[Git][xorg-team/lib/libx11][upstream-unstable] 34 commits: _XDefaultError: set XlibDisplayIOError flag before calling exit

[Andreas Boll]

Andreas Boll pushed to branch upstream-unstable at X Strike Force / lib / libx11


Commits:
2d20890e by Arthur Huillet at 2017-03-07T20:39:51Z
_XDefaultError: set XlibDisplayIOError flag before calling exit

_XReply isn't reentrant, and it can lead to deadlocks when the default error
handler is called: _XDefaultError calls exit(1). It is called indirectly by
_XReply when a X protocol error comes in that isn't filtered/handled by an
extension or the application. This means that if the application (or one of its
loaded shared libraries such as the NVIDIA OpenGL driver) has registered any
_fini destructor, _fini will get called while still on the call stack of
_XReply. If the destructor interacts with the X server and calls _XReply, it
will hit a deadlock, looping on the following in _XReply:

    ConditionWait(dpy, dpy->xcb->reply_notify);

It is legal for an application to make Xlib calls during _fini, and that is
useful for an OpenGL driver to avoid resource leaks on the X server side, for
example in the dlopen/dlclose case. However, the driver can not readily tell
whether its _fini is being called because Xlib called exit, or for another
reason (dlclose), so it is hard to cleanly work around this issue in the driver.

This change makes it so _XReply effectively becomes a no-op when called after
_XDefaultError was called, as though an XIOError had happened. The dpy
connection isn't broken at that point, but any call to _XReply is going to 
hang.
This is a bit of a kludge, because the more correct solution would be to make
_XReply reentrant, maybe by broadcasting the reply_notify condition before
calling the default error handler. However, such a change would carry a grater
risk of introducing regressions in Xlib.

This change will drop some valid requests on the floor, but this should not
matter, as it will only do so in the case where the application is dying: X will
clean up after it once exit() is done running. There is the case of
XSetCloseDownMode(RETAIN_PERMANENT), but an application using that and wishing
to clean up resources in _fini would currently be hitting a deadlock, which is
hardly a better situation.

Signed-off-by: Aaron Plattner <aplatt...@nvidia.com>
Reviewed-by: Jamey Sharp <ja...@minilop.net>

- - - - -
c6dadd4c by Alan Coopersmith at 2017-03-24T22:19:18Z
Make Xkb{Get,Set}NamedIndicator spec & manpages match code

The XKB Library spec and the man pages for XkbGetNamedIndicator &
XkbSetNamedIndicator included a device_spec argument neither function
takes, and do not include the XkbGetNamedDeviceIndicator &
XkbSetNamedDeviceIndicator variants that do take it (along with two
other arguments).

This updates them to match the interfaces the code has provided for
decades.

This has been reported multiple times, so this fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=251
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729812
Sun Bug 4528016 XkbSetNamedIndicator & XkbGetNamedIndicator man pages are 
wrong
  (filed: alan.coopersm...@sun.com 2001-11-15 - now aka Oracle bug 15087506)
X.Org Group Defect Id #9418

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Reviewed-by: Adam Jackson <a...@redhat.com>

- - - - -
b856d5d9 by Alan Coopersmith at 2017-03-24T22:19:27Z
Clarify state parameter to XkbSetNamedDeviceIndicator

Checking a Bool to see if it's NULL does not work well in C.
Also reported in https://bugs.freedesktop.org/show_bug.cgi?id=251

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Reviewed-by: Adam Jackson <a...@redhat.com>

- - - - -
7d2010fe by Alan Coopersmith at 2017-04-07T07:13:03Z
Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages

Includes fix for Solaris Bug 24564279: "XkbKeyNumGroups.3x11 man page
contains some malformed text" caused by extra whitespace after .TE macros

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>

- - - - -
4fe66b1c by Ryan C. Gordon at 2017-08-06T23:25:25Z
Valgrind fix for XStoreColor and XStoreColors.

If the "pad" field isn't set, Valgrind will report it as 
uninitialized
memory accesses when the struct is copied into the Display's send buffer.

In practice, this is (probably) harmless, but Valgrind is correct in
believing it's a bug.

https://bugs.freedesktop.org/attachment.cgi?id=133189

Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>

- - - - -
83107a67 by walter harms at 2017-08-14T16:02:39Z
fix shadow warning

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
6ec901eb by walter harms at 2017-08-14T16:02:39Z
_XIOError(dpy); will never return so remore dead

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
916dffad by walter harms at 2017-08-14T16:02:40Z
remove argument check for free() adjust one inden

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
0355c392 by walter harms at 2017-08-14T16:02:40Z
fix shadow char_size

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
d02c2466 by walter harms at 2017-08-14T16:12:35Z
fix more shadow warning

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
714921f0 by walter harms at 2017-08-14T16:12:35Z
no need to check argument for _XkbFree()

simplify code by removing unneeded checks

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
c1c14af4 by walter harms at 2017-08-14T16:28:18Z
remove stray extern

remove stray extern

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
7c78fc57 by walter harms at 2017-08-14T16:28:18Z
no need to check args for Xfree()

simplify code

Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
ed9f0d34 by walter harms at 2017-08-14T16:28:18Z
fix memleak in error path

V2: remove unneeded NULL (reported by eric.engest...@imgtec.com)

fix mem leak in error path
Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
433477fc by walter harms at 2017-08-14T16:54:44Z
fix memleak in error path

free all mem on error
Signed-off-by: walter harms <wha...@bfs.de>

- - - - -
9abe8380 by walter harms at 2017-08-20T19:41:41Z
no need to check XFree arguments

You can save a bit of code. The is no need to check XFree arguments bring  
free_fontdataOM in line with other free function and check for NULL arg

Signed-off-by: harms wha...@bfs.de

- - - - -
bf82ec04 by walter harms at 2017-08-20T19:44:26Z
mark _XDefaultIOError as no_return

mark _XDefaultIOError as no_return. No one comes back from exit() ...

Signed-off-by: harms wha...@bfs.de

- - - - -
2911c39c by walter harms at 2017-08-20T19:47:05Z
Fixes: warning: variable 'req' set but not,used

Fixes: warning: variable 'req' set but not used 
[-Wunused-but-set-variable]
       by marking req _X_UNUSED
        Solution was discussed on xorg-devel ML
       Peter Hutter, Alan Coopersmith
        Re: [PATCH libX11 3/5] fix: warning: pointer targets in passing 
argument 2 of '_XSend' differ in signedness [-Wpointer-sign]

Signed-off-by: harms wha...@bfs.de

- - - - -
e02dfe54 by wharms at 2017-08-20T19:50:33Z
add _X_UNUSED to avoid unused variable warnings

- - - - -
36a1ac02 by wharms at 2017-08-20T19:51:57Z
remove empty line

- - - - -
e835a9dc by wharms at 2017-09-03T12:17:45Z
silence gcc warning assignment discards 'const' qualifier from pointer 
target type

- - - - -
34f4464f by Alan Coopersmith at 2018-03-07T22:50:32Z
If XGetImage fails to create image, don't dereference it to bounds check

Reported by gcc 7.3:

GetImage.c:110:25: warning: potential null pointer dereference 
[-Wnull-dereference]
  if (planes < 1 || image->height < 1 || image->bytes_per_line < 
1 ||
                    ~~~~~^~~~~~~~

Introduced by 8ea762f94f4c942d898fdeb590a1630c83235c17 in Xlib 1.6.4

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Reviewed-by: Emil Velikov <emil.veli...@collabora.com>

- - - - -
a9dafdd5 by Michal Srb at 2018-03-23T04:32:05Z
Use flexible array member instead of fake size.

The _XimCacheStruct structure is followed in memory by two strings containing
fname and encoding. The memory was accessed using the last member of the
structure `char fname[1]`. That is a lie, prohibits us from using sizeof and
confuses checkers. Lets declare it properly as a flexible array, so compilers
don't complain about writing past that array. As bonus we can replace the
XOffsetOf with regular sizeof.

Fixes GCC8 error:
  In function 'strcpy',
      inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5,
      inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2,
      inlined from '_XimLocalOpenIM' at imLcIm.c:700:5:
  /usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy'
  forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds]
     return __builtin___strcpy_chk (__dest, __src, __bos (__dest));

Caused by this line seemingly writing past the fname[1] array:
  imLcIm.c:479:  strcpy (m->fname+strlen(name)+1, encoding);

Reviewed-by: Keith Packard <kei...@keithp.com>
Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>

- - - - -
50a5a989 by Bhavi Dhingra at 2018-03-24T18:13:46Z
Fix possible memory leak in cmsProp.c:140

https://bugs.freedesktop.org/show_bug.cgi?id=96814

Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>

- - - - -
82ca6308 by Alan Coopersmith at 2018-03-30T22:46:18Z
Use size_t for buffer sizes in SetHints.c

These variables store values returned from strlen() as a size_t
and are passed to Xmalloc, which expects a size_t, so lets stop
converting back and forth to int along the way.

Reported by: Konstantin SKliarov
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Reviewed-by: Matthieu Herrb <matth...@herrb.eu>

- - - - -
796f754c by Alan Coopersmith at 2018-05-05T21:45:57Z
Change fall through comment in lcDB.c to match gcc's requirements

Needs to match one of the regexps shown under
https://gcc.gnu.org/onlinedocs/gcc-7.3.0/gcc/Warning-Options.html#index-Wimplicit-fallthrough

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>

- - - - -
9c5845ff by Martin Natano at 2018-05-14T01:38:58Z
Don't rebuild ks_tables.h if nothing changed.

ks_tables.h is always considered out of date due to the forced rebuild
of the makekeys util. This means the file is also rebuilt during 'make
install', which is usually performed as root, which can to lead
permission problems later on.

Signed-off-by: Martin Natano <nat...@natano.net>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>

- - - - -
b676e623 by Samuel Thibault at 2018-06-13T13:46:58Z
XkbOpenDisplay.3: fix typo

XkbOpenDisplay returns a pointer to Display, not a Display.

Signed-off-by: Samuel Thibault <samuel.thiba...@ens-lyon.org>

- - - - -
d81da209 by Tobias Stoeckmann at 2018-07-17T13:23:14Z
Validation of server response in XListHosts.

If a server sends an incorrect length in its response, a client is prone
to perform an out of boundary read while processing the data.

The length field of xHostEntry is used to specify the amount of bytes
used to represent the address. It is 16 bit, which means that it is not
possible to perform an arbitrary memory access, but it might be enough
to read sensitive information, e.g. malloc-related pointers and offsets.

Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matth...@herrb.eu>

- - - - -
b469da14 by Tobias Stoeckmann at 2018-08-21T14:42:29Z
Fixed off-by-one writes (CVE-2018-14599).

The functions XGetFontPath, XListExtensions, and XListFonts are
vulnerable to an off-by-one override on malicious server responses.

The server replies consist of chunks consisting of a length byte
followed by actual string, which is not NUL-terminated.

While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on. To
be able to NUL-terminate the last string, the buffer is reserved with
an additional byte of space.

For a boundary check, the variable chend (end of ch) was introduced,
pointing at the end of the buffer which ch initially points to.
Unfortunately there is a difference in handling "the end of ch".

While chend points at the first byte that must not be written to,
the for-loop uses chend as the last byte that can be written to.

Therefore, an off-by-one can occur.

I have refactored the code so chend actually points to the last byte
that can be written to without an out of boundary access. As it is not
possible to achieve "ch + length < chend" and "ch + length + 
1 > chend"
with the corrected chend meaning, I removed the inner if-check.

Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>

- - - - -
dbf72805 by Tobias Stoeckmann at 2018-08-21T14:43:06Z
Fixed out of boundary write (CVE-2018-14600).

The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).

Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.

Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>

- - - - -
e8372276 by Tobias Stoeckmann at 2018-08-21T14:43:22Z
Fixed crash on invalid reply (CVE-2018-14598).

If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:

    Xfree (list[0]-1)
 turns into
    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting the freeing functions later on.

Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>

- - - - -
17370424 by Matthieu Herrb at 2018-08-21T14:53:40Z
Remove statement with no effect.

Signed-off-by: Matthieu Herrb <matth...@herrb.eu>

- - - - -
733f64bf by Matthieu Herrb at 2018-08-21T14:54:50Z
libX11 1.6.6

Signed-off-by: Matthieu Herrb <matth...@herrb.eu>

- - - - -


30 changed files:

- configure.ac
- man/xkb/Makefile.am
- man/xkb/XkbChangeControls.man
- + man/xkb/XkbGetNamedDeviceIndicator.man
- man/xkb/XkbGetNamedIndicator.man
- man/xkb/XkbKeyNumGroups.man
- man/xkb/XkbOpenDisplay.man
- + man/xkb/XkbSetNamedDeviceIndicator.man
- man/xkb/XkbSetNamedIndicator.man
- modules/im/ximcp/imCallbk.c
- modules/im/ximcp/imDefIc.c
- modules/im/ximcp/imInsClbk.c
- modules/im/ximcp/imLcIm.c
- modules/im/ximcp/imLcLkup.c
- modules/om/generic/omGeneric.c
- specs/XKB/ch08.xml
- src/DisName.c
- src/FSWrap.c
- src/FontNames.c
- src/GetFPath.c
- src/GetIFocus.c
- src/GetImage.c
- src/GetKCnt.c
- src/GetPCnt.c
- src/GetPntMap.c
- src/GetSSaver.c
- src/GrServer.c
- src/LiHosts.c
- src/ListExt.c
- src/Macros.c


The diff was not included because it is too large.


View it on GitLab: 
https://salsa.debian.org/xorg-team/lib/libx11/compare/42f4d7af9cf6d1dbfa575552e057328b054a20c9...733f64bfeb311c1d040b2f751bfdef9c9d0f89ef

-- 
View it on GitLab: 
https://salsa.debian.org/xorg-team/lib/libx11/compare/42f4d7af9cf6d1dbfa575552e057328b054a20c9...733f64bfeb311c1d040b2f751bfdef9c9d0f89ef
You're receiving this email because of your account on salsa.debian.org.