fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-02-14 23:50:30 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
xserver/dix
History
Olivier Fourdan fb6dd658d7 Cursor: Refuse to free the root cursor 
If a cursor reference count drops to 0, the cursor is freed.

The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.

Make sure to prevent the rootCursor from being explicitly freed by a
client.

CVE-2025-26594, ZDI-CAN-25544

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
(cherry picked from commit 01642f263f)
2026-01-25 10:40:00 -08:00
..
.gitignore Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
atom.c atom: make FreeAtom static 2015-07-08 16:41:29 -04:00
BuiltInAtoms R6.6 is the Xorg base-line 2003-11-14 15:54:54 +00:00
closestr.h dix: move closestr.h into dix directory 2026-01-19 12:48:30 -08:00
colormap.c dix: FindBestPixel: fix implicit fallthrough warning 2026-01-25 10:39:57 -08:00
cursor.c dix: fix a misused const pointer in cursor.c 2026-01-25 10:39:56 -08:00
devices.c dix: Use __builtin_popcountl if available to replace Ones() 2026-01-25 10:39:57 -08:00
dispatch.c Cursor: Refuse to free the root cursor 2026-01-25 10:40:00 -08:00
dispatch.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
dixfonts.c dix: SetFontPath: don't set errorValue on Success 2026-01-25 10:39:57 -08:00
dixutils.c treewide: replace xnfrealloc() calls to XNFrealloc() 2026-01-25 10:39:55 -08:00
enterleave.c dix: fix button offset when generating DeviceButtonStateNotify events 2026-01-25 10:39:58 -08:00
enterleave.h mi: reset the PointerWindows reference on screen switch 2023-10-25 00:37:47 +00:00
eventconvert.c dix: limit checks to MAX_VALUATORS when generating Xi events 2026-01-25 10:39:58 -08:00
events.c drop not needed includes of geext.h 2026-01-25 10:40:00 -08:00
extension.c Move sizeof to second argument in calloc calls 2026-01-25 10:39:55 -08:00
gc.c dix: unexport Ones() 2026-01-25 10:39:57 -08:00
gestures.c dix: make FreeGrab() NULL tolerant 2026-01-25 10:39:57 -08:00
getevents.c dix: fix wheel emulation lockup when a negative increment is set 2023-02-20 15:11:23 +10:00
globals.c include: Remove now-empty site.h 2019-10-30 16:17:04 +00:00
glyphcurs.c Let calloc handle multiplication 2015-04-21 16:57:07 -07:00
grabs.c dix: CreateGrab() rename "type" parameter to "eventType" 2026-01-25 10:39:57 -08:00
initatoms.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
inpututils.c xace: typesafe hook function for XACE_DEVICE_ACCESS 2026-01-25 10:39:54 -08:00
main.c Move sizeof to second argument in calloc calls 2026-01-25 10:39:55 -08:00
meson.build dix: Implement internal gesture state handling 2021-05-30 13:26:39 +03:00
pixmap.c treewide: fix indentions got broke by recent commit 2026-01-25 10:39:56 -08:00
privates.c Move sizeof to second argument in calloc calls 2026-01-25 10:39:55 -08:00
property.c dix: ProcListProperties: skip unneeded work if numProps is 0 2026-01-25 10:39:57 -08:00
protocol.txt drop remains of DMX 2026-01-19 12:32:20 -08:00
ptrveloc.c dix: InitPredictableAccelerationScheme: avoid memory leak on failure 2026-01-25 10:39:57 -08:00
region.c replace _X_INLINE by inline in internal static functions 2024-02-05 19:26:14 +00:00
registry.c rename remaining RT_* defines to X11_RESTYPE_* 2026-01-19 12:48:30 -08:00
resource.c dix: HashResourceID: use unsigned integers for bit shifting 2026-01-25 10:39:57 -08:00
selection.c dix: create empty selection objects as-needed in dixLookupSelection() 2026-01-25 10:39:55 -08:00
stubmain.c Allow DDX to provide a main() 2013-07-23 23:56:58 +01:00
swaprep.c Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
swapreq.c dix: drop swapping request length fields 2026-01-25 10:39:59 -08:00
tables.c dix: drop swapping request length fields 2026-01-25 10:39:59 -08:00
touch.c rename remaining RT_* defines to X11_RESTYPE_* 2026-01-19 12:48:30 -08:00
window.c xace: typesafe hook function for XACE_SCREENSAVER_ACCESS 2026-01-25 10:39:54 -08:00