xserver/hw/xquartz
Jeremy Huddleston Sequoia aa6f84021a xquartz: Allocate each fbconfig separately
A change during the 1.20 development cycle resulted in fbconfigs being walked
and deallocated individually during __glXScreenDestroy.  This change
now avoids a use-after-free caused by that change.

==50859==ERROR: AddressSanitizer: heap-use-after-free on address 0x00010d3819c8 at pc 0x0001009d4230 bp 0x00016feca7a0 sp 0x00016feca798
READ of size 8 at 0x00010d3819c8 thread T5
    #0 0x1009d422c in __glXScreenDestroy glxscreens.c:448
    #1 0x10091cc98 in __glXAquaScreenDestroy indirect.c:510
    #2 0x1009d2734 in glxCloseScreen glxscreens.c:169
    #3 0x100740a24 in dix_main main.c:325
    #4 0x10023ed50 in server_thread quartzStartup.c:65
    #5 0x199ae7fd0 in _pthread_start+0x13c (libsystem_pthread.dylib:arm64e+0x6fd0)
    #6 0x199ae2d38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d38)

0x00010d3819c8 is located 200 bytes inside of 12800-byte region [0x00010d381900,0x00010d384b00)
freed by thread T5 here:
    #0 0x101477ba8 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fba8)
    #1 0x1009d4240 in __glXScreenDestroy glxscreens.c:449
    #2 0x10091cc98 in __glXAquaScreenDestroy indirect.c:510
    #3 0x1009d2734 in glxCloseScreen glxscreens.c:169
    #4 0x100740a24 in dix_main main.c:325
    #5 0x10023ed50 in server_thread quartzStartup.c:65
    #6 0x199ae7fd0 in _pthread_start+0x13c (libsystem_pthread.dylib:arm64e+0x6fd0)
    #7 0x199ae2d38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d38)

previously allocated by thread T5 here:
    #0 0x101477e38 in wrap_calloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fe38)
    #1 0x100925a40 in __glXAquaCreateVisualConfigs visualConfigs.c:116
    #2 0x10091cb24 in __glXAquaScreenProbe+0x224 (X11.bin:arm64+0x100730b24)
    #3 0x1009cd840 in xorgGlxServerInit glxext.c:528
    #4 0x10074539c in _CallCallbacks dixutils.c:743
    #5 0x100932a70 in CallCallbacks callback.h:83
    #6 0x100932478 in GlxExtensionInit vndext.c:244
    #7 0x10020a364 in InitExtensions miinitext.c:267
    #8 0x10073fe7c in dix_main main.c:197
    #9 0x10023ed50 in server_thread quartzStartup.c:65
    #10 0x199ae7fd0 in _pthread_start+0x13c (libsystem_pthread.dylib:arm64e+0x6fd0)
    #11 0x199ae2d38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1d38)

Regressed-in: 4b0a3cbab1
CC: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 487286d472)
2021-02-20 17:30:45 -08:00
GL xquartz: Allocate each fbconfig separately 2021-02-20 17:30:45 -08:00
bundle xquartz: Fix applications menu table background color for dark mode 2021-02-17 16:27:03 -08:00
mach-startup xquartz: Apply spell check fixes from master for easier cherry-picking of changes in xquartz 2021-02-18 22:26:08 -08:00
man Fix typo "XQaurtz" in Xquartz.man 2021-02-01 23:07:11 -08:00
pbproxy xquartz: Minor code modernization -- @autoreleasepool adoption 2021-02-18 22:35:03 -08:00
xpr xquartz: Fix a compiler warning about const incompatible pointer assignment 2021-02-20 15:21:37 -08:00
Makefile.am xquartz: Fold quartzCommon.h into quartz.h 2021-02-18 22:35:03 -08:00
X11Application.h xquartz: Convert X11Application ivars into @properties 2021-02-18 22:35:03 -08:00
X11Application.m xquartz: Silence a compiler warning about missing internal methods on NSApplication 2021-02-18 22:35:03 -08:00
X11Controller.h xquartz: Convert X11Controller ivars into @properties 2021-02-18 22:35:03 -08:00
X11Controller.m xquartz: Fix build with sparkle enabled 2021-02-19 16:33:04 -08:00
applewm.c xquartz: Fold quartzCommon.h into quartz.h 2021-02-18 22:35:03 -08:00
applewmExt.h xquartz: Remove support for older versions of libXplugin 2021-02-01 23:10:35 -08:00
darwin.c xquartz: Apply spell check fixes from master for easier cherry-picking of changes in xquartz 2021-02-18 22:26:08 -08:00
darwin.h XQuartz: Source formatting cleanup 2012-03-24 01:07:06 -07:00
darwinEvents.c XQuartz: Silence an expected TSan warning 2016-09-22 14:55:03 -07:00
darwinEvents.h XQuartz: darwinPointer now sends both absolute and relative motion 2012-04-23 20:20:42 -07:00
darwinXinput.c ddx: add new call to purge input devices that weren't added 2016-10-26 15:35:07 +10:00
darwinfb.h XQuartz: Fix darwinfb.h header guard 2014-01-12 23:12:48 -08:00
keysym2ucs.c Use ARRAY_SIZE all over the tree 2017-10-30 13:45:20 -04:00
keysym2ucs.h Use ARRAY_SIZE all over the tree 2017-10-30 13:45:20 -04:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
quartz.c xquartz: Fold quartzCommon.h into quartz.h 2021-02-18 22:35:03 -08:00
quartz.h xquartz: Fold quartzCommon.h into quartz.h 2021-02-18 22:35:03 -08:00
quartzKeyboard.c xquartz: Ensure we call into TIS on the main thread 2021-02-17 09:56:15 -08:00
quartzKeyboard.h XQuartz: Source formatting cleanup 2012-03-24 01:07:06 -07:00
quartzRandR.c xquartz: Fold quartzCommon.h into quartz.h 2021-02-18 22:35:03 -08:00
quartzRandR.h XQuartz: Source formatting cleanup 2012-03-24 01:07:06 -07:00
quartzStartup.c xquartz: Fold quartzCommon.h into quartz.h 2021-02-18 22:35:03 -08:00
sanitizedCarbon.h XQuartz: Source formatting cleanup 2012-03-24 01:07:06 -07:00
sanitizedCocoa.h XQuartz: Source formatting cleanup 2012-03-24 01:07:06 -07:00