fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-05-06 23:18:21 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
read-only mirror of https://gitlab.freedesktop.org/xorg/xserver
18055 commits 91 branches 544 tags 60 MiB
C 96.5%
Roff 1.1%
Objective-C 1%
Meson 0.8%
Python 0.2%
Other 0.2%
Find a file
Olivier Fourdan 5328a544ba xkb: Fix out-of-bounds read in CheckModifierMap() 
As reported by valgrind:

  == Conditional jump or move depends on uninitialised value(s)
  ==    at 0x547E5B: CheckModifierMap (xkb.c:1972)
  ==    by 0x54A086: _XkbSetMapChecks (xkb.c:2574)
  ==    by 0x54A845: ProcXkbSetMap (xkb.c:2741)
  ==    by 0x556EF4: ProcXkbDispatch (xkb.c:7048)
  ==    by 0x454A8C: Dispatch (dispatch.c:553)
  ==    by 0x462CEB: dix_main (main.c:274)
  ==    by 0x405EA7: main (stubmain.c:34)
  ==  Uninitialised value was created by a heap allocation
  ==    at 0x4840B26: malloc (vg_replace_malloc.c:447)
  ==    by 0x592D5A: AllocateInputBuffer (io.c:981)
  ==    by 0x591F77: InsertFakeRequest (io.c:516)
  ==    by 0x45CA27: NextAvailableClient (dispatch.c:3629)
  ==    by 0x58FA81: AllocNewConnection (connection.c:628)
  ==    by 0x58FC70: EstablishNewConnections (connection.c:692)
  ==    by 0x58FFAA: HandleNotifyFd (connection.c:809)
  ==    by 0x593F42: ospoll_wait (ospoll.c:660)
  ==    by 0x58B9B6: WaitForSomething (WaitFor.c:208)
  ==    by 0x4548AC: Dispatch (dispatch.c:493)
  ==    by 0x462CEB: dix_main (main.c:274)
  ==    by 0x405EA7: main (stubmain.c:34)

The issue is that the loop in CheckModifierMap() reads from wire without
verifying that the data is within the request bounds.

The req->totalModMapKeys value could exceed the actual data provided,
causing reads of uninitialized memory.

To fix that issue, we add a bounds check using _XkbCheckRequestBounds,
but for that, we need to also pass a ClientPtr parameter, which is not
a problem since CheckModifierMap() is a private, static function.

CVE-2026-34002, ZDI-CAN-28737

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f056ce1cc9)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
2026-04-14 15:12:24 +02:00
.gitlab-ci ci: Install libxcvt from git 2021-08-06 11:29:29 +00:00
composite composite: initialize border clip even when pixmap alloc fails 2025-02-25 19:36:29 +01:00
config config: add a quirk for Apple Silicon appledrm 2024-12-02 16:11:51 +00:00
damageext More missing version checks in SProcs 2021-08-08 12:43:01 +00:00
dbe meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
dix dix: Fix builds with meson -Dxace=false -Dwerror=true 2026-03-28 16:40:00 +00:00
doc meson: Implement developer documentation build 2021-08-20 10:26:07 +00:00
dri3 meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
exa exa: rename some badly named variables 2020-07-10 06:17:40 +10:00
fb meson: hide C API if Xorg is disabled (like autotools) 2021-03-11 00:22:36 +00:00
glamor glamor: avoid double free in glamor_make_pixmap_exportable() 2026-03-28 16:40:00 +00:00
glx glx: Call XACE hooks on the GLX buffer 2024-01-16 09:58:09 +01:00
hw xf86: check return value of XF86_CRTC_CONFIG_PTR in xf86CompatOutput() 2026-03-28 16:40:00 +00:00
include xkb: Make the RT_XKBCLIENT resource private 2025-10-28 14:15:35 +01:00
m4 Add ax_pthread.m4 to m4/ 2016-05-29 19:20:51 -07:00
man Xserver.man: correct list of available authorization protocols 2025-06-12 18:08:25 -07:00
mi mi: guard miPointer functions against NULL dereferences 2025-04-08 09:50:18 +02:00
miext miext/sync: Fix use-after-free in miSyncTriggerFence() 2026-04-14 15:12:24 +02:00
os os: fix sha1 build error with Nettle 4.0 2026-03-28 16:40:00 +00:00
present present: Fix use-after-free in present_create_notifies() 2025-10-28 14:15:35 +01:00
pseudoramiX Unvalidated lengths 2017-10-10 23:33:34 +02:00
randr randr: clear primary screen's primaryOutput when the output is deleted 2026-03-28 16:39:59 +00:00
record record: Check for overflow in RecordSanityCheckRegisterClients() 2025-06-17 15:06:30 +02:00
render render: fix multiple mem leaks on err paths 2026-03-28 16:39:59 +00:00
test tests: Add missing files to Makefile build 2025-10-28 17:00:57 +01:00
Xext xf86bigfont: fix -Wimplicit-function-declaration error 2026-03-28 16:40:00 +00:00
xfixes xfixes: Check request length for SetClientDisconnectMode 2025-06-17 15:06:09 +02:00
Xi Xi: handle allocation failure in add_master_func() 2025-10-08 17:54:33 +02:00
xkb xkb: Fix out-of-bounds read in CheckModifierMap() 2026-04-14 15:12:24 +02:00
.appveyor.yml Drop DMX DDX 2021-09-07 09:34:31 +00:00
.dir-locals.el .dir-locals.el: Add missing final newline 2019-10-01 17:05:28 +00:00
.gitignore .gitignore: Add new autotools file 'test-driver' 2014-04-21 13:41:42 -07:00
.gitlab-ci.yml .gitlab-ci: Use meson instead of ninja for running the tests 2025-06-30 11:29:21 +02:00
.travis.yml travis: Add OSX meson build to matrix 2019-05-02 15:42:58 +00:00
autogen.sh autogen: Set a default subject prefix for patches 2016-02-08 17:41:38 -05:00
configure.ac xserver 21.1.21 2025-11-24 18:03:35 +01:00
COPYING COPYING: add author to HPND-sell-MIT-disclaimer-xserver 2026-03-28 16:39:59 +00:00
devbook.am doc: Create a script to filter xmlto output 2015-01-05 14:24:06 -08:00
docbook.am docbook.am: embed css styles inside the HTML HEAD element 2011-09-21 14:07:49 -07:00
Makefile.am Makefile.am: add SECURITY.md to EXTRA_DIST 2025-11-30 17:21:49 +00:00
manpages.am man: Fix automake seddery 2018-05-08 12:15:30 -04:00
meson.build os: fix sha1 build error with Nettle 4.0 2026-03-28 16:40:00 +00:00
meson_options.txt meson: Provide options to set CFBundleVersion and CFBundleVersionString in XQuartz 2022-06-19 23:10:48 -07:00
README.md Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
SECURITY.md Create a SECURITY.md file 2025-11-30 17:21:49 +00:00
xorg-server.m4 xorg-server.m4: just all cflags instead of just sdkdir 2018-09-20 20:12:24 +01:00
xorg-server.pc.in pkgconfig files: Add URL 2025-04-08 10:16:56 +02:00
xserver.ent.in doc: relocate xserver.ent in the package root directory 2011-05-14 11:22:26 -07:00

README.md

X Server

The X server accepts requests from client applications to create windows, which are (normally rectangular) "virtual screens" that the client program can draw into.

Windows are then composed on the actual screen by the X server (or by a separate composite manager) as directed by the window manager, which usually communicates with the user via graphical controls such as buttons and draggable titlebars and borders.

For a comprehensive overview of X Server and X Window System, consult the following article: https://en.wikipedia.org/wiki/X_server

All questions regarding this software should be directed at the Xorg mailing list:

https://lists.freedesktop.org/mailman/listinfo/xorg

The primary development code repository can be found at:

https://gitlab.freedesktop.org/xorg/xserver

For patch submission instructions, see:

https://www.x.org/wiki/Development/Documentation/SubmittingPatches

As with other projects hosted on freedesktop.org, X.Org follows its Code of Conduct, based on the Contributor Covenant. Please conduct yourself in a respectful and civilized manner when using the above mailing lists, bug trackers, etc:

https://www.freedesktop.org/wiki/CodeOfConduct