xserver/hw/xwayland
Olivier Fourdan 42113ab289 xwayland/present: Fix use-after-free in xwl_unrealize_window()
When a window is unrealized, Xwayland would destroy the Wayland surface
prior to unrealizing the present window.

xwl_present_flip() will then do a wl_surface_commit() of that surface,
hence causing a use-after-free:

 Invalid read of size 8
    at 0x49F7FD4: wl_proxy_marshal_array_flags (wayland-client.c:852)
    by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
    by 0x42B877: wl_surface_commit (wayland-client-protocol.h:3914)
    by 0x42CAA7: xwl_present_flip (xwayland-present.c:717)
    by 0x42CD0E: xwl_present_execute (xwayland-present.c:783)
    by 0x42C26D: xwl_present_msc_bump (xwayland-present.c:416)
    by 0x42C2D1: xwl_present_timer_callback (xwayland-present.c:433)
    by 0x42BAC4: xwl_present_reset_timer (xwayland-present.c:149)
    by 0x42D1F8: xwl_present_unrealize_window (xwayland-present.c:945)
    by 0x4230E2: xwl_unrealize_window (xwayland-window.c:616)
    by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
    by 0x4F3F5C: UnrealizeTree (window.c:2805)
  Address 0x1390b8d8 is 24 bytes inside a block of size 80 free'd
    at 0x48470E4: free (vg_replace_malloc.c:872)
    by 0x49F8029: wl_proxy_destroy_caller_locks (wayland-client.c:523)
    by 0x49F8029: wl_proxy_marshal_array_flags (wayland-client.c:861)
    by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
    by 0x421984: wl_surface_destroy (wayland-client-protocol.h:3672)
    by 0x423052: xwl_unrealize_window (xwayland-window.c:599)
    by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
    by 0x4F3F5C: UnrealizeTree (window.c:2805)
    by 0x4F424B: UnmapWindow (window.c:2863)
    by 0x4EF58C: DeleteWindow (window.c:1075)
    by 0x4E24B3: doFreeResource (resource.c:885)
    by 0x4E2ED7: FreeClientResources (resource.c:1151)
    by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
  Block was alloc'd at
    at 0x4849464: calloc (vg_replace_malloc.c:1328)
    by 0x49F7F29: zalloc (wayland-private.h:233)
    by 0x49F7F29: proxy_create (wayland-client.c:422)
    by 0x49F7F29: create_outgoing_proxy (wayland-client.c:664)
    by 0x49F7F29: wl_proxy_marshal_array_flags (wayland-client.c:831)
    by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
    by 0x4218CA: wl_compositor_create_surface (wayland-client-protocol.h:1291)
    by 0x422A0D: ensure_surface_for_window (xwayland-window.c:445)
    by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
    by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
    by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
    by 0x4EDB3F: TraverseTree (window.c:441)
    by 0x4FC851: compSetPixmap (compwindow.c:151)
    by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
    by 0x4FC938: compCheckRedirect (compwindow.c:174)

To avoid that, call xwl_present_unrealize_window() before destroying the
Wayland surface.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
2022-03-15 08:59:19 +00:00
man Remove autotools support 2021-10-27 13:15:40 +03:00
.gitignore xwayland: Add wp_viewport wayland extension support 2019-10-12 12:19:14 +02:00
drm.xml wayland: Sync drm.xml with Mesa 2017-07-05 10:13:04 -04:00
meson.build Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-cursor.c xwayland: Fix cursor color 2022-02-11 10:33:10 +01:00
xwayland-cursor.h xwayland: Add xwl_cursor_clear_frame_cb() 2021-10-25 12:05:42 +00:00
xwayland-cvt.c xwayland: Use libxcvt 2021-08-06 11:29:29 +00:00
xwayland-cvt.h xwayland: Move Xwayland CVT declaration 2019-12-20 16:19:01 +01:00
xwayland-drm-lease.c Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-drm-lease.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-glamor-eglstream.c xwayland/glamor: Change errors to verbose messages 2021-12-01 15:13:11 +01:00
xwayland-glamor-gbm.c xwayland/glamor: Change errors to verbose messages 2021-12-01 15:13:11 +01:00
xwayland-glamor-xv.c xwayland: Cleanup and remove `xwayland.h` 2019-12-20 16:19:01 +01:00
xwayland-glamor.c xwayland/eglstream: Prefer EGLstream if available 2021-12-02 08:13:49 +00:00
xwayland-glamor.h xwayland/glamor: Add return status to post_damage 2021-05-11 14:08:58 +02:00
xwayland-glx.c xwayland/glx: Flip order of sRGB & non-sRGB fbconfigs 2022-01-14 18:16:01 +01:00
xwayland-glx.h xwayland: Move Xwayland GLX declaration 2019-12-20 16:19:01 +01:00
xwayland-input.c xwayland: Fix a race condition when setting up input devices 2021-12-04 15:55:21 +00:00
xwayland-input.h xwayland: Implement support for touchpad gestures 2021-12-04 15:55:21 +00:00
xwayland-output.c Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-output.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-pixmap.c xwayland: Rename xwl_pixmap_cb → xwl_buffer_release_cb 2020-07-07 13:47:11 +00:00
xwayland-pixmap.h xwayland: Rename xwl_pixmap_cb → xwl_buffer_release_cb 2020-07-07 13:47:11 +00:00
xwayland-present.c xwayland/present: Run fallback timer callback after more than a second 2021-12-24 19:06:47 +01:00
xwayland-present.h xwayland/present: Run fallback timer callback after more than a second 2021-12-24 19:06:47 +01:00
xwayland-screen.c Fix spelling of Xwayland 2021-12-17 16:22:07 +00:00
xwayland-screen.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-shm.c xwayland/shm: Avoid integer overflow on large pixmaps 2021-10-05 10:00:02 +00:00
xwayland-shm.h xwayland: Move SHM declarations to their own header 2019-12-20 16:19:01 +01:00
xwayland-types.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-vidmode.c xwayland: Initialise values in xwlVidModeGetGamma() 2020-07-03 10:56:43 +00:00
xwayland-vidmode.h xwayland: Move Xwayland vidmode declaration 2019-12-20 16:19:01 +01:00
xwayland-window-buffers.c xwayland: Hold window buffer until released 2020-12-10 13:49:42 +01:00
xwayland-window-buffers.h xwayland: Cleanup and remove `xwayland.h` 2019-12-20 16:19:01 +01:00
xwayland-window.c xwayland/present: Fix use-after-free in xwl_unrealize_window() 2022-03-15 08:59:19 +00:00
xwayland-window.h xwayland: port rooted xwayland from wl_shell to xdg-shell protocol 2020-02-28 16:23:58 +00:00
xwayland.c xwayland: Raise the FD limit to the max 2022-01-18 11:10:11 +01:00
xwayland.pc.in xwayland: add -noTouchPointerEmulation 2021-09-06 21:19:46 +00:00