xserver/hw
Olivier Fourdan 42113ab289 xwayland/present: Fix use-after-free in xwl_unrealize_window()
When a window is unrealized, Xwayland would destroy the Wayland surface
prior to unrealizing the present window.

xwl_present_flip() will then do a wl_surface_commit() of that surface,
hence causing a use-after-free:

 Invalid read of size 8
    at 0x49F7FD4: wl_proxy_marshal_array_flags (wayland-client.c:852)
    by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
    by 0x42B877: wl_surface_commit (wayland-client-protocol.h:3914)
    by 0x42CAA7: xwl_present_flip (xwayland-present.c:717)
    by 0x42CD0E: xwl_present_execute (xwayland-present.c:783)
    by 0x42C26D: xwl_present_msc_bump (xwayland-present.c:416)
    by 0x42C2D1: xwl_present_timer_callback (xwayland-present.c:433)
    by 0x42BAC4: xwl_present_reset_timer (xwayland-present.c:149)
    by 0x42D1F8: xwl_present_unrealize_window (xwayland-present.c:945)
    by 0x4230E2: xwl_unrealize_window (xwayland-window.c:616)
    by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
    by 0x4F3F5C: UnrealizeTree (window.c:2805)
  Address 0x1390b8d8 is 24 bytes inside a block of size 80 free'd
    at 0x48470E4: free (vg_replace_malloc.c:872)
    by 0x49F8029: wl_proxy_destroy_caller_locks (wayland-client.c:523)
    by 0x49F8029: wl_proxy_marshal_array_flags (wayland-client.c:861)
    by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
    by 0x421984: wl_surface_destroy (wayland-client-protocol.h:3672)
    by 0x423052: xwl_unrealize_window (xwayland-window.c:599)
    by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
    by 0x4F3F5C: UnrealizeTree (window.c:2805)
    by 0x4F424B: UnmapWindow (window.c:2863)
    by 0x4EF58C: DeleteWindow (window.c:1075)
    by 0x4E24B3: doFreeResource (resource.c:885)
    by 0x4E2ED7: FreeClientResources (resource.c:1151)
    by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
  Block was alloc'd at
    at 0x4849464: calloc (vg_replace_malloc.c:1328)
    by 0x49F7F29: zalloc (wayland-private.h:233)
    by 0x49F7F29: proxy_create (wayland-client.c:422)
    by 0x49F7F29: create_outgoing_proxy (wayland-client.c:664)
    by 0x49F7F29: wl_proxy_marshal_array_flags (wayland-client.c:831)
    by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
    by 0x4218CA: wl_compositor_create_surface (wayland-client-protocol.h:1291)
    by 0x422A0D: ensure_surface_for_window (xwayland-window.c:445)
    by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
    by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
    by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
    by 0x4EDB3F: TraverseTree (window.c:441)
    by 0x4FC851: compSetPixmap (compwindow.c:151)
    by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
    by 0x4FC938: compCheckRedirect (compwindow.c:174)

To avoid that, call xwl_present_unrealize_window() before destroying the
Wayland surface.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
2022-03-15 08:59:19 +00:00
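The teardown ordering described in the commit message above, as an added example that is not code from the commit or from Xwayland. It is a constructed model: every type and function name is a hypothetical stand-in, and the surface is marked dead instead of freed so that stale accesses can be counted without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not Xwayland code: all names are hypothetical stand-ins. */
struct surface { bool destroyed; int commits; };
struct window {
    struct surface *surface;  /* stands in for the wl_surface proxy */
    bool flip_pending;        /* a queued present flip not yet executed */
    int stale_commits;        /* commits that reached a destroyed surface */
};

/* Stand-in for wl_surface_destroy(): flag the object instead of freeing it,
 * so the model can observe later accesses safely. */
static void surface_destroy(struct surface *s) { s->destroyed = true; }

/* Stand-in for the wl_surface_commit() issued by the flip path. */
static void surface_commit(struct window *w) {
    if (w->surface->destroyed) w->stale_commits++;  /* would be the invalid read */
    else w->surface->commits++;
}

/* Stand-in for present unrealize. In the trace this goes through the timer
 * reset and callback before the flip; the model collapses that chain. */
static void present_unrealize(struct window *w) {
    if (w->flip_pending) { w->flip_pending = false; surface_commit(w); }
}

/* Order reported as faulty: surface destroyed, then present torn down. */
int unrealize_destroy_first(void) {
    struct surface s = { false, 0 };
    struct window w = { &s, true, 0 };
    surface_destroy(w.surface);
    present_unrealize(&w);
    return w.stale_commits;
}

/* Order after the fix: present torn down while the surface is still alive. */
int unrealize_present_first(void) {
    struct surface s = { false, 0 };
    struct window w = { &s, true, 0 };
    present_unrealize(&w);
    surface_destroy(w.surface);
    return w.stale_commits;
}

int main(void) {
    printf("destroy first: %d stale commit(s)\n", unrealize_destroy_first());
    printf("present first: %d stale commit(s)\n", unrealize_present_first());
    return 0;
}
```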
kdrive xephyr: Don't check for SeatId anymore 2022-02-03 22:34:03 +00:00
vfb Remove autotools support 2021-10-27 13:15:40 +03:00
xfree86 xfree86: Fix event data alignment in inputtest driver 2022-02-16 15:25:28 +02:00
xnest Remove autotools support 2021-10-27 13:15:40 +03:00
xquartz Remove autotools support 2021-10-27 13:15:40 +03:00
xwayland xwayland/present: Fix use-after-free in xwl_unrealize_window() 2022-03-15 08:59:19 +00:00
xwin meson: Fix build of xwinclip tool when xcb is installed in non-default location 2021-11-04 13:03:25 +00:00
meson.build Drop DMX DDX 2021-09-07 09:34:31 +00:00