wlroots-hyprland/xwayland
Tudor Brindus feb0e1c74d xwayland: fix use-after-free in selection handling
Fixes #2425.

wlroots can only handle one outgoing transfer at a time, so it keeps a
list of pending selections. The head of the list is the currently-active
selection, and when that transfer completes and is destroyed, the next
one is started.

The trouble is when you have a transfer to some app that is misbehaving.
fcitx is one such application. With really large transfers, fcitx will
hang and never wake up again. So, you can end up with a transfer list
that looks like this:

| T1: started | T2: pending | T3: pending | T4: pending |

The file descriptor for transfer T1 is registered in libwayland's epoll
loop. The rest are waiting in wlroots' list.

As a user, you want your clipboard back, so you `pkill fcitx`. Now
Xwayland sends `XCB_DESTROY_NOTIFY` to let us know to give up. We clean
up T4 first.

Due to a bug in wlroots code, we register the (fd, transfer data
pointer) pair for T1 with libwayland *again*, despite it already being
registered. We do this 2 more times as we remove T3 and T2.

Finally, we remove T1 and `free` all the memory associated with it,
before `close`-ing its transfer file descriptor.

However, we still have 3 copies of T1's file descriptor left in the
epoll loop, since we erroneously added them as part of removing T2/3/4.
When we `close` the file descriptor as part of T1's teardown, we
actually cause the epoll loop to wake up the next time around, saying
"this file descriptor has activity!" (it was closed, so `read`-ing would
normally return 0 to let us know of EOF).

But instead of returning 0, it returns -1 with `EBADF`, because the file
descriptor has already been closed. And finally, as part of error-handling
this, we access the transfer pointer, which was `free`'d. And we crash.
2020-10-11 08:59:08 +02:00
..
selection xwayland: fix use-after-free in selection handling 2020-10-11 08:59:08 +02:00
meson.build xwayland: split server 2020-05-19 22:07:47 +02:00
server.c xwayland: disconnect display destroy listener even if xwayland didn't initialize 2020-09-04 17:55:23 +02:00
sockets.c meson: enable more compiler warnings 2019-03-01 09:20:23 +01:00
sockets.h xwayland: remove remaining SOCK_CLOEXEC 2019-02-20 17:04:00 +01:00
xwayland.c xwayland: free server in error path 2020-07-27 10:49:19 +02:00
xwm.c xwm: add loop detection for read_surface_parent 2020-10-08 19:32:58 +02:00