diff options
Diffstat (limited to 'meta/recipes-graphics/wayland')
8 files changed, 664 insertions, 0 deletions
diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch new file mode 100644 index 0000000000..313c0c5eb2 --- /dev/null +++ b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch | |||
@@ -0,0 +1,360 @@ | |||
1 | From 2a8b8fde90d63d48ce09ddae44142674bbca1c28 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Wed, 30 Mar 2022 09:25:22 +1000 | ||
4 | Subject: [PATCH] evdev: strip the device name of format directives | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | This fixes a format string vulnerabilty. | ||
10 | |||
11 | evdev_log_message() composes a format string consisting of a fixed | ||
12 | prefix (including the rendered device name) and the passed-in format | ||
13 | buffer. This format string is then passed with the arguments to the | ||
14 | actual log handler, which usually and eventually ends up being printf. | ||
15 | |||
16 | If the device name contains a printf-style format directive, these ended | ||
17 | up in the format string and thus get interpreted correctly, e.g. for a | ||
18 | device "Foo%sBar" the log message vs printf invocation ends up being: | ||
19 | evdev_log_message(device, "some message %s", "some argument"); | ||
20 | printf("event9 - Foo%sBar: some message %s", "some argument"); | ||
21 | |||
22 | This can enable an attacker to execute malicious code with the | ||
23 | privileges of the process using libinput. | ||
24 | |||
25 | To exploit this, an attacker needs to be able to create a kernel device | ||
26 | with a malicious name, e.g. through /dev/uinput or a Bluetooth device. | ||
27 | |||
28 | To fix this, convert any potential format directives in the device name | ||
29 | by duplicating percentages. | ||
30 | |||
31 | Pre-rendering the device to avoid the issue altogether would be nicer | ||
32 | but the current log level hooks do not easily allow for this. The device | ||
33 | name is the only user-controlled part of the format string. | ||
34 | |||
35 | A second potential issue is the sysname of the device which is also | ||
36 | sanitized. | ||
37 | |||
38 | This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from | ||
39 | Assured AB, and independently by Lukas Lamster. | ||
40 | |||
41 | Fixes #752 | ||
42 | |||
43 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
44 | (cherry picked from commit a423d7d3269dc32a87384f79e29bb5ac021c83d1) | ||
45 | |||
46 | CVE: CVE-2022-1215 | ||
47 | Upstream Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28] | ||
48 | Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> | ||
49 | |||
50 | --- | ||
51 | meson.build | 1 + | ||
52 | src/evdev.c | 31 +++++++++++------ | ||
53 | src/evdev.h | 6 ++-- | ||
54 | src/util-strings.h | 30 ++++++++++++++++ | ||
55 | test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++ | ||
56 | test/litest.h | 1 + | ||
57 | test/test-utils.c | 26 ++++++++++++++ | ||
58 | 7 files changed, 139 insertions(+), 12 deletions(-) | ||
59 | create mode 100644 test/litest-device-format-string.c | ||
60 | |||
61 | diff --git a/meson.build b/meson.build | ||
62 | index 90f528e6..1f6159e7 100644 | ||
63 | --- a/meson.build | ||
64 | +++ b/meson.build | ||
65 | @@ -787,6 +787,7 @@ | ||
66 | 'test/litest-device-dell-canvas-totem-touch.c', | ||
67 | 'test/litest-device-elantech-touchpad.c', | ||
68 | 'test/litest-device-elan-tablet.c', | ||
69 | + 'test/litest-device-format-string.c', | ||
70 | 'test/litest-device-generic-singletouch.c', | ||
71 | 'test/litest-device-gpio-keys.c', | ||
72 | 'test/litest-device-huion-pentablet.c', | ||
73 | diff --git a/src/evdev.c b/src/evdev.c | ||
74 | index 6d81f58f..d1c35c07 100644 | ||
75 | --- a/src/evdev.c | ||
76 | +++ b/src/evdev.c | ||
77 | @@ -2356,19 +2356,19 @@ evdev_device_create(struct libinput_seat *seat, | ||
78 | struct libinput *libinput = seat->libinput; | ||
79 | struct evdev_device *device = NULL; | ||
80 | int rc; | ||
81 | - int fd; | ||
82 | + int fd = -1; | ||
83 | int unhandled_device = 0; | ||
84 | const char *devnode = udev_device_get_devnode(udev_device); | ||
85 | - const char *sysname = udev_device_get_sysname(udev_device); | ||
86 | + char *sysname = str_sanitize(udev_device_get_sysname(udev_device)); | ||
87 | |||
88 | if (!devnode) { | ||
89 | log_info(libinput, "%s: no device node associated\n", sysname); | ||
90 | - return NULL; | ||
91 | + goto err; | ||
92 | } | ||
93 | |||
94 | if (udev_device_should_be_ignored(udev_device)) { | ||
95 | log_debug(libinput, "%s: device is ignored\n", sysname); | ||
96 | - return NULL; | ||
97 | + goto err; | ||
98 | } | ||
99 | |||
100 | /* Use non-blocking mode so that we can loop on read on | ||
101 | @@ -2382,13 +2382,15 @@ evdev_device_create(struct libinput_seat *seat, | ||
102 | sysname, | ||
103 | devnode, | ||
104 | strerror(-fd)); | ||
105 | - return NULL; | ||
106 | + goto err; | ||
107 | } | ||
108 | |||
109 | if (!evdev_device_have_same_syspath(udev_device, fd)) | ||
110 | goto err; | ||
111 | |||
112 | device = zalloc(sizeof *device); | ||
113 | + device->sysname = sysname; | ||
114 | + sysname = NULL; | ||
115 | |||
116 | libinput_device_init(&device->base, seat); | ||
117 | libinput_seat_ref(seat); | ||
118 | @@ -2411,6 +2413,9 @@ evdev_device_create(struct libinput_seat *seat, | ||
119 | device->dispatch = NULL; | ||
120 | device->fd = fd; | ||
121 | device->devname = libevdev_get_name(device->evdev); | ||
122 | + /* the log_prefix_name is used as part of a printf format string and | ||
123 | + * must not contain % directives, see evdev_log_msg */ | ||
124 | + device->log_prefix_name = str_sanitize(device->devname); | ||
125 | device->scroll.threshold = 5.0; /* Default may be overridden */ | ||
126 | device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */ | ||
127 | device->scroll.direction = 0; | ||
128 | @@ -2238,9 +2238,14 @@ | ||
129 | return device; | ||
130 | |||
131 | err: | ||
132 | - close_restricted(libinput, fd); | ||
133 | - if (device) | ||
134 | - evdev_device_destroy(device); | ||
135 | + if (fd >= 0) { | ||
136 | + close_restricted(libinput, fd); | ||
137 | + if (device) { | ||
138 | + unhandled_device = device->seat_caps == 0; | ||
139 | + evdev_device_destroy(device); | ||
140 | + } | ||
141 | + } | ||
142 | + free(sysname); | ||
143 | |||
144 | return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL; | ||
145 | } | ||
146 | @@ -2469,7 +2478,7 @@ evdev_device_get_output(struct evdev_device *device) | ||
147 | const char * | ||
148 | evdev_device_get_sysname(struct evdev_device *device) | ||
149 | { | ||
150 | - return udev_device_get_sysname(device->udev_device); | ||
151 | + return device->sysname; | ||
152 | } | ||
153 | |||
154 | const char * | ||
155 | @@ -3066,6 +3075,8 @@ evdev_device_destroy(struct evdev_device *device) | ||
156 | if (device->base.group) | ||
157 | libinput_device_group_unref(device->base.group); | ||
158 | |||
159 | + free(device->log_prefix_name); | ||
160 | + free(device->sysname); | ||
161 | free(device->output_name); | ||
162 | filter_destroy(device->pointer.filter); | ||
163 | libinput_timer_destroy(&device->scroll.timer); | ||
164 | diff --git a/src/evdev.h b/src/evdev.h | ||
165 | index c7d130f8..980c5943 100644 | ||
166 | --- a/src/evdev.h | ||
167 | +++ b/src/evdev.h | ||
168 | @@ -169,6 +169,8 @@ struct evdev_device { | ||
169 | struct udev_device *udev_device; | ||
170 | char *output_name; | ||
171 | const char *devname; | ||
172 | + char *log_prefix_name; | ||
173 | + char *sysname; | ||
174 | bool was_removed; | ||
175 | int fd; | ||
176 | enum evdev_device_seat_capability seat_caps; | ||
177 | @@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device, | ||
178 | sizeof(buf), | ||
179 | "%-7s - %s%s%s", | ||
180 | evdev_device_get_sysname(device), | ||
181 | - (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "", | ||
182 | + (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "", | ||
183 | (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "", | ||
184 | format); | ||
185 | |||
186 | @@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device, | ||
187 | sizeof(buf), | ||
188 | "%-7s - %s%s%s", | ||
189 | evdev_device_get_sysname(device), | ||
190 | - (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "", | ||
191 | + (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "", | ||
192 | (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "", | ||
193 | format); | ||
194 | |||
195 | diff --git a/src/util-strings.h b/src/util-strings.h | ||
196 | index 2a15fab3..d5a84146 100644 | ||
197 | --- a/src/util-strings.h | ||
198 | +++ b/src/util-strings.h | ||
199 | @@ -42,6 +42,7 @@ | ||
200 | #ifdef HAVE_XLOCALE_H | ||
201 | #include <xlocale.h> | ||
202 | #endif | ||
203 | +#include "util-macros.h" | ||
204 | |||
205 | #define streq(s1, s2) (strcmp((s1), (s2)) == 0) | ||
206 | #define strneq(s1, s2, n) (strncmp((s1), (s2), (n)) == 0) | ||
207 | @@ -312,3 +313,31 @@ | ||
208 | free(result); | ||
209 | return -1; | ||
210 | } | ||
211 | + | ||
212 | +/** | ||
213 | + * Return a copy of str with all % converted to %% to make the string | ||
214 | + * acceptable as printf format. | ||
215 | + */ | ||
216 | +static inline char * | ||
217 | +str_sanitize(const char *str) | ||
218 | +{ | ||
219 | + if (!str) | ||
220 | + return NULL; | ||
221 | + | ||
222 | + if (!strchr(str, '%')) | ||
223 | + return strdup(str); | ||
224 | + | ||
225 | + size_t slen = min(strlen(str), 512); | ||
226 | + char *sanitized = zalloc(2 * slen + 1); | ||
227 | + const char *src = str; | ||
228 | + char *dst = sanitized; | ||
229 | + | ||
230 | + for (size_t i = 0; i < slen; i++) { | ||
231 | + if (*src == '%') | ||
232 | + *dst++ = '%'; | ||
233 | + *dst++ = *src++; | ||
234 | + } | ||
235 | + *dst = '\0'; | ||
236 | + | ||
237 | + return sanitized; | ||
238 | +} | ||
239 | diff --git a/test/litest-device-format-string.c b/test/litest-device-format-string.c | ||
240 | new file mode 100644 | ||
241 | index 00000000..aed15db4 | ||
242 | --- /dev/null | ||
243 | +++ b/test/litest-device-format-string.c | ||
244 | @@ -0,0 +1,56 @@ | ||
245 | + | ||
246 | +/* | ||
247 | + * Copyright © 2013 Red Hat, Inc. | ||
248 | + * | ||
249 | + * Permission is hereby granted, free of charge, to any person obtaining a | ||
250 | + * copy of this software and associated documentation files (the "Software"), | ||
251 | + * to deal in the Software without restriction, including without limitation | ||
252 | + * the rights to use, copy, modify, merge, publish, distribute, sublicense, | ||
253 | + * and/or sell copies of the Software, and to permit persons to whom the | ||
254 | + * Software is furnished to do so, subject to the following conditions: | ||
255 | + * | ||
256 | + * The above copyright notice and this permission notice (including the next | ||
257 | + * paragraph) shall be included in all copies or substantial portions of the | ||
258 | + * Software. | ||
259 | + * | ||
260 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
261 | + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
262 | + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL | ||
263 | + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
264 | + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING | ||
265 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER | ||
266 | + * DEALINGS IN THE SOFTWARE. | ||
267 | + */ | ||
268 | + | ||
269 | +#include "config.h" | ||
270 | + | ||
271 | +#include "litest.h" | ||
272 | +#include "litest-int.h" | ||
273 | + | ||
274 | +static struct input_id input_id = { | ||
275 | + .bustype = 0x3, | ||
276 | + .vendor = 0x0123, | ||
277 | + .product = 0x0456, | ||
278 | +}; | ||
279 | + | ||
280 | +static int events[] = { | ||
281 | + EV_KEY, BTN_LEFT, | ||
282 | + EV_KEY, BTN_RIGHT, | ||
283 | + EV_KEY, BTN_MIDDLE, | ||
284 | + EV_REL, REL_X, | ||
285 | + EV_REL, REL_Y, | ||
286 | + EV_REL, REL_WHEEL, | ||
287 | + EV_REL, REL_WHEEL_HI_RES, | ||
288 | + -1 , -1, | ||
289 | +}; | ||
290 | + | ||
291 | +TEST_DEVICE("mouse-format-string", | ||
292 | + .type = LITEST_MOUSE_FORMAT_STRING, | ||
293 | + .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL, | ||
294 | + .interface = NULL, | ||
295 | + | ||
296 | + .name = "Evil %s %d %x Mouse %p %", | ||
297 | + .id = &input_id, | ||
298 | + .absinfo = NULL, | ||
299 | + .events = events, | ||
300 | +) | ||
301 | diff --git a/test/litest.h b/test/litest.h | ||
302 | index 4982e516..1b1daa90 100644 | ||
303 | --- a/test/litest.h | ||
304 | +++ b/test/litest.h | ||
305 | @@ -303,6 +303,7 @@ | ||
306 | LITEST_ALPS_3FG, | ||
307 | LITEST_ELAN_TABLET, | ||
308 | LITEST_ABSINFO_OVERRIDE, | ||
309 | + LITEST_MOUSE_FORMAT_STRING, | ||
310 | }; | ||
311 | |||
312 | #define LITEST_DEVICELESS -2 | ||
313 | diff --git a/test/test-utils.c b/test/test-utils.c | ||
314 | index 989adecd..e80754be 100644 | ||
315 | --- a/test/test-utils.c | ||
316 | +++ b/test/test-utils.c | ||
317 | @@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test) | ||
318 | } | ||
319 | END_TEST | ||
320 | |||
321 | +START_TEST(strsanitize_test) | ||
322 | +{ | ||
323 | + struct strsanitize_test { | ||
324 | + const char *string; | ||
325 | + const char *expected; | ||
326 | + } tests[] = { | ||
327 | + { "foobar", "foobar" }, | ||
328 | + { "", "" }, | ||
329 | + { "%", "%%" }, | ||
330 | + { "%%%%", "%%%%%%%%" }, | ||
331 | + { "x %s", "x %%s" }, | ||
332 | + { "x %", "x %%" }, | ||
333 | + { "%sx", "%%sx" }, | ||
334 | + { "%s%s", "%%s%%s" }, | ||
335 | + { NULL, NULL }, | ||
336 | + }; | ||
337 | + | ||
338 | + for (struct strsanitize_test *t = tests; t->string; t++) { | ||
339 | + char *sanitized = str_sanitize(t->string); | ||
340 | + ck_assert_str_eq(sanitized, t->expected); | ||
341 | + free(sanitized); | ||
342 | + } | ||
343 | +} | ||
344 | +END_TEST | ||
345 | + | ||
346 | START_TEST(list_test_insert) | ||
347 | { | ||
348 | struct list_test { | ||
349 | @@ -1138,6 +1138,7 @@ | ||
350 | tcase_add_test(tc, strsplit_test); | ||
351 | tcase_add_test(tc, kvsplit_double_test); | ||
352 | tcase_add_test(tc, strjoin_test); | ||
353 | + tcase_add_test(tc, strsanitize_test); | ||
354 | tcase_add_test(tc, time_conversion); | ||
355 | |||
356 | tcase_add_test(tc, list_test_insert); | ||
357 | |||
358 | -- | ||
359 | GitLab | ||
360 | |||
diff --git a/meta/recipes-graphics/wayland/libinput_1.15.2.bb b/meta/recipes-graphics/wayland/libinput_1.15.2.bb index 810532774e..d7927d132a 100644 --- a/meta/recipes-graphics/wayland/libinput_1.15.2.bb +++ b/meta/recipes-graphics/wayland/libinput_1.15.2.bb | |||
@@ -14,6 +14,7 @@ DEPENDS = "libevdev udev mtdev" | |||
14 | 14 | ||
15 | SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \ | 15 | SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \ |
16 | file://determinism.patch \ | 16 | file://determinism.patch \ |
17 | file://CVE-2022-1215.patch \ | ||
17 | " | 18 | " |
18 | SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643" | 19 | SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643" |
19 | SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747" | 20 | SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747" |
diff --git a/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch new file mode 100644 index 0000000000..df204508e9 --- /dev/null +++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch | |||
@@ -0,0 +1,111 @@ | |||
1 | From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001 | ||
2 | From: Derek Foreman <derek.foreman@collabora.com> | ||
3 | Date: Fri, 28 Jan 2022 13:18:37 -0600 | ||
4 | Subject: [PATCH] util: Limit size of wl_map | ||
5 | |||
6 | Since server IDs are basically indistinguishable from really big client | ||
7 | IDs at many points in the source, it's theoretically possible to overflow | ||
8 | a map and either overflow server IDs into the client ID space, or grow | ||
9 | client IDs into the server ID space. This would currently take a massive | ||
10 | amount of RAM, but the definition of massive changes yearly. | ||
11 | |||
12 | Prevent this by placing a ridiculous but arbitrary upper bound on the | ||
13 | number of items we can put in a map: 0xF00000, somewhere over 15 million. | ||
14 | This should satisfy pathological clients without restriction, but stays | ||
15 | well clear of the 0xFF000000 transition point between server and client | ||
16 | IDs. It will still take an improbable amount of RAM to hit this, and a | ||
17 | client could still exhaust all RAM in this way, but our goal is to prevent | ||
18 | overflow and undefined behaviour. | ||
19 | |||
20 | Fixes #224 | ||
21 | |||
22 | Signed-off-by: Derek Foreman <derek.foreman@collabora.com> | ||
23 | |||
24 | Upstream-Status: Backport | ||
25 | CVE: CVE-2021-3782 | ||
26 | |||
27 | Reference to upstream patch: | ||
28 | https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2 | ||
29 | |||
30 | [DP: adjust context for wayland version 1.20.0] | ||
31 | Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com> | ||
32 | --- | ||
33 | src/wayland-private.h | 1 + | ||
34 | src/wayland-util.c | 25 +++++++++++++++++++++++-- | ||
35 | 2 files changed, 24 insertions(+), 2 deletions(-) | ||
36 | |||
37 | diff --git a/src/wayland-private.h b/src/wayland-private.h | ||
38 | index 9bf8cb7..35dc40e 100644 | ||
39 | --- a/src/wayland-private.h | ||
40 | +++ b/src/wayland-private.h | ||
41 | @@ -45,6 +45,7 @@ | ||
42 | #define WL_MAP_SERVER_SIDE 0 | ||
43 | #define WL_MAP_CLIENT_SIDE 1 | ||
44 | #define WL_SERVER_ID_START 0xff000000 | ||
45 | +#define WL_MAP_MAX_OBJECTS 0x00f00000 | ||
46 | #define WL_CLOSURE_MAX_ARGS 20 | ||
47 | |||
48 | struct wl_object { | ||
49 | diff --git a/src/wayland-util.c b/src/wayland-util.c | ||
50 | index d5973bf..3e45d19 100644 | ||
51 | --- a/src/wayland-util.c | ||
52 | +++ b/src/wayland-util.c | ||
53 | @@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) | ||
54 | union map_entry *start, *entry; | ||
55 | struct wl_array *entries; | ||
56 | uint32_t base; | ||
57 | + uint32_t count; | ||
58 | |||
59 | if (map->side == WL_MAP_CLIENT_SIDE) { | ||
60 | entries = &map->client_entries; | ||
61 | @@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) | ||
62 | start = entries->data; | ||
63 | } | ||
64 | |||
65 | + /* wl_array only grows, so if we have too many objects at | ||
66 | + * this point there's no way to clean up. We could be more | ||
67 | + * pro-active about trying to avoid this allocation, but | ||
68 | + * it doesn't really matter because at this point there is | ||
69 | + * nothing to be done but disconnect the client and delete | ||
70 | + * the whole array either way. | ||
71 | + */ | ||
72 | + count = entry - start; | ||
73 | + if (count > WL_MAP_MAX_OBJECTS) { | ||
74 | + /* entry->data is freshly malloced garbage, so we'd | ||
75 | + * better make it a NULL so wl_map_for_each doesn't | ||
76 | + * dereference it later. */ | ||
77 | + entry->data = NULL; | ||
78 | + return 0; | ||
79 | + } | ||
80 | entry->data = data; | ||
81 | entry->next |= (flags & 0x1) << 1; | ||
82 | |||
83 | - return (entry - start) + base; | ||
84 | + return count + base; | ||
85 | } | ||
86 | |||
87 | int | ||
88 | @@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data) | ||
89 | i -= WL_SERVER_ID_START; | ||
90 | } | ||
91 | |||
92 | + if (i > WL_MAP_MAX_OBJECTS) | ||
93 | + return -1; | ||
94 | + | ||
95 | count = entries->size / sizeof *start; | ||
96 | if (count < i) | ||
97 | return -1; | ||
98 | @@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i) | ||
99 | i -= WL_SERVER_ID_START; | ||
100 | } | ||
101 | |||
102 | - count = entries->size / sizeof *start; | ||
103 | + if (i > WL_MAP_MAX_OBJECTS) | ||
104 | + return -1; | ||
105 | |||
106 | + count = entries->size / sizeof *start; | ||
107 | if (count < i) | ||
108 | return -1; | ||
109 | |||
110 | -- | ||
111 | 2.37.3 | ||
diff --git a/meta/recipes-graphics/wayland/wayland_1.18.0.bb b/meta/recipes-graphics/wayland/wayland_1.18.0.bb index 00be3aac27..e621abddbf 100644 --- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb +++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb | |||
@@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ | |||
18 | file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \ | 18 | file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \ |
19 | file://0001-build-Fix-strndup-detection-on-MinGW.patch \ | 19 | file://0001-build-Fix-strndup-detection-on-MinGW.patch \ |
20 | file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \ | 20 | file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \ |
21 | file://CVE-2021-3782.patch \ | ||
21 | " | 22 | " |
22 | SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65" | 23 | SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65" |
23 | SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d" | 24 | SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d" |
diff --git a/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch new file mode 100644 index 0000000000..fb36d3817a --- /dev/null +++ b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | From 5c74a0640e873694bf60a88eceb21f664cb4b8f7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Marius Vlad <marius.vlad@collabora.com> | ||
3 | Date: Fri, 5 Mar 2021 20:03:49 +0200 | ||
4 | Subject: [PATCH 2/5] desktop-shell: Remove no-op de-activation of the xdg | ||
5 | top-level surface | ||
6 | |||
7 | The shsurf is calloc'ed so the surface count is always 0. Not only | ||
8 | that but the surface is not set as active by default, so there's no | ||
9 | need to de-activate it. | ||
10 | |||
11 | Upstream-Status: Backport [05bef4c18a3e82376a46a4a28d978389c4c0fd0f] | ||
12 | Signed-off-by: Marius Vlad <marius.vlad@collabora.com> | ||
13 | --- | ||
14 | desktop-shell/shell.c | 2 -- | ||
15 | 1 file changed, 2 deletions(-) | ||
16 | |||
17 | diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c | ||
18 | index 442a625f..3791be25 100644 | ||
19 | --- a/desktop-shell/shell.c | ||
20 | +++ b/desktop-shell/shell.c | ||
21 | @@ -2427,8 +2427,6 @@ desktop_surface_added(struct weston_desktop_surface *desktop_surface, | ||
22 | wl_list_init(&shsurf->children_link); | ||
23 | |||
24 | weston_desktop_surface_set_user_data(desktop_surface, shsurf); | ||
25 | - weston_desktop_surface_set_activated(desktop_surface, | ||
26 | - shsurf->focus_count > 0); | ||
27 | } | ||
28 | |||
29 | static void | ||
30 | -- | ||
31 | 2.34.1 | ||
32 | |||
diff --git a/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch new file mode 100644 index 0000000000..dcd0700fca --- /dev/null +++ b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From edb31c456ae3da7ffffefb668a37ab88075c4b67 Mon Sep 17 00:00:00 2001 | ||
2 | From: Marius Vlad <marius.vlad@collabora.com> | ||
3 | Date: Fri, 5 Mar 2021 21:40:22 +0200 | ||
4 | Subject: [PATCH 3/5] desktop-shell: Rename gain/lose keyboard focus to | ||
5 | activate/de-activate | ||
6 | |||
7 | This way it better reflects that it handles activation rather that input | ||
8 | focus. | ||
9 | |||
10 | Upstream-Status: Backport [ab39e1d76d4f6715cb300bc37f5c2a0e2d426208] | ||
11 | Signed-off-by: Marius Vlad <marius.vlad@collabora.com> | ||
12 | --- | ||
13 | desktop-shell/shell.c | 8 ++++---- | ||
14 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
15 | |||
16 | diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c | ||
17 | index 3791be25..c4669f11 100644 | ||
18 | --- a/desktop-shell/shell.c | ||
19 | +++ b/desktop-shell/shell.c | ||
20 | @@ -1869,14 +1869,14 @@ handle_pointer_focus(struct wl_listener *listener, void *data) | ||
21 | } | ||
22 | |||
23 | static void | ||
24 | -shell_surface_lose_keyboard_focus(struct shell_surface *shsurf) | ||
25 | +shell_surface_deactivate(struct shell_surface *shsurf) | ||
26 | { | ||
27 | if (--shsurf->focus_count == 0) | ||
28 | weston_desktop_surface_set_activated(shsurf->desktop_surface, false); | ||
29 | } | ||
30 | |||
31 | static void | ||
32 | -shell_surface_gain_keyboard_focus(struct shell_surface *shsurf) | ||
33 | +shell_surface_activate(struct shell_surface *shsurf) | ||
34 | { | ||
35 | if (shsurf->focus_count++ == 0) | ||
36 | weston_desktop_surface_set_activated(shsurf->desktop_surface, true); | ||
37 | @@ -1891,7 +1891,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data) | ||
38 | if (seat->focused_surface) { | ||
39 | struct shell_surface *shsurf = get_shell_surface(seat->focused_surface); | ||
40 | if (shsurf) | ||
41 | - shell_surface_lose_keyboard_focus(shsurf); | ||
42 | + shell_surface_deactivate(shsurf); | ||
43 | } | ||
44 | |||
45 | seat->focused_surface = weston_surface_get_main_surface(keyboard->focus); | ||
46 | @@ -1899,7 +1899,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data) | ||
47 | if (seat->focused_surface) { | ||
48 | struct shell_surface *shsurf = get_shell_surface(seat->focused_surface); | ||
49 | if (shsurf) | ||
50 | - shell_surface_gain_keyboard_focus(shsurf); | ||
51 | + shell_surface_activate(shsurf); | ||
52 | } | ||
53 | } | ||
54 | |||
55 | -- | ||
56 | 2.34.1 | ||
57 | |||
diff --git a/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch new file mode 100644 index 0000000000..7ca72f8494 --- /dev/null +++ b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From 899ad5a6a8a92f2c10e0694a45c982b7d878aed6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Marius Vlad <marius.vlad@collabora.com> | ||
3 | Date: Fri, 5 Mar 2021 21:44:26 +0200 | ||
4 | Subject: [PATCH 4/5] desktop-shell: Embed keyboard focus handle code when | ||
5 | activating | ||
6 | |||
7 | We shouldn't be constrained by having a keyboard plugged-in, so avoid | ||
8 | activating/de-activating the window/surface in the keyboard focus | ||
9 | handler and embed it straight into the window activation part. | ||
10 | |||
11 | Upstream-Status: Backport [f12697bb3e4c6eb85437ed905e7de44ae2a0ba69] | ||
12 | Signed-off-by: Marius Vlad <marius.vlad@collabora.com> | ||
13 | --- | ||
14 | desktop-shell/shell.c | 41 +++++++++++++++++++++++++---------------- | ||
15 | 1 file changed, 25 insertions(+), 16 deletions(-) | ||
16 | |||
17 | diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c | ||
18 | index c4669f11..c6a4fe91 100644 | ||
19 | --- a/desktop-shell/shell.c | ||
20 | +++ b/desktop-shell/shell.c | ||
21 | @@ -1885,22 +1885,7 @@ shell_surface_activate(struct shell_surface *shsurf) | ||
22 | static void | ||
23 | handle_keyboard_focus(struct wl_listener *listener, void *data) | ||
24 | { | ||
25 | - struct weston_keyboard *keyboard = data; | ||
26 | - struct shell_seat *seat = get_shell_seat(keyboard->seat); | ||
27 | - | ||
28 | - if (seat->focused_surface) { | ||
29 | - struct shell_surface *shsurf = get_shell_surface(seat->focused_surface); | ||
30 | - if (shsurf) | ||
31 | - shell_surface_deactivate(shsurf); | ||
32 | - } | ||
33 | - | ||
34 | - seat->focused_surface = weston_surface_get_main_surface(keyboard->focus); | ||
35 | - | ||
36 | - if (seat->focused_surface) { | ||
37 | - struct shell_surface *shsurf = get_shell_surface(seat->focused_surface); | ||
38 | - if (shsurf) | ||
39 | - shell_surface_activate(shsurf); | ||
40 | - } | ||
41 | + /* FIXME: To be removed later. */ | ||
42 | } | ||
43 | |||
44 | /* The surface will be inserted into the list immediately after the link | ||
45 | @@ -2438,6 +2423,7 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface, | ||
46 | struct shell_surface *shsurf_child, *tmp; | ||
47 | struct weston_surface *surface = | ||
48 | weston_desktop_surface_get_surface(desktop_surface); | ||
49 | + struct weston_seat *seat; | ||
50 | |||
51 | if (!shsurf) | ||
52 | return; | ||
53 | @@ -2448,6 +2434,18 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface, | ||
54 | } | ||
55 | wl_list_remove(&shsurf->children_link); | ||
56 | |||
57 | + wl_list_for_each(seat, &shsurf->shell->compositor->seat_list, link) { | ||
58 | + struct shell_seat *shseat = get_shell_seat(seat); | ||
59 | + /* activate() controls the focused surface activation and | ||
60 | + * removal of a surface requires invalidating the | ||
61 | + * focused_surface to avoid activate() use a stale (and just | ||
62 | + * removed) surface when attempting to de-activate it. It will | ||
63 | + * also update the focused_surface once it has a chance to run. | ||
64 | + */ | ||
65 | + if (surface == shseat->focused_surface) | ||
66 | + shseat->focused_surface = NULL; | ||
67 | + } | ||
68 | + | ||
69 | wl_signal_emit(&shsurf->destroy_signal, shsurf); | ||
70 | |||
71 | if (shsurf->fullscreen.black_view) | ||
72 | @@ -3836,6 +3834,7 @@ activate(struct desktop_shell *shell, struct weston_view *view, | ||
73 | struct workspace *ws; | ||
74 | struct weston_surface *old_es; | ||
75 | struct shell_surface *shsurf, *shsurf_child; | ||
76 | + struct shell_seat *shseat = get_shell_seat(seat); | ||
77 | |||
78 | main_surface = weston_surface_get_main_surface(es); | ||
79 | shsurf = get_shell_surface(main_surface); | ||
80 | @@ -3855,6 +3854,16 @@ activate(struct desktop_shell *shell, struct weston_view *view, | ||
81 | |||
82 | weston_view_activate(view, seat, flags); | ||
83 | |||
84 | + if (shseat->focused_surface) { | ||
85 | + struct shell_surface *current_focus = | ||
86 | + get_shell_surface(shseat->focused_surface); | ||
87 | + assert(current_focus); | ||
88 | + shell_surface_deactivate(current_focus); | ||
89 | + } | ||
90 | + | ||
91 | + shseat->focused_surface = main_surface; | ||
92 | + shell_surface_activate(shsurf); | ||
93 | + | ||
94 | state = ensure_focus_state(shell, seat); | ||
95 | if (state == NULL) | ||
96 | return; | ||
97 | -- | ||
98 | 2.34.1 | ||
99 | |||
diff --git a/meta/recipes-graphics/wayland/weston_8.0.0.bb b/meta/recipes-graphics/wayland/weston_8.0.0.bb index 0b383f25f3..5e4e2032c9 100644 --- a/meta/recipes-graphics/wayland/weston_8.0.0.bb +++ b/meta/recipes-graphics/wayland/weston_8.0.0.bb | |||
@@ -10,6 +10,9 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ | |||
10 | file://weston.desktop \ | 10 | file://weston.desktop \ |
11 | file://xwayland.weston-start \ | 11 | file://xwayland.weston-start \ |
12 | file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \ | 12 | file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \ |
13 | file://0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch \ | ||
14 | file://0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch \ | ||
15 | file://0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch \ | ||
13 | " | 16 | " |
14 | SRC_URI[md5sum] = "53e4810d852df0601d01fd986a5b22b3" | 17 | SRC_URI[md5sum] = "53e4810d852df0601d01fd986a5b22b3" |
15 | SRC_URI[sha256sum] = "7518b49b2eaa1c3091f24671bdcc124fd49fc8f1af51161927afa4329c027848" | 18 | SRC_URI[sha256sum] = "7518b49b2eaa1c3091f24671bdcc124fd49fc8f1af51161927afa4329c027848" |