Xorg backports 2 #1233
Open
Xorg backports 2 #1233
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../Xext/shm.c:213:23: acquire_memory: this call could return NULL xwayland-24.1.6/redhat-linux-build/../Xext/shm.c:214:9: danger: ‘screen_priv’ could be NULL: unchecked value from [(19)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/18) Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2664:9: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’ xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2677:14: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’ xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2767:14: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’ xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2800:14: danger: dereference of NULL ‘SysCounterGetPrivate(pCounter)’ Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported incorrectly in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817 as: xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: allocated here xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2843:12: danger: ‘priv’ leaks here; was allocated at [(30)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/29) but the "leak" is really saving the pointer in an uninitalized pointer in a structure that was already freed when the malloc of the SysCounterInfo struct failed in SyncCreateSystemCounter(), because it returned the address of the freed struct instead of NULL to indicate failure. Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
If there's nothing to send, skip over a bunch of code to make a list that won't be used, and hopefully make the code path clearer to both humans and static analyzers, who raise errors as seen in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817 of dereferencing NULL pointers when count == 0. Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:142:13: warning[-Wanalyzer-malloc-leak]: leak of ‘rec’ xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:133:1: enter_function: entry to ‘SELinuxAtomToSID’ xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:141:15: acquire_memory: allocated here xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:69:12: branch_true: following ‘true’ branch... xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:142:13: danger: ‘rec’ leaks here; was allocated at [(2)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/1) 140| if (!rec) { 141| rec = calloc(1, sizeof(SELinuxAtomRec)); 142|-> if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec)) 143| return BadAlloc; 144| } Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072>
Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:383:14: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘dev’ xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: ‘dev’ is NULL xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:383:14: danger: dereference of NULL ‘dev’ xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:395:14: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘dev’ xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: ‘dev’ is NULL xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:395:14: danger: dereference of NULL ‘dev’ xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:426:14: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘dev’ xwayland-24.1.6/redhat-linux-build/../Xext /xtest.c:348:9: release_memory: ‘dev’ is NULL xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:426:14: danger: dereference of NULL ...
The wOtherInputMasks(win) macro will return NULL if win->optional is NULL. Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1390:13: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’ xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1404:13: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’ xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:2293:9: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’ xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3244:22: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘inputMasks’ xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3338:9: warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’ Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
(The existing setting of led_mask is probably wrong, but has been set like this since X11R5 and going back as far as the first version in the X Consortium source control archives.) Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../Xi/getfctl.c:108:9: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value ‘*k2.led_values’ 108|-> swapl(&k2->led_values); Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075>
metux
reviewed
Oct 13, 2025
|
|
||
| if (!screen_priv) { | ||
| screen_priv = calloc(1, sizeof(ShmScrPrivateRec)); | ||
| screen_priv = XNFcallocarray(1, sizeof(ShmScrPrivateRec)); |
There was a problem hiding this comment.
Shall we really crash the whole Xserver here ?
By the way, having a pointer to a pointer to a struct of two pointers doesn't really make sense to me.
At least we should move the ShmScrPrivateRec directly into the privates block (instead of a pointer to it)
(see dixRegisterPrivates() call)
There was a problem hiding this comment.
Yes that strange redirection. Just keep in mind nvidia_drv uses via ShmFuncsPtr via ShmRegisterFuncs
$ strings /usr/lib/xorg/modules/drivers/nvidia_drv.so |grep ShmRegisterFuncs
ShmRegisterFuncs
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
More backports of recent commits from Xorg.
These are fixes for lints reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817
Fixes were merged in https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2072 and https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2075