diff --git a/0001-glx-check-for-indirect-context-in-CreateContextAttri.patch b/0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
new file mode 100644
index 0000000..7c51440
--- /dev/null
+++ b/0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
@@ -0,0 +1,60 @@
+From 2881ce563661043ef0ee1163c63c120f3622e6d1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Wed, 5 Sep 2018 15:06:55 +0200
+Subject: [PATCH xserver] glx: check for indirect context in
+ CreateContextAttribsARB()
+
+Commit 99f0365b "Add a command line argument for disabling indirect GLX"
+added a test to check if indirect context are enabled in
+`DoCreateContext()` but `__glXDisp_CreateContextAttribsARB()` doesn't
+use `DoCreateContext()` and doesn't check if indirect context is
+enabled.
+
+As a result, clients can still manage to create indirect contexts using
+`glXCreateContextAttribsARB()` even if indirect contexts are disabled,
+which can possibly crash Xservers such as Xwayland or Xephyr when the
+context is destroyed.
+
+To avoid the issue, check for `enableIndirectGLX` in
+`__glXDisp_CreateContextAttribsARB()` as well.
+
+Fixes: 99f0365b "Add a command line argument for disabling indirect GLX"
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107508
+Signed-off-by: Olivier Fourdan
+---
+ glx/createcontext.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/glx/createcontext.c b/glx/createcontext.c
+index 7d09c3a1c..24b02ddfb 100644
+--- a/glx/createcontext.c
++++ b/glx/createcontext.c
+@@ -28,6 +28,7 @@
+ #include "glxserver.h"
+ #include "glxext.h"
+ #include "indirect_dispatch.h"
++#include "opaque.h"
+
+ #define ALL_VALID_FLAGS \
+ (GLX_CONTEXT_DEBUG_BIT_ARB | GLX_CONTEXT_FORWARD_COMPATIBLE_BIT_ARB \
+@@ -320,6 +321,17 @@ __glXDisp_CreateContextAttribsARB(__GLXclientState * cl, GLbyte * pc)
+ err = BadAlloc;
+ }
+ else {
++ /* Only allow creating indirect GLX contexts if allowed by
++ * server command line. Indirect GLX is of limited use (since
++ * it's only GL 1.4), it's slower than direct contexts, and
++ * it's a massive attack surface for buffer overflow type
++ * errors.
++ */
++ if (!enableIndirectGLX) {
++ client->errorValue = req->isDirect;
++ return BadValue;
++ }
++
+ ctx = glxScreen->createContext(glxScreen, config, shareCtx,
+ req->numAttribs, (uint32_t *) attribs,
+ &err);
+--
+2.19.0.rc1
+
diff --git a/0001-present-fix-freed-pointer-access.patch b/0001-present-fix-freed-pointer-access.patch
new file mode 100644
index 0000000..8c28ee8
--- /dev/null
+++ b/0001-present-fix-freed-pointer-access.patch
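Review bot: The `enableIndirectGLX` guard added to `__glXDisp_CreateContextAttribsARB()` is a second copy of the check that `DoCreateContext()` already carries, so the next request handler that reaches `glxScreen->createContext()` can miss it the same way this one did. Moving the test into one place that every indirect-context creation path passes through, or at least a comment at the `DoCreateContext()` check naming this handler as the other site, would keep the two from drifting. The early `return BadValue` with `errorValue = req->isDirect` presumably mirrors the earlier check, but the hunk does not show whether anything acquired earlier in the handler needs releasing on that return; the function begins and ends outside the hunk, so that has to be confirmed against the full body. A regression test that sends a non-direct `glXCreateContextAttribsARB` request to a server started with indirect GLX disabled would pin both entry points.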
@@ -0,0 +1,80 @@
+From 259f838af4aae2c240d0ea9c05073a86718990d7 Mon Sep 17 00:00:00 2001
+From: Lionel Landwerlin
+Date: Mon, 27 Aug 2018 01:04:45 +0100
+Subject: [PATCH xserver] present: fix freed pointer access
+
+When a vblank has been marked as aborted, it's going to be free in the
+flip_notify function when stopped. We can't notify it after it's
+stopped because the pointer is invalid.
+
+Valgrind backtrace:
+
+==5331== Invalid read of size 8
+==5331== at 0x212B4D: present_vblank_notify (present_vblank.c:34)
+==5331== by 0x21439B: present_wnmd_flip_notify (present_wnmd.c:194)
+==5331== by 0x21439B: present_wnmd_event_notify (present_wnmd.c:228)
+==5331== by 0x156216: xwl_present_sync_callback (xwayland-present.c:282)
+==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD79D8: ???
(in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
+==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
+==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
+==5331== by 0x27574B: Dispatch (dispatch.c:421)
+==5331== Address 0x1b44dc98 is 40 bytes inside a block of size 184 free'd
+==5331== at 0x48369EB: free (vg_replace_malloc.c:530)
+==5331== by 0x213B0A: present_wnmd_free_idle_vblanks (present_wnmd.c:118)
+==5331== by 0x213B0A: present_wnmd_flips_stop (present_wnmd.c:161)
+==5331== by 0x2143EF: present_wnmd_flip_notify (present_wnmd.c:192)
+==5331== by 0x2143EF: present_wnmd_event_notify (present_wnmd.c:228)
+==5331== by 0x156216: xwl_present_sync_callback (xwayland-present.c:282)
+==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD79D8: ???
(in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
+==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
+==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
+==5331== Block was alloc'd at
+==5331== at 0x48377D5: calloc (vg_replace_malloc.c:711)
+==5331== by 0x212D9F: present_vblank_create (present_vblank.c:69)
+==5331== by 0x214014: present_wnmd_pixmap (present_wnmd.c:610)
+==5331== by 0x21576C: proc_present_pixmap (present_request.c:150)
+==5331== by 0x27599D: Dispatch (dispatch.c:479)
+==5331== by 0x279945: dix_main (main.c:276)
+==5331== by 0x633AB16: (below main) (libc-start.c:310)
+
+v2: Still notify aborted flips (Roman)
+
+Signed-off-by: Lionel Landwerlin
+Reviewed-by: Daniel Stone
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107314
+Reviewed-by: Roman Gilg
+Tested-by: Roman Gilg
+---
+ present/present_wnmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/present/present_wnmd.c b/present/present_wnmd.c
+index 035ae8ffe..8f3836440 100644
+--- a/present/present_wnmd.c
++++ b/present/present_wnmd.c
+@@ -188,10 +188,11 @@ present_wnmd_flip_notify(present_vblank_ptr vblank, uint64_t ust, uint64_t crtc_
+ window_priv->flip_active = vblank;
+ window_priv->flip_pending = NULL;
+
++ present_vblank_notify(vblank, PresentCompleteKindPixmap, PresentCompleteModeFlip, ust, crtc_msc);
++
+ if (vblank->abort_flip)
+ present_wnmd_flips_stop(window);
+
+- present_vblank_notify(vblank, PresentCompleteKindPixmap, PresentCompleteModeFlip, ust, crtc_msc);
+ present_wnmd_flip_try_ready(window);
+ }
+
+--
+2.19.0.rc1
+
diff --git a/0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch b/0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch
new file mode 100644
index 0000000..1575cb0
--- /dev/null
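Review bot: The new ordering in `present_wnmd_flip_notify()` is load-bearing but nothing in the code says so: the description's backtrace shows `present_wnmd_flips_stop()` freeing the vblank through `present_wnmd_free_idle_vblanks()` when `abort_flip` is set, so `present_vblank_notify()` has to run first, and a future reorder would silently reintroduce the use-after-free. A comment above the moved call, e.g. `/* Notify before flips_stop(): it frees vblank when abort_flip is set */`, would guard against that. It is also worth confirming that `window_priv->flip_active`, assigned `vblank` two lines above, is cleared by `present_wnmd_flips_stop()` on the abort path, since otherwise it is left dangling after the free; that cannot be told from this hunk. The opening lines of `present_wnmd_flip_notify()` are outside the hunk.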
+++ b/0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch 
@@ -0,0 +1,81 @@
+From 90ac51f3e44d8d433741dc0f0495e79cc6e5fd51 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Wed, 5 Sep 2018 09:34:12 +0200
+Subject: [PATCH xserver] xwayland: Remove xwl_present_window from privates on
+ cleanup
+
+Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
+before the common `DestroyWindow()`.
+
+But then `DestroyWindow()` calls `present_destroy_window()` which will
+possibly end up in `xwl_present_abort_vblank()` which will try to access
+data that was previously freed by `xwl_present_cleanup()`:
+
+ Invalid read of size 8
+ at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
+ by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
+ by 0x53695A: present_free_window_vblank (present_screen.c:87)
+ by 0x53695A: present_destroy_window (present_screen.c:152)
+ by 0x42A90D: xwl_destroy_window (xwayland.c:653)
+ by 0x584298: compDestroyWindow (compwindow.c:613)
+ by 0x53CEE3: damageDestroyWindow (damage.c:1570)
+ by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
+ by 0x46F7F6: FreeWindowResources (window.c:1031)
+ by 0x472847: DeleteWindow (window.c:1099)
+ by 0x46B54C: doFreeResource (resource.c:880)
+ by 0x46C706: FreeClientResources (resource.c:1146)
+ by 0x446ADE: CloseDownClient (dispatch.c:3473)
+ Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
+ at 0x4C2FDAC: free (vg_replace_malloc.c:530)
+ by 0x42A937: xwl_destroy_window (xwayland.c:647)
+ by 0x584298: compDestroyWindow (compwindow.c:613)
+ by 0x53CEE3: damageDestroyWindow (damage.c:1570)
+ by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
+ by 0x46F7F6: FreeWindowResources (window.c:1031)
+ by 0x472847: DeleteWindow (window.c:1099)
+ by 0x46B54C: doFreeResource (resource.c:880)
+ by 0x46C706: FreeClientResources (resource.c:1146)
+ by 0x446ADE: CloseDownClient (dispatch.c:3473)
+ by 0x446DA5: ProcKillClient (dispatch.c:3279)
+ by 0x4476AF: Dispatch (dispatch.c:479)
+ Block was alloc'd at
+ at 0x4C30B06: calloc (vg_replace_malloc.c:711)
+ by
0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
+ by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
+ by 0x539728: proc_present_query_capabilities (present_request.c:227)
+ by 0x4476AF: Dispatch (dispatch.c:479)
+ by 0x44B5B5: dix_main (main.c:276)
+ by 0x75F611A: (below main) (libc-start.c:308)
+
+This is because `xwl_present_cleanup()` frees the memory but does not
+remove it from the window's privates, and `xwl_present_abort_vblank()`
+will still find it and hence try to access that freed memory...
+
+Remove `xwl_present_window` from window's privates on cleanup so that no
+other function can find and reuse that data once it's freed.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
+Signed-off-by: Olivier Fourdan
+---
+ hw/xwayland/xwayland-present.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
+index 81e0eb9ce..316e04443 100644
+--- a/hw/xwayland/xwayland-present.c
++++ b/hw/xwayland/xwayland-present.c
+@@ -147,6 +147,11 @@ xwl_present_cleanup(WindowPtr window)
+ /* Clear timer */
+ xwl_present_free_timer(xwl_present_window);
+
++ /* Remove from privates so we don't try to access it later */
++ dixSetPrivate(&window->devPrivates,
++ &xwl_present_window_private_key,
++ NULL);
++
+ free(xwl_present_window);
+ }
+
+--
+2.19.0.rc1
+
diff --git a/0001-xwayland-fix-access-to-invalid-pointer.patch b/0001-xwayland-fix-access-to-invalid-pointer.patch
new file mode 100644
index 0000000..a6026ba
--- /dev/null
+++ b/0001-xwayland-fix-access-to-invalid-pointer.patch
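Review bot: Clearing the private in `xwl_present_cleanup()` removes the dangling pointer, but the allocation backtrace in the description shows `xwl_present_window_get_priv()` calling `calloc()`, which suggests the lookup allocates when the private is NULL; if so, a lookup reached from `present_destroy_window()` after this cleanup would create a fresh `xwl_present_window` that nothing frees, turning the use-after-free into a leak per destroyed window. That is inferred from the backtrace rather than visible here, so it needs checking against `xwl_present_window_get_priv()`; a non-allocating lookup in the teardown paths, or a comment on the `dixSetPrivate()` call stating that later lookups are expected to see NULL and must not re-create the struct, would settle it. Placing `dixSetPrivate()` before `free()` is the right order. The opening lines of `xwl_present_cleanup()` are outside the hunk.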
@@ -0,0 +1,78 @@
+From b3f6dc6892ca554ecb57f4289182a3e29915a2c6 Mon Sep 17 00:00:00 2001
+From: Lionel Landwerlin
+Date: Tue, 28 Aug 2018 21:30:05 +0100
+Subject: [PATCH xserver] xwayland: fix access to invalid pointer
+
+xwl_output->randr_crtc is used in the update_screen_size() function :
+
+==5331== Invalid read of size 4
+==5331== at 0x15263D: update_screen_size (xwayland-output.c:190)
+==5331== by 0x152C48: xwl_output_remove (xwayland-output.c:413)
+==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD79D8: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
+==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
+==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
+==5331== by 0x27574B: Dispatch (dispatch.c:421)
+==5331== by 0x279945: dix_main (main.c:276)
+==5331== Address 0x1aacb5f4 is 36 bytes inside a block of size 154 free'd
+==5331== at 0x48369EB: free (vg_replace_malloc.c:530)
+==5331== by 0x1F8AE8: RROutputDestroyResource (rroutput.c:421)
+==5331== by 0x29A2AC: doFreeResource (resource.c:880)
+==5331== by 0x29AE5B: FreeResource (resource.c:910)
+==5331== by 0x152BE0: xwl_output_remove (xwayland-output.c:408)
+==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD79D8: ???
(in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
+==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
+==5331== Block was alloc'd at
+==5331== at 0x48357BF: malloc (vg_replace_malloc.c:299)
+==5331== by 0x1F93E0: RROutputCreate (rroutput.c:83)
+==5331== by 0x152A75: xwl_output_create (xwayland-output.c:361)
+==5331== by 0x14BE59: registry_global (xwayland.c:764)
+==5331== by 0x6570FCD: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x657093E: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
+==5331== by 0x4DDB183: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD79D8: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x4DD8EA3: wl_display_dispatch_queue_pending (in /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0)
+==5331== by 0x14BCCA: xwl_read_events (xwayland.c:814)
+==5331== by 0x2AC0D0: ospoll_wait (ospoll.c:651)
+==5331== by 0x2A5322: WaitForSomething (WaitFor.c:208)
+
+Signed-off-by: Lionel Landwerlin
+Reviewed-by: Daniel Stone
+---
+ hw/xwayland/xwayland-output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xwayland/xwayland-output.c b/hw/xwayland/xwayland-output.c
+index 0d2ec7890..cc68f0340 100644
+--- a/hw/xwayland/xwayland-output.c
++++ b/hw/xwayland/xwayland-output.c
+@@ -404,14 +404,15 @@ xwl_output_remove(struct xwl_output *xwl_output)
+ int width = 0, height = 0;
+ Bool need_rotate = (xwl_output->xdg_output == NULL);
+
+- RRCrtcDestroy(xwl_output->randr_crtc);
+- RROutputDestroy(xwl_output->randr_output);
+ xorg_list_del(&xwl_output->link);
+
+ xorg_list_for_each_entry(it, &xwl_screen->output_list, link)
+ output_get_new_size(it, need_rotate, &height, &width);
+ update_screen_size(xwl_output, width, height);
+
++
RRCrtcDestroy(xwl_output->randr_crtc);
++ RROutputDestroy(xwl_output->randr_output);
++
+ xwl_output_destroy(xwl_output);
+ }
+
+--
+2.19.0.rc1
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 5e2184a..e7ec848 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -46,7 +46,7 @@
 Summary: X.Org X11 X server
 Name: xorg-x11-server
 Version: 1.20.1
-Release: 1%{?gitdate:.%{gitdate}}%{dist}
+Release: 2%{?gitdate:.%{gitdate}}%{dist}
 URL: http://www.x.org
 License: MIT
 Group: User Interface/X
@@ -94,6 +94,12 @@ Patch5: 0001-autobind-GPUs-to-the-screen.patch
 # because the display-managers are not ready yet, do not upstream
 Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
 
+# Submitted upstream
+Patch7: 0001-xwayland-Remove-xwl_present_window-from-privates-on-.patch
+Patch8: 0001-xwayland-fix-access-to-invalid-pointer.patch
+Patch9: 0001-present-fix-freed-pointer-access.patch
+Patch10: 0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
+
 BuildRequires: systemtap-sdt-devel
 BuildRequires: git
 BuildRequires: automake autoconf libtool pkgconfig
@@ -523,6 +529,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %changelog
+* Mon Sep 10 2018 Olivier Fourdan - 1.20.1-2
+- Include patches from upstream to fix Xwayland crashes
+
 * Thu Aug 09 2018 Adam Jackson - 1.20.1-1
 - xserver 1.20.1
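Review bot: The new position of `RRCrtcDestroy()`/`RROutputDestroy()` in `xwl_output_remove()` fixes the read in `update_screen_size()`, but the constraint is implicit: `update_screen_size()` is handed `xwl_output` whose RandR objects must still be alive, and nothing stops a later edit from moving the destroy calls back up. A one-line comment above the moved pair, `/* update_screen_size() still reads the RandR crtc/output; destroy them only afterwards */`, would document the ordering. The description's backtrace shows the freed block being the RROutput (freed via `RROutputDestroyResource()`, allocated in `RROutputCreate()`), so `update_screen_size()` appears to reach the output as well as the `randr_crtc` the description names; either way both destroys belong after that call. The opening lines of `xwl_output_remove()` are outside the hunk.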