diff --git a/commit-a9e2030.diff b/commit-a9e2030.diff
new file mode 100644
index 0000000..c779f19
--- /dev/null
+++ b/commit-a9e2030.diff
@@ -0,0 +1,49 @@
+commit a9e20306fbe3262602f21b876a52a1ef38cdf20a
+Author: Egbert Eich
+Date: Fri Nov 21 18:50:01 2008 +0100
+
+ int10: Do an mprotect(..,PROT_EXEC) on shmat()ed memory ranges.
+
+ When the linux kernel sets the NX bit vm86 segfaults when it tries to execute
+ code in memory that is not marked EXEC. Such code gets called whenever
+ we return from a VBIOS call to signal the calling program that the call
+ is actually finished and that we are not trapping for other reasons (like
+ IO accesses).
+ Use mprotect(2) to set these memory ranges PROT_EXEC.
+
+diff --git a/hw/xfree86/os-support/linux/int10/linux.c b/hw/xfree86/os-support/linux/int10/linux.c
+index 67eb161..b15f7fd 100644
+--- a/hw/xfree86/os-support/linux/int10/linux.c
++++ b/hw/xfree86/os-support/linux/int10/linux.c
+@@ -1,6 +1,6 @@
+ /*
+ * linux specific part of the int10 module
+- * Copyright 1999, 2000, 2001, 2002, 2003, 2004 Egbert Eich
++ * Copyright 1999, 2000, 2001, 2002, 2003, 2004, 2008 Egbert Eich
+ */
+ #ifdef HAVE_XORG_CONFIG_H
+ #include
+@@ -357,7 +357,10 @@ MapCurrentInt10(xf86Int10InfoPtr pInt)
+ "shmat(low_mem) error: %s\n",strerror(errno));
+ return FALSE;
+ }
+-
++ if (mprotect((void*)0, V_RAM, PROT_READ|PROT_WRITE|PROT_EXEC) != 0)
++ xf86DrvMsg(pInt->scrnIndex, X_ERROR,
++ "Cannot set EXEC bit on low memory: %s\n", strerror(errno));
++
+ if (((linuxInt10Priv*)pInt->private)->highMem >= 0) {
+ addr = shmat(((linuxInt10Priv*)pInt->private)->highMem,
+ (char*)HIGH_MEM, 0);
+@@ -368,6 +371,11 @@ MapCurrentInt10(xf86Int10InfoPtr pInt)
+ "shmget error: %s\n",strerror(errno));
+ return FALSE;
+ }
++ if (mprotect((void*)HIGH_MEM, HIGH_MEM_SIZE,
++ PROT_READ|PROT_WRITE|PROT_EXEC) != 0)
++ xf86DrvMsg(pInt->scrnIndex, X_ERROR,
++ "Cannot set EXEC bit on high memory: %s\n",
++ strerror(errno));
+ } else {
+ if ((fd = open(DEV_MEM, O_RDWR, 0)) >= 0) {
+ if (mmap((void *)(V_BIOS), SYS_BIOS - V_BIOS,
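Review bot: Both added `mprotect()` checks in MapCurrentInt10 (the low-memory one in the `-357` hunk and the high-memory one in the `-368` hunk) only log an X_ERROR and fall through, while the `shmat()` failures directly above each of them `return FALSE`. According to the commit message a range left without EXEC makes vm86 segfault on NX kernels, so continuing after a failed call defers the error to a crash inside the X server. Consider bracing the bodies and failing the mapping, e.g. `{ xf86DrvMsg(...); return FALSE; }`, after confirming whether the already attached segments must be detached first; that cleanup path is not visible because the function starts and ends outside these hunks. The new protection also leaves all of 0..V_RAM, including the page at address 0, and the HIGH_MEM range writable and executable at the same time in a privileged process, so a comment such as `/* vm86 has to execute code in this range; RWX is deliberate and confined to the int10 mapping */` would document why W^X is relaxed here, and limiting PROT_EXEC to the pages that actually hold that code would be worth checking if the layout allows it.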
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 95a7cb9..93a946c 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Nov 21 20:16:00 CET 2008 - sndirsch@suse.de
+
+- commit-a9e2030.diff
+ * int10: Do an mprotect(..,PROT_EXEC) on shmat()ed memory
+ ranges. When the linux kernel sets the NX bit vm86 segfaults
+ when it tries to execute code in memory that is not marked
+ EXEC. Such code gets called whenever we return from a VBIOS
+ call to signal the calling program that the call is actually
+ finished and that we are not trapping for other reasons
+ (like IO accesses). Use mprotect(2) to set these memory
+ ranges PROT_EXEC. (bnc #443440)
+
 -------------------------------------------------------------------
 Thu Nov 13 17:55:01 CET 2008 - sndirsch@suse.de
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 09f3a3d..d73cd81 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -29,7 +29,7 @@ BuildRequires: libjpeg-devel
 Url: http://xorg.freedesktop.org/
 %define EXPERIMENTAL 0
 Version: 7.4
-Release: 15
+Release: 16
 License: X11/MIT
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Group: System/X11/Servers/XF86_4
@@ -103,6 +103,7 @@ Patch122: unplugged_monitor_crashfix.diff
 Patch123: vidmode-sig11.diff
 Patch124: commit-59f9fb4b8.diff
 Patch125: 0001-Xinput-Catch-missing-configlayout-when-deleting-dev.patch
+Patch126: commit-a9e2030.diff
 %description
 This package contains the X.Org Server.
@@ -221,6 +222,7 @@ popd
 %patch123 -p0
 %patch124 -p1
 %patch125 -p1
+%patch126 -p1
 %build
 pushd xorg-docs-*
@@ -537,6 +539,16 @@ exit 0
 %endif
 %changelog
+* Fri Nov 21 2008 sndirsch@suse.de
+- commit-a9e2030.diff
+ * int10: Do an mprotect(..,PROT_EXEC) on shmat()ed memory
+ ranges. When the linux kernel sets the NX bit vm86 segfaults
+ when it tries to execute code in memory that is not marked
+ EXEC. Such code gets called whenever we return from a VBIOS
+ call to signal the calling program that the call is actually
+ finished and that we are not trapping for other reasons
+ (like IO accesses). Use mprotect(2) to set these memory
+ ranges PROT_EXEC. (bnc #443440)
 * Thu Nov 13 2008 sndirsch@suse.de
 - 0001-Xinput-Catch-missing-configlayout-when-deleting-dev.patch
 * In DeleteInputDeviceRequest (xf86Xinput.c), we access idev