ZDI-CAN-19866/CVE-2023-1393
If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.
Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 26ef545b35)
It could happen with the following call path:
frame_callback
xwl_present_frame_callback
xwl_present_msc_bump
xwl_present_execute
xwl_present_flip
xwl_window_create_frame_callback
The nested loop called xwl_present_reset_timer, which may end up calling
xorg_list_del for the entry after the one frame_callback started the
chain for. This resulted in the outer loop never terminating, because
its next element wasn't hooked up to the list anymore.
We avoid this by calling xwl_present_reset_timer as needed in
frame_callback, and bailing from xwl_window_create_frame_callback if it
was called from the former.
We also catch nested calls and FatalError if they ever happen again due
to another bug.
v2:
* Leave xwl_present_reset_timer call in xwl_present_frame_callback,
needed if xwl_present_msc_bump didn't hook up the window to the frame
callback list again.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1442
(cherry picked from commit 754d6b6dd0)
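The hang described above, reduced to a stand-alone model (added example, not xserver code): a minimal intrusive list in the style of xorg_list, a walk that caches the next entry the way a for_each_safe loop does, and a nested call that deletes that cached entry. The `in_callback` guard and the bail-out in `nested_reset` stand in for the fix; `MAX_STEPS` is only there so the non-terminating case can be observed.

```c
/* Added example, not xserver code: models the nested-delete hang. */
#include <stdlib.h>

struct list { struct list *prev, *next; };
static void list_init(struct list *l) { l->prev = l->next = l; }
static void list_add(struct list *e, struct list *head) {
    e->next = head->next; e->prev = head; head->next->prev = e; head->next = e;
}
/* Like xorg_list_del: unlink, then re-init so the entry points at itself. */
static void list_del(struct list *e) {
    e->prev->next = e->next; e->next->prev = e->prev; list_init(e);
}
struct item { struct list link; int id; };   /* link is the first member */
#define ITEM(ptr) ((struct item *)(ptr))

#define MAX_STEPS 100    /* bound so a loop that never ends is observable */
static int in_callback;  /* set while the outer "frame callback" walk runs */

/* The nested path ("reset timer"): removes the entry *after* cur. With the
 * guard it bails and leaves the reset to the outer walk, as in the fix. */
static void nested_reset(struct list *cur, int guarded) {
    if (guarded && in_callback) return;
    if (cur->next != cur) list_del(cur->next);
}

/* Walk three entries once, caching next like for_each_safe, and trigger the
 * nested path from the first entry. Returns entries visited, or -1 if the
 * walk never terminates (the symptom from the bug report). */
static int run_frame_callback(int guarded) {
    struct list head, *cur, *next; struct item items[3];
    int visited = 0, steps = 0, i;
    if (in_callback) abort();   /* a nested entry here is a bug (FatalError) */
    list_init(&head);
    for (i = 2; i >= 0; i--) { items[i].id = i; list_add(&items[i].link, &head); }
    in_callback = 1;
    for (cur = head.next, next = cur->next; cur != &head; cur = next, next = cur->next) {
        if (++steps > MAX_STEPS) { in_callback = 0; return -1; }
        visited++;
        if (ITEM(cur)->id == 0) nested_reset(cur, guarded);  /* deletes item 1 */
        /* unguarded: next now points at itself, so the walk spins forever */
    }
    in_callback = 0;
    return visited;
}
```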
`glamor_make_current` is always called before any calls to GL.
Apply some dirty-tracking to whenever we call `glamor_make_current` so
that we can avoid a decent amount of redundant GL work on each
Dispatch cycle.
Gamescope previously was waking up an empty Xwayland server with an
XQueryPointer and I noticed a significant amount of churn doing
redundant GL work.
This has been addressed on the Gamescope side as well, but avoiding any
useless GL context switches and flushes when glamor is doing nothing
is still beneficial for CPU and power usage on portable devices.
Signed-off-by: Joshua Ashton <joshua@froggi.es>
Reviewed-by: Emma Anholt <emma@anholt.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 89163917e1)
weston-info has been deprecated for quite some time, whereas wayland-info
may not be available yet.
So we use either, depending on what's actually available.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit fc625fe172)
Commit 3c07a01c4 (xwayland: Use xdg-output name for XRandR) changed the
logic to use a fixed sized buffer allocated on the stack to pass to
RROutputCreate() which would then copy it.
Valgrind complains about this:
== Conditional jump or move depends on uninitialised value(s)
== at 0x49954B: MakeAtom (atom.c:87)
== by 0x5108B3: RRMonitorCrtcName (rrmonitor.c:33)
== by 0x510BBB: RRMonitorSetFromServer (rrmonitor.c:92)
== by 0x511882: RRMonitorMakeList (rrmonitor.c:373)
== by 0x512175: ProcRRGetMonitors (rrmonitor.c:634)
== by 0x508091: ProcRRDispatch (randr.c:748)
== by 0x4A860E: Dispatch (dispatch.c:546)
== by 0x4B692F: dix_main (main.c:271)
== by 0x431C90: main (stubmain.c:34)
== Uninitialised value was created by a stack allocation
== at 0x42122C: xwl_output_create (xwayland-output.c:816)
This is actually harmless, but also simple to avoid by just initializing
the content of the array with zeros, so let's just fix that.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Fixes: commit 3c07a01c4 - xwayland: Use xdg-output name for XRandR
(cherry picked from commit 1209a1bb57)
If we allocated with implicit modifiers, then we shouldn't use the
modifier returned by gbm_bo when checking whether the modifier is
supported or not, since it won't be if the compositor only advertises
implicit modifiers, nor should we use the modifier when creating the
Wayland buffer object, as it wasn't explicitly advertised.
Fixes: c6f2598a4 ("xwayland: don't fall back to wl_drm with explicit modifier")
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
(cherry picked from commit 4e20d96e8d)
If we're using implicit modifiers, we'll pass NULL and zero modifiers.
Let's just use the legacy API directly instead.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
(cherry picked from commit 08b0ea09de)
To correctly render a window making use of SHAPE, a compositor
must query the shape rectangles. This may not be a desirable
feature for a Wayland compositor. Allow SHAPE to be turned off at
runtime, so that the compositor can opt-out.
Signed-off-by: Simon Ser <contact@emersion.fr>
(cherry picked from commit 21b3dad238)
The linux_dmabuf_v1 protocol doesn't guarantee any DRM node type:
the compositor may send a primary node or a render node. Use
drmDevice so that device comparisons are node-type-insensitive.
Signed-off-by: Simon Ser <contact@emersion.fr>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1447
(cherry picked from commit 6f0b9deed6)
With wl_pointer.axis_v120 support, the wl_seat supported version has
been bumped to 8, but Xwayland is still using MAP_SHARED which is
prohibited, wl_seat version 7 and above enforces the use of MAP_PRIVATE
for keymaps.
Use MAP_PRIVATE for the keymaps mmap().
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1512
Fixes: 3a02f56b4 - hook up wl_pointer.axis_v120 events
(cherry picked from commit d5dd3f3cee)
It's incorrect to strip an explicit modifier. Daniels' docs [1]
state:
> when importing a buffer, the user may supply `DRM_FORMAT_MOD_INVALID` as the
> buffer modifier (or not supply a modifier) to indicate that the modifier is
> unknown for whatever reason; this is only acceptable when the buffer has
> not been allocated with an explicit modifier
[1]: https://lore.kernel.org/dri-devel/20210905122742.86029-1-daniels@collabora.com/
Signed-off-by: Simon Ser <contact@emersion.fr>
(cherry picked from commit c6f2598a4e)
When the modifier is not supported by the compositor, and the
DMA-BUF contains multiple planes, xwl_pixmap->buffer is NULL.
Avoid crashing when calling wl_buffer_add_listener().
Signed-off-by: Simon Ser <contact@emersion.fr>
(cherry picked from commit 76a329e55c)
With the addition of linux_dmabuf v4, the code adds dev_t in various
places but did not include <sys/types.h>.
While that works on glibc, it may fail to build on other libc
implementations such as musl libc.
Make sure to explicitly include <sys/types.h> where we use dev_t.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1445
Fixes: bddfe190de - Implement linux_dmabuf_feedback event handlers
(cherry picked from commit 24171bb710)
The increment sign wasn't taken into account when checking if the next
value is past our current value. The result was that for negative
increments, we kept looping indefinitely, locking up the server.
Easiest to reproduce with the evdev driver which has a negative
increment on the y axis.
Fixes 0a22502c34
dix: switch scroll button emulation to multiples of increment
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d2158d4063)
We're keeping it for unit tests, but we don't want to ship it from this
branch.
Also disable Xvfb in CI for ninja test. It's still built and used for
unit tests as part of ninja dist, but we don't want to run XTS on Xvfb.
(cherry picked from commit 0408fcb329)
And simplify build_glamor logic, we don't need the separate
glamor_option variable anymore.
(cherry picked from commit fdc61c5a3c)
(cherry picked from commit 274d54d1c3)
The current algorithm triggers a bug in Xwayland when two devices have
different granularity of scrolling. In Xwayland, the scroll increment is
1 and all physical devices scroll through the same (x)wayland pointer
device.
This may cause events to get lost when changing devices:
- mouse scrolls by full increment, current value is 1.0
last scroll button was sent for valuator value 0.0,
delta is 1.0 and we emulate a button event.
- touchpad scrolls by partial increment, current value is 1.3
last scroll button was sent for valuator value 1.0, delta is 0.3
and no button event is emulated
- mouse scrolls by full increment, current value is -0.7,
last scroll button was sent for valuator value 1.0, delta is -0.7
and no button event is emulated
Thus the wheel event appears to get lost. Xwayland cannot reliably
detect this case because we don't see the physical devices.
We can work around this by instead emulating buttons whenever we cross
a multiple of increment. However, this has a drawback:
high-resolution scroll devices can now trigger a button event storm by
jittering across the multiple of increment. e.g. in the example above
the touchpad moving from 1.3 to 1.0 would cause a click, despite this
being a third of an increment.
Fixes #1339
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
storeLastValuators() takes the index in the mask for the x and y axis.
Completely pointless because any device that doesn't have x/y on 0 and
1, respectively, is going to break in fun ways anyway. And we only have
two callers to this function, both of which hardcode 0 and 1.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This enables fixing a deadlock case on the client side, where the client
ends up blocked waiting for a Present event that will never come because
the window was destroyed. The new PresentWindowDestroyed flag allows the
client to avoid blocking indefinitely.
Signed-off-by: Adam Jackson <ajax@redhat.com>
See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/116
See-also: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6685
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
This allows developers to set up Xwayland as a subproject of a
Wayland compositor, and have it correctly pick up the features
advertised in the dependency variables.
Signed-off-by: Simon Ser <contact@emersion.fr>
Remove the xwayland.pc.in file:
- This avoids writing down each pkg-config variable twice: once in
the Meson files to set the configuration data, once in the .pc.in
file to print it.
- We'll be able to re-use the same variables for use as a
subproject.
Signed-off-by: Simon Ser <contact@emersion.fr>
If wl_output provides us with an output name, use that as well.
If we have both xdg_output.name and wl_output.name (from version >= 4),
prefer the latter.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
See-also: https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/189
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
With the wl_output protocol, the actual bind to the interface is done in
xwl_output_create().
Pass the version number from the registry so we can bind to the minimum
version.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Currently, Xwayland assigns sequential output names for XRandR. When an
output is hotplugged, a new name is assigned sequentially (XWAYLAND0,
XWAYLAND1, etc.). This is a problem because if a monitor is unplugged
and plugged again, it will get a new name each time.
Luckily, xdg-output provides us with a name for the outputs.
Even though the protocol states that the name is not a reflection of the
underlying DRM connector name, it is to remain consistent across
sessions with the same hardware and software configuration.
So we could use the xdg-output name for the XRandR reported name for the
output.
Doing so is a bit tricky though, because the output name is set at
creation and is not supposed to change. The xdg-output event that
provides us with the name will come at a later time.
So we just allocate a default fixed size for the output name at creation
and just replace the default output name with the xdg-output name when
that is known.
Also, historically, some X11 clients were expecting output names in
Xwayland to be named XWAYLAND<x> and used that to check whether they
were running on Xwayland. Those clients should now use the Xwayland X11
extension which is designed specifically for that purpose.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1353
See-also: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/954
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Since commit 204f10c2, we notify XRandR clients that the randr
configuration has changed as soon as a new output is created.
Yet, this might be premature, considering that at that point, we are
still to receive the wl_output and xdg-output events that will most
likely change the setup.
So instead of calling RRTellChanged() from xwl_output_create(), wait
until we get to call apply_output_change(), which occurs after the done
events from both xdg-output and wl_output are received.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Some drivers (e.g. AMD GFX8-) don't support explicit format
modifiers. On these drivers, gbm_bo_create_with_modifiers()
will fail. This results in "Error getting buffer" in the logs
later on with all X11 windows staying invisible.
Fall back to the modifier-less API gbm_bo_create() in that case.
Signed-off-by: Simon Ser <contact@emersion.fr>
The window might be retained in the damage list after
`xwl_screen_post_damage` in certain conditions. This means we need to
check if the window is already in the list to avoid adding the same
window twice which will lead to list corruption resulting in server freeze
in `xwl_screen_post_damage`.
Signed-off-by: Minh Phan <phanquangminh217@gmail.com>
The code in AttachDevice() may free the dev->spriteInfo->sprite under
some circumstances and later call GetCurrentRootWindow() which uses
the same dev->spriteInfo->sprite.
While it seems unlikely that this is actually an issue, considering the
cases where one or the other get called, it still makes the code look
suspicious.
Make sure to set dev->spriteInfo->sprite to NULL immediately
after it's freed to avoid any confusion, even if only to clarify the
code.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1436