Age | Commit message | Author |
|
xfree86: Hold input_lock across SPRITE functions in VGA arbiter
Fixes stack overflow crash with VGA arbiter used with multi GPU systems.
Report and fix identified by 'Joe M' on misc@. ok matthieu@
|
|
This prevents kbd(8) layouts with particular bitmasks from being
wrongly detected as French.
Broken behavior reported by Diogo Galvao; thanks!
ok mpi@ matthieu@
|
|
the modesetting driver uses these to pick a dri driver name
ok phessler@ kettenis@ matthieu@
|
|
On OpenBSD, we need the console fd to query wsdisplay type,
This was only causing problems with -keepPriv, since the privilege
separation code already calls xf86OpenConsole() earlier.
The function is idempotent, so there's no harm calling it
several times.
ok kettenis@
|
|
It was previously disabled by a broken test for XdmcpWrap() in xdm and
later in xenodm but it won't be missed. (use of DES, no IPv6 support).
ok tb@ mortimer@
|
|
and we held out hope too long. This will break some stuff. Let's start
with non-setuid as the baseline, and see if it is worth trying to fix
the broken parts in some other way.
|
|
privileges. This could cause arbitrary file overwrite.
CVE-2018-14665.
|
|
their fds over to the parent proc. Knowing this then we already have a list of
all possible devices that might be opened in the future, in struct okdev
allowed_devices[], and we just need to traverse them and unveil(2) each one
with read/write permissions.
positive feedback from semarie@, OK matthieu@
|
|
ok matthieu@
|
|
Fixes DRI3 with Xserver running as _x11 with xenodm.
close-on-exec is now default for priv_open_device().
ok kettenis@
|
|
All file descriptors opened via priv_open_device() can benefit from
the close-on-exec flag.
ok kettenis@.
|
|
allow them to work with xf86-input-synaptics
with and ok bru@
|
|
Fixes utilities like xcalib
Upstream xorg commit ac138f9b31b0fba00742edbc3326afe66e28099a
ok matthieu
|
|
--enable-glamor has changed from 'no' to 'auto'.
This makes an error running configure on luna88k, so disable it
explicitly with ${XENOCARA_BUILD_GL}=no machines.
ok jsg@
|
|
It was needed at some point in the past, but doesn't compile and
isn't needed with clang. Reported by jsg@.
|
|
and NOTE_CHANGE to notify the desktop environment to deal with
the change (e.g. after plugging in an HDMI cable)
with this change there is no need to manually do any randr commands
if your desktop environment supports it (gnome, mate, kde, etc.)
ok matthieu@, kettenis@
|
|
Tested by bru@, jsg@ and others
|
|
ok matthieu@
|
|
ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
|
|
(CVE-2017-12178)
|
|
(S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
|
|
Otherwise a client can send any value of num_barriers and cause
reading or swapping of values on heap behind the receive buffer.
|
|
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
|
|
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
|
|
v2: Add overflow check and remove unnecessary check (Julien Cristau)
This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
|
|
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
|
|
Generating strings for XKB data used a single shared static buffer,
which offered several opportunities for errors. Use a ring of
resizable buffers instead, to avoid problems when strings end up
longer than anticipated.
|
|
XkbStringText escapes non-printable characters using octal numbers.
Such an escape sequence would be at most 5 characters long ("\0123"), so
it reserves 5 bytes in the buffer. Due to char->unsigned int
conversion, it would print a much longer string for negative numbers.
|
|
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
|
|
stsp@ reported that modesetting(4) has been reported unreliable
on his laptop, while intel(4) works.
XXXX to be removed after 6.2 to figure out and fix the issue.
ok kettenis@, also discussed briefly with deraadt@ during EuroBSDCon.
|
|
It is supposed to be slow, and when such instructions are used to copy
data from/to mapped video memory, some hypervisors (e.g. KVM,
Microsoft Hyper-V) can generate SIGILL or SIGBUS exceptions, causing
Xorg to crash.
Bug report to OpenBSD by Max Parmer, fix from FreeBSD (Dimitry Andric)
via kettenis@
ok kettenis@
|
|
care of autoconfiguration based on the information returned by the
WSDISPLAYIO_GTYPE ioctl of the console FD. This should fix selection of
wsfb on loongson and sgi when using a non-KMS kernel driver.
ok matthieu@, jsg@
|
|
later. This matches what several Linux distros do these days as it tends to
work better than the intel driver in most cases.
There are some performance issues with vncviewer on at least Ivy Bridge and
Haswell. But for now that regression outweighs the benefits.
ok robert@, tedu@, sthen@
|
|
KMS connector property of the same name if such a property is present.
ok matthieu@
|
|
(CVE-2017-10971 and CVE-2017-10972).
|
|
OK jsg@
|
|
ok matthieu@
|
|
the xorg-devel list. Thanks
|
|
of the unused *ToID functions(). Spotted by Adam Jackson on xorg-devel
list. Thanks.
|
|
And the current code for MitToId has a use-after-free() issue.
Advisory X41-2017-001: Multiple Vulnerabilities in X.Org
|
|
Advisory X41-2017-001: Multiple Vulnerabilities in X.Org.
|
|
Advisory X41-2017-001: Multiple Vulnerabilities in X.Org.
|
|
- constify name field
- rename devname -> devnam
- replace deprecated Xprintf() with asprintf()
|