xserver/Xext
Peter Hutterer b1878535c1 sync: restart trigger list iteration in SyncChangeCounter after TriggerFired
This is the equivalent check to miSyncTriggerFence() from
commit f19ab94ba9 ("miext/sync: Fix use-after-free in miSyncTriggerFence()")

When a trigger fires via SyncAwaitTriggerFired, the resulting
FreeResource/FreeAwait call invokes SyncDeleteTriggerFromSyncObject for
every trigger in the same Await group. This unlinks and frees the
corresponding trigger list nodes - potentially including the node pnext
points to.

Fix by restarting iteration from the list head after a trigger fires, since
TriggerFired may have arbitrarily mutated the list. Triggers that have fired
are removed from the list by FreeAwait, so restarting cannot cause infinite
loops.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

ZDI-CAN-30164

Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bdd7bf57af)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2230>
2026-06-02 09:53:37 +10:00
bigreq.c dix: unexport global variables 2024-03-09 17:23:43 +00:00
dpms.c dpms: Add support for DPMSInfoNotify event from DPMS 1.2 (xorgproto) 2023-12-18 16:35:51 +03:00
dpmsproc.h dpms: Consolidate a bunch of stuff into Xext/dpms.c 2017-03-27 15:59:47 -04:00
geext.c More missing version checks in SProcs 2021-08-08 12:43:01 +00:00
geext.h Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
geint.h xge: Hide some implementation details 2015-07-08 16:40:58 -04:00
hashtable.c dix: Fix undefined shift in ht_generic_hash 2019-10-15 14:06:30 -04:00
hashtable.h Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
meson.build Drop Xorg DDX 2024-04-12 10:40:05 +02:00
panoramiX.c panoramix: avoid null dereference in PanoramiXConsolidate() 2026-04-09 08:59:08 +00:00
panoramiX.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
panoramiXh.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
panoramiXprocs.c dix: Call SourceValidate before GetImage 2019-10-30 16:26:01 +00:00
panoramiXsrv.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
panoramiXSwap.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
saver.c Xext: free the screen saver resource when replacing it 2022-12-14 11:02:40 +10:00
security.c dix: unexport CloseDownClient() 2024-03-13 00:47:36 +00:00
securitysrv.h Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
shape.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
shm.c Xext/shm: avoid null dereference in ShmInitScreenPriv() 2025-10-21 08:56:39 +02:00
shmint.h xext: Fix shmint.h to not use headers outside of sdk_HEADERS 2013-11-14 10:22:15 +09:00
sleepuntil.c os: Don't crash in AttendClient if the client is gone 2019-11-19 10:15:05 -08:00
sleepuntil.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
sync.c sync: restart trigger list iteration in SyncChangeCounter after TriggerFired 2026-06-02 09:53:37 +10:00
syncsdk.h xsync: Add resource inside of SyncCreate, export SyncCreate 2019-04-17 14:01:17 -07:00
syncsrv.h sync: Convert from "CARD64" to int64_t. 2017-09-20 13:19:27 -04:00
vidmode.c Xext/vidmode: avoid null dereference if VidModeCreateMode() allocation fails 2025-10-21 08:56:39 +02:00
xace.c xace: drop duplicate export of XaceHooks from .c source 2024-03-03 22:34:26 +00:00
xace.h xace: Remove the audit hooks and tune dispatch 2016-06-10 13:26:19 -04:00
xacestr.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00
xcmisc.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xf86bigfont.c xf86bigfont: fix -Wimplicit-function-declaration error 2026-04-09 08:59:08 +00:00
xf86bigfontsrv.h Move extension initialisation prototypes into extinit.h 2012-07-09 23:06:41 -07:00
xres.c Xext/xres: avoid null dereference in ProcXResQueryClients() 2025-10-21 08:56:39 +02:00
xselinux.h include: unpexport SELINUX_* consts from include/global.h 2024-03-25 19:40:04 +00:00
xselinux_ext.c Xext/xselinux: add fast path to ProcSELinuxListSelections() 2025-10-21 08:56:39 +02:00
xselinux_hooks.c Xext: fix missing include of <errno.h> 2024-03-21 17:32:30 +01:00
xselinux_label.c Xext/xselinux: avoid memory leak in SELinuxAtomToSID() 2025-10-21 08:56:39 +02:00
xselinuxint.h include: drop obsolete registry.h 2024-03-03 23:20:06 +00:00
xtest.c Xext/xtest: avoid null dereference in ProcXTestFakeInput() 2025-10-21 08:56:39 +02:00
xvdisp.c Unvalidated lengths 2017-10-10 23:33:34 +02:00
xvdisp.h Fix swapped Xv dispatch under Xinerama. 2007-12-02 14:15:36 -05:00
xvdix.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xvmain.c Xext: free the XvRTVideoNotify when turning off from the same client 2022-12-14 11:02:06 +10:00
xvmc.c dispatch: Mark swapped dispatch as _X_COLD 2017-03-01 10:16:20 -05:00
xvmcext.h Replace 'pointer' type with 'void *' 2014-01-12 10:24:11 -08:00