import xorg-x11-server-1.20.11-5.el8
parent
894e155f08
commit
e830a9c2cc
43
SOURCES/0001-present-Check-for-NULL-to-prevent-crash.patch
Normal file
43
SOURCES/0001-present-Check-for-NULL-to-prevent-crash.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 94b4a3d45451d29e9539ea234ce8b5e9ed58546c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?B=C5=82a=C5=BCej=20Szczygie=C5=82?= <spaz16@wp.pl>
|
||||
Date: Thu, 13 Jan 2022 00:47:27 +0100
|
||||
Subject: [PATCH xserver] present: Check for NULL to prevent crash
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1275
|
||||
Signed-off-by: Błażej Szczygieł <spaz16@wp.pl>
|
||||
Tested-by: Aaron Plattner <aplattner@nvidia.com>
|
||||
(cherry picked from commit 22d5818851967408bb7c903cb345b7ca8766094c)
|
||||
---
|
||||
present/present_scmd.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/present/present_scmd.c b/present/present_scmd.c
|
||||
index 3c68e690b..11391adbb 100644
|
||||
--- a/present/present_scmd.c
|
||||
+++ b/present/present_scmd.c
|
||||
@@ -168,6 +168,9 @@ present_scmd_get_crtc(present_screen_priv_ptr screen_priv, WindowPtr window)
|
||||
if (!screen_priv->info)
|
||||
return NULL;
|
||||
|
||||
+ if (!screen_priv->info->get_crtc)
|
||||
+ return NULL;
|
||||
+
|
||||
return (*screen_priv->info->get_crtc)(window);
|
||||
}
|
||||
|
||||
@@ -206,6 +209,9 @@ present_flush(WindowPtr window)
|
||||
if (!screen_priv->info)
|
||||
return;
|
||||
|
||||
+ if (!screen_priv->info->flush)
|
||||
+ return;
|
||||
+
|
||||
(*screen_priv->info->flush) (window);
|
||||
}
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
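Review bot: The two added guards in present_scmd_get_crtc() and present_flush() return silently when `get_crtc` or `flush` is unset, and nothing in the hunk records why a registered `info` may carry NULL hooks. A short comment above each check, e.g. `/* a driver may register present_screen_info without this hook; bail out instead of calling through NULL */`, would keep the guard from being dropped in a later cleanup. Other hooks reached through `screen_priv->info` elsewhere in present_scmd.c are not visible here; if any are called unconditionally they presumably need the same guard, since a call through a NULL pointer takes the whole server down. Both functions begin outside their hunks.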
@ -0,0 +1,35 @@
|
||||
From acc50e6097d51fec0c6c34d84c35018a50c52d5a Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:00 +0200
|
||||
Subject: [PATCH xserver 1/4] record: Fix out of bounds access in
|
||||
SwapCreateRegister()
|
||||
|
||||
ZDI-CAN-14952, CVE-2021-4011
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
|
||||
---
|
||||
record/record.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/record/record.c b/record/record.c
|
||||
index 05d751ac2..a8aec23bd 100644
|
||||
--- a/record/record.c
|
||||
+++ b/record/record.c
|
||||
@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
||||
swapl(pClientID);
|
||||
}
|
||||
if (stuff->nRanges >
|
||||
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
- - stuff->nClients)
|
||||
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
||||
return BadLength;
|
||||
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
||||
return Success;
|
||||
--
|
||||
2.33.1
|
||||
|
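Review bot: The new bound in SwapCreateRegister() is only sound if `client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients` cannot wrap, and the check that would guarantee this for `nClients` is not in the hunk; presumably it sits before the client-ID swap loop, which starts above the visible lines. That is worth confirming before relying on the fix. The units should also be stated next to the comparison, for example `/* req_len counts 4-byte units; each xRecordRange takes bytes_to_int32(sz_xRecordRange) of them */`, so the division does not read as arbitrary.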
@ -0,0 +1,167 @@
|
||||
From dafe5f6358edd557d89bb63265d6df2e1249f106 Mon Sep 17 00:00:00 2001
|
||||
From: Jocelyn Falempe <jfalempe@redhat.com>
|
||||
Date: Thu, 18 Nov 2021 14:45:42 +0100
|
||||
Subject: [PATCH] xf86/logind: fix call systemd_logind_vtenter after receiving
|
||||
drm device resume
|
||||
|
||||
logind send the resume event for input devices and drm device,
|
||||
in any order. if we call vt_enter before logind resume the drm device,
|
||||
it leads to a driver error, because logind has not done the
|
||||
DRM_IOCTL_SET_MASTER on it.
|
||||
|
||||
Keep the old workaround to make sure we call systemd_logind_vtenter at
|
||||
least once if there are no platform device
|
||||
|
||||
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
|
||||
xf86/logind: Fix drm_drop_master before vt_reldisp
|
||||
|
||||
When switching to VT, the ioctl DRM_DROP_MASTER must be done before
|
||||
the ioctl VT_RELDISP. Otherwise the kernel can't change the modesetting
|
||||
reliably, and this leads to the console not showing up in some cases, like
|
||||
after unplugging a docking station with a DP or HDMI monitor.
|
||||
|
||||
Before doing the VT_RELDISP, send a dbus message to logind, to
|
||||
pause the drm device, so logind will do the ioctl DRM_DROP_MASTER.
|
||||
|
||||
With this patch, it changes the order logind will send the resume
|
||||
event, and drm will be sent last instead of first.
|
||||
so there is a also fix to call systemd_logind_vtenter() at the right time.
|
||||
|
||||
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
|
||||
xf86/logind: Fix compilation error when built without logind/platform bus
|
||||
|
||||
This was introduced by commit 8eb1396d
|
||||
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1269
|
||||
Fixes: da9d012a9 - xf86/logind: Fix drm_drop_master before vt_reldisp
|
||||
|
||||
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
|
||||
xf86/logind: fix missing call to vtenter if the platform device is not paused
|
||||
|
||||
If there is one platform device, which is not paused nor resumed,
|
||||
systemd_logind_vtenter() will never get called.
|
||||
This break suspend/resume, and switching to VT on system with Nvidia
|
||||
proprietary driver.
|
||||
This is a regression introduced by f5bd039633fa83
|
||||
|
||||
So now call systemd_logind_vtenter() if there are no paused
|
||||
platform devices.
|
||||
|
||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1271
|
||||
Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
|
||||
|
||||
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
|
||||
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
hw/xfree86/common/xf86Events.c | 4 ++
|
||||
hw/xfree86/os-support/linux/systemd-logind.c | 41 +++++++++++++++++---
|
||||
include/systemd-logind.h | 2 +
|
||||
3 files changed, 42 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
|
||||
index 8a800bd8f..b683d233b 100644
|
||||
--- a/hw/xfree86/common/xf86Events.c
|
||||
+++ b/hw/xfree86/common/xf86Events.c
|
||||
@@ -393,6 +393,10 @@ xf86VTLeave(void)
|
||||
for (i = 0; i < xf86NumGPUScreens; i++)
|
||||
xf86GPUScreens[i]->LeaveVT(xf86GPUScreens[i]);
|
||||
|
||||
+ if (systemd_logind_controls_session()) {
|
||||
+ systemd_logind_drop_master();
|
||||
+ }
|
||||
+
|
||||
if (!xf86VTSwitchAway())
|
||||
goto switch_failed;
|
||||
|
||||
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
index 13784d15c..bd7a341f0 100644
|
||||
--- a/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
@@ -302,6 +302,37 @@ cleanup:
|
||||
dbus_error_free(&error);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Send a message to logind, to pause the drm device
|
||||
+ * and ensure the drm_drop_master is done before
|
||||
+ * VT_RELDISP when switching VT
|
||||
+ */
|
||||
+void systemd_logind_drop_master(void)
|
||||
+{
|
||||
+ int i;
|
||||
+ for (i = 0; i < xf86_num_platform_devices; i++) {
|
||||
+ if (xf86_platform_devices[i].flags & XF86_PDEV_SERVER_FD) {
|
||||
+ dbus_int32_t major, minor;
|
||||
+ struct systemd_logind_info *info = &logind_info;
|
||||
+
|
||||
+ xf86_platform_devices[i].flags |= XF86_PDEV_PAUSED;
|
||||
+ major = xf86_platform_odev_attributes(i)->major;
|
||||
+ minor = xf86_platform_odev_attributes(i)->minor;
|
||||
+ systemd_logind_ack_pause(info, minor, major);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static Bool are_platform_devices_resumed(void) {
|
||||
+ int i;
|
||||
+ for (i = 0; i < xf86_num_platform_devices; i++) {
|
||||
+ if (xf86_platform_devices[i].flags & XF86_PDEV_PAUSED) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ }
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
static DBusHandlerResult
|
||||
message_filter(DBusConnection * connection, DBusMessage * message, void *data)
|
||||
{
|
||||
@@ -417,14 +448,14 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
|
||||
/* info->vt_active gets set by systemd_logind_vtenter() */
|
||||
info->active = TRUE;
|
||||
|
||||
- if (pdev)
|
||||
+ if (pdev) {
|
||||
pdev->flags &= ~XF86_PDEV_PAUSED;
|
||||
- else
|
||||
+ } else
|
||||
systemd_logind_set_input_fd_for_all_devs(major, minor, fd,
|
||||
info->vt_active);
|
||||
-
|
||||
- /* Always call vtenter(), in case there are only legacy video devs */
|
||||
- systemd_logind_vtenter();
|
||||
+ /* Call vtenter if all platform devices are resumed, or if there are no platform device */
|
||||
+ if (are_platform_devices_resumed())
|
||||
+ systemd_logind_vtenter();
|
||||
}
|
||||
return DBUS_HANDLER_RESULT_HANDLED;
|
||||
}
|
||||
diff --git a/include/systemd-logind.h b/include/systemd-logind.h
|
||||
index a4067d097..5c04d0130 100644
|
||||
--- a/include/systemd-logind.h
|
||||
+++ b/include/systemd-logind.h
|
||||
@@ -33,6 +33,7 @@ int systemd_logind_take_fd(int major, int minor, const char *path, Bool *paus);
|
||||
void systemd_logind_release_fd(int major, int minor, int fd);
|
||||
int systemd_logind_controls_session(void);
|
||||
void systemd_logind_vtenter(void);
|
||||
+void systemd_logind_drop_master(void);
|
||||
#else
|
||||
#define systemd_logind_init()
|
||||
#define systemd_logind_fini()
|
||||
@@ -40,6 +41,7 @@ void systemd_logind_vtenter(void);
|
||||
#define systemd_logind_release_fd(major, minor, fd) close(fd)
|
||||
#define systemd_logind_controls_session() 0
|
||||
#define systemd_logind_vtenter()
|
||||
+#define systemd_logind_drop_master()
|
||||
#endif
|
||||
|
||||
#endif
|
||||
--
|
||||
2.33.1
|
||||
|
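Review bot: In the xf86VTLeave() hunk, `systemd_logind_drop_master()` runs before `xf86VTSwitchAway()`, so when the switch fails and control goes to `switch_failed` the platform devices are already flagged `XF86_PDEV_PAUSED` and logind has been sent the pause acknowledgement. The `switch_failed` path is outside the hunk, so this is inferred: if it re-enters the VT directly, it would presumably do so without DRM master, and `are_platform_devices_resumed()` keeps returning FALSE until a resume arrives for every flagged device. Either handle the failure path explicitly or document the assumption on the new function, e.g. `/* Caller must complete the VT switch; devices stay XF86_PDEV_PAUSED until logind resumes them */`.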
@ -0,0 +1,44 @@
|
||||
From 6bb8aeb30a2686facc48733016caade97ece10ad Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:01 +0200
|
||||
Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in
|
||||
*ProcXFixesCreatePointerBarrier()
|
||||
|
||||
ZDI-CAN-14950, CVE-2021-4009
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
|
||||
---
|
||||
xfixes/cursor.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
|
||||
index d4b68f3af..5f531a89a 100644
|
||||
--- a/xfixes/cursor.c
|
||||
+++ b/xfixes/cursor.c
|
||||
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesCreatePointerBarrierReq);
|
||||
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
LEGAL_NEW_RESOURCE(stuff->barrier, client);
|
||||
|
||||
return XICreatePointerBarrier(client, stuff);
|
||||
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
|
||||
swaps(&stuff->length);
|
||||
swaps(&stuff->num_devices);
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
|
||||
swapl(&stuff->barrier);
|
||||
swapl(&stuff->window);
|
||||
--
|
||||
2.33.1
|
||||
|
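Review bot: In SProcXFixesCreatePointerBarrier() the corrected `REQUEST_FIXED_SIZE` still runs after `swaps(&stuff->num_devices)`, which is necessary because the expected size depends on that field, but it means the swap itself has to be covered by an earlier minimum-size check that the hunk does not show. The function starts above the visible lines, so confirm that check is present there. The size expression is now duplicated in both handlers; a one-line comment at each site, such as `/* trailing device list: num_devices CARD16 ids, padded to 4 bytes */`, would make the element size explicit.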
@ -0,0 +1,34 @@
|
||||
From 67425fcab50ef24a5617e109897f38876dd81277 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:02 +0200
|
||||
Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in
|
||||
SProcScreenSaverSuspend()
|
||||
|
||||
ZDI-CAN-14951, CVE-2021-4010
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
|
||||
---
|
||||
Xext/saver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xext/saver.c b/Xext/saver.c
|
||||
index c27a66c80..c23907dbb 100644
|
||||
--- a/Xext/saver.c
|
||||
+++ b/Xext/saver.c
|
||||
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
|
||||
REQUEST(xScreenSaverSuspendReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
- swapl(&stuff->suspend);
|
||||
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
|
||||
+ swapl(&stuff->suspend);
|
||||
return ProcScreenSaverSuspend(client);
|
||||
}
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
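Review bot: The reordering in SProcScreenSaverSuspend() carries no comment, so the dependency between `REQUEST_SIZE_MATCH` and the `swapl(&stuff->suspend)` that now follows it is easy to undo in a later tidy-up. Add `/* validate the request length before touching fields past the header */` above the `REQUEST_SIZE_MATCH` line. `swaps(&stuff->length)` still precedes the check; that is presumably fine because the length field belongs to the header every request carries, but the same comment should say so.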
@ -0,0 +1,53 @@
|
||||
From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:03 +0200
|
||||
Subject: [PATCH xserver 4/4] render: Fix out of bounds access in
|
||||
SProcRenderCompositeGlyphs()
|
||||
|
||||
ZDI-CAN-14192, CVE-2021-4008
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
|
||||
---
|
||||
render/render.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/render/render.c b/render/render.c
|
||||
index c376090ca..456f156d4 100644
|
||||
--- a/render/render.c
|
||||
+++ b/render/render.c
|
||||
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||
|
||||
i = elt->len;
|
||||
if (i == 0xff) {
|
||||
+ if (buffer + 4 > end) {
|
||||
+ return BadLength;
|
||||
+ }
|
||||
swapl((int *) buffer);
|
||||
buffer += 4;
|
||||
}
|
||||
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||
buffer += i;
|
||||
break;
|
||||
case 2:
|
||||
+ if (buffer + i * 2 > end) {
|
||||
+ return BadLength;
|
||||
+ }
|
||||
while (i--) {
|
||||
swaps((short *) buffer);
|
||||
buffer += 2;
|
||||
}
|
||||
break;
|
||||
case 4:
|
||||
+ if (buffer + i * 4 > end) {
|
||||
+ return BadLength;
|
||||
+ }
|
||||
while (i--) {
|
||||
swapl((int *) buffer);
|
||||
buffer += 4;
|
||||
--
|
||||
2.33.1
|
||||
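Review bot: The three added checks in SProcRenderCompositeGlyphs() compare `buffer + 4`, `buffer + i * 2` and `buffer + i * 4` against `end`, which forms a pointer that can lie well past the end of the request buffer before the comparison happens; that is undefined in C even though it works on the usual flat-address targets. Comparing the remaining space avoids it: `if (end - buffer < 4)`, `if (end - buffer < i * 2)`, `if (end - buffer < i * 4)`. This assumes `buffer <= end` at each of those points, which the loop condition outside the hunk would have to guarantee. The `case 1:` arm advances `buffer += i` with no check; nothing is swapped there, but the loop header then has to cope with `buffer` beyond `end`, so that is worth confirming as well.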
|
@ -46,7 +46,7 @@
|
||||
Summary: X.Org X11 X server
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.11
|
||||
Release: 2%{?gitdate:.%{gitdate}}%{?dist}
|
||||
Release: 5%{?gitdate:.%{gitdate}}%{?dist}
|
||||
URL: http://www.x.org
|
||||
License: MIT
|
||||
Group: User Interface/X
|
||||
@ -108,6 +108,17 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
|
||||
Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch
|
||||
Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch
|
||||
Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch
|
||||
Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch
|
||||
Patch205: 0001-present-Check-for-NULL-to-prevent-crash.patch
|
||||
|
||||
# CVE-2021-4011
|
||||
Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
|
||||
# CVE-2021-4009
|
||||
Patch10010: 0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
|
||||
# CVE-2021-4010
|
||||
Patch10011: 0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
|
||||
# CVE-2021-4008
|
||||
Patch10012: 0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
|
||||
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: git
|
||||
@ -534,6 +545,17 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jan 28 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-5
|
||||
- Fix crash with NVIDIA proprietary driver with Present (#2046329)
|
||||
|
||||
* Thu Jan 6 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-4
|
||||
- CVE fix for: CVE-2021-4008 (#2030162), CVE-2021-4009 (#2030172),
|
||||
CVE-2021-4010 (#2030175), CVE-2021-4011 (#2030181)
|
||||
|
||||
* Mon Nov 29 2021 Jocelyn Falempe <jfalempe@redhat.com> - 1.20.11-3
|
||||
- xf86/logind Fix drm_drop_master before vt_reldis
|
||||
Resolves: #1771863
|
||||
|
||||
* Wed Jun 9 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-2
|
||||
- Remove Xwayland from the xserver builds
|
||||
Resolves: #1956838
|
||||
|