hyprwm
/
wlroots-hyprland
mirror of https://github.com/hyprwm/wlroots-hyprland.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

xwm: fix use-after-free involving parents/children 

Happens when e.g. closing gimp.

==24039==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001a7a78 at pc 0x7f09b09f1bb2 bp 0x7ffcf0237bf0 sp 0x7ffcf0237be0
WRITE of size 8 at 0x6150001a7a78 thread T0
    #0 0x7f09b09f1bb1 in wl_list_remove ../util/signal.c:55
    #1 0x7f09b094cf03 in xwayland_surface_destroy ../xwayland/xwm.c:295
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6150001a7a78 is located 120 bytes inside of 496-byte region [0x6150001a7a00,0x6150001a7bf0)
freed by thread T0 here:
    #0 0x7f09b2b58880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7f09b094d1a1 in xwayland_surface_destroy ../xwayland/xwm.c:315
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

previously allocated by thread T0 here:
    #0 0x7f09b2b58e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7f09b094b585 in xwayland_surface_create ../xwayland/xwm.c:119
    #2 0x7f09b0950151 in xwm_handle_create_notify ../xwayland/xwm.c:706
    #3 0x7f09b0953032 in x11_event_handler ../xwayland/xwm.c:1146
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)
This commit is contained in:
Dominique Martinet 2018-06-25 10:30:51 +09:00
parent 954969698a
commit 4a1c9a1925
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
xwayland/xwm.c
View File

@ -294,6 +294,12 @@ static void xwayland_surface_destroy(
wl_list_remove(&xsurface->link);
wl_list_remove(&xsurface->parent_link);
struct wlr_xwayland_surface *child, *next;
wl_list_for_each_safe(child, next, &xsurface->children, parent_link) {
wl_list_remove(&child->parent_link);
wl_list_init(&child->parent_link);
}
if (xsurface->surface_id) {
wl_list_remove(&xsurface->unpaired_link);
}