From 60bd7d1fb56c3be0d51c777b88b28c8b220a6ceb Mon Sep 17 00:00:00 2001
From: Adam Jackson
Date: Mon, 15 Oct 2018 12:13:44 -0400
Subject: [PATCH] xserver 1.20.2
---
 ...direct-context-in-CreateContextAttri.patch | 60 --------------
 0001-present-fix-freed-pointer-access.patch | 80 ------------------
 ...xwl_present_window-from-privates-on-.patch | 81 -------------------
 ...ayland-fix-access-to-invalid-pointer.patch | 78 ------------------
 sources | 3 +-
 xorg-x11-server.spec | 13 ++-
 6 files changed, 6 insertions(+), 309 deletions(-)
 delete mode 100644 0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
 delete mode 100644 0001-present-fix-freed-pointer-access.patch
 delete mode 100644 0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch
 delete mode 100644 0001-xwayland-fix-access-to-invalid-pointer.patch
diff --git a/0001-glx-check-for-indirect-context-in-CreateContextAttri.patch b/0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
deleted file mode 100644
index 7c51440..0000000
--- a/0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 2881ce563661043ef0ee1163c63c120f3622e6d1 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan
-Date: Wed, 5 Sep 2018 15:06:55 +0200
-Subject: [PATCH xserver] glx: check for indirect context in
- CreateContextAttribsARB()
-
-Commit 99f0365b "Add a command line argument for disabling indirect GLX"
-added a test to check if indirect context are enabled in
-`DoCreateContext()` but `__glXDisp_CreateContextAttribsARB()` doesn't
-use `DoCreateContext()` and doesn't check if indirect context is
-enabled.
-
-As a result, clients can still manage to create indirect contexts using
-`glXCreateContextAttribsARB()` even if indirect contexts are disabled,
-which can possibly crash Xservers such as Xwayland or Xephyr when the
-context is destroyed.
-
-To avoid the issue, check for `enableIndirectGLX` in
-`__glXDisp_CreateContextAttribsARB()` as well.
-
-Fixes: 99f0365b "Add a command line argument for disabling indirect GLX"
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107508
-Signed-off-by: Olivier Fourdan
----
- glx/createcontext.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/glx/createcontext.c b/glx/createcontext.c
-index 7d09c3a1c..24b02ddfb 100644
---- a/glx/createcontext.c
-+++ b/glx/createcontext.c
-@@ -28,6 +28,7 @@
- #include "glxserver.h"
- #include "glxext.h"
- #include "indirect_dispatch.h"
-+#include "opaque.h"
- 
- #define ALL_VALID_FLAGS \
- (GLX_CONTEXT_DEBUG_BIT_ARB | GLX_CONTEXT_FORWARD_COMPATIBLE_BIT_ARB \
-@@ -320,6 +321,17 @@ __glXDisp_CreateContextAttribsARB(__GLXclientState * cl, GLbyte * pc)
- err = BadAlloc;
- }
- else {
-+ /* Only allow creating indirect GLX contexts if allowed by
-+ * server command line. Indirect GLX is of limited use (since
-+ * it's only GL 1.4), it's slower than direct contexts, and
-+ * it's a massive attack surface for buffer overflow type
-+ * errors. 
-+ */
-+ if (!enableIndirectGLX) {
-+ client->errorValue = req->isDirect;
-+ return BadValue;
-+ }
-+
- ctx = glxScreen->createContext(glxScreen, config, shareCtx,
- req->numAttribs, (uint32_t *) attribs,
- &err);
---
-2.19.0.rc1
-
diff --git a/0001-present-fix-freed-pointer-access.patch b/0001-present-fix-freed-pointer-access.patch
deleted file mode 100644
index 8c28ee8..0000000
--- a/0001-present-fix-freed-pointer-access.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 259f838af4aae2c240d0ea9c05073a86718990d7 Mon Sep 17 00:00:00 2001
-From: Lionel Landwerlin
-Date: Mon, 27 Aug 2018 01:04:45 +0100
-Subject: [PATCH xserver] present: fix freed pointer access
-
-When a vblank has been marked as aborted, it's going to be free in the
-flip_notify function when stopped. We can't notify it after it's
-stopped because the pointer is invalid.
-
-Valgrind backtrace:
-
-==5331== Invalid read of size 8
-==5331== at 0x212B4D: present_vblank_notify (present_vblank.c:34)
-==5331== by 0x21439B: present_wnmd_flip_notify (present_wnmd.c:194)
-==5331== by 0x21439B: present_wnmd_event_notify (present_wnmd.c:228)
-==5331== by 0x156216: xwl_present_sync_callback (xwayland-present.c:282)
-==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD79D8: ??? 
(in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
-==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
-==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
-==5331== by 0x27574B: Dispatch (dispatch.c:421)
-==5331== Address 0x1b44dc98 is 40 bytes inside a block of size 184 free'd
-==5331== at 0x48369EB: free (vg_replace_malloc.c:530)
-==5331== by 0x213B0A: present_wnmd_free_idle_vblanks (present_wnmd.c:118)
-==5331== by 0x213B0A: present_wnmd_flips_stop (present_wnmd.c:161)
-==5331== by 0x2143EF: present_wnmd_flip_notify (present_wnmd.c:192)
-==5331== by 0x2143EF: present_wnmd_event_notify (present_wnmd.c:228)
-==5331== by 0x156216: xwl_present_sync_callback (xwayland-present.c:282)
-==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD79D8: ??? 
(in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
-==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
-==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
-==5331== Block was alloc'd at
-==5331== at 0x48377D5: calloc (vg_replace_malloc.c:711)
-==5331== by 0x212D9F: present_vblank_create (present_vblank.c:69)
-==5331== by 0x214014: present_wnmd_pixmap (present_wnmd.c:610)
-==5331== by 0x21576C: proc_present_pixmap (present_request.c:150)
-==5331== by 0x27599D: Dispatch (dispatch.c:479)
-==5331== by 0x279945: dix_main (main.c:276)
-==5331== by 0x633AB16: (below main) (libc-start.c:310)
-
-v2: Still notify aborted flips (Roman)
-
-Signed-off-by: Lionel Landwerlin
-Reviewed-by: Daniel Stone
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107314
-Reviewed-by: Roman Gilg
-Tested-by: Roman Gilg
----
- present/present_wnmd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/present/present_wnmd.c b/present/present_wnmd.c
-index 035ae8ffe..8f3836440 100644
---- a/present/present_wnmd.c
-+++ b/present/present_wnmd.c
-@@ -188,10 +188,11 @@ present_wnmd_flip_notify(present_vblank_ptr vblank, uint64_t ust, uint64_t crtc_
- window_priv->flip_active = vblank;
- window_priv->flip_pending = NULL;
- 
-+ present_vblank_notify(vblank, PresentCompleteKindPixmap, PresentCompleteModeFlip, ust, crtc_msc);
-+
- if (vblank->abort_flip)
- present_wnmd_flips_stop(window);
- 
-- present_vblank_notify(vblank, PresentCompleteKindPixmap, PresentCompleteModeFlip, ust, crtc_msc);
- present_wnmd_flip_try_ready(window);
- }
- 
---
-2.19.0.rc1
-
diff --git a/0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch b/0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch
deleted file mode 100644
index 1575cb0..0000000
--- a/0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 90ac51f3e44d8d433741dc0f0495e79cc6e5fd51 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan
-Date: Wed, 5 Sep 2018 09:34:12 +0200
-Subject: [PATCH xserver] xwayland: Remove xwl_present_window from privates on
- cleanup
-
-Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
-before the common `DestroyWindow()`.
-
-But then `DestroyWindow()` calls `present_destroy_window()` which will
-possibly end up in `xwl_present_abort_vblank()` which will try to access
-data that was previously freed by `xwl_present_cleanup()`:
-
- Invalid read of size 8
- at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
- by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
- by 0x53695A: present_free_window_vblank (present_screen.c:87)
- by 0x53695A: present_destroy_window (present_screen.c:152)
- by 0x42A90D: xwl_destroy_window (xwayland.c:653)
- by 0x584298: compDestroyWindow (compwindow.c:613)
- by 0x53CEE3: damageDestroyWindow (damage.c:1570)
- by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
- by 0x46F7F6: FreeWindowResources (window.c:1031)
- by 0x472847: DeleteWindow (window.c:1099)
- by 0x46B54C: doFreeResource (resource.c:880)
- by 0x46C706: FreeClientResources (resource.c:1146)
- by 0x446ADE: CloseDownClient (dispatch.c:3473)
- Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
- at 0x4C2FDAC: free (vg_replace_malloc.c:530)
- by 0x42A937: xwl_destroy_window (xwayland.c:647)
- by 0x584298: compDestroyWindow (compwindow.c:613)
- by 0x53CEE3: damageDestroyWindow (damage.c:1570)
- by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
- by 0x46F7F6: FreeWindowResources (window.c:1031)
- by 0x472847: DeleteWindow (window.c:1099)
- by 0x46B54C: doFreeResource (resource.c:880)
- by 0x46C706: FreeClientResources (resource.c:1146)
- by 0x446ADE: CloseDownClient (dispatch.c:3473)
- by 0x446DA5: ProcKillClient (dispatch.c:3279)
- by 0x4476AF: Dispatch (dispatch.c:479)
- Block was alloc'd at
- at 0x4C30B06: calloc (vg_replace_malloc.c:711)
- by 
0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
- by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
- by 0x539728: proc_present_query_capabilities (present_request.c:227)
- by 0x4476AF: Dispatch (dispatch.c:479)
- by 0x44B5B5: dix_main (main.c:276)
- by 0x75F611A: (below main) (libc-start.c:308)
-
-This is because `xwl_present_cleanup()` frees the memory but does not
-remove it from the window's privates, and `xwl_present_abort_vblank()`
-will still find it and hence try to access that freed memory...
-
-Remove `xwl_present_window` from window's privates on cleanup so that no
-other function can find and reuse that data once it's freed.
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
-Signed-off-by: Olivier Fourdan
----
- hw/xwayland/xwayland-present.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
-index 81e0eb9ce..316e04443 100644
---- a/hw/xwayland/xwayland-present.c
-+++ b/hw/xwayland/xwayland-present.c
-@@ -147,6 +147,11 @@ xwl_present_cleanup(WindowPtr window)
- /* Clear timer */
- xwl_present_free_timer(xwl_present_window);
- 
-+ /* Remove from privates so we don't try to access it later */
-+ dixSetPrivate(&window->devPrivates,
-+ &xwl_present_window_private_key,
-+ NULL);
-+
- free(xwl_present_window);
- }
- 
---
-2.19.0.rc1
-
diff --git a/0001-xwayland-fix-access-to-invalid-pointer.patch b/0001-xwayland-fix-access-to-invalid-pointer.patch
deleted file mode 100644
index a6026ba..0000000
--- a/0001-xwayland-fix-access-to-invalid-pointer.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From b3f6dc6892ca554ecb57f4289182a3e29915a2c6 Mon Sep 17 00:00:00 2001
-From: Lionel Landwerlin
-Date: Tue, 28 Aug 2018 21:30:05 +0100
-Subject: [PATCH xserver] xwayland: fix access to invalid pointer
-
-xwl_output->randr_crtc is used in the update_screen_size() function :
-
-==5331== Invalid read of size 4
-==5331== at 0x15263D: update_screen_size (xwayland-output.c:190)
-==5331== by 0x152C48: xwl_output_remove (xwayland-output.c:413)
-==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD79D8: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
-==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
-==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
-==5331== by 0x27574B: Dispatch (dispatch.c:421)
-==5331== by 0x279945: dix_main (main.c:276)
-==5331== Address 0x1aacb5f4 is 36 bytes inside a block of size 154 free'd
-==5331== at 0x48369EB: free (vg_replace_malloc.c:530)
-==5331== by 0x1F8AE8: RROutputDestroyResource (rroutput.c:421)
-==5331== by 0x29A2AC: doFreeResource (resource.c:880)
-==5331== by 0x29AE5B: FreeResource (resource.c:910)
-==5331== by 0x152BE0: xwl_output_remove (xwayland-output.c:408)
-==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD79D8: ??? 
(in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
-==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
-==5331== Block was alloc'd at
-==5331== at 0x48357BF: malloc (vg_replace_malloc.c:299)
-==5331== by 0x1F93E0: RROutputCreate (rroutput.c:83)
-==5331== by 0x152A75: xwl_output_create (xwayland-output.c:361)
-==5331== by 0x14BE59: registry_global (xwayland.c:764)
-==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
-==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD79D8: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
-==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
-==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
-==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
-
-Signed-off-by: Lionel Landwerlin
-Reviewed-by: Daniel Stone
----
- hw/xwayland/xwayland-output.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/xwayland/xwayland-output.c b/hw/xwayland/xwayland-output.c
-index 0d2ec7890..cc68f0340 100644
---- a/hw/xwayland/xwayland-output.c
-+++ b/hw/xwayland/xwayland-output.c
-@@ -404,14 +404,15 @@ xwl_output_remove(struct xwl_output *xwl_output)
- int width = 0, height = 0;
- Bool need_rotate = (xwl_output->xdg_output == NULL);
- 
-- RRCrtcDestroy(xwl_output->randr_crtc);
-- RROutputDestroy(xwl_output->randr_output);
- xorg_list_del(&xwl_output->link);
- 
- xorg_list_for_each_entry(it, &xwl_screen->output_list, link)
- output_get_new_size(it, need_rotate, &height, &width);
- update_screen_size(xwl_output, width, height);
- 
-+ 
RRCrtcDestroy(xwl_output->randr_crtc);
-+ RROutputDestroy(xwl_output->randr_output);
-+
- xwl_output_destroy(xwl_output);
- }
- 
---
-2.19.0.rc1
-
diff --git a/sources b/sources
index a8f856c..8e757f8 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-SHA512 (xorg-server-1.20.0.tar.bz2) = 1489e8511c9da682ef0460182dfeeddd241c72d4ef4d206d9706f1e39572c09953df851fab18cefb65a1ee4c6710c6ba13c63c9c9fc0bc1b5f12c50780412cde
-SHA512 (xorg-server-1.20.1.tar.bz2) = ef2b93a61683c8ca8d1f14b771e70db65ba119a73db8a46e7cdbf2ac2243e3f4b2732068eb5aa5d7b76f460db995a3c04390870198a5210ec30df4360ad9f94b
+SHA512 (xorg-server-1.20.2.tar.bz2) = 1c87d78b14529dd4b438ef038118c8540d1d17bdd58bf08ec5408a2ddbe8d0dda48033a9a9477cfc2c4c304dd1078fa40968a03c4d0cd3398359dd0fadb8e7c7
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 611a431..751e663 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -45,8 +45,8 @@ Summary: X.Org X11 X server
 Name: xorg-x11-server
-Version: 1.20.1
-Release: 4%{?gitdate:.%{gitdate}}%{dist}
+Version: 1.20.2
+Release: 1%{?gitdate:.%{gitdate}}%{dist}
 URL: http://www.x.org
 License: MIT
 Group: User Interface/X
@@ -95,12 +95,6 @@ Patch5: 0001-autobind-GPUs-to-the-screen.patch
 # because the display-managers are not ready yet, do not upstream
 Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
-# Submitted upstream
-Patch7: 0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch
-Patch8: 0001-xwayland-fix-access-to-invalid-pointer.patch
-Patch9: 0001-present-fix-freed-pointer-access.patch
-Patch10: 0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
-
 BuildRequires: systemtap-sdt-devel
 BuildRequires: git
 BuildRequires: automake autoconf libtool pkgconfig
@@ -534,6 +528,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %changelog
+* Mon Oct 15 2018 Adam Jackson - 1.20.2-1
+- xserver 1.20.2
+
 * Thu Oct 4 2018 Hans de Goede - 1.20.1-4
 - Rebase patch to use va_gl as vdpau driver on i965 GPUs, re-fix rhbz#1413733
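Review bot: The new changelog entry in xorg-x11-server.spec (`+- xserver 1.20.2`) does not record that Patch7–Patch10, the four files marked `# Submitted upstream`, were dropped in the `@@ -95,12 +95,6 @@` hunk, so the spec history no longer explains why these fixes disappeared. Presumably they are contained in the 1.20.2 tarball, but the comment being removed says only that they were submitted, and nothing on this page shows that the rebase confirmed it. One of them, 0001-glx-check-for-indirect-context-in-CreateContextAttri.patch, closes a client-reachable server crash (bug 107508 per the deleted patch's own description), so silently losing it would be a security regression rather than a cosmetic one. If the four fixes were verified in the new source, a line such as `- Drop patches 7-10, now part of 1.20.2` in the changelog entry would document that.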