In Wayland, mouse coordinates are not updated after all x11 clients have left,
causing the mouse information to remain at the position left by the last x11
client. However, if CheckMotion is called at this point for other reasons
(such as window mapped, reactive, etc.), xwayland might continue to send enter
events to x11 clients, even if the mouse is actually on a Wayland client.
This MR introduces and checks pointer_enter_count to determine if the mouse
has left an x11 client and is now on a Wayland client. When it's confirmed
that the mouse is no longer on an x11 client but on a Wayland client,
returning TRUE in sprite_check_lost_focus causes XYToWindow to return to the
root window, preventing further enter events from being sent to x11 clients.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2112>
Make sure the code change does not contain tab characters nor stray
newlines.
This is contributed by Peter Hutterer, adapted from the libinput similar
CI check.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2121>
When running rootful, i.e. as a regular Wayland client, Xwayland needs
to wait for the initial configure event before posting its initial
buffer and commit the surface.
Not doing so may cause mutter to log a warning when Xwayland is started
rootful:
| Buggy client (org.freedesktop.Xwayland) committed initial non-empty
| content without acknowledging configuration, working around.
Or running rootful with libdecor:
| Client provided invalid window geometry for xdg_surface#nn
| (org.freedesktop.Xwayland - Wnn (Xwayland on :nn)). Working around.
|
| Buggy client (org.freedesktop.Xwayland) committed initial non-empty
| content without acknowledging configuration, working around.
This is actually mutter being nice, as this should be treated as a
protocol error and Xwayland would be terminated.
To avoid the issue, we need to hold on attaching a buffer and committing
the surface until we actually get the first configure event from the
compositor.
That, however, only applies to rootful mode, so we can leave the default
code path for rootless untouched.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1853
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
v2: commit the surface after attaching the first buffer on configure
event only for the initial configure (Michel Dänzer).
v3: return early in present flip if we didn't get the initial configure
event (Michel Dänzer).
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2110>
Up to the native mode, as reported by the wl_output protocol.
This ensures that fullscreen apps can always use the native mode.
Also ensure the root window is large enough for the output at its
current position with the native mode.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2095>
In the rootless case, Xwayland receives pointer motion events only while
the pointer is over one of its Wayland surfaces, so there's no need for
constraining them to RandR boundaries.
This also avoids them getting spuriously constrained when using RandR
emulation for modes larger than the default one.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2095>
Always add it as the first mode, which makes it considered the preferred
mode per the RandR protocol.
Mark the logical mode as currently set.
v2:
* Drop change in xwl_window_should_enable_viewport which seems
unnecessary and could result in a crash. (Olivier Fourdan)
* Use 'native' instead of 'actual'.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2095>
When compiling with gcc 15.2.0 using -O3 -m64 on Solaris SPARC & x64,
we'd get a test failure of:
Assertion failed: strcmp(logmsg, expected) == 0,
file ../test/signal-logging.c, line 339, function logging_format
because 'num *= 1' produced a value that was out of the range of the
int64_t it was being stored in. (Compiling with -O2 worked fine with
the same compiler/configuration/platform though.)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2117>
In the `Fopen` function, the variable `iop` may store NULL as a result of the
`fopen` call. In this case, if privileges later couldn't be restored (the
`seteuid` call fails), the subsequent `fclose(iop)` call will cause a runtime error.
This commit adds a check of `iop` for NULL before calling `fclose` to prevent a
potential NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2115>
Xwayland was sending incorrect pointer coordinates to X clients on
pointer enter events.
This was caused by calling CheckMotion() with a NULL event, which
prevented the pointer sprite hot coordinates from being updated
properly.
Fix this by constructing a proper DeviceEvent of type ET_Enter in
pointer_handle_enter, initializing it with the current timestamp
and EVENT_SOURCE_FOCUS, and passing it to CheckMotion() instead
of NULL.
This ensures the pointer sprite coordinates are correctly updated
when the pointer enters a window.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2113>
dixLookupResourceByType always overwrites the pointer passed in as the
first arg, so we shouldn't use the union it's in after that to get the
requested XID value to put in the errorValue.
Closes: #1857
Fixes: 2d7eb4a19 ("Pre-validate ChangeGC XIDs.")
Reported-by: Mouse <mouse@Rodents-Montreal.ORG>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2111>
The old code tried to use a screen pointer that was uninitialized and set to NULL.
This caused it to segfault when this option was set.
When this option was used with the modesetting driver, `glamor_egl_init`
is called indirectly in the driver PreInit proc.
`xf86ScrnToScreen(scrn)` then returns NULL.
This patch moves setting the gl vendor later in the initialization process,
when we already have a non-null pScreen.
Minimal reproducer:
```
$ cat /etc/X11/xorg.conf.d/99-screen.conf
Section "Screen"
Identifier "Default"
Option "GlxVendorLibrary" "Name"
EndSection
```
Backtrace:
```
| #0 in abort ()
| #1 in OsAbort () at os/utils.c:1361
| #2 in AbortServer () at os/log.c:879
| #3 FatalError () at os/log.c:1017
| #4 in OsSigHandler () at os/osinit.c:156
| #5 OsSigHandler () at os/osinit.c:110
| #6 <signal handler called>
| #7 in __pthread_kill_implementation () from /lib64/libc.so.6
| #8 in raise () from /lib64/libc.so.6
| #9 in abort () from /lib64/libc.so.6
| #10 in __assert_fail_base.cold () from /lib64/libc.so.6
| #11 in xf86ScrnToScreen () at hw/xfree86/common/xf86Helper.c:1734
| #12 in glamor_egl_init () at glamor/glamor_egl.c:1108
| #13 in try_enable_glamor () at hw/xfree86/drivers/modesetting/driver.c:984
| #14 PreInit () at hw/xfree86/drivers/modesetting/driver.c:1211
| #15 in InitOutput () at hw/xfree86/common/xf86Init.c:478
| #16 in dix_main () at dix/main.c:190
| #17 main () at dix/stubmain.c:34
```
Fixes: a449bb4c5 - glamor_egl: add support of GlxVendorLibrary option
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2096>
Provide information on where to report or learn of security bugs,
and what we do or do not consider to be a security bug.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2103>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_render.c:1577:21:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_dash.c:152:10:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
We know that if gc->tileIsPixel is false, then gc->tile.pixmap must be
a valid pixmap, but gcc's static analyzer doesn't and needs to be told.
Silences false positive reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_core.c:205:19:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
Unlike GetPictureScreen(), GetPictureScreenIfSet() checks if the
private key is registered, and returns NULL if it is not.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor.c:926:5:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘ps’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
warning[-Wanalyzer-out-of-bounds]: stack-based buffer over-read
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
danger: out-of-bounds read from byte 16 till byte 19
but ‘fds’ ends at byte 16
141| int i;
142| for (i = 0; i < num_fds; i++)
143|-> close(fds[i]);
144| return -1;
145| }
Only possible if fds_from_pixmap returns a value > 4, but the analyzer
doesn't know the interface is defined not to do that.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2085>
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
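As an added illustration of the check described in this commit (example code written for this page, not the X server's _XkbSetCompatMap() itself): a constructed stand-in for the two unsigned short XkbCompatMap fields, with the unchecked assignment beside the checked one. The Success/BadValue values and the struct are assumptions made for the example; the point is that the sum must be computed in a wider type and compared against USHRT_MAX before it is stored.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-ins for the X server return codes; the names follow
 * X11/X.h but the surrounding code is illustrative, not the server's. */
#define Success  0
#define BadValue 2

/* Constructed stand-in for the two XkbCompatMap fields the commit
 * describes: both are stored as unsigned short. */
struct compat_map {
    unsigned short num_si;   /* number of symbol interpretations in use */
    unsigned short size_si;  /* number of allocated entries */
};

/* Unchecked pattern: firstSI + nSI is computed as int and silently
 * truncated when stored into unsigned short (65535 + 1 becomes 0). */
int set_compat_map_unchecked(struct compat_map *map,
                             unsigned short firstSI, unsigned short nSI)
{
    map->num_si = (unsigned short)(firstSI + nSI);
    map->size_si = (unsigned short)(firstSI + nSI);
    return Success;
}

/* Checked pattern: compute the sum in a wider type, reject anything that
 * does not fit in unsigned short, and only then store it. */
int set_compat_map_checked(struct compat_map *map,
                           unsigned short firstSI, unsigned short nSI)
{
    unsigned int total = (unsigned int)firstSI + (unsigned int)nSI;

    if (total > USHRT_MAX)
        return BadValue;

    map->num_si = (unsigned short)total;
    map->size_si = (unsigned short)total;
    return Success;
}

int main(void)
{
    struct compat_map map = { 0, 0 };

    set_compat_map_unchecked(&map, 65535, 1);
    printf("unchecked: num_si=%u size_si=%u\n", map.num_si, map.size_si);

    if (set_compat_map_checked(&map, 65535, 1) == BadValue)
        printf("checked: 65535 + 1 rejected with BadValue\n");

    return 0;
}
```

The wrap-around matters because num_si and size_si are later used as bounds for the symbol-interpretation array, so a truncated count understates how much memory is actually addressed.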
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:
| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Currently, the resource is only available to the xkb.c source file.
In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.
This is related to:
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.
However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.
When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.
As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:
| Invalid write of size 8
| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
| by 0x534A56: present_destroy_window (present_screen.c:107)
| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
| by 0x4EAC55: FreeWindowResources (window.c:1023)
| by 0x4EAF59: DeleteWindow (window.c:1091)
| by 0x4DE59A: doFreeResource (resource.c:890)
| by 0x4DEFB2: FreeClientResources (resource.c:1156)
| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
| by 0x5DCC78: ClientReady (connection.c:603)
| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
| at 0x4841E43: free (vg_replace_malloc.c:989)
| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
| by 0x53638D: present_create_notifies (present_notify.c:100)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
| by 0x5362A1: present_create_notifies (present_notify.c:81)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
To fix the issue, count and remove the actual number of notify elements
added in case of error.
CVE-2025-62229, ZDI-CAN-27238
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
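As an added example of the fix described above (written for this page; it is not the Present extension's own present_create_notifies() and its data structures are a constructed model): windows keep a linked list of pending notifies, the lookup can fail before an entry is linked, and the error path unwinds only the number of entries that were actually added. The struct names, the `valid` flag standing in for a failed window lookup, and the return codes are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not the Present extension's own data structures:
 * a window keeps a singly linked list of pending notifies, and each
 * notify points back at its window. */
struct notify;

struct window {
    int id;
    int valid;              /* 0 models a window lookup that fails */
    struct notify *head;    /* pending notifies attached to this window */
};

struct notify {
    struct window *window;
    struct notify *next;
};

/* Link a notify into its window's list. */
static void add_notify(struct notify *n)
{
    n->next = n->window->head;
    n->window->head = n;
}

/* Unlink a notify from its window's list; harmless if it isn't there. */
static void remove_notify(struct notify *n)
{
    struct notify **pp;

    for (pp = &n->window->head; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == n) {
            *pp = n->next;
            n->next = NULL;
            return;
        }
    }
}

/* Unlink exactly `count` notifies from the front of the array, then free
 * the array. A count larger than the number actually linked would touch
 * entries whose window pointer was never set, so the caller must pass the
 * real number of added entries. */
void destroy_notifies(struct notify *notifies, int count)
{
    for (int i = 0; i < count; i++)
        remove_notify(&notifies[i]);
    free(notifies);
}

/* Build the notifies for `num` windows. Failure can happen before the
 * entry is linked (invalid window), so `added` is advanced only after a
 * successful add and is what the error path unwinds. Returns 0 on
 * success, -1 on allocation failure, -2 on an invalid window. */
int create_notifies(struct window **wins, int num, struct notify **out)
{
    struct notify *notifies = calloc((size_t)num, sizeof *notifies);
    int added = 0;

    if (notifies == NULL)
        return -1;

    for (int i = 0; i < num; i++) {
        if (!wins[i]->valid) {
            /* Nothing for index i has been linked: unwind only `added`. */
            destroy_notifies(notifies, added);
            return -2;
        }
        notifies[i].window = wins[i];
        add_notify(&notifies[i]);
        added++;
    }

    *out = notifies;
    return 0;
}

/* Number of notifies still attached to a window. */
int window_list_length(const struct window *w)
{
    int n = 0;
    for (const struct notify *p = w->head; p != NULL; p = p->next)
        n++;
    return n;
}

int main(void)
{
    struct window a = { 1, 1, NULL }, b = { 2, 1, NULL }, c = { 3, 0, NULL };
    struct window *wins[3] = { &a, &b, &c };
    struct notify *n = NULL;

    /* Third window is invalid: the first two must be unlinked again. */
    printf("create: %d, remaining on a: %d, on b: %d\n",
           create_notifies(wins, 3, &n), window_list_length(&a),
           window_list_length(&b));
    return 0;
}
```

After a failed create, every window list is empty again and the array is gone, so a later window teardown that walks the list cannot reach freed memory. The same bookkeeping applies when a failure happens after the add: the entry was linked, so `added` already covers it.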
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/property.c:584:5:
warning[-Wanalyzer-malloc-leak]: leak of ‘pAtoms’
Can happen if, and only if, XaceHookPropertyAccess() blocks access
to all properties, so that numProps ends up zero on the second loop.
Fixes: 39f337fd4 ("dix: ProcListProperties: skip unneeded work if numProps is 0")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
If we're swapping 4-byte integers or 2-byte integers, make sure the size
of the buffer doesn't have any bytes left over, since we won't correctly
handle those bytes.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:99:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:146:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
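As an added example of the size check this commit describes (example code written for this page, not the server's Swap32Write()/Swap16Write() in swaprep.c): two in-place byte-swap helpers that refuse a buffer whose byte length is not a whole number of 4-byte or 2-byte elements, since the trailing bytes would otherwise be silently left unswapped. The function names and return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed helper: byte-swap every 32-bit element of `buf` in place.
 * Returns 0 on success, -1 if `size` is not a multiple of 4, in which case
 * nothing is modified (the leftover bytes could not be handled correctly). */
int swap32_bytes_checked(unsigned char *buf, size_t size)
{
    if (size % 4 != 0)
        return -1;

    for (size_t i = 0; i < size; i += 4) {
        unsigned char t0 = buf[i], t1 = buf[i + 1];
        buf[i]     = buf[i + 3];
        buf[i + 1] = buf[i + 2];
        buf[i + 2] = t1;
        buf[i + 3] = t0;
    }
    return 0;
}

/* Constructed helper: the same check for 16-bit elements. */
int swap16_bytes_checked(unsigned char *buf, size_t size)
{
    if (size % 2 != 0)
        return -1;

    for (size_t i = 0; i < size; i += 2) {
        unsigned char t = buf[i];
        buf[i] = buf[i + 1];
        buf[i + 1] = t;
    }
    return 0;
}

/* Convenience for callers: copy `size` bytes into `out`, swapping 32-bit
 * elements, so the caller's buffer is untouched. Same return codes. */
int swap32_copy_checked(const unsigned char *in, unsigned char *out, size_t size)
{
    if (size % 4 != 0)
        return -1;
    memcpy(out, in, size);
    return swap32_bytes_checked(out, size);
}
```

Rejecting the odd-sized buffer up front is what turns the analyzer's "allocated buffer size is not a multiple of the pointee's size" warning into an explicit contract: the caller must size its reply data in whole elements.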
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/gestures.c:242:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:765:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:782:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
Since 1e728c3e88, whenever we allocate a composite pixmap, we perform an expensive CopyArea call from the parent pixmap.
This leads to very bad performance when using a framebuffer driver without shadowfb.
My guess is that this call ends up reading memory from the framebuffer memory directly, which is very slow.
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1814
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2073>
InputOnly windows aren't relevant here.
E.g. mutter-x11-frames uses GTK4, which creates a 1x1 InputOnly child
window, which previously prevented this code from working as intended.
v2: (Olivier Fourdan)
* Rename output_child -> input_output_child.
* Add comment in get_single_input_output_child explaining why we return
NULL if input_output_child is already non-NULL.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2069>
If the WM client reparents a window, mark the new parent as a WM window.
This helps with current mutter, where decoration windows are created by
a separate mutter-x11-frames client instead of the WM client. There
might be other compositors doing something similar now or in the future.
v2:
* Skip the whole unwrap-and-call-down dance in xwl_reparent_window if
xwl_screen->ReparentWindow is NULL.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2069>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/xibarriers.c:729:5:
warning[-Wanalyzer-null-dereference]:
dereference of NULL ‘AllocBarrierDevice()’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:171:5:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL ‘dev’
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:379:23:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:163:25:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL ‘buf’
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:121:19:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>