Commit graph

18790 commits

Author SHA1 Message Date
Olivier Fourdan
a40b41497f xkb: Fix out-of-bounds read in CheckModifierMap()
As reported by valgrind:

  == Conditional jump or move depends on uninitialised value(s)
  ==    at 0x547E5B: CheckModifierMap (xkb.c:1972)
  ==    by 0x54A086: _XkbSetMapChecks (xkb.c:2574)
  ==    by 0x54A845: ProcXkbSetMap (xkb.c:2741)
  ==    by 0x556EF4: ProcXkbDispatch (xkb.c:7048)
  ==    by 0x454A8C: Dispatch (dispatch.c:553)
  ==    by 0x462CEB: dix_main (main.c:274)
  ==    by 0x405EA7: main (stubmain.c:34)
  ==  Uninitialised value was created by a heap allocation
  ==    at 0x4840B26: malloc (vg_replace_malloc.c:447)
  ==    by 0x592D5A: AllocateInputBuffer (io.c:981)
  ==    by 0x591F77: InsertFakeRequest (io.c:516)
  ==    by 0x45CA27: NextAvailableClient (dispatch.c:3629)
  ==    by 0x58FA81: AllocNewConnection (connection.c:628)
  ==    by 0x58FC70: EstablishNewConnections (connection.c:692)
  ==    by 0x58FFAA: HandleNotifyFd (connection.c:809)
  ==    by 0x593F42: ospoll_wait (ospoll.c:660)
  ==    by 0x58B9B6: WaitForSomething (WaitFor.c:208)
  ==    by 0x4548AC: Dispatch (dispatch.c:493)
  ==    by 0x462CEB: dix_main (main.c:274)
  ==    by 0x405EA7: main (stubmain.c:34)

The issue is that the loop in CheckModifierMap() reads from wire without
verifying that the data is within the request bounds.

The req->totalModMapKeys value could exceed the actual data provided,
causing reads of uninitialized memory.

To fix that issue, we add a bounds check using _XkbCheckRequestBounds,
but for that, we need to also pass a ClientPtr parameter, which is not
a problem since CheckModifierMap() is a private, static function.

CVE-2026-34002, ZDI-CAN-28737

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f056ce1cc9)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2177>
2026-04-14 15:09:04 +02:00
Olivier Fourdan
d90a480fab miext/sync: Fix use-after-free in miSyncTriggerFence()
As reported by valgrind:

  == Invalid read of size 8
  ==    at 0x568C14: miSyncTriggerFence (misync.c:140)
  ==    by 0x540688: ProcSyncTriggerFence (sync.c:1957)
  ==    by 0x540CCC: ProcSyncDispatch (sync.c:2152)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)
  ==  Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
  ==    at 0x4843E43: free (vg_replace_malloc.c:990)
  ==    by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
  ==    by 0x53F14D: FreeAwait (sync.c:1208)
  ==    by 0x4DFB06: doFreeResource (resource.c:888)
  ==    by 0x4DFC59: FreeResource (resource.c:918)
  ==    by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
  ==    by 0x568C52: miSyncTriggerFence (misync.c:142)
  ==    by 0x540688: ProcSyncTriggerFence (sync.c:1957)
  ==    by 0x540CCC: ProcSyncDispatch (sync.c:2152)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)
  ==  Block was alloc'd at
  ==    at 0x4840B26: malloc (vg_replace_malloc.c:447)
  ==    by 0x5E50E1: XNFalloc (utils.c:1129)
  ==    by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
  ==    by 0x53DCA8: SyncInitTrigger (sync.c:414)
  ==    by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
  ==    by 0x540D04: ProcSyncDispatch (sync.c:2160)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)

When walking the list of fences to trigger, miSyncTriggerFence() may
call TriggerFence() for the current trigger, which ends up calling the
function SyncAwaitTriggerFired().

SyncAwaitTriggerFired() frees the entire await resource, which removes
all triggers from that await - including pNext which may be another
trigger from the same await attached to the same fence.

On the next iteration, ptl = pNext points to freed memory...

To avoid the issue, we need to restart the iteration from the beginning
of the list each time a trigger fires, since the callback can modify the
list.

CVE-2026-34001, ZDI-CAN-28706

This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f19ab94ba9)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2177>
2026-04-14 15:09:04 +02:00
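
The list-walk hazard described in the miSyncTriggerFence() commit above, as an added example that is not part of the commit or of the xserver source. It is a simplified model in which "freeing" a trigger only clears an `alive` flag, so a visit to a freed node can be counted instead of being undefined behaviour; the `Fence`, `Trigger` and `Await` structs and all function names are hypothetical stand-ins, and it assumes every fired trigger is unlinked from the list.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the sync structures; not the xserver types. */
typedef struct Await { int fired; } Await;

typedef struct Trigger {
    struct Trigger *next;   /* link in the fence's trigger list */
    Await *owner;           /* await this trigger belongs to */
    int ready;              /* would the trigger's test pass? */
    int alive;              /* cleared where the real code would free() */
} Trigger;

typedef struct Fence { Trigger *head; } Fence;
typedef struct Result { int stale_visits, awaits_fired, remaining; } Result;

/* Append a trigger to the fence's list. */
static void attach(Fence *f, Trigger *t, Await *owner, int ready)
{
    Trigger **pp = &f->head;

    t->next = NULL;
    t->owner = owner;
    t->ready = ready;
    t->alive = 1;
    while (*pp)
        pp = &(*pp)->next;
    *pp = t;
}

/* Models the callback: firing one trigger releases the whole await,
 * which unlinks every trigger of that await from the fence. */
static void fire(Fence *f, Trigger *t)
{
    Await *a = t->owner;
    Trigger **pp = &f->head;

    a->fired++;
    while (*pp) {
        if ((*pp)->owner == a) {
            Trigger *dead = *pp;
            *pp = dead->next;
            dead->alive = 0;    /* dead->next is left stale on purpose */
        } else {
            pp = &(*pp)->next;
        }
    }
}

/* "Before" pattern: the next pointer is cached across the callback. */
static int walk_saved_next(Fence *f)
{
    int stale = 0;
    Trigger *t, *next;

    for (t = f->head; t; t = next) {
        next = t->next;         /* on a freed node this is the invalid read */
        if (!t->alive) {
            stale++;
            continue;
        }
        if (t->ready)
            fire(f, t);
    }
    return stale;
}

/* "After" pattern: restart from the head whenever a trigger fired. */
static int walk_restart(Fence *f)
{
    int stale = 0;
    Trigger *t = f->head;

    while (t) {
        if (!t->alive) {        /* unreachable: only linked nodes are visited */
            stale++;
            break;
        }
        if (t->ready) {
            fire(f, t);         /* removes at least t, so the walk terminates */
            t = f->head;
        } else {
            t = t->next;
        }
    }
    return stale;
}

/* Constructed input: C1 (not ready) -> A1 -> A2 -> B1, with A1 and A2 both
 * owned by await A, the situation the commit message describes. */
Result run_demo(int restart)
{
    Await a = { 0 }, b = { 0 }, c = { 0 };
    Trigger pool[4];
    Fence f = { NULL };
    Result r;
    Trigger *t;

    attach(&f, &pool[0], &c, 0);
    attach(&f, &pool[1], &a, 1);
    attach(&f, &pool[2], &a, 1);
    attach(&f, &pool[3], &b, 1);

    r.stale_visits = restart ? walk_restart(&f) : walk_saved_next(&f);
    r.awaits_fired = a.fired + b.fired + c.fired;
    r.remaining = 0;
    for (t = f.head; t; t = t->next)
        r.remaining++;
    return r;
}

int main(void)
{
    printf("saved-next walk: %d stale visit(s)\n", run_demo(0).stale_visits);
    printf("restart walk:    %d stale visit(s)\n", run_demo(1).stale_visits);
    return 0;
}
```
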
Olivier Fourdan
30f34b41ab xkb: Fix bounds check in _CheckSetGeom()
As reported by valgrind:

  == Conditional jump or move depends on uninitialised value(s)
  ==    at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585)
  ==    by 0x5AC7D5: _CheckSetGeom (xkb.c:5607)
  ==    by 0x5AC952: _XkbSetGeometry (xkb.c:5643)
  ==    by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684)
  ==    by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070)
  ==    by 0x4A28C5: Dispatch (dispatch.c:553)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)
  ==  Uninitialised value was created by a heap allocation
  ==    at 0x4840B26: malloc (vg_replace_malloc.c:447)
  ==    by 0x5E13B0: AllocateInputBuffer (io.c:981)
  ==    by 0x5E05CD: InsertFakeRequest (io.c:516)
  ==    by 0x4AA860: NextAvailableClient (dispatch.c:3629)
  ==    by 0x5DE0D7: AllocNewConnection (connection.c:628)
  ==    by 0x5DE2C6: EstablishNewConnections (connection.c:692)
  ==    by 0x5DE600: HandleNotifyFd (connection.c:809)
  ==    by 0x5E2598: ospoll_wait (ospoll.c:660)
  ==    by 0x5DA00C: WaitForSomething (WaitFor.c:208)
  ==    by 0x4A26E5: Dispatch (dispatch.c:493)
  ==    by 0x4B0B24: dix_main (main.c:274)
  ==    by 0x42915E: main (stubmain.c:34)

Each key alias entry contains two key names (the alias and the real key
name), each of size XkbKeyNameLength.

The current bounds check only validates the first name, allowing
XkbAddGeomKeyAlias to potentially read uninitialized memory when
accessing the second name at &wire[XkbKeyNameLength].

To fix this, change the value to check to use 2 * XkbKeyNameLength to
validate the bounds.

CVE-2026-34000, ZDI-CAN-28679

This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81b6a34f90)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2177>
2026-04-14 15:09:04 +02:00
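
The bounds-check gaps described in the _CheckSetGeom() and CheckModifierMap() commits above, as an added example that is not part of either commit or of the xserver source. It models a request as a length only and reports how many bytes a consumer would read past it, without performing the reads; `walk_entries`, `in_request` and `Verdict` are hypothetical names, and the 2-byte modifier-map entry size is an assumption of this model.

```c
#include <stddef.h>
#include <stdio.h>

#define KEY_NAME_LEN  4                   /* value of XkbKeyNameLength */
#define ALIAS_ENTRY   (2 * KEY_NAME_LEN)  /* alias name + real key name */
#define MODMAP_ENTRY  2                   /* assumption for this model */

typedef struct Verdict {
    int rejected;       /* the bounds check refused the request */
    size_t overread;    /* bytes consumed beyond the request before that */
} Verdict;

/* Is [from, from + len) inside a request of req_len bytes? Written so
 * that the subtraction cannot wrap. */
static int in_request(size_t req_len, size_t from, size_t len)
{
    return from <= req_len && len <= req_len - from;
}

/*
 * Walk `count` entries of `entry_size` bytes starting at offset `off`.
 * `checked_len` is how many bytes of each entry the bounds check covers:
 *   0             no check at all (count taken from the request header)
 *   < entry_size  partial check (only the first of the two names)
 *   entry_size    the whole entry is validated before it is consumed
 */
Verdict walk_entries(size_t req_len, size_t off, unsigned count,
                     size_t entry_size, size_t checked_len)
{
    Verdict v = { 0, 0 };
    unsigned i;

    for (i = 0; i < count; i++) {
        size_t end = off + entry_size;

        if (checked_len && !in_request(req_len, off, checked_len)) {
            v.rejected = 1;
            return v;
        }
        /* The consumer reads the full entry regardless of what was checked. */
        if (end > req_len)
            v.overread += end - (off > req_len ? off : req_len);
        off = end;
    }
    return v;
}

int main(void)
{
    /* Constructed inputs: one alias declared, only one 4-byte name sent. */
    Verdict part = walk_entries(4, 0, 1, ALIAS_ENTRY, KEY_NAME_LEN);
    Verdict full = walk_entries(4, 0, 1, ALIAS_ENTRY, ALIAS_ENTRY);
    /* Constructed inputs: header claims 5 modmap entries, 2 were sent. */
    Verdict none = walk_entries(4, 0, 5, MODMAP_ENTRY, 0);
    Verdict each = walk_entries(4, 0, 5, MODMAP_ENTRY, MODMAP_ENTRY);

    printf("alias, first name checked: rejected=%d overread=%zu\n",
           part.rejected, part.overread);
    printf("alias, both names checked: rejected=%d overread=%zu\n",
           full.rejected, full.overread);
    printf("modmap, unchecked:         rejected=%d overread=%zu\n",
           none.rejected, none.overread);
    printf("modmap, checked per entry: rejected=%d overread=%zu\n",
           each.rejected, each.overread);
    return 0;
}
```
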
Peter Harris
ae7db5180f xkb: fix buffer re-use in _XkbSetCompatMap
If the "compat" buffer has previously been truncated, there will be
unused space in the buffer. The code uses this space, but does not
update the number of valid entries in the buffer.

In the best case, this leads to the new compat entries being ignored. In the
worst case, if there are any "skipped" compat entries, the number of
valid entries will be corrupted, potentially leading to a buffer read
overrun when processing a future request.

Set the number of used "compat" entries when re-using previously
allocated space in the buffer.

CVE-2026-33999, ZDI-CAN-28593

This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative

Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b024ae1749)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2177>
2026-04-14 15:09:04 +02:00
Olivier Fourdan
53399164db xwayland: Use viewport scale for warping coordinates
When Xwayland is used rootful with hidpi, a viewport is in effect and a
scale applied.

This is however "transparent" to the Xserver which uses unscaled
coordinates, so to set the fake cursor position with a viewport and a
scale applied, we need to factor the scale to the coordinates before
passing the coordinate to the Wayland compositor through the method
zwp_locked_pointer_v1_set_cursor_position_hint().

Failing to do that will introduce a shift when warping the cursor
position.

v2: Use an xwl_window instead of an xwl_seat to improve readability
(Michel)

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1875
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 0e580872b0)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Alan Coopersmith
0473a59387 os: include <assert.h> in ospoll.c
Fixes build failure in mingw-cross-build:

../os/ospoll.c: In function ‘ospoll_destroy’:
../os/ospoll.c:266:9: error: implicit declaration of function ‘assert’
 [-Werror=implicit-function-declaration]
  266 |         assert (ospoll->num == 0);
      |         ^~~~~~
../os/ospoll.c:59:1: note: ‘assert’ is defined in header ‘<assert.h>’;
 did you forget to ‘#include <assert.h>’?
   58 | #include "xserver_poll.h"
  +++ |+#include <assert.h>
   59 | #define POLL            1
../os/ospoll.c:266:9: warning: nested extern declaration of ‘assert’
 [-Wnested-externs]
  266 |         assert (ospoll->num == 0);
      |         ^~~~~~

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7f8570bfa1)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Alan Coopersmith
65ae6543e8 os: fix sha1 build error with Nettle 4.0
Nettle 2.6 (released in 2013) split the sha.h header into sha1.h & sha2.h,
but left the sha.h header for compatibility until the recent Nettle 4.0
release finally removed it.

Nettle 4.0 also dropped the length argument from the sha1_digest function.

Closes: #1871
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit f8355b8821)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Michel Dänzer
34934c37d6 Revert "xwayland: Call register_damage depending on ensure_surface_for_window"
There've been reports downstream of Xwayland segfaulting in the function
xwl_present_execute() because xwl_window_get_damage_region() returned an
invalid pointer:

 #10 RegionUninit at ../include/regionstr.h:165
 #11 RegionEmpty at ../include/regionstr.h:194
 #12 xwl_present_execute at ../hw/xwayland/xwayland-present.c:1138
 #13 xwl_present_pixmap at ../hw/xwayland/xwayland-present.c:1274
 #14 present_pixmap at ../present/present.c:249
 #15 proc_present_pixmap_common at ../present/present_request.c:166
 #16 proc_present_pixmap at ../present/present_request.c:186
 #17 Dispatch at ../dix/dispatch.c:550
 #18 dix_main at ../dix/main.c:277

The most likely reason for this is that window_get_damage() returned
NULL, which might happen if xwl_window_update_surface_window() didn't
call register_damage().

To avoid that issue, move the call to register_damage() back to
xwl_realize_window before calling ensure_surface_for_window().

This reverts commit 07f6032627.

See-also: https://bugzilla.redhat.com/2329815
See-also: https://bugzilla.redhat.com/2428249
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1862
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit c76d495612)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Michel Dänzer
acfd3c1009 xwayland: Use WindowPtr for damage closure again
This reverts commit d3448f7aad.

Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 0472d7389e)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Michel Dänzer
93a0ad3445 xwayland: Update surface window from xwl_unrealize_window
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit ceb313f277)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
hongao
fb69bd234e randr: clear primary screen's primaryOutput when the output is deleted
This fixes a use after free when a pluggable gpu screen (such as displaylink)
was set as primary screen and unplugged.

gdb backtrace:
 #0 OssigHandler (signo=11, sip=0x7fff2e0a50f0, unused=0x7fff2e0a4fc0) at ../../../../os/osinit.c:138
 #1 <signal handler called>
 #2 rrGetscreenResources (client=0x3195160, query=0) at ../../../../randr/rrscreen.c:577
 #3 0x0000000000562bae in ProcRRGetscreenResourcesCurrent (client=0x3195160) at ../../../../randr/rrscreen.c:652
 #4 OxOOOOB0000054de63 in ProcRRDispatch (client=0x3195160) at ../../../../randr/randr.c:717
 #5 0x00000000004322c6 in Dispatch () at ../../../../dix/dispatch.c:485
 #6 0x0900900990443139 in dix_main (argc=12, argv=0x7fff2e0a5f78, envp=0x7fff2e0a5fe0) at ../../../../dix/main.c:276
 #7 0X0000000000421d9a in main (argc=12, argv=0x7fff2e0a5f78, envp=0x7fff2e0a5fe0) at ../../../../dix/stubmain.c:34

Signed-off-by: hongao <hongao@uniontech.com>
(cherry picked from commit 1443fd34ea)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Pierre Le Marre
da8185b42f xkb: Fix serialization of key type without level names
Before this commit the count of key type level names was wrongly set
in `XkbGetNames`: for key type without names, it was set to the level
count, while it should be 0:
- `XkbComputeGetNamesReplySize()` does not account for key types without
  level names;
- `XkbSendNames()` does not write any level entry for key types without
  level names.

This causes a mismatch offset while parsing the response and its
processing would ultimately fail.

Fixed by setting the correct level name count: 0 if there is no level
name, else the number of levels.

(cherry picked from commit c49cbc176a)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Pierre Le Marre
3aa8dfa755 xkb: Fix key type without level names in XkbCopyKeymap
A key type that has no level names is legit. Before this commit,
`XkbCopyKeymap` would make such level inconsistent by setting its
number of levels to 0 while keeping its map entries. It suffices
to clear the names array.

Fixed by copying the level count from the source type.

WARNING: this will trigger an error in `XkbGetNames`, which worked
before this commit only by chance. This is fixed in the next commit.

(cherry picked from commit 12605989af)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
quantenzitrone
89f82cce4a COPYING: add author to HPND-sell-MIT-disclaimer-xserver
the license notice comes from these files:
- dix/registry.c
- Xext/xselinuxint.h
- Xext/xselinux_label.c
- Xext/xselinux_hooks.c
- Xext/xselinux_ext.c
- Xext/xselinux.h
- Xext/xacestr.h
- Xext/xace.h
- Xext/xace.c

while this is not like the standard `Copyright (C)` lines I think it
still belongs to the license, even if just to make it more clearly
separate from the MIT license above

(cherry picked from commit fff0023339)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
quantenzitrone
e5c6a5ab90 COPYING: add missing paragraph to SGI-B-2.0
all files that this license applies to include the last paragraph:
- glx/xfont.c
- glx/unpack.h
- glx/singlesize.h
- glx/singlesize.c
- glx/singlepixswap.c
- glx/singlepix.c
- glx/single2swap.c
- glx/single2.c
- glx/rensize.c
- glx/renderpixswap.c
- glx/renderpix.c
- glx/render2swap.c
- glx/render2.c
- glx/glxutil.h
- glx/glxdrawable.h
- glx/glxserver.h
- glx/glxcontext.h
- glx/glxscreens.h
- glx/glxscreens.c
- glx/glxcmdsswap.c
- glx/glxext.h
- glx/glxcmds.c
- glx/glxext.c

the paragraph was likely accidentally missed when the license changed
from SGI-B-1.0 to SGI-B-2.0 in ed9aecf851

(cherry picked from commit 6105e5b133)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Mikhail Dmitrichenko
e6696a43a5 dix: avoid null ptr deref at doListFontsAndAliases
In the `doListFontsAndAliases` function in dixfonts.c, when a font alias
is encountered (`err == FontNameAlias`) as a result of
`list_next_font_or_alias` call, the code allocates memory for
`resolved` variable (`resolvedlen + 1` bytes) for storing target font
name. In this case, if the `malloc(resolvedlen + 1)` call fails,
`resolved` remains NULL.

Later, when check (`else if (err == FontNameAlias)`) is TRUE, the code
uses `memcpy` to copy nullable `resolved` into `tmp_pattern` without
checking if `resolved` is NULL, so there is a potential null ptr
dereference.

This commit replaces `malloc` with `XNFalloc` for allocating memory for
`resolved`. `XNFalloc` will internally check the result of `malloc` and stop
program execution if the allocation failed, preventing potential NULL
dereferencing.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 0237462d32)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Mikhail Dmitrichenko
70f5424e54 render: fix multiple mem leaks on err paths
Free nested allocations when initialization fails.
Several code paths returned early on error without releasing
memory owned by embedded structures, leading to leaks.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 809402414e)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Yixue Wang
ba6c070002 xwayland: wrong expecting_event
According to

https://wayland.app/protocols/wayland#wl_seat:event:capabilities

The compositor might send capabilities when its capabilities change.
Decreasing expecting_event here without any check might cause a
negative expecting_count.

(cherry picked from commit 6bf6a9bff2)
(cherry picked from commit 6a37e21ca4)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Alexander Melnyk
7a8f8ef9b7 xkb: Fix locked/latched indicator desync across multiple keyboards
When a group indicator (or a latched indicator of any kind) is defined,
e.g.:
  indicator "Scroll Lock" { groups = Group2; }
the logical and physical indicator state may desync across multiple
connected keyboards.

This is caused by XkbPushLockedStateToSlaves only pushing locked_mods to
the slave devices. Pushing locked_group (as well as latched groups/mods)
along with locked_mods resolves the issue.

The issue is not observed with API calls because a different code path
is taken (avoiding XkbPushLockedStateToSlaves altogether).

Signed-off-by: Alexander Melnyk <inboxnumberzero@zoho.com>
(cherry picked from commit 36a7fdd315)
(cherry picked from commit a9ee6b7326)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Liu Heng
0e08e5083f xwayland: prevent X11 get enter event when pointer is over Wayland client
In Wayland, mouse coordinates are not updated after all x11 clients have left,
causing the mouse information to remain at the position left by the last x11
client. However, if CheckMotion is called at this point for other reasons
(such as window mapped, reactive, etc.), xwayland might continue to send enter
events to x11 clients, even if the mouse is actually on a Wayland client.

This MR introduces and checks pointer_enter_count to determine if the mouse
has left an x11 client and is now on a Wayland client. When it's confirmed
that the mouse is no longer on an x11 client but on a Wayland client,
returning TRUE in sprite_check_lost_focus causes XYToWindow to return to the
root window, preventing further enter events from being sent to x11 clients.

(cherry picked from commit e673a4bda0)
(cherry picked from commit 6bef11002f)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Alan Coopersmith
042259f1cb os: make FormatInt64() handle LONG_MIN correctly
When compiling with gcc 15.2.0 using -O3 -m64 on Solaris SPARC & x64,
we'd get a test failure of:

Assertion failed: strcmp(logmsg, expected) == 0,
 file ../test/signal-logging.c, line 339, function logging_format

because 'num *= 1' produced a value that was out of the range of the
int64_t it was being stored in.  (Compiling with -O2 worked fine with
the same compiler/configuration/platform though.)

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7f68b58865)
(cherry picked from commit 3eac9393d7)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Mikhail Dmitrichenko
e6807ba844 os: avoid closing null fd at Fopen
In `Fopen` function variable `iop` may store NULL as a result of `fopen`
call. In this case, if later privileges couldn't be restored (`seteuid`
call fails), further `fclose(iop)` call will cause runtime error.

This commit adds a check of `iop` for NULL before calling `fclose` to prevent
a potential NULL pointer dereference.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit f83807647e)
(cherry picked from commit dd2255c309)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Liu Heng
43334c34c6 xwayland: Fix incorrect pointer coordinates in enter events
Xwayland was sending incorrect pointer coordinates to X clients on
pointer enter events.

This was caused by calling CheckMotion() with a NULL event, which
prevented the pointer sprite hot coordinates from being updated
properly.

Fix this by constructing a proper DeviceEvent of type ET_Enter in
pointer_handle_enter, initializing it with the current timestamp
and EVENT_SOURCE_FOCUS, and passing it to CheckMotion() instead
of NULL.

This ensures the pointer sprite coordinates are correctly updated
when the pointer enters a window.

(cherry picked from commit 7fb5e00ad8)
(cherry picked from commit b4c5796e4b)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Alan Coopersmith
c001e1330a dix: set errorValue correctly when XID lookup fails in ChangeGCXIDs()
dixLookupResourceByType always overwrites the pointer passed in as the
first arg, so we shouldn't use the union it's in after that to get the
requested XID value to put in the errorValue.

Closes: #1857
Fixes: 2d7eb4a19 ("Pre-validate ChangeGC XIDs.")
Reported-by: Mouse <mouse@Rodents-Montreal.ORG>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ac42c39145)
(cherry picked from commit 7f1050de78)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:09 +00:00
Olivier Fourdan
ab16adb21a xwayland: Expunge the SECURITY.md file
Change the SECURITY.md file to cover Xwayland only.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
e94637341b Create a SECURITY.md file
Provide information on where to report or learn of security bugs,
and what we do or do not consider to be a security bug.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit a5047d4a65)
(cherry picked from commit 1fe162ab99)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
b147746e8c glamor: avoid double free in glamor_make_pixmap_exportable()
Reported by gcc 15.1:

../glamor/glamor_egl.c:320:9:
 warning: double-‘free’ of ‘modifiers’ [CWE-415] [-Wanalyzer-double-free]
[...]
           │  732 |│        free(*modifiers);
           │      |│        ~~~~~~~~~~~~~~~~
           │      |│        |
           │      |└───────>(25) ...to here
           │      |         (26) first ‘free’ here
[...]
    │  320 |         free(modifiers);
    │      |         ~~~~~~~~~~~~~~~
    │      |         |
    │      |         (28) ⚠️  second ‘free’ here; first ‘free’ was at (26)

Fixes: cef12efc1 ("glamor: Implement GetSupportedModifiers")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 3e9baa20f3)
(cherry picked from commit 46ad162815)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
0bda412f7b glamor: avoid null dereference in glamor_composite_clipped_region()
Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_render.c:1577:21:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6a4ec30af4)
(cherry picked from commit 2df83c5566)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
1ea635ce0b glamor: avoid null dereference in glamor_dash_setup()
Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_dash.c:152:10:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c6522229b8)
(cherry picked from commit 84dccbc45a)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
0ed9e8a246 glamor: handle allocation failures in glamor_largepixmap.c
Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:130:17:
 warning[-Wanalyzer-possible-null-dereference]:
  dereference of possibly-NULL ‘clipped_regions’

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:235:13:
 warning[-Wanalyzer-possible-null-dereference]:
  dereference of possibly-NULL ‘result_regions’

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:365:9:
 warning[-Wanalyzer-possible-null-dereference]:
  dereference of possibly-NULL ‘clipped_regions’

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_largepixmap.c:1175:9:
 warning[-Wanalyzer-possible-null-dereference]:
  dereference of possibly-NULL ‘source_pixmap_priv’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 84cf20e6dd)
(cherry picked from commit cdc7efe75f)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
dddf6906f4 glamor: silence false positive in glamor_validate_gc()
We know that if gc->tileIsPixel is false, then gc->tile.pixmap must be
a valid pixmap, but gcc's static analyzer doesn't and needs to be told.

Silences false positive reported in #1817:

xwayland-24.1.6/redhat-linux-build/../glamor/glamor_core.c:205:19:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit a79bdc495e)
(cherry picked from commit 03b40ee38d)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
049ab6d16b glamor: handle allocation failure in glamor_create_pixmap()
Reported by gcc 15.1:

../glamor/glamor.c: In function ‘glamor_create_pixmap’:
../glamor/glamor.c:233:23: warning: potential null pointer dereference
 [-Wnull-dereference]
  233 |     pixmap_priv->type = GLAMOR_TEXTURE_ONLY;
      |     ~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
../glamor/glamor.c:228:26: warning: potential null pointer dereference
 [-Wnull-dereference]
  228 |     pixmap_priv->is_cbcr = (GLAMOR_CREATE_FORMAT_CBCR & usage) == GLAMOR_CREATE_FORMAT_CBCR;

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit cc647f2367)
(cherry picked from commit 3611931eb3)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
3473cf532e glamor: handle potential NULL return from GetPictureScreenIfSet()
Unlike GetPictureScreen(), GetPictureScreenIfSet() checks if the
private key is registered, and returns NULL if it is not.

Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor.c:926:5:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘ps’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 69b48423bd)
(cherry picked from commit 394cb2d824)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
dc019b8784 panoramix: avoid null dereference in PanoramiXConsolidate()
Reported in #1817:

Error: GCC_ANALYZER_WARNING (CWE-476): [#def5]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:820:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘root’
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:819:12: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:820:5: danger: ‘root’ could be NULL: unchecked value from (1)
818|
819|       root = malloc(sizeof(PanoramiXRes));
820|->     root->type = XRT_WINDOW;
821|       defmap = malloc(sizeof(PanoramiXRes));
822|       defmap->type = XRT_COLORMAP;
Error: GCC_ANALYZER_WARNING (CWE-476): [#def6]

xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:822:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘defmap’
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:821:14: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:822:5: danger: ‘defmap’ could be NULL: unchecked value from (1)
820|       root->type = XRT_WINDOW;
821|       defmap = malloc(sizeof(PanoramiXRes));
822|->     defmap->type = XRT_COLORMAP;
823|       saver = malloc(sizeof(PanoramiXRes));
824|       saver->type = XRT_WINDOW;

Error: GCC_ANALYZER_WARNING (CWE-476): [#def7]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:824:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘saver’
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:823:13: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:824:5: danger: ‘saver’ could be NULL: unchecked value from (1)
822|       defmap->type = XRT_COLORMAP;
823|       saver = malloc(sizeof(PanoramiXRes));
824|->     saver->type = XRT_WINDOW;
825|
826|       FOR_NSCREENS(i) {

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 23c103d41f)
(cherry picked from commit 6edd79e5f5)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
3ee7c53f72 panoramix: avoid null dereference in PanoramiXMaybeAddDepth()
Reported in #1817:

Error: GCC_ANALYZER_WARNING (CWE-476): [#def4]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:748:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘PanoramiXDepths’
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:802:1: enter_function: entry to ‘PanoramiXConsolidate’
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:813:17: branch_true: following ‘true’ branch...
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:814:9: branch_true: ...to here
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:814:9: call_function: calling ‘PanoramiXMaybeAddDepth’ from ‘PanoramiXConsolidate’
746|       PanoramiXDepths = reallocarray(PanoramiXDepths,
747|                                      PanoramiXNumDepths, sizeof(DepthRec));
748|->     PanoramiXDepths[j].depth = pDepth->depth;
749|       PanoramiXDepths[j].numVids = 0;
750|       PanoramiXDepths[j].vids = NULL;

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 537b56ccca)
(cherry picked from commit 9664b55324)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
6f4c5cb972 xwayland: fix builds with xace disabled
CI meson-disable-options builds were failing with:
../hw/xwayland/xwayland-screen.c: In function ‘xwl_close_screen’:
../hw/xwayland/xwayland-screen.c:246:5: error: implicit declaration of
 function ‘XaceDeleteCallback’; did you mean ‘DeleteCallback’?
 [-Werror=implicit-function-declaration]
  246 |     XaceDeleteCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, screen);
      |     ^~~~~~~~~~~~~~~~~~
      |     DeleteCallback

../hw/xwayland/xwayland-screen.c:246:24: error: ‘XACE_PROPERTY_ACCESS’
 undeclared (first use in this function)
  246 |     XaceDeleteCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, screen);
      |                        ^~~~~~~~~~~~~~~~~~~~

../hw/xwayland/xwayland-screen.c: In function ‘xwl_screen_init’:
../hw/xwayland/xwayland-screen.c:1174:5: error: implicit declaration of
 function ‘XaceRegisterCallback’ [-Werror=implicit-function-declaration]
 1174 |     XaceRegisterCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, pScreen);
      |     ^~~~~~~~~~~~~~~~~~~~

../hw/xwayland/xwayland-screen.c:1174:26: error: ‘XACE_PROPERTY_ACCESS’
 undeclared (first use in this function)
 1174 |     XaceRegisterCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, pScreen);
      |                          ^~~~~~~~~~~~~~~~~~~~

Fixes: a07c2cda9 ("xwayland: Add an XACE property access handler")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 48acd1ae78)
(cherry picked from commit 3298b0a3e0)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
1d6857db53 meson: don't build xselinux if xace is disabled
xselinux requires xace to build

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7b15321b3b)
(cherry picked from commit f468122d8d)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
caec464d67 dix: Fix builds with meson -Dxace=false -Dwerror=true
CI meson-disable-options builds were failing with:
../dix/events.c: In function ‘CoreEnterLeaveEvent’:
../dix/events.c:4723:19: error: unused variable ‘client’
 [-Werror=unused-variable]
 4723 |         ClientPtr client = grab ? rClient(grab) : wClient(pWin);
      |                   ^~~~~~
../dix/events.c: In function ‘CoreFocusEvent’:
../dix/events.c:4834:19: error: unused variable ‘client’
 [-Werror=unused-variable]
 4834 |         ClientPtr client = wClient(pWin);
      |                   ^~~~~~

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6611caf828)
(cherry picked from commit 878d73e312)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Alan Coopersmith
3237f10a1e xf86bigfont: fix -Wimplicit-function-declaration error
Build breaks with gcc 14 & later when xf86bigfont is enabled:

../Xext/xf86bigfont.c: In function ‘XFree86BigfontExtensionInit’:
../Xext/xf86bigfont.c:709:28: error: implicit declaration of function
 ‘xfont2_allocate_font_private_index’;
 did you mean ‘AllocateFontPrivateIndex’? [-Wimplicit-function-declaration]
  709 |         FontShmdescIndex = xfont2_allocate_font_private_index();
      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                            AllocateFontPrivateIndex

Fixes: 05a793f5b ("dix: Switch to the libXfont2 API (v2)")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0617f6075b)
(cherry picked from commit 5a1fe4e4f1)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Twaik Yont
5071f48509 os: use close-on-exec for X server socket to prevent fd leaks
In most typical Linux X servers (like Xvfb, Xephyr, or Xwayland),
no child process outlives the server, so this issue rarely arises.
However, in embedded X servers (based on Xvfb or Kdrive) or in
custom Xorg modules, the server might launch a long-running command
with regular fork+exec calls. If the X server crashes or exits while
that command is still running (for example, it spawns a tombstone
generator or any process that hangs or turns into a zombie), the file
descriptor associated with the abstract socket can remain open in the
child process. This leads to the kernel refusing to allow another X
server to bind the same socket until the child process terminates
(because there is no explicit way to unlink an abstract socket, unlike
a Unix socket). By marking the file descriptor as close-on-exec, we
ensure it is automatically closed in child processes, preserving the
ability of a new X server process to bind the socket immediately.

Signed-off-by: Twaik Yont <9674930+twaik@users.noreply.github.com>
(cherry picked from commit 5568b0f83f)
(cherry picked from commit 59673c0503)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
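
The socket behaviour the commit message above relies on, as an added example (not code from the commit or from the X server): an abstract-namespace name stays bound for as long as any copy of the descriptor is open, and `FD_CLOEXEC` keeps a copy from surviving `execve()`. The helper names, the socket names and the use of `dup()` to stand in for a child's inherited copy are assumptions of this example; it requires Linux.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a socket in the Linux abstract namespace (sun_path[0] == '\0').
 * Returns the fd, or -1 with errno set (EADDRINUSE if the name is held). */
int bind_abstract(const char *name, int cloexec) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };  /* rest is zeroed */
    size_t n = strlen(name);
    int fd, saved;

    if (n > sizeof(sa.sun_path) - 1) { errno = ENAMETOOLONG; return -1; }
    memcpy(sa.sun_path + 1, name, n);   /* leading NUL selects abstract */
    fd = socket(AF_UNIX, SOCK_STREAM | (cloexec ? SOCK_CLOEXEC : 0), 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa,
             (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n)) < 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* 1 if the kernel will close fd when the process calls execve(). */
int is_cloexec(int fd) {
    int fl = fcntl(fd, F_GETFD);
    return fl >= 0 && (fl & FD_CLOEXEC);
}

/* `leaked` models the copy an exec'd child keeps when FD_CLOEXEC is unset.
 * Returns the errno a new server sees while it is open; *after receives the
 * errno once it is closed (0 means the bind succeeded). */
int rebind_errno_while_leaked(const char *name, int *after) {
    int held, fd, leaked, srv = bind_abstract(name, 0);
    if (srv < 0) return -1;
    leaked = dup(srv);
    close(srv);                          /* old server exits or crashes */
    fd = bind_abstract(name, 1);
    held = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    close(leaked);                       /* child finally terminates */
    fd = bind_abstract(name, 1);
    *after = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    return held;
}

int main(void) {
    int after = -1;
    return rebind_errno_while_leaked("demo-x-socket", &after) != EADDRINUSE || after != 0;
}
```

On a running system the same condition shows up as a non-server process still holding the socket's descriptor in `/proc/<pid>/fd`.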
Olivier Fourdan
d7745cca00 xwayland: Do not pretend leaving the X11 surface if buttons are down
Xwayland has its own XYToWindow() handler to account for the case when
the pointer leaves an X11 surface to enter another Wayland native
window.

When that occurs, Xwayland will treat it as if the pointer had entered
the root window so that the X11 clients receive an appropriate leave
event.

When the pointer leaves the X11 surface, Xwayland will call
CheckMotion() to update the sprite coordinates and possibly the cursor.

However, if we left the surface with a button down, it means the Wayland
compositor has grabbed the pointer so we will not get button release
events from the compositor.

Once the button is released, Xwayland will get a pointer enter event from
the compositor, and Xwayland will clear up the buttons pressed.

But that might confuse Xwayland in thinking the pointer has crossed the
windows and leave the wrong cursor showing in the X11 surface.

To avoid the issue, if buttons are down, do not pretend the cursor has
left the X11 surface for the root window.

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1811
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 8cb078f8b6)
(cherry picked from commit 3c80595c7e)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2151>
2026-04-09 08:59:08 +00:00
Olivier Fourdan
65acc54b70 Bump version to 24.1.9
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
2025-10-28 14:27:03 +01:00
Olivier Fourdan
c7beaec76c xkb: Prevent overflow in XkbSetCompatMap()
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.

However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.

To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.

CVE-2025-62231, ZDI-CAN-27560

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 475d9f49ac)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
2025-10-28 14:27:03 +01:00
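
The 16-bit wrap described in the commit message above, shown next to a checked form, as an added example (not the xserver patch itself). The struct is a toy model holding only the two counters the message names; the function names, the 16-bit parameter types and the `DEMO_*` return codes are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>

/* Stand-ins for the X protocol's Success and BadValue codes (assumed values). */
enum { DEMO_SUCCESS = 0, DEMO_BAD_VALUE = 2 };

/* Toy model holding only the two 16-bit counters the commit message names. */
struct compat_counts {
    unsigned short num_si;
    unsigned short size_si;
};

/* Behaviour the commit message describes before the fix: the sum goes
 * straight into the 16-bit fields, so it wraps modulo USHRT_MAX + 1. */
void set_counts_unchecked(struct compat_counts *c,
                          unsigned short firstSI, unsigned short nSI) {
    c->num_si = c->size_si = (unsigned short)(firstSI + nSI);
}

/* Hardened form: add in a wider type and reject a sum that does not fit,
 * leaving the stored counters untouched on error. */
int set_counts_checked(struct compat_counts *c,
                       unsigned short firstSI, unsigned short nSI) {
    unsigned long total = (unsigned long)firstSI + nSI;

    if (total > USHRT_MAX)
        return DEMO_BAD_VALUE;
    c->num_si = c->size_si = (unsigned short)total;
    return DEMO_SUCCESS;
}

/* Entries the request covers beyond what the wrapped counter records. */
unsigned long entries_unaccounted(unsigned short firstSI, unsigned short nSI) {
    struct compat_counts c = { 0, 0 };

    set_counts_unchecked(&c, firstSI, nSI);
    return (unsigned long)firstSI + nSI - c.num_si;
}

int main(void) {
    struct compat_counts c = { 0, 0 };

    set_counts_unchecked(&c, 65535, 2);
    printf("unchecked: num_si=%u (request described %lu entries)\n",
           (unsigned)c.num_si, 65535UL + 2);
    printf("checked:   rc=%d\n", set_counts_checked(&c, 65535, 2));
    return 0;
}
```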
Olivier Fourdan
1abca0b9b5 xkb: Free the XKB resource when freeing XkbInterest
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.

As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:

 | Invalid read of size 8
 |   at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
 |   by 0x5B3391: XkbClientGone (xkb.c:7094)
 |   by 0x4DF138: doFreeResource (resource.c:890)
 |   by 0x4DFB50: FreeClientResources (resource.c:1156)
 |   by 0x4A9A59: CloseDownClient (dispatch.c:3550)
 |   by 0x5E0A53: ClientReady (connection.c:601)
 |   by 0x5E4FEF: ospoll_wait (ospoll.c:657)
 |   by 0x5DC834: WaitForSomething (WaitFor.c:206)
 |   by 0x4A1BA5: Dispatch (dispatch.c:491)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)
 | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
 |   at 0x4842E43: free (vg_replace_malloc.c:989)
 |   by 0x49C1A6: CloseDevice (devices.c:1067)
 |   by 0x49C522: CloseOneDevice (devices.c:1193)
 |   by 0x49C6E4: RemoveDevice (devices.c:1244)
 |   by 0x5873D4: remove_master (xichangehierarchy.c:348)
 |   by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
 |   by 0x579BF1: ProcIDispatch (extinit.c:390)
 |   by 0x4A1D85: Dispatch (dispatch.c:551)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)
 | Block was alloc'd at
 |   at 0x48473F3: calloc (vg_replace_malloc.c:1675)
 |   by 0x49A118: AddInputDevice (devices.c:262)
 |   by 0x4A0E58: AllocDevicePair (devices.c:2846)
 |   by 0x5866EE: add_master (xichangehierarchy.c:153)
 |   by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
 |   by 0x579BF1: ProcIDispatch (extinit.c:390)
 |   by 0x4A1D85: Dispatch (dispatch.c:551)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)

To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.

CVE-2025-62230, ZDI-CAN-27545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 10c94238bd)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
2025-10-28 14:27:03 +01:00
Olivier Fourdan
a1d4f04bbd xkb: Make the RT_XKBCLIENT resource private
Currently, the resource is only available to the xkb.c source file.

In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.

This is related to:

CVE-2025-62230, ZDI-CAN-27545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 99790a2c92)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
2025-10-28 14:27:03 +01:00
Olivier Fourdan
4d07b16328 present: Fix use-after-free in present_create_notifies()
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.

However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.

When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.

As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:

 |  Invalid write of size 8
 |     at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
 |     by 0x534A56: present_destroy_window (present_screen.c:107)
 |     by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
 |     by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
 |     by 0x51EAC4: damageDestroyWindow (damage.c:1592)
 |     by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
 |     by 0x4EAC55: FreeWindowResources (window.c:1023)
 |     by 0x4EAF59: DeleteWindow (window.c:1091)
 |     by 0x4DE59A: doFreeResource (resource.c:890)
 |     by 0x4DEFB2: FreeClientResources (resource.c:1156)
 |     by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
 |     by 0x5DCC78: ClientReady (connection.c:603)
 |   Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
 |     at 0x4841E43: free (vg_replace_malloc.c:989)
 |     by 0x5363DD: present_destroy_notifies (present_notify.c:111)
 |     by 0x53638D: present_create_notifies (present_notify.c:100)
 |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
 |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
 |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
 |     by 0x4A1E4E: Dispatch (dispatch.c:561)
 |     by 0x4B00F1: dix_main (main.c:284)
 |     by 0x42879D: main (stubmain.c:34)
 |   Block was alloc'd at
 |     at 0x48463F3: calloc (vg_replace_malloc.c:1675)
 |     by 0x5362A1: present_create_notifies (present_notify.c:81)
 |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
 |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
 |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
 |     by 0x4A1E4E: Dispatch (dispatch.c:561)
 |     by 0x4B00F1: dix_main (main.c:284)
 |     by 0x42879D: main (stubmain.c:34)

To fix the issue, count and remove the actual number of notify elements
added in case of error.

CVE-2025-62229, ZDI-CAN-27238

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 5a4286b13f)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
2025-10-28 14:27:03 +01:00
Alan Coopersmith
88480435c2 dix: avoid memory leak in ProcListProperties()
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/property.c:584:5:
 warning[-Wanalyzer-malloc-leak]: leak of ‘pAtoms’

Can happen if, and only if, XaceHookPropertyAccess() blocks access
to all properties, so that numProps ends up zero on the second loop.

Fixes: 39f337fd4 ("dix: ProcListProperties: skip unneeded work if numProps is 0")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ed92eae84d)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2076>
2025-10-21 08:57:52 +02:00
Alan Coopersmith
cdf3045f3f dix: handle allocation failure in ChangeWindowDeviceCursor()
Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../dix/window.c:3495:9:
 warning[-Wanalyzer-possible-null-dereference]:
 dereference of possibly-NULL ‘pNewNode’
xwayland-24.1.6/redhat-linux-build/../dix/window.c:3494:20:
 acquire_memory: this call could return NULL

Fixes: 95e1a8805 ("Xi: Adding ChangeDeviceCursor request" in xorg 1.10.0)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c9fa8a8da1)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2076>
2025-10-21 08:57:52 +02:00
Alan Coopersmith
0e8f3d3646 dix: assert that size of buffers to swap is a multiple of the swap size
If we're swapping 4-byte integers or 2-byte integers, make sure the size
of the buffer doesn't have any bytes left over, since we won't correctly
handle those bytes.

Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:99:22:
 warning[-Wanalyzer-allocation-size]:
 allocated buffer size is not a multiple of the pointee's size

xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:146:22:
 warning[-Wanalyzer-allocation-size]:
 allocated buffer size is not a multiple of the pointee's size

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit cf49354b60)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2076>
2025-10-21 08:57:52 +02:00
Alan Coopersmith
7fac611a37 dix: avoid null dereference if wOtherInputMasks() returns NULL
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.

Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../dix/gestures.c:242:9:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:765:9:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:782:9:
 warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 15496a5e3d)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2076>
2025-10-21 08:57:52 +02:00