diff --git a/.gitignore b/.gitignore index 5db85a0..3c72a61 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/xorg-server-1.20.8.tar.bz2 +SOURCES/xorg-server-1.20.10.tar.bz2 diff --git a/.xorg-x11-server.metadata b/.xorg-x11-server.metadata index 1bae2ad..672ec7b 100644 --- a/.xorg-x11-server.metadata +++ b/.xorg-x11-server.metadata @@ -1 +1 @@ -077d081f912faf11c87ea1c9d0e29490961b0cd4 SOURCES/xorg-server-1.20.8.tar.bz2 +e698b30adb781dfe0e7bee0aa489ea9df404a5db SOURCES/xorg-server-1.20.10.tar.bz2 diff --git a/SOURCES/0001-Correct-bounds-checking-in-XkbSetNames.patch b/SOURCES/0001-Correct-bounds-checking-in-XkbSetNames.patch deleted file mode 100644 index 429c8cf..0000000 --- a/SOURCES/0001-Correct-bounds-checking-in-XkbSetNames.patch +++ /dev/null @@ -1,183 +0,0 @@ -From 1d3a1092c30af660b1366fcd344af745590aa29f Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:46:32 +0200 -Subject: [PATCH xserver] Correct bounds checking in XkbSetNames() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2020-14345 / ZDI 11428 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb -(cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1) -Signed-off-by: Michel Dänzer ---- - xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 48 insertions(+) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 3162574a4..2139da7ee 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; - #define CHK_REQ_KEY_RANGE(err,first,num,r) \ - CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) - -+static Bool -+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { -+ char *cstuff = (char *)stuff; -+ char *cfrom = (char *)from; -+ char *cto = (char *)to; -+ -+ return cfrom < cto && -+ cfrom >= cstuff && -+ cfrom < cstuff + ((size_t)client->req_len << 2) && -+ cto >= cstuff && -+ cto <= cstuff + ((size_t)client->req_len << 2); -+} -+ - /***====================================================================***/ - - int -@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - client->errorValue = _XkbErrCode2(0x04, stuff->firstType); - return BadAccess; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) -+ return BadLength; - old = tmp; - tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); - if (!tmp) { -@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - } - width = (CARD8 *) tmp; - tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); -+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) -+ return BadLength; - type = &xkb->map->types[stuff->firstKTLevel]; - for (i = 0; i < stuff->nKTLevels; i++, type++) { - if (width[i] == 0) -@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - type->num_levels, width[i]); - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) -+ return BadLength; - tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); - if (!tmp) { - client->errorValue = bad; -@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - client->errorValue = 0x08; - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + Ones(stuff->indicators))) -+ return BadLength; - tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, - client->swapped, &bad); - if (!tmp) { -@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - client->errorValue = 0x09; - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + Ones(stuff->virtualMods))) -+ return BadLength; - tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, - (CARD32) stuff->virtualMods, - client->swapped, &bad); -@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - client->errorValue = 0x0a; - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + Ones(stuff->groupNames))) -+ return BadLength; - tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, - (CARD32) stuff->groupNames, - client->swapped, &bad); -@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - stuff->nKeys); - return BadValue; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) -+ return BadLength; - tmp += stuff->nKeys; - } - if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + (stuff->nKeyAliases * 2))) -+ return BadLength; - tmp += stuff->nKeyAliases * 2; - } - if (stuff->which & XkbRGNamesMask) { -@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, - client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); - return BadValue; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + stuff->nRadioGroups)) -+ return BadLength; - tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); - if (!tmp) { - client->errorValue = bad; -@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client) - /* check device-independent stuff */ - tmp = (CARD32 *) &stuff[1]; - -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbKeycodesNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbGeometryNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbSymbolsNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbPhysSymbolsNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbTypesNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbCompatNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { --- -2.28.0 - diff --git a/SOURCES/0001-Fix-XIChangeHierarchy-integer-underflow.patch b/SOURCES/0001-Fix-XIChangeHierarchy-integer-underflow.patch deleted file mode 100644 index e4be3ac..0000000 --- a/SOURCES/0001-Fix-XIChangeHierarchy-integer-underflow.patch +++ /dev/null @@ -1,36 +0,0 @@ -From eff3f6cdd398bfac040351e99e64baf3bf64fa2e Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:49:04 +0200 -Subject: [PATCH xserver] Fix XIChangeHierarchy() integer underflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2020-14346 / ZDI-CAN-11429 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb -(cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e) -Signed-off-by: Michel Dänzer ---- - Xi/xichangehierarchy.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c -index cbdd91258..504defe56 100644 ---- a/Xi/xichangehierarchy.c -+++ b/Xi/xichangehierarchy.c -@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) - if (!stuff->num_changes) - return rc; - -- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); -+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); - - any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; - while (stuff->num_changes--) { --- -2.28.0 - diff --git a/SOURCES/0001-Fix-XRecordRegisterClients-Integer-underflow.patch b/SOURCES/0001-Fix-XRecordRegisterClients-Integer-underflow.patch deleted file mode 100644 index 6504678..0000000 --- a/SOURCES/0001-Fix-XRecordRegisterClients-Integer-underflow.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 705d7213935820d9f56563ee9e17aa9beb365c1e Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:55:01 +0200 -Subject: [PATCH xserver] Fix XRecordRegisterClients() Integer underflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2020-14362 ZDI-CAN-11574 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb -(cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050) -Signed-off-by: Michel Dänzer ---- - record/record.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/record/record.c b/record/record.c -index f0b739b0c..05d751ac2 100644 ---- a/record/record.c -+++ b/record/record.c -@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client) - } /* SProcRecordQueryVersion */ - - static int _X_COLD --SwapCreateRegister(xRecordRegisterClientsReq * stuff) -+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) - { - int i; - XID *pClientID; -@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) - swapl(&stuff->nRanges); - pClientID = (XID *) &stuff[1]; - if (stuff->nClients > -- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) -+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) - return BadLength; - for (i = 0; i < stuff->nClients; i++, pClientID++) { - swapl(pClientID); - } - if (stuff->nRanges > -- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) -+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - - stuff->nClients) - return BadLength; - RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); -@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client) - - swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); -- if ((status = SwapCreateRegister((void *) stuff)) != Success) -+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) - return status; - return ProcRecordCreateContext(client); - } /* SProcRecordCreateContext */ -@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client) - - swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); -- if ((status = SwapCreateRegister((void *) stuff)) != Success) -+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) - return status; - return ProcRecordRegisterClients(client); - } /* SProcRecordRegisterClients */ --- -2.28.0 - diff --git a/SOURCES/0001-Fix-XkbSelectEvents-integer-underflow.patch b/SOURCES/0001-Fix-XkbSelectEvents-integer-underflow.patch deleted file mode 100644 index 321b90f..0000000 --- a/SOURCES/0001-Fix-XkbSelectEvents-integer-underflow.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 5b384e7678c5a155dd8752f018c8292153c1295e Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:52:29 +0200 -Subject: [PATCH xserver] Fix XkbSelectEvents() integer underflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2020-14361 ZDI-CAN 11573 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb -(cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8) -Signed-off-by: Michel Dänzer ---- - xkb/xkbSwap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c -index 1c1ed5ff4..50cabb90e 100644 ---- a/xkb/xkbSwap.c -+++ b/xkb/xkbSwap.c -@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) - register unsigned bit, ndx, maskLeft, dataLeft, size; - - from.c8 = (CARD8 *) &stuff[1]; -- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); -+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); - maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); - for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { - if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) --- -2.28.0 - diff --git a/SOURCES/0001-fix-for-ZDI-11426.patch b/SOURCES/0001-fix-for-ZDI-11426.patch deleted file mode 100644 index 7ae18a8..0000000 --- a/SOURCES/0001-fix-for-ZDI-11426.patch +++ /dev/null @@ -1,33 +0,0 @@ -From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Sat, 25 Jul 2020 19:33:50 +0200 -Subject: [PATCH] fix for ZDI-11426 - -Avoid leaking un-initalized memory to clients by zeroing the -whole pixmap on initial allocation. - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb -Reviewed-by: Alan Coopersmith ---- - dix/pixmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dix/pixmap.c b/dix/pixmap.c -index 1186d7dbb..5a0146bbb 100644 ---- a/dix/pixmap.c -+++ b/dix/pixmap.c -@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) - if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) - return NullPixmap; - -- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); -+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); - if (!pPixmap) - return NullPixmap; - --- -2.25.4 - diff --git a/SOURCES/0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch b/SOURCES/0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch deleted file mode 100644 index 32b0106..0000000 --- a/SOURCES/0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 85d9f7932353b6e0986796dbb09b7f778f9cc9aa Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Fri, 24 Jul 2020 18:21:05 +0200 -Subject: [PATCH xserver] glamor: Fix glamor_poly_fill_rect_gl - xRectangle::width/height handling -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -(Using GLSL 1.30 or newer) - -The width/height members of xRectangle are unsigned, but they were -being interpreted as signed when converting to floating point for the -vertex shader, producing incorrect drawing for values > 32767. - -Solve this by passing through the values as integers, and masking off -the upper 16 bits in the vertex shader (which could be 1 due to sign -extension). - -Signed-off-by: Michel Dänzer ---- - glamor/glamor_rects.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/glamor/glamor_rects.c b/glamor/glamor_rects.c -index 6cbb040c1..5cac40d49 100644 ---- a/glamor/glamor_rects.c -+++ b/glamor/glamor_rects.c -@@ -27,9 +27,10 @@ - static const glamor_facet glamor_facet_polyfillrect_130 = { - .name = "poly_fill_rect", - .version = 130, -- .vs_vars = "attribute vec4 primitive;\n", -- .vs_exec = (" vec2 pos = primitive.zw * vec2(gl_VertexID&1, (gl_VertexID&2)>>1);\n" -- GLAMOR_POS(gl_Position, (primitive.xy + pos))), -+ .vs_vars = "attribute ivec4 primitive;\n", -+ .vs_exec = (" vec2 pos = vec2(primitive.zw & ivec2(0xffff));\n" -+ " pos *= vec2(gl_VertexID&1, (gl_VertexID&2)>>1);\n" -+ GLAMOR_POS(gl_Position, (vec2(primitive.xy) + pos))), - }; - - static const glamor_facet glamor_facet_polyfillrect_120 = { -@@ -81,8 +82,8 @@ glamor_poly_fill_rect_gl(DrawablePtr drawable, - - glEnableVertexAttribArray(GLAMOR_VERTEX_POS); - glVertexAttribDivisor(GLAMOR_VERTEX_POS, 1); -- glVertexAttribPointer(GLAMOR_VERTEX_POS, 4, GL_SHORT, GL_FALSE, -- 4 * sizeof (short), vbo_offset); -+ glVertexAttribIPointer(GLAMOR_VERTEX_POS, 4, GL_SHORT, -+ 4 * sizeof (short), vbo_offset); - - memcpy(v, prect, nrect * sizeof (xRectangle)); - --- -2.26.2 - diff --git a/SOURCES/0001-present-wnmd-Keep-pixmap-pointer-in-present_wnmd_cle.patch b/SOURCES/0001-present-wnmd-Keep-pixmap-pointer-in-present_wnmd_cle.patch deleted file mode 100644 index c6ae2eb..0000000 --- a/SOURCES/0001-present-wnmd-Keep-pixmap-pointer-in-present_wnmd_cle.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f32c851a0ba41f5d8d0f8c869bc394858de721df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Thu, 25 Jun 2020 18:09:27 +0200 -Subject: [PATCH xserver 1/4] present/wnmd: Keep pixmap pointer in - present_wnmd_clear_window_flip -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The comment was incorrect: Any reference held by the window (see -present_wnmd_execute) is in addition to the one in struct present_vblank -(see present_vblank_create). So if we don't drop the latter, the pixmap -will be leaked. - -Reviewed-by: Dave Airlie -(cherry picked from commit bc9dd1c71c3722284ffaa7183f4119151b25a44f) -Signed-off-by: Michel Dänzer ---- - present/present_screen.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/present/present_screen.c b/present/present_screen.c -index c7e37c5fd..c435f55f4 100644 ---- a/present/present_screen.c -+++ b/present/present_screen.c -@@ -122,8 +122,6 @@ present_wnmd_clear_window_flip(WindowPtr window) - - xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->idle_queue, event_queue) { - present_pixmap_idle(vblank->pixmap, vblank->window, vblank->serial, vblank->idle_fence); -- /* The pixmap will be destroyed by freeing the window resources. */ -- vblank->pixmap = NULL; - present_vblank_destroy(vblank); - } - --- -2.26.2 - diff --git a/SOURCES/0001-xfree86-add-drm-modes-on-non-GTF-panels.patch b/SOURCES/0001-xfree86-add-drm-modes-on-non-GTF-panels.patch deleted file mode 100644 index a10be22..0000000 --- a/SOURCES/0001-xfree86-add-drm-modes-on-non-GTF-panels.patch +++ /dev/null @@ -1,173 +0,0 @@ -From 139868f3e82a3e7b7b17f3a5a2e07c4b04d81728 Mon Sep 17 00:00:00 2001 -From: Aaron Ma -Date: Thu, 30 Jul 2020 11:02:39 +0200 -Subject: [PATCH xserver] xfree86: add drm modes on non-GTF panels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -EDID1.4 replaced GTF Bit with Continuous or Non-Continuous Frequency Display. - -Check the "Display Range Limits Descriptor" for GTF support. -If panel doesn't support GTF, then add gtf modes. - -Otherwise X will only show the modes in "Detailed Timing Descriptor". - -V2: Coding style changes. -V3: Coding style changes, remove unused variate. -V4: remove unused variate. - -BugLink: https://gitlab.freedesktop.org/drm/intel/issues/313 -Signed-off-by: Aaron Ma -Reviewed-by: Adam Jackson -(cherry picked from commit 6a79a737e2c0bc730ee693b4ea4a1530c108be4e) -Signed-off-by: Michel Dänzer ---- - hw/xfree86/ddc/edid.h | 17 +++++++++++- - hw/xfree86/ddc/interpret_edid.c | 27 +++++++++++++++++++ - hw/xfree86/ddc/xf86DDC.h | 3 +++ - .../drivers/modesetting/drmmode_display.c | 2 +- - hw/xfree86/modes/xf86Crtc.c | 3 +-- - 5 files changed, 48 insertions(+), 4 deletions(-) - -diff --git a/hw/xfree86/ddc/edid.h b/hw/xfree86/ddc/edid.h -index 750e4270b..b884d8212 100644 ---- a/hw/xfree86/ddc/edid.h -+++ b/hw/xfree86/ddc/edid.h -@@ -262,6 +262,10 @@ - #define MAX_H (_MAX_H(c) + _MAX_H_OFFSET(c)) - #define _MAX_CLOCK(x) x[9] - #define MAX_CLOCK _MAX_CLOCK(c) -+#define _DEFAULT_GTF(x) (x[10] == 0x00) -+#define DEFAULT_GTF _DEFAULT_GTF(c) -+#define _RANGE_LIMITS_ONLY(x) (x[10] == 0x01) -+#define RANGE_LIMITS_ONLY _RANGE_LIMITS_ONLY(c) - #define _HAVE_2ND_GTF(x) (x[10] == 0x02) - #define HAVE_2ND_GTF _HAVE_2ND_GTF(c) - #define _F_2ND_GTF(x) (x[12] * 2) -@@ -477,6 +481,16 @@ struct detailed_timings { - #define DS_VENDOR 0x101 - #define DS_VENDOR_MAX 0x110 - -+/* -+ * Display range limit Descriptor of EDID version1, reversion 4 -+ */ -+typedef enum { -+ DR_DEFAULT_GTF, -+ DR_LIMITS_ONLY, -+ DR_SECONDARY_GTF, -+ DR_CVT_SUPPORTED = 4, -+} DR_timing_flags; -+ - struct monitor_ranges { - int min_v; - int max_v; -@@ -495,6 +509,7 @@ struct monitor_ranges { - char supported_blanking; - char supported_scaling; - int preferred_refresh; /* in hz */ -+ DR_timing_flags display_range_timing_flags; - }; - - struct whitePoints { -@@ -524,7 +539,7 @@ struct detailed_monitor_section { - Uchar serial[13]; - Uchar ascii_data[13]; - Uchar name[13]; -- struct monitor_ranges ranges; /* 56 */ -+ struct monitor_ranges ranges; /* 60 */ - struct std_timings std_t[5]; /* 80 */ - struct whitePoints wp[2]; /* 32 */ - /* color management data */ -diff --git a/hw/xfree86/ddc/interpret_edid.c b/hw/xfree86/ddc/interpret_edid.c -index 17a8f81c0..19630471c 100644 ---- a/hw/xfree86/ddc/interpret_edid.c -+++ b/hw/xfree86/ddc/interpret_edid.c -@@ -672,6 +672,9 @@ get_monitor_ranges(Uchar * c, struct monitor_ranges *r) - r->max_clock = 0; - if (MAX_CLOCK != 0xff) /* is specified? */ - r->max_clock = MAX_CLOCK * 10 + 5; -+ -+ r->display_range_timing_flags = c[10]; -+ - if (HAVE_2ND_GTF) { - r->gtf_2nd_f = F_2ND_GTF; - r->gtf_2nd_c = C_2ND_GTF; -@@ -751,6 +754,30 @@ validate_version(int scrnIndex, struct edid_version *r) - return TRUE; - } - -+Bool -+gtf_supported(xf86MonPtr mon) -+{ -+ int i; -+ -+ if (!mon) -+ return FALSE; -+ -+ if ((mon->ver.version == 1) && (mon->ver.revision < 4)) { -+ if (mon->features.msc & 0x1) -+ return TRUE; -+ } else { -+ for (i = 0; i < DET_TIMINGS; i++) { -+ struct detailed_monitor_section *det_timing_des = &(mon->det_mon[i]); -+ if (det_timing_des && (det_timing_des->type == DS_RANGES) && -+ (det_timing_des->section.ranges.display_range_timing_flags == DR_DEFAULT_GTF -+ || det_timing_des->section.ranges.display_range_timing_flags == DR_SECONDARY_GTF)) -+ return TRUE; -+ } -+ } -+ -+ return FALSE; -+} -+ - /* - * Returns true if HDMI, false if definitely not or unknown. - */ -diff --git a/hw/xfree86/ddc/xf86DDC.h b/hw/xfree86/ddc/xf86DDC.h -index 7d81ab911..6eb2f0ba2 100644 ---- a/hw/xfree86/ddc/xf86DDC.h -+++ b/hw/xfree86/ddc/xf86DDC.h -@@ -48,6 +48,9 @@ extern _X_EXPORT Bool xf86SetDDCproperties(ScrnInfoPtr pScreen, xf86MonPtr DDC); - extern _X_EXPORT Bool - xf86MonitorIsHDMI(xf86MonPtr mon); - -+extern _X_EXPORT Bool -+gtf_supported(xf86MonPtr mon); -+ - extern _X_EXPORT DisplayModePtr - FindDMTMode(int hsize, int vsize, int refresh, Bool rb); - -diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c -index 59abb6cc7..9dd8c5573 100644 ---- a/hw/xfree86/drivers/modesetting/drmmode_display.c -+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c -@@ -2439,7 +2439,7 @@ drmmode_output_add_gtf_modes(xf86OutputPtr output, DisplayModePtr Modes) - int max_x = 0, max_y = 0; - float max_vrefresh = 0.0; - -- if (mon && GTF_SUPPORTED(mon->features.msc)) -+ if (mon && gtf_supported(mon)) - return Modes; - - if (!has_panel_fitter(output)) -diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c -index 37a45bb3a..17d4ef103 100644 ---- a/hw/xfree86/modes/xf86Crtc.c -+++ b/hw/xfree86/modes/xf86Crtc.c -@@ -1719,11 +1719,10 @@ xf86ProbeOutputModes(ScrnInfoPtr scrn, int maxX, int maxY) - - if (edid_monitor) { - struct det_monrec_parameter p; -- struct disp_features *features = &edid_monitor->features; - struct cea_data_block *hdmi_db; - - /* if display is not continuous-frequency, don't add default modes */ -- if (!GTF_SUPPORTED(features->msc)) -+ if (!gtf_supported(edid_monitor)) - add_default_modes = FALSE; - - p.mon_rec = &mon_rec; --- -2.26.2 - diff --git a/SOURCES/0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch b/SOURCES/0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch deleted file mode 100644 index 8cab652..0000000 --- a/SOURCES/0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 23c55ec32973e0a75d723e3f37769dd711c9c59c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Wed, 22 Jul 2020 18:20:14 +0200 -Subject: [PATCH xserver] xwayland: Hold a pixmap reference in struct - xwl_present_event -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In the log of the commit below, I claimed this wasn't necessary on the -1.20 branch, but this turned out to be wrong: It meant that -event->buffer could already be destroyed in xwl_present_free_event, -resulting in use-after-free and likely a crash. - -Fixes: 22c0808ac88f "xwayland: Free all remaining events in - xwl_present_cleanup" -Signed-off-by: Michel Dänzer ---- - hw/xwayland/xwayland-present.c | 17 +++++++++++++---- - hw/xwayland/xwayland.h | 2 +- - 2 files changed, 14 insertions(+), 5 deletions(-) - -diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c -index 2cec63f59..f003170a9 100644 ---- a/hw/xwayland/xwayland-present.c -+++ b/hw/xwayland/xwayland-present.c -@@ -117,8 +117,16 @@ xwl_present_free_event(struct xwl_present_event *event) - if (!event) - return; - -- if (event->buffer) -- wl_buffer_set_user_data(event->buffer, NULL); -+ if (event->pixmap) { -+ if (!event->buffer_released) { -+ struct wl_buffer *buffer = -+ xwl_glamor_pixmap_get_wl_buffer(event->pixmap, NULL); -+ -+ wl_buffer_set_user_data(buffer, NULL); -+ } -+ -+ dixDestroyPixmap(event->pixmap, event->pixmap->drawable.id); -+ } - - xorg_list_del(&event->list); - free(event); -@@ -348,7 +356,7 @@ xwl_present_queue_vblank(WindowPtr present_window, - return BadAlloc; - - event->event_id = event_id; -- event->buffer = NULL; -+ event->pixmap = NULL; - event->xwl_present_window = xwl_present_window; - event->target_msc = msc; - -@@ -453,11 +461,12 @@ xwl_present_flip(WindowPtr present_window, - if (!event) - return FALSE; - -+ pixmap->refcnt++; - buffer = xwl_glamor_pixmap_get_wl_buffer(pixmap, &buffer_created); - - event->event_id = event_id; - event->xwl_present_window = xwl_present_window; -- event->buffer = buffer; -+ event->pixmap = pixmap; - event->target_msc = target_msc; - event->pending = TRUE; - event->abort = FALSE; -diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h -index bc5836ec4..b9495b313 100644 ---- a/hw/xwayland/xwayland.h -+++ b/hw/xwayland/xwayland.h -@@ -215,7 +215,7 @@ struct xwl_present_event { - Bool buffer_released; - - struct xwl_present_window *xwl_present_window; -- struct wl_buffer *buffer; -+ PixmapPtr pixmap; - - struct xorg_list list; - }; --- -2.26.2 - diff --git a/SOURCES/0002-present-wnmd-Free-flip_queue-entries-in-present_wnmd.patch b/SOURCES/0002-present-wnmd-Free-flip_queue-entries-in-present_wnmd.patch deleted file mode 100644 index 6bce17f..0000000 --- a/SOURCES/0002-present-wnmd-Free-flip_queue-entries-in-present_wnmd.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 732507ed3255dff3970c5f92bd6ea13bf877e637 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Thu, 25 Jun 2020 18:11:31 +0200 -Subject: [PATCH xserver 2/4] present/wnmd: Free flip_queue entries in - present_wnmd_clear_window_flip -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When present_wnmd_clear_window_flip is done, present_destroy_window -frees struct present_window_priv, and the events in the flip queue -become unreachable. So if we don't free them first, they're leaked. - -Also drop the call to present_wnmd_set_abort_flip, which just sets a -flag in struct present_window_priv and thus can't have any observable -effect after present_destroy_window. - -Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1042 -Reviewed-by: Dave Airlie -(cherry picked from commit 1bdedc8dbb9d035b85444c2558a137470ff52113) -Signed-off-by: Michel Dänzer ---- - present/present_screen.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/present/present_screen.c b/present/present_screen.c -index c435f55f4..bfd30b8ba 100644 ---- a/present/present_screen.c -+++ b/present/present_screen.c -@@ -115,9 +115,9 @@ present_wnmd_clear_window_flip(WindowPtr window) - present_window_priv_ptr window_priv = present_window_priv(window); - present_vblank_ptr vblank, tmp; - -- if (window_priv->flip_pending) { -- present_wnmd_set_abort_flip(window); -- window_priv->flip_pending->window = NULL; -+ xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->flip_queue, event_queue) { -+ present_pixmap_idle(vblank->pixmap, vblank->window, vblank->serial, vblank->idle_fence); -+ present_vblank_destroy(vblank); - } - - xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->idle_queue, event_queue) { --- -2.26.2 - diff --git a/SOURCES/0003-xwayland-Always-use-xwl_present_free_event-for-freei.patch b/SOURCES/0003-xwayland-Always-use-xwl_present_free_event-for-freei.patch deleted file mode 100644 index 7925adc..0000000 --- a/SOURCES/0003-xwayland-Always-use-xwl_present_free_event-for-freei.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 99e9854c5fab7114b26c272088d9202548da55bf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Fri, 19 Jun 2020 18:14:35 +0200 -Subject: [PATCH xserver 3/4] xwayland: Always use xwl_present_free_event for - freeing Present events -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Minor cleanup, and will make the next change simpler. No functional -change intended. - -Reviewed-by: Dave Airlie -(cherry picked from commit 1beffba699e2cc3f23039d2177c025bc127966de) -Signed-off-by: Michel Dänzer ---- - hw/xwayland/xwayland-present.c | 27 ++++++++++++--------------- - 1 file changed, 12 insertions(+), 15 deletions(-) - -diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c -index 5ba7dce08..492e4a876 100644 ---- a/hw/xwayland/xwayland-present.c -+++ b/hw/xwayland/xwayland-present.c -@@ -111,6 +111,13 @@ xwl_present_reset_timer(struct xwl_present_window *xwl_present_window) - } - } - -+static void -+xwl_present_free_event(struct xwl_present_event *event) -+{ -+ xorg_list_del(&event->list); -+ free(event); -+} -+ - void - xwl_present_cleanup(WindowPtr window) - { -@@ -128,17 +135,15 @@ xwl_present_cleanup(WindowPtr window) - } - - /* Clear remaining events */ -- xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) { -- xorg_list_del(&event->list); -- free(event); -- } -+ xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) -+ xwl_present_free_event(event); - - /* Clear remaining buffer releases and inform Present about free ressources */ - event = xwl_present_window->sync_flip; - xwl_present_window->sync_flip = NULL; - if (event) { - if (event->buffer_released) { -- free(event); -+ xwl_present_free_event(event); - } else { - event->pending = FALSE; - event->abort = TRUE; -@@ -160,13 +165,6 @@ xwl_present_cleanup(WindowPtr window) - free(xwl_present_window); - } - --static void --xwl_present_free_event(struct xwl_present_event *event) --{ -- xorg_list_del(&event->list); -- free(event); --} -- - static void - xwl_present_buffer_release(void *data, struct wl_buffer *buffer) - { -@@ -216,7 +214,7 @@ xwl_present_msc_bump(struct xwl_present_window *xwl_present_window) - /* If the buffer was already released, clean up now */ - present_wnmd_event_notify(xwl_present_window->window, event->event_id, - xwl_present_window->ust, msc); -- free(event); -+ xwl_present_free_event(event); - } else { - xorg_list_add(&event->list, &xwl_present_window->release_queue); - } -@@ -392,8 +390,7 @@ xwl_present_abort_vblank(WindowPtr present_window, - - xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) { - if (event->event_id == event_id) { -- xorg_list_del(&event->list); -- free(event); -+ xwl_present_free_event(event); - return; - } - } --- -2.26.2 - diff --git a/SOURCES/0004-xwayland-Free-all-remaining-events-in-xwl_present_cl.patch b/SOURCES/0004-xwayland-Free-all-remaining-events-in-xwl_present_cl.patch deleted file mode 100644 index ab526e7..0000000 --- a/SOURCES/0004-xwayland-Free-all-remaining-events-in-xwl_present_cl.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 1466a4fdfa8156dd4fd8b6ee6acd1b44f72ee3b1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michel=20D=C3=A4nzer?= -Date: Fri, 19 Jun 2020 18:10:18 +0200 -Subject: [PATCH xserver 4/4] xwayland: Free all remaining events in - xwl_present_cleanup -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -At the end of xwl_present_cleanup, these events aren't reachable -anymore, so if we don't free them first, they're leaked. - -(cherry picked from commit 64565ea344fef0171497952ef75f019cb420fe3b) - -v2: -* Simpler backport, no need to keep a reference to the pixmap on the - 1.20 branch. - -Signed-off-by: Michel Dänzer ---- - hw/xwayland/xwayland-present.c | 26 +++++++++++--------------- - 1 file changed, 11 insertions(+), 15 deletions(-) - -diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c -index 492e4a876..2cec63f59 100644 ---- a/hw/xwayland/xwayland-present.c -+++ b/hw/xwayland/xwayland-present.c -@@ -114,6 +114,12 @@ xwl_present_reset_timer(struct xwl_present_window *xwl_present_window) - static void - xwl_present_free_event(struct xwl_present_event *event) - { -+ if (!event) -+ return; -+ -+ if (event->buffer) -+ wl_buffer_set_user_data(event->buffer, NULL); -+ - xorg_list_del(&event->list); - free(event); - } -@@ -138,21 +144,10 @@ xwl_present_cleanup(WindowPtr window) - xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) - xwl_present_free_event(event); - -- /* Clear remaining buffer releases and inform Present about free ressources */ -- event = xwl_present_window->sync_flip; -- xwl_present_window->sync_flip = NULL; -- if (event) { -- if (event->buffer_released) { -- xwl_present_free_event(event); -- } else { -- event->pending = FALSE; -- event->abort = TRUE; -- } -- } -- xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->release_queue, list) { -- xorg_list_del(&event->list); -- event->abort = TRUE; -- } -+ xwl_present_free_event(xwl_present_window->sync_flip); -+ -+ xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->release_queue, list) -+ xwl_present_free_event(event); - - /* Clear timer */ - xwl_present_free_timer(xwl_present_window); -@@ -353,6 +348,7 @@ xwl_present_queue_vblank(WindowPtr present_window, - return BadAlloc; - - event->event_id = event_id; -+ event->buffer = NULL; - event->xwl_present_window = xwl_present_window; - event->target_msc = msc; - --- -2.26.2 - diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec index 070cd00..66ad4aa 100644 --- a/SPECS/xorg-x11-server.spec +++ b/SPECS/xorg-x11-server.spec @@ -45,8 +45,8 @@ Summary: X.Org X11 X server Name: xorg-x11-server -Version: 1.20.8 -Release: 9%{?gitdate:.%{gitdate}}%{?dist} +Version: 1.20.10 +Release: 1%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -99,13 +99,6 @@ Patch15: 0001-xfree86-LeaveVT-from-xf86CrtcCloseScreen.patch Patch16: 0001-xfree86-try-harder-to-span-on-multihead.patch Patch18: 0001-mustard-Work-around-broken-fbdev-headers.patch -# Xwayland / Present leak fixes from -# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/459 -Patch20: 0001-present-wnmd-Keep-pixmap-pointer-in-present_wnmd_cle.patch -Patch21: 0002-present-wnmd-Free-flip_queue-entries-in-present_wnmd.patch -Patch22: 0003-xwayland-Always-use-xwl_present_free_event-for-freei.patch -Patch23: 0004-xwayland-Free-all-remaining-events-in-xwl_present_cl.patch - # fix to be upstreamed Patch100: 0001-linux-Make-platform-device-probe-less-fragile.patch Patch102: 0001-xfree86-ensure-the-readlink-buffer-is-null-terminate.patch @@ -115,20 +108,6 @@ Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch -Patch204: 0001-xwayland-Hold-a-pixmap-reference-in-struct-xwl_prese.patch -Patch205: 0001-glamor-Fix-glamor_poly_fill_rect_gl-xRectangle-width.patch -Patch206: 0001-xfree86-add-drm-modes-on-non-GTF-panels.patch - -# CVE-2020-14345 -Patch301: 0001-Correct-bounds-checking-in-XkbSetNames.patch -# CVE-2020-14346 -Patch302: 0001-Fix-XIChangeHierarchy-integer-underflow.patch -# CVE-2020-14361 -Patch303: 0001-Fix-XkbSelectEvents-integer-underflow.patch -# CVE-2020-14362 -Patch304: 0001-Fix-XRecordRegisterClients-Integer-underflow.patch -# CVE-2020-14347 -Patch305: 0001-fix-for-ZDI-11426.patch BuildRequires: systemtap-sdt-devel BuildRequires: git @@ -573,6 +552,14 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Thu Dec 10 2020 Adam Jackson - 1.20.10-1 +- xserver 1.20.10 + Resolves: #1891871 + +* Wed Dec 9 2020 Michel Dänzer - 1.20.8-10 +- modesetting: keep going if a modeset fails on EnterVT + Resolves: #1838392 + * Mon Nov 16 2020 Adam Jackson - 1.20.8-9 - CVE fix for: CVE-2020-14347 (#1862320)