xserver: Branch 'master' - 4 commits
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Jan 6 02:04:18 UTC 2023
dix/dispatch.c | 39 ++++++++++++++++++---------------------
hw/xfree86/common/xf86Config.c | 8 ++++++++
hw/xfree86/man/xorg.conf.man | 2 ++
hw/xwayland/xwayland.pc.in | 1 +
include/opaque.h | 2 ++
man/Xserver.man | 6 ++++++
os/utils.c | 9 +++++++++
7 files changed, 46 insertions(+), 21 deletions(-)
New commits:
commit 412777664a20dd3561b936c02c96571a756fe9b2
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Tue Dec 20 10:42:03 2022 +1000
Disallow byte-swapped clients by default
The X server swapping code is a huge attack surface, much of this code
is untested and prone to security issues. The use-case of byte-swapped
clients is very niche, so let's disable this by default and allow it
only when the respective config option or commandline flag is given.
For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "on".
For all DDX, this adds the commandline options +byteswappedclients and
-byteswappedclients to enable or disable, respectively.
Fixes #1201
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1029
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 92be773e6..9c26753a9 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3772,7 +3772,9 @@ ProcEstablishConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
- if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ if (client->swapped && !AllowByteSwappedClients) {
+ reason = "Prohibited client endianess, see the Xserver man page ";
+ } else if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
pad_to_int32(prefix->nbytesAuthProto) +
pad_to_int32(prefix->nbytesAuthString))
reason = "Bad length";
diff --git a/hw/xfree86/common/xf86Config.c b/hw/xfree86/common/xf86Config.c
index 5d814c148..41acb25aa 100644
--- a/hw/xfree86/common/xf86Config.c
+++ b/hw/xfree86/common/xf86Config.c
@@ -646,6 +646,7 @@ typedef enum {
FLAG_MAX_CLIENTS,
FLAG_IGLX,
FLAG_DEBUG,
+ FLAG_ALLOW_BYTE_SWAPPED_CLIENTS,
} FlagValues;
/**
@@ -705,6 +706,8 @@ static OptionInfoRec FlagOptions[] = {
{0}, FALSE},
{FLAG_DEBUG, "Debug", OPTV_STRING,
{0}, FALSE},
+ {FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, "AllowByteSwappedClients", OPTV_BOOLEAN,
+ {0}, FALSE},
{-1, NULL, OPTV_NONE,
{0}, FALSE},
};
@@ -746,6 +749,11 @@ configServerFlags(XF86ConfFlagsPtr flagsconf, XF86OptionPtr layoutopts)
xf86Msg(X_CONFIG, "Ignoring ABI Version\n");
}
+ xf86GetOptValBool(FlagOptions, FLAG_ALLOW_BYTE_SWAPPED_CLIENTS, &AllowByteSwappedClients);
+ if (AllowByteSwappedClients) {
+ xf86Msg(X_CONFIG, "Allowing byte-swapped clients\n");
+ }
+
if (xf86IsOptionSet(FlagOptions, FLAG_AUTO_ADD_DEVICES)) {
xf86GetOptValBool(FlagOptions, FLAG_AUTO_ADD_DEVICES,
&xf86Info.autoAddDevices);
diff --git a/hw/xfree86/man/xorg.conf.man b/hw/xfree86/man/xorg.conf.man
index 01b47247e..d057f26ec 100644
--- a/hw/xfree86/man/xorg.conf.man
+++ b/hw/xfree86/man/xorg.conf.man
@@ -677,6 +677,8 @@ Possible values are
or
.BR sync .
Unset by default.
+.BI "Option \*qAllowByteSwappedClients\*q \*q" boolean \*q
+Allow clients with a different byte-order than the server. Disabled by default.
.SH "MODULE SECTION"
The
.B Module
diff --git a/hw/xwayland/xwayland.pc.in b/hw/xwayland/xwayland.pc.in
index c62a95a02..d65d52e51 100644
--- a/hw/xwayland/xwayland.pc.in
+++ b/hw/xwayland/xwayland.pc.in
@@ -17,3 +17,4 @@ have_geometry=true
have_fullscreen=true
have_host_grab=true
have_decorate=@have_libdecor@
+have_byteswappedclients=true
diff --git a/include/opaque.h b/include/opaque.h
index 256261c2a..398d4b4e5 100644
--- a/include/opaque.h
+++ b/include/opaque.h
@@ -74,4 +74,6 @@ extern _X_EXPORT Bool bgNoneRoot;
extern _X_EXPORT Bool CoreDump;
extern _X_EXPORT Bool NoListenAll;
+extern _X_EXPORT Bool AllowByteSwappedClients;
+
#endif /* OPAQUE_H */
diff --git a/man/Xserver.man b/man/Xserver.man
index 764bd1d90..e7adf9eb3 100644
--- a/man/Xserver.man
+++ b/man/Xserver.man
@@ -114,6 +114,12 @@ pattern. This is the default unless -retro or -wr is specified.
.B \-bs
disables backing store support on all screens.
.TP 8
+.B \+byteswappedclients
+Allow connections from clients with an endianess different to that of the server.
+.TP 8
+.B \-byteswappedclients
+Prohibit connections from clients with an endianess different to that of the server.
+.TP 8
.B \-c
turns off key-click.
.TP 8
diff --git a/os/utils.c b/os/utils.c
index fe94912f3..405bf7d8b 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -189,6 +189,8 @@ Bool CoreDump;
Bool enableIndirectGLX = FALSE;
+Bool AllowByteSwappedClients = FALSE;
+
#ifdef PANORAMIX
Bool PanoramiXExtensionDisabledHack = FALSE;
#endif
@@ -523,6 +525,8 @@ UseMsg(void)
ErrorF("-br create root window with black background\n");
ErrorF("+bs enable any backing store support\n");
ErrorF("-bs disable any backing store support\n");
+ ErrorF("+byteswappedclients Allow clients with endianess different to that of the server\n");
+ ErrorF("-byteswappedclients Prohibit clients with endianess different to that of the server\n");
ErrorF("-c turns off key-click\n");
ErrorF("c # key-click volume (0-100)\n");
ErrorF("-cc int default color visual class\n");
@@ -720,6 +724,11 @@ ProcessCommandLine(int argc, char *argv[])
else
UseMsg();
}
+ else if (strcmp(argv[i], "-byteswappedclients") == 0) {
+ AllowByteSwappedClients = FALSE;
+ } else if (strcmp(argv[i], "+byteswappedclients") == 0) {
+ AllowByteSwappedClients = TRUE;
+ }
else if (strcmp(argv[i], "-br") == 0); /* default */
else if (strcmp(argv[i], "+bs") == 0)
enableBackingStore = TRUE;
commit f69280ddcdd3115ee4717f22e85e0f43569b60dd
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Tue Dec 20 11:40:16 2022 +1000
dix: localize two variables
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
diff --git a/dix/dispatch.c b/dix/dispatch.c
index c651c3d88..92be773e6 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3766,14 +3766,11 @@ int
ProcEstablishConnection(ClientPtr client)
{
const char *reason;
- char *auth_proto, *auth_string;
xConnClientPrefix *prefix;
REQUEST(xReq);
prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
- auth_proto = (char *) prefix + sz_xConnClientPrefix;
- auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
pad_to_int32(prefix->nbytesAuthProto) +
@@ -3782,12 +3779,15 @@ ProcEstablishConnection(ClientPtr client)
else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
- else
+ else {
+ char *auth_proto = (char *) prefix + sz_xConnClientPrefix;
+ char *auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
reason = ClientAuthorized(client,
(unsigned short) prefix->nbytesAuthProto,
auth_proto,
(unsigned short) prefix->nbytesAuthString,
auth_string);
+ }
return (SendConnSetup(client, reason));
}
commit a8c2e60d8d979a31ff3bb54f1ea8a0b0e3580a5f
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Mon Dec 19 10:37:33 2022 +1000
dix: remove unused PANORAMIX_DEBUG ifdef
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
diff --git a/dix/dispatch.c b/dix/dispatch.c
index e38a8feca..c651c3d88 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -101,11 +101,6 @@ Equipment Corporation.
#include <version-config.h>
#endif
-#ifdef PANORAMIX_DEBUG
-#include <stdio.h>
-int ProcInitialConnection();
-#endif
-
#include "windowstr.h"
#include <X11/fonts/fontstruct.h>
#include <X11/fonts/libxfont2.h>
commit 73d6e888c6058b28a0e87ab65aa4172b17d8327d
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Mon Dec 19 10:34:29 2022 +1000
Fix some indentation issues
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 210df75c6..e38a8feca 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -492,10 +492,10 @@ Dispatch(void)
if (!WaitForSomething(clients_are_ready()))
continue;
- /*****************
- * Handle events in round robin fashion, doing input between
- * each round
- *****************/
+ /*****************
+ * Handle events in round robin fashion, doing input between
+ * each round
+ *****************/
if (!dispatchException && clients_are_ready()) {
client = SmartScheduleClient();
@@ -3657,11 +3657,11 @@ ProcInitialConnection(ClientPtr client)
prefix = (xConnClientPrefix *) ((char *)stuff + sz_xReq);
order = prefix->byteOrder;
if (order != 'l' && order != 'B' && order != 'r' && order != 'R')
- return client->noClientException = -1;
+ return client->noClientException = -1;
if (((*(char *) &whichbyte) && (order == 'B' || order == 'R')) ||
- (!(*(char *) &whichbyte) && (order == 'l' || order == 'r'))) {
- client->swapped = TRUE;
- SwapConnClientPrefix(prefix);
+ (!(*(char *) &whichbyte) && (order == 'l' || order == 'r'))) {
+ client->swapped = TRUE;
+ SwapConnClientPrefix(prefix);
}
stuff->reqType = 2;
stuff->length += bytes_to_int32(prefix->nbytesAuthProto) +
@@ -3670,7 +3670,7 @@ ProcInitialConnection(ClientPtr client)
swaps(&stuff->length);
}
if (order == 'r' || order == 'R') {
- client->local = FALSE;
+ client->local = FALSE;
}
ResetCurrentRequest(client);
return Success;
@@ -3781,8 +3781,8 @@ ProcEstablishConnection(ClientPtr client)
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
- pad_to_int32(prefix->nbytesAuthProto) +
- pad_to_int32(prefix->nbytesAuthString))
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
reason = "Bad length";
else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
More information about the xorg-commit
mailing list