fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-06-06 23:28:19 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
read-only mirror of https://gitlab.freedesktop.org/xorg/xserver
18074 commits 91 branches 546 tags 68 MiB
C 96.5%
Roff 1.1%
Objective-C 1%
Meson 0.8%
Python 0.2%
Other 0.2%
Find a file
Peter Hutterer 182c23f780 saver: re-fetch screen private after CheckScreenPrivate in CreateSaverWindow 
CreateSaverWindow stores pPriv (the ScreenSaverScreenPrivatePtr) in a local
variable via the SetupScreen macro at function entry. When an existing saver
window is being replaced, the function sets pPriv->hasWindow = FALSE and
calls CheckScreenPrivate(). If at this point pPriv->attr is NULL (cleared
by a prior UnsetAttributes call), pPriv->events is NULL, and
pPriv->installedMap is None, then CheckScreenPrivate determines the screen
private is unused, frees it, and sets the screen private pointer to NULL.

The function then continues to dereference the now-freed pPriv on the very
next line (pPriv->attr), resulting in a use-after-free. On glibc 2.34+,
the tcache key at offset 8 within the freed block makes pPriv->attr appear
non-NULL, causing the function to continue operating on garbage data and
eventually crash.

The attack sequence is:
  1. SetAttributes (creates pPriv with pPriv->attr set)
  2. ForceScreenSaver(Active) (creates saver window, pPriv->hasWindow=TRUE)
  3. UnsetAttributes (sets pPriv->attr = NULL)
  4. ForceScreenSaver(Active) (re-enters CreateSaverWindow → UAF)

Fix by re-fetching pPriv from the screen private after CheckScreenPrivate
returns, so the subsequent NULL check correctly detects the freed state.

ScreenSaverFreeAttr has the same pattern, force pPriv to NULL there too
even though it has no real effect.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30168

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit ecc634f1b2)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
2026-06-02 09:47:24 +10:00
.gitlab-ci ci: Install libxcvt from git 2021-08-06 11:29:29 +00:00
composite composite: initialize border clip even when pixmap alloc fails 2025-02-25 19:36:29 +01:00
config config: add a quirk for Apple Silicon appledrm 2024-12-02 16:11:51 +00:00
damageext More missing version checks in SProcs 2021-08-08 12:43:01 +00:00
dbe meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
dix dix: Fix builds with meson -Dxace=false -Dwerror=true 2026-03-28 16:40:00 +00:00
doc meson: Implement developer documentation build 2021-08-20 10:26:07 +00:00
dri3 meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
exa exa: rename some badly named variables 2020-07-10 06:17:40 +10:00
fb meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
glamor glamor: avoid double free in glamor_make_pixmap_exportable() 2026-03-28 16:40:00 +00:00
glx glx: fix reversed length check in ChangeDrawableAttributes 2026-06-02 09:47:22 +10:00
hw xf86: check return value of XF86_CRTC_CONFIG_PTR in xf86CompatOutput() 2026-03-28 16:40:00 +00:00
include xkb: Make the RT_XKBCLIENT resource private 2025-10-28 14:15:35 +01:00
m4 Add ax_pthread.m4 to m4/ 2016-05-29 19:20:51 -07:00
man Xserver.man: correct list of available authorization protocols 2025-06-12 18:08:25 -07:00
mi mi: guard miPointer functions against NULL dereferences 2025-04-08 09:50:18 +02:00
miext sync: fix deletion of counters and fences 2026-06-02 09:47:17 +10:00
os os: fix sha1 build error with Nettle 4.0 2026-03-28 16:40:00 +00:00
present present: actually return the created notifies 2026-05-30 10:35:53 -07:00
pseudoramiX Unvalidated lengths 2017-10-10 23:33:34 +02:00
randr randr: clear primary screen's primaryOutput when the output is deleted 2026-03-28 16:39:59 +00:00
record record: Check for overflow in RecordSanityCheckRegisterClients() 2025-06-17 15:06:30 +02:00
render render: fix multiple mem leaks on err paths 2026-03-28 16:39:59 +00:00
test tests: Add missing files to Makefile build 2025-10-28 17:00:57 +01:00
Xext saver: re-fetch screen private after CheckScreenPrivate in CreateSaverWindow 2026-06-02 09:47:24 +10:00
xfixes xfixes: Check request length for SetClientDisconnectMode 2025-06-17 15:06:09 +02:00
Xi Xi: add missing gesture grab type checks in ProcXIPassiveUngrabDevice 2026-05-30 10:35:53 -07:00
xkb xkb: clamp nMaps to mapWidths buffer size in CheckKeyTypes 2026-06-02 09:47:21 +10:00
.appveyor.yml Drop DMX DDX 2021-09-07 09:34:31 +00:00
.dir-locals.el .dir-locals.el: Add missing final newline 2019-10-01 17:05:28 +00:00
.gitignore .gitignore: Add new autotools file 'test-driver' 2014-04-21 13:41:42 -07:00
.gitlab-ci.yml .gitlab-ci: Use meson instead of ninja for running the tests 2025-06-30 11:29:21 +02:00
.travis.yml travis: Add OSX meson build to matrix 2019-05-02 15:42:58 +00:00
autogen.sh autogen: Set a default subject prefix for patches 2016-02-08 17:41:38 -05:00
configure.ac xserver 21.1.22 2026-04-14 15:12:24 +02:00
COPYING COPYING: add author to HPND-sell-MIT-disclaimer-xserver 2026-03-28 16:39:59 +00:00
devbook.am doc: Create a script to filter xmlto output 2015-01-05 14:24:06 -08:00
docbook.am docbook.am: embed css styles inside the HTML HEAD element 2011-09-21 14:07:49 -07:00
Makefile.am Makefile.am: add SECURITY.md to EXTRA_DIST 2025-11-30 17:21:49 +00:00
manpages.am man: Fix automake seddery 2018-05-08 12:15:30 -04:00
meson.build xserver 21.1.22 2026-04-14 15:12:24 +02:00
meson_options.txt meson: fix types for some build options 2026-05-26 17:38:22 -07:00
README.md Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
SECURITY.md Create a SECURITY.md file 2025-11-30 17:21:49 +00:00
xorg-server.m4 xorg-server.m4: just all cflags instead of just sdkdir 2018-09-20 20:12:24 +01:00
xorg-server.pc.in pkgconfig files: Add URL 2025-04-08 10:16:56 +02:00
xserver.ent.in doc: relocate xserver.ent in the package root directory 2011-05-14 11:22:26 -07:00

README.md

X Server

The X server accepts requests from client applications to create windows, which are (normally rectangular) "virtual screens" that the client program can draw into.

Windows are then composed on the actual screen by the X server (or by a separate composite manager) as directed by the window manager, which usually communicates with the user via graphical controls such as buttons and draggable titlebars and borders.

For a comprehensive overview of X Server and X Window System, consult the following article: https://en.wikipedia.org/wiki/X_server

All questions regarding this software should be directed at the Xorg mailing list:

https://lists.freedesktop.org/mailman/listinfo/xorg

The primary development code repository can be found at:

https://gitlab.freedesktop.org/xorg/xserver

For patch submission instructions, see:

https://www.x.org/wiki/Development/Documentation/SubmittingPatches

As with other projects hosted on freedesktop.org, X.Org follows its Code of Conduct, based on the Contributor Covenant. Please conduct yourself in a respectful and civilized manner when using the above mailing lists, bug trackers, etc:

https://www.freedesktop.org/wiki/CodeOfConduct