Peter Hutterer 4b9638714e sync: fix deletion of counters and fences
Both FreeCounter() and miSyncDestroyFence() iterate over the trigger list
and invoke the CounterDestroyed callback on each trigger.

The CounterDestroyed callback (e.g. SyncAwaitTriggerFired) may call
FreeResource/FreeAwait, which frees the SyncAwaitUnion containing all
SyncAwait structs in the same Await group.

When multiple conditions in a single Await reference the same sync
object (counter or fence), the first callback frees all SyncAwait
structs while subsequent trigger list nodes still reference them. On the
next iteration, reading ptl->next or ptl->pTrigger dereferences freed
memory, leading to a use-after-free.

We need separate fixes for separate issues here to fix this in one go:
- use our null-terminated list macro to make sure our next pointer stays
  valid (the code accessed ptl->next after freeing it)
- update the list head before deleting the trigger, eventually this ends
  up being NULL anyway but meanwhile the list head is a valid list
  during CounterDestroyed
- check if we actually do have a trigger before dereferencing the
  callback
- Set all triggers to NULL if they are shared so we don't dereference
  potentially freed memory

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30159 (miSyncDestroyFence), ZDI-CAN-30163 (FreeCounter)

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit f5abfb6199)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2230>
2026-06-02 09:53:34 +10:00
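
An added example, not the xserver patch itself: a simplified C model of the teardown pattern the commit message above describes (advance the list head before the callback, skip cleared triggers, clear shared triggers before the group is freed). All struct and function names are hypothetical.

```c
#include <stdlib.h>

/* Simplified model; all names are hypothetical, not the xserver's. */
struct trigger { void *group; };              /* one await condition   */
struct group   { struct trigger trig[2]; };   /* freed as a single unit */
struct node    { struct trigger *trig; struct node *next; };
struct counter { struct node *head; };
static int callbacks;                          /* callback invocations  */

/* Destroy callback: frees the whole group, so first clear every remaining
 * node that still points at one of this group's triggers. */
static void on_destroyed(struct counter *c, struct trigger *t)
{
    void *g = t->group;
    callbacks++;
    for (struct node *n = c->head; n; n = n->next)
        if (n->trig && n->trig->group == g)
            n->trig = NULL;
    free(g);
}

/* Teardown: advance the head and free the node before the callback runs,
 * then skip nodes whose trigger was cleared. Returns nodes freed. */
static int free_counter(struct counter *c)
{
    int freed = 0;
    for (struct node *n; (n = c->head) != NULL; freed++) {
        struct trigger *t = n->trig;
        c->head = n->next;      /* head is a valid list during callback */
        free(n);
        if (t) on_destroyed(c, t);
    }
    return freed;
}

/* Constructed case: two conditions of one group wait on the same counter. */
static int demo(void)
{
    struct counter c = { NULL };
    struct group *g = calloc(1, sizeof *g);
    for (int i = 0; i < 2; i++) {
        struct node *n = malloc(sizeof *n);
        if (!g || !n) abort();
        g->trig[i].group = g;
        n->trig = &g->trig[i]; n->next = c.head; c.head = n;
    }
    callbacks = 0;
    return free_counter(&c);
}
```

Both list nodes are released, but the callback runs only once because the second node's trigger was cleared before its group was freed.
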
.gitlab-ci CI: update libdecor from 0.1.0 to 0.1.1 2024-09-24 11:33:02 +02:00
composite composite: initialize border clip even when pixmap alloc fails 2025-02-25 19:38:11 +01:00
damageext Remove autotools support 2021-10-27 13:15:40 +03:00
dbe Drop Xorg DDX 2024-04-12 10:40:05 +02:00
dix dix: avoid null ptr deref at doListFontsAndAliases 2026-04-09 08:59:09 +00:00
doc dix: dixutils: make workQueue pointer dix-private 2024-02-23 23:06:38 +00:00
dri3 Drop Xorg DDX 2024-04-12 10:40:05 +02:00
fb Drop Xorg DDX 2024-04-12 10:40:05 +02:00
glamor glamor: avoid double free in glamor_make_pixmap_exportable() 2026-04-09 08:59:08 +00:00
glx glx: reject negative size in FeedbackBuffer and SelectBuffer requests 2026-05-30 10:47:07 -07:00
hw xwayland: Avoid NULL pointer dereference in damage_report() 2026-04-24 09:44:33 +02:00
include xkb: Make the RT_XKBCLIENT resource private 2025-10-28 14:27:03 +01:00
man Drop Xorg DDX 2024-04-12 10:40:05 +02:00
mi mi: guard miPointer functions against NULL dereferences 2025-04-08 10:03:30 +02:00
miext sync: fix deletion of counters and fences 2026-06-02 09:53:34 +10:00
os os: include <assert.h> in ospoll.c 2026-04-09 08:59:09 +00:00
present present: actually return the created notifies 2026-05-30 10:46:58 -07:00
randr randr: clear primary screen's primaryOutput when the output is deleted 2026-04-09 08:59:09 +00:00
record record: Check for overflow in RecordSanityCheckRegisterClients() 2025-06-17 15:08:10 +02:00
render render: fix multiple mem leaks on err paths 2026-04-09 08:59:09 +00:00
test test: Fix xsync test 2025-02-25 19:38:08 +01:00
Xext sync: fix deletion of counters and fences 2026-06-02 09:53:34 +10:00
xfixes xfixes: Check request length for SetClientDisconnectMode 2025-06-17 15:07:52 +02:00
Xi Xi: add missing gesture grab type checks in ProcXIPassiveUngrabDevice 2026-05-30 10:45:45 -07:00
xkb xkb: Add bounds check for action data in CheckKeyActions() 2026-05-30 10:46:43 -07:00
.appveyor.yml Drop Xephyr / kdrive DDX 2024-04-12 10:40:05 +02:00
.dir-locals.el .dir-locals.el: Add missing final newline 2019-10-01 17:05:28 +00:00
.gitignore Clean up the .gitignore file 2024-01-12 00:50:24 +00:00
.gitlab-ci.yml CI: update libdecor from 0.1.0 to 0.1.1 2024-09-24 11:33:02 +02:00
.mailmap Add a .mailmap file to canonicalize author names and emails 2023-03-15 18:10:51 +00:00
COPYING COPYING: add author to HPND-sell-MIT-disclaimer-xserver 2026-04-09 08:59:09 +00:00
meson.build Bump version to 24.1.11 2026-04-27 09:25:48 +02:00
meson_options.txt meson: Build Xwayland unconditionally 2024-04-12 10:40:05 +02:00
README.md Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
SECURITY.md xwayland: Expunge the SECURITY.md file 2026-04-09 08:59:08 +00:00
xserver.ent.in doc: relocate xserver.ent in the package root directory 2011-05-14 11:22:26 -07:00

X Server

The X server accepts requests from client applications to create windows, which are (normally rectangular) "virtual screens" that the client program can draw into.

Windows are then composed on the actual screen by the X server (or by a separate composite manager) as directed by the window manager, which usually communicates with the user via graphical controls such as buttons and draggable titlebars and borders.

For a comprehensive overview of X Server and X Window System, consult the following article: https://en.wikipedia.org/wiki/X_server

All questions regarding this software should be directed at the Xorg mailing list:

https://lists.freedesktop.org/mailman/listinfo/xorg

The primary development code repository can be found at:

https://gitlab.freedesktop.org/xorg/xserver

For patch submission instructions, see:

https://www.x.org/wiki/Development/Documentation/SubmittingPatches

As with other projects hosted on freedesktop.org, X.Org follows its Code of Conduct, based on the Contributor Covenant. Please conduct yourself in a respectful and civilized manner when using the above mailing lists, bug trackers, etc:

https://www.freedesktop.org/wiki/CodeOfConduct