496a5e3d)
Since 1e728c3e88 ,
Whenever we allocate a composite pixmap, we perform an expensive CopyArea call from the parent pixmap.
This leads to very bad performance when using a framebuffer driver without shadowfb.
My guess is that this call ends up reading memory from the framebuffer memory directly, which is very slow.
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1814
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2073>
(cherry picked from commit 7e6c55cc9f)
InputOnly windows aren't relevant here.
E.g. mutter-x11-frames uses GTK4, which creates a 1x1 InputOnly child
window, which previously prevented this code from working as intended.
v2: (Olivier Fourdan)
* Rename output_child -> input_output_child.
* Add comment in get_single_input_output_child explaining why we return
NULL if input_output_child is already non-NULL.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2069>
(cherry picked from commit 6f31791945)
If the WM client reparents a window, mark the new parent as a WM window.
This helps with current mutter, where decoration windows are created by
a separate mutter-x11-frames client instead of the WM client. There
might be other compositors doing something similar now or in the future.
v2:
* Skip the whole unwrap-and-call-down dance in xwl_reparent_window if
xwl_screen->ReparentWindow is NULL.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2069>
(cherry picked from commit 105b5f2402)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/xibarriers.c:729:5:
warning[-Wanalyzer-null-dereference]:
dereference of NULL ‘AllocBarrierDevice()’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
(cherry picked from commit 0ee6039053)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:171:5:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL ‘dev’
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:379:23:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
(cherry picked from commit 19c6195e71)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:163:25:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL ‘buf’
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:121:19:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
(cherry picked from commit 7b18313e2a)
(The existing setting of led_mask is probably wrong, but has been set
like this since X11R5 and going back as far as the first version in
the X Consortium source control archives.)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getfctl.c:108:9:
warning[-Wanalyzer-use-of-uninitialized-value]:
use of uninitialized value ‘*k2.led_values’
108|-> swapl(&k2->led_values);
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
(cherry picked from commit 90c8429d35)
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1390:13:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1404:13:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:2293:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3244:22:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3338:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
(cherry picked from commit 7b7bcf9231)
If there's nothing to send, skip over a bunch of code to make a list
that won't be used, and hopefully make the code path clearer to both
humans and static analyzers, who raise errors as seen in #1817 of
dereferencing NULL pointers when count == 0.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
(cherry picked from commit d34243606c)
