import xorg-x11-server-1.20.10-1.el8

CentOS Sources 2020-12-11 08:14:45 +00:00 committed by Andrew Lukoshko
parent eb237a978c
commit de740dbd80
15 changed files with 12 additions and 949 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/xorg-server-1.20.8.tar.bz2
SOURCES/xorg-server-1.20.10.tar.bz2


@ -1 +1 @@
077d081f912faf11c87ea1c9d0e29490961b0cd4 SOURCES/xorg-server-1.20.8.tar.bz2
e698b30adb781dfe0e7bee0aa489ea9df404a5db SOURCES/xorg-server-1.20.10.tar.bz2


@ -1,183 +0,0 @@
From 1d3a1092c30af660b1366fcd344af745590aa29f Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:46:32 +0200
Subject: [PATCH xserver] Correct bounds checking in XkbSetNames()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2020-14345 / ZDI 11428
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 3162574a4..2139da7ee 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
#define CHK_REQ_KEY_RANGE(err,first,num,r) \
CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+ char *cstuff = (char *)stuff;
+ char *cfrom = (char *)from;
+ char *cto = (char *)to;
+
+ return cfrom < cto &&
+ cfrom >= cstuff &&
+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
+ cto >= cstuff &&
+ cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
/***====================================================================***/
int
@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
return BadAccess;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
+ return BadLength;
old = tmp;
tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
if (!tmp) {
@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
}
width = (CARD8 *) tmp;
tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
+ return BadLength;
type = &xkb->map->types[stuff->firstKTLevel];
for (i = 0; i < stuff->nKTLevels; i++, type++) {
if (width[i] == 0)
@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
type->num_levels, width[i]);
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x08;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->indicators)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
client->swapped, &bad);
if (!tmp) {
@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x09;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->virtualMods)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
(CARD32) stuff->virtualMods,
client->swapped, &bad);
@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x0a;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->groupNames)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
(CARD32) stuff->groupNames,
client->swapped, &bad);
@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
stuff->nKeys);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
+ return BadLength;
tmp += stuff->nKeys;
}
if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + (stuff->nKeyAliases * 2)))
+ return BadLength;
tmp += stuff->nKeyAliases * 2;
}
if (stuff->which & XkbRGNamesMask) {
@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + stuff->nRadioGroups))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
/* check device-independent stuff */
tmp = (CARD32 *) &stuff[1];
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbKeycodesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbGeometryNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbPhysSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbTypesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbCompatNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
--
2.28.0


@ -1,36 +0,0 @@
From eff3f6cdd398bfac040351e99e64baf3bf64fa2e Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:49:04 +0200
Subject: [PATCH xserver] Fix XIChangeHierarchy() integer underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2020-14346 / ZDI-CAN-11429
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
Xi/xichangehierarchy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index cbdd91258..504defe56 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
--
2.28.0


@ -1,70 +0,0 @@
From 705d7213935820d9f56563ee9e17aa9beb365c1e Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:55:01 +0200
Subject: [PATCH xserver] Fix XRecordRegisterClients() Integer underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2020-14362 ZDI-CAN-11574
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
record/record.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/record/record.c b/record/record.c
index f0b739b0c..05d751ac2 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
int i;
XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1];
if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID);
}
if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
--
2.28.0


@ -1,36 +0,0 @@
From 5b384e7678c5a155dd8752f018c8292153c1295e Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:52:29 +0200
Subject: [PATCH xserver] Fix XkbSelectEvents() integer underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2020-14361 ZDI-CAN 11573
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
xkb/xkbSwap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5ff4..50cabb90e 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
register unsigned bit, ndx, maskLeft, dataLeft, size;
from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
--
2.28.0


@ -1,33 +0,0 @@
From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Sat, 25 Jul 2020 19:33:50 +0200
Subject: [PATCH] fix for ZDI-11426
Avoid leaking un-initalized memory to clients by zeroing the
whole pixmap on initial allocation.
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
dix/pixmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
return NullPixmap;
- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
if (!pPixmap)
return NullPixmap;
--
2.25.4


@ -1,56 +0,0 @@
From 85d9f7932353b6e0986796dbb09b7f778f9cc9aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 24 Jul 2020 18:21:05 +0200
Subject: [PATCH xserver] glamor: Fix glamor_poly_fill_rect_gl
xRectangle::width/height handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(Using GLSL 1.30 or newer)
The width/height members of xRectangle are unsigned, but they were
being interpreted as signed when converting to floating point for the
vertex shader, producing incorrect drawing for values > 32767.
Solve this by passing through the values as integers, and masking off
the upper 16 bits in the vertex shader (which could be 1 due to sign
extension).
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
glamor/glamor_rects.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/glamor/glamor_rects.c b/glamor/glamor_rects.c
index 6cbb040c1..5cac40d49 100644
--- a/glamor/glamor_rects.c
+++ b/glamor/glamor_rects.c
@@ -27,9 +27,10 @@
static const glamor_facet glamor_facet_polyfillrect_130 = {
.name = "poly_fill_rect",
.version = 130,
- .vs_vars = "attribute vec4 primitive;\n",
- .vs_exec = (" vec2 pos = primitive.zw * vec2(gl_VertexID&1, (gl_VertexID&2)>>1);\n"
- GLAMOR_POS(gl_Position, (primitive.xy + pos))),
+ .vs_vars = "attribute ivec4 primitive;\n",
+ .vs_exec = (" vec2 pos = vec2(primitive.zw & ivec2(0xffff));\n"
+ " pos *= vec2(gl_VertexID&1, (gl_VertexID&2)>>1);\n"
+ GLAMOR_POS(gl_Position, (vec2(primitive.xy) + pos))),
};
static const glamor_facet glamor_facet_polyfillrect_120 = {
@@ -81,8 +82,8 @@ glamor_poly_fill_rect_gl(DrawablePtr drawable,
glEnableVertexAttribArray(GLAMOR_VERTEX_POS);
glVertexAttribDivisor(GLAMOR_VERTEX_POS, 1);
- glVertexAttribPointer(GLAMOR_VERTEX_POS, 4, GL_SHORT, GL_FALSE,
- 4 * sizeof (short), vbo_offset);
+ glVertexAttribIPointer(GLAMOR_VERTEX_POS, 4, GL_SHORT,
+ 4 * sizeof (short), vbo_offset);
memcpy(v, prect, nrect * sizeof (xRectangle));
--
2.26.2


@ -1,37 +0,0 @@
From f32c851a0ba41f5d8d0f8c869bc394858de721df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Thu, 25 Jun 2020 18:09:27 +0200
Subject: [PATCH xserver 1/4] present/wnmd: Keep pixmap pointer in
present_wnmd_clear_window_flip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The comment was incorrect: Any reference held by the window (see
present_wnmd_execute) is in addition to the one in struct present_vblank
(see present_vblank_create). So if we don't drop the latter, the pixmap
will be leaked.
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit bc9dd1c71c3722284ffaa7183f4119151b25a44f)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
present/present_screen.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/present/present_screen.c b/present/present_screen.c
index c7e37c5fd..c435f55f4 100644
--- a/present/present_screen.c
+++ b/present/present_screen.c
@@ -122,8 +122,6 @@ present_wnmd_clear_window_flip(WindowPtr window)
xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->idle_queue, event_queue) {
present_pixmap_idle(vblank->pixmap, vblank->window, vblank->serial, vblank->idle_fence);
- /* The pixmap will be destroyed by freeing the window resources. */
- vblank->pixmap = NULL;
present_vblank_destroy(vblank);
}
--
2.26.2


@ -1,173 +0,0 @@
From 139868f3e82a3e7b7b17f3a5a2e07c4b04d81728 Mon Sep 17 00:00:00 2001
From: Aaron Ma <aaron.ma@canonical.com>
Date: Thu, 30 Jul 2020 11:02:39 +0200
Subject: [PATCH xserver] xfree86: add drm modes on non-GTF panels
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
EDID1.4 replaced GTF Bit with Continuous or Non-Continuous Frequency Display.
Check the "Display Range Limits Descriptor" for GTF support.
If panel doesn't support GTF, then add gtf modes.
Otherwise X will only show the modes in "Detailed Timing Descriptor".
V2: Coding style changes.
V3: Coding style changes, remove unused variate.
V4: remove unused variate.
BugLink: https://gitlab.freedesktop.org/drm/intel/issues/313
Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 6a79a737e2c0bc730ee693b4ea4a1530c108be4e)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
hw/xfree86/ddc/edid.h | 17 +++++++++++-
hw/xfree86/ddc/interpret_edid.c | 27 +++++++++++++++++++
hw/xfree86/ddc/xf86DDC.h | 3 +++
.../drivers/modesetting/drmmode_display.c | 2 +-
hw/xfree86/modes/xf86Crtc.c | 3 +--
5 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/hw/xfree86/ddc/edid.h b/hw/xfree86/ddc/edid.h
index 750e4270b..b884d8212 100644
--- a/hw/xfree86/ddc/edid.h
+++ b/hw/xfree86/ddc/edid.h
@@ -262,6 +262,10 @@
#define MAX_H (_MAX_H(c) + _MAX_H_OFFSET(c))
#define _MAX_CLOCK(x) x[9]
#define MAX_CLOCK _MAX_CLOCK(c)
+#define _DEFAULT_GTF(x) (x[10] == 0x00)
+#define DEFAULT_GTF _DEFAULT_GTF(c)
+#define _RANGE_LIMITS_ONLY(x) (x[10] == 0x01)
+#define RANGE_LIMITS_ONLY _RANGE_LIMITS_ONLY(c)
#define _HAVE_2ND_GTF(x) (x[10] == 0x02)
#define HAVE_2ND_GTF _HAVE_2ND_GTF(c)
#define _F_2ND_GTF(x) (x[12] * 2)
@@ -477,6 +481,16 @@ struct detailed_timings {
#define DS_VENDOR 0x101
#define DS_VENDOR_MAX 0x110
+/*
+ * Display range limit Descriptor of EDID version1, reversion 4
+ */
+typedef enum {
+ DR_DEFAULT_GTF,
+ DR_LIMITS_ONLY,
+ DR_SECONDARY_GTF,
+ DR_CVT_SUPPORTED = 4,
+} DR_timing_flags;
+
struct monitor_ranges {
int min_v;
int max_v;
@@ -495,6 +509,7 @@ struct monitor_ranges {
char supported_blanking;
char supported_scaling;
int preferred_refresh; /* in hz */
+ DR_timing_flags display_range_timing_flags;
};
struct whitePoints {
@@ -524,7 +539,7 @@ struct detailed_monitor_section {
Uchar serial[13];
Uchar ascii_data[13];
Uchar name[13];
- struct monitor_ranges ranges; /* 56 */
+ struct monitor_ranges ranges; /* 60 */
struct std_timings std_t[5]; /* 80 */
struct whitePoints wp[2]; /* 32 */
/* color management data */
diff --git a/hw/xfree86/ddc/interpret_edid.c b/hw/xfree86/ddc/interpret_edid.c
index 17a8f81c0..19630471c 100644
--- a/hw/xfree86/ddc/interpret_edid.c
+++ b/hw/xfree86/ddc/interpret_edid.c
@@ -672,6 +672,9 @@ get_monitor_ranges(Uchar * c, struct monitor_ranges *r)
r->max_clock = 0;
if (MAX_CLOCK != 0xff) /* is specified? */
r->max_clock = MAX_CLOCK * 10 + 5;
+
+ r->display_range_timing_flags = c[10];
+
if (HAVE_2ND_GTF) {
r->gtf_2nd_f = F_2ND_GTF;
r->gtf_2nd_c = C_2ND_GTF;
@@ -751,6 +754,30 @@ validate_version(int scrnIndex, struct edid_version *r)
return TRUE;
}
+Bool
+gtf_supported(xf86MonPtr mon)
+{
+ int i;
+
+ if (!mon)
+ return FALSE;
+
+ if ((mon->ver.version == 1) && (mon->ver.revision < 4)) {
+ if (mon->features.msc & 0x1)
+ return TRUE;
+ } else {
+ for (i = 0; i < DET_TIMINGS; i++) {
+ struct detailed_monitor_section *det_timing_des = &(mon->det_mon[i]);
+ if (det_timing_des && (det_timing_des->type == DS_RANGES) &&
+ (det_timing_des->section.ranges.display_range_timing_flags == DR_DEFAULT_GTF
+ || det_timing_des->section.ranges.display_range_timing_flags == DR_SECONDARY_GTF))
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+}
+
/*
* Returns true if HDMI, false if definitely not or unknown.
*/
diff --git a/hw/xfree86/ddc/xf86DDC.h b/hw/xfree86/ddc/xf86DDC.h
index 7d81ab911..6eb2f0ba2 100644
--- a/hw/xfree86/ddc/xf86DDC.h
+++ b/hw/xfree86/ddc/xf86DDC.h
@@ -48,6 +48,9 @@ extern _X_EXPORT Bool xf86SetDDCproperties(ScrnInfoPtr pScreen, xf86MonPtr DDC);
extern _X_EXPORT Bool
xf86MonitorIsHDMI(xf86MonPtr mon);
+extern _X_EXPORT Bool
+gtf_supported(xf86MonPtr mon);
+
extern _X_EXPORT DisplayModePtr
FindDMTMode(int hsize, int vsize, int refresh, Bool rb);
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 59abb6cc7..9dd8c5573 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -2439,7 +2439,7 @@ drmmode_output_add_gtf_modes(xf86OutputPtr output, DisplayModePtr Modes)
int max_x = 0, max_y = 0;
float max_vrefresh = 0.0;
- if (mon && GTF_SUPPORTED(mon->features.msc))
+ if (mon && gtf_supported(mon))
return Modes;
if (!has_panel_fitter(output))
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 37a45bb3a..17d4ef103 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -1719,11 +1719,10 @@ xf86ProbeOutputModes(ScrnInfoPtr scrn, int maxX, int maxY)
if (edid_monitor) {
struct det_monrec_parameter p;
- struct disp_features *features = &edid_monitor->features;
struct cea_data_block *hdmi_db;
/* if display is not continuous-frequency, don't add default modes */
- if (!GTF_SUPPORTED(features->msc))
+ if (!gtf_supported(edid_monitor))
add_default_modes = FALSE;
p.mon_rec = &mon_rec;
--
2.26.2


@ -1,84 +0,0 @@
From 23c55ec32973e0a75d723e3f37769dd711c9c59c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Wed, 22 Jul 2020 18:20:14 +0200
Subject: [PATCH xserver] xwayland: Hold a pixmap reference in struct
xwl_present_event
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the log of the commit below, I claimed this wasn't necessary on the
1.20 branch, but this turned out to be wrong: It meant that
event->buffer could already be destroyed in xwl_present_free_event,
resulting in use-after-free and likely a crash.
Fixes: 22c0808ac88f "xwayland: Free all remaining events in
xwl_present_cleanup"
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
hw/xwayland/xwayland-present.c | 17 +++++++++++++----
hw/xwayland/xwayland.h | 2 +-
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 2cec63f59..f003170a9 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -117,8 +117,16 @@ xwl_present_free_event(struct xwl_present_event *event)
if (!event)
return;
- if (event->buffer)
- wl_buffer_set_user_data(event->buffer, NULL);
+ if (event->pixmap) {
+ if (!event->buffer_released) {
+ struct wl_buffer *buffer =
+ xwl_glamor_pixmap_get_wl_buffer(event->pixmap, NULL);
+
+ wl_buffer_set_user_data(buffer, NULL);
+ }
+
+ dixDestroyPixmap(event->pixmap, event->pixmap->drawable.id);
+ }
xorg_list_del(&event->list);
free(event);
@@ -348,7 +356,7 @@ xwl_present_queue_vblank(WindowPtr present_window,
return BadAlloc;
event->event_id = event_id;
- event->buffer = NULL;
+ event->pixmap = NULL;
event->xwl_present_window = xwl_present_window;
event->target_msc = msc;
@@ -453,11 +461,12 @@ xwl_present_flip(WindowPtr present_window,
if (!event)
return FALSE;
+ pixmap->refcnt++;
buffer = xwl_glamor_pixmap_get_wl_buffer(pixmap, &buffer_created);
event->event_id = event_id;
event->xwl_present_window = xwl_present_window;
- event->buffer = buffer;
+ event->pixmap = pixmap;
event->target_msc = target_msc;
event->pending = TRUE;
event->abort = FALSE;
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
index bc5836ec4..b9495b313 100644
--- a/hw/xwayland/xwayland.h
+++ b/hw/xwayland/xwayland.h
@@ -215,7 +215,7 @@ struct xwl_present_event {
Bool buffer_released;
struct xwl_present_window *xwl_present_window;
- struct wl_buffer *buffer;
+ PixmapPtr pixmap;
struct xorg_list list;
};
--
2.26.2


@ -1,45 +0,0 @@
From 732507ed3255dff3970c5f92bd6ea13bf877e637 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Thu, 25 Jun 2020 18:11:31 +0200
Subject: [PATCH xserver 2/4] present/wnmd: Free flip_queue entries in
present_wnmd_clear_window_flip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When present_wnmd_clear_window_flip is done, present_destroy_window
frees struct present_window_priv, and the events in the flip queue
become unreachable. So if we don't free them first, they're leaked.
Also drop the call to present_wnmd_set_abort_flip, which just sets a
flag in struct present_window_priv and thus can't have any observable
effect after present_destroy_window.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1042
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 1bdedc8dbb9d035b85444c2558a137470ff52113)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
present/present_screen.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/present/present_screen.c b/present/present_screen.c
index c435f55f4..bfd30b8ba 100644
--- a/present/present_screen.c
+++ b/present/present_screen.c
@@ -115,9 +115,9 @@ present_wnmd_clear_window_flip(WindowPtr window)
present_window_priv_ptr window_priv = present_window_priv(window);
present_vblank_ptr vblank, tmp;
- if (window_priv->flip_pending) {
- present_wnmd_set_abort_flip(window);
- window_priv->flip_pending->window = NULL;
+ xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->flip_queue, event_queue) {
+ present_pixmap_idle(vblank->pixmap, vblank->window, vblank->serial, vblank->idle_fence);
+ present_vblank_destroy(vblank);
}
xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->idle_queue, event_queue) {
--
2.26.2


@ -1,94 +0,0 @@
From 99e9854c5fab7114b26c272088d9202548da55bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 19 Jun 2020 18:14:35 +0200
Subject: [PATCH xserver 3/4] xwayland: Always use xwl_present_free_event for
freeing Present events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Minor cleanup, and will make the next change simpler. No functional
change intended.
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 1beffba699e2cc3f23039d2177c025bc127966de)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
hw/xwayland/xwayland-present.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 5ba7dce08..492e4a876 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -111,6 +111,13 @@ xwl_present_reset_timer(struct xwl_present_window *xwl_present_window)
}
}
+static void
+xwl_present_free_event(struct xwl_present_event *event)
+{
+ xorg_list_del(&event->list);
+ free(event);
+}
+
void
xwl_present_cleanup(WindowPtr window)
{
@@ -128,17 +135,15 @@ xwl_present_cleanup(WindowPtr window)
}
/* Clear remaining events */
- xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) {
- xorg_list_del(&event->list);
- free(event);
- }
+ xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list)
+ xwl_present_free_event(event);
/* Clear remaining buffer releases and inform Present about free ressources */
event = xwl_present_window->sync_flip;
xwl_present_window->sync_flip = NULL;
if (event) {
if (event->buffer_released) {
- free(event);
+ xwl_present_free_event(event);
} else {
event->pending = FALSE;
event->abort = TRUE;
@@ -160,13 +165,6 @@ xwl_present_cleanup(WindowPtr window)
free(xwl_present_window);
}
-static void
-xwl_present_free_event(struct xwl_present_event *event)
-{
- xorg_list_del(&event->list);
- free(event);
-}
-
static void
xwl_present_buffer_release(void *data, struct wl_buffer *buffer)
{
@@ -216,7 +214,7 @@ xwl_present_msc_bump(struct xwl_present_window *xwl_present_window)
/* If the buffer was already released, clean up now */
present_wnmd_event_notify(xwl_present_window->window, event->event_id,
xwl_present_window->ust, msc);
- free(event);
+ xwl_present_free_event(event);
} else {
xorg_list_add(&event->list, &xwl_present_window->release_queue);
}
@@ -392,8 +390,7 @@ xwl_present_abort_vblank(WindowPtr present_window,
xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) {
if (event->event_id == event_id) {
- xorg_list_del(&event->list);
- free(event);
+ xwl_present_free_event(event);
return;
}
}
--
2.26.2


@ -1,77 +0,0 @@
From 1466a4fdfa8156dd4fd8b6ee6acd1b44f72ee3b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 19 Jun 2020 18:10:18 +0200
Subject: [PATCH xserver 4/4] xwayland: Free all remaining events in
xwl_present_cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
At the end of xwl_present_cleanup, these events aren't reachable
anymore, so if we don't free them first, they're leaked.
(cherry picked from commit 64565ea344fef0171497952ef75f019cb420fe3b)
v2:
* Simpler backport, no need to keep a reference to the pixmap on the
1.20 branch.
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
hw/xwayland/xwayland-present.c | 26 +++++++++++---------------
1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 492e4a876..2cec63f59 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -114,6 +114,12 @@ xwl_present_reset_timer(struct xwl_present_window *xwl_present_window)
static void
xwl_present_free_event(struct xwl_present_event *event)
{
+ if (!event)
+ return;
+
+ if (event->buffer)
+ wl_buffer_set_user_data(event->buffer, NULL);
+
xorg_list_del(&event->list);
free(event);
}
@@ -138,21 +144,10 @@ xwl_present_cleanup(WindowPtr window)
xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list)
xwl_present_free_event(event);
- /* Clear remaining buffer releases and inform Present about free ressources */
- event = xwl_present_window->sync_flip;
- xwl_present_window->sync_flip = NULL;
- if (event) {
- if (event->buffer_released) {
- xwl_present_free_event(event);
- } else {
- event->pending = FALSE;
- event->abort = TRUE;
- }
- }
- xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->release_queue, list) {
- xorg_list_del(&event->list);
- event->abort = TRUE;
- }
+ xwl_present_free_event(xwl_present_window->sync_flip);
+
+ xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->release_queue, list)
+ xwl_present_free_event(event);
/* Clear timer */
xwl_present_free_timer(xwl_present_window);
@@ -353,6 +348,7 @@ xwl_present_queue_vblank(WindowPtr present_window,
return BadAlloc;
event->event_id = event_id;
+ event->buffer = NULL;
event->xwl_present_window = xwl_present_window;
event->target_msc = msc;
--
2.26.2


@ -45,8 +45,8 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.20.8
Release: 9%{?gitdate:.%{gitdate}}%{?dist}
Version: 1.20.10
Release: 1%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@ -99,13 +99,6 @@ Patch15: 0001-xfree86-LeaveVT-from-xf86CrtcCloseScreen.patch
Patch16: 0001-xfree86-try-harder-to-span-on-multihead.patch
Patch18: 0001-mustard-Work-around-broken-fbdev-headers.patch
# Xwayland / Present leak fixes from
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/459
Patch20: 0001-present-wnmd-Keep-pixmap-pointer-in-present_wnmd_cle.patch
Patch21: 0002-present-wnmd-Free-flip_queue-entries-in-present_wnmd.patch
Patch22: 0003-xwayland-Always-use-xwl_present_free_event-for-freei.patch
Patch23: 0004-xwayland-Free-all-remaining-events-in-xwl_present_cl.patch
# fix to be upstreamed
Patch100: 0001-linux-Make-platform-device-probe-less-fragile.patch
Patch102: 0001-xfree86-ensure-the-readlink-buffer-is-null-terminate.patch
@ -115,20 +108,6 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch
Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch
Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch
Patch204: 0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch
Patch205: 0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch
Patch206: 0001-xfree86-add-drm-modes-on-non-GTF-panels.patch
# CVE-2020-14345
Patch301: 0001-Correct-bounds-checking-in-XkbSetNames.patch
# CVE-2020-14346
Patch302: 0001-Fix-XIChangeHierarchy-integer-underflow.patch
# CVE-2020-14361
Patch303: 0001-Fix-XkbSelectEvents-integer-underflow.patch
# CVE-2020-14362
Patch304: 0001-Fix-XRecordRegisterClients-Integer-underflow.patch
# CVE-2020-14347
Patch305: 0001-fix-for-ZDI-11426.patch
BuildRequires: systemtap-sdt-devel
BuildRequires: git
@ -573,6 +552,14 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog
* Thu Dec 10 2020 Adam Jackson <ajax@redhat.com> - 1.20.10-1
- xserver 1.20.10
Resolves: #1891871
* Wed Dec 9 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-10
- modesetting: keep going if a modeset fails on EnterVT
Resolves: #1838392
* Mon Nov 16 2020 Adam Jackson <ajax@redhat.com> - 1.20.8-9
- CVE fix for: CVE-2020-14347 (#1862320)