alex/swayfx
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
swayfx/sway
History
Dominique Martinet 8529141150 view_destroy: fix use-after-free with subsurface_destroy 
remove view from its own unmap event listener so when subsurfaces
link try to remove themselves they won't run into it.

This fixes the following ASAN use-after-free error on a build slightly
modified to instrument wl_list operations:
==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028
WRITE of size 8 at 0x6160000829a0 thread T0
    #0 0x508eb6 in wl_list_remove ../common/list.c:181
    #1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131
    #2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946
    #3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649
    #5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094
    #6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677
    #8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)
    #9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2)
    #10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f)
    #11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219)
    #12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984)
    #13 0x43122c in server_run ../sway/server.c:254
    #14 0x42f47c in main ../sway/main.c:433
    #15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd)

0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0)
freed by thread T0 here:
    #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27)
    #1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262
    #2 0x4ed17b in view_destroy ../sway/tree/view.c:67
    #3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83
    #4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507
    #5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481
    #7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516
    #8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)

previously allocated by thread T0 here:
    #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7)
    #1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528
    #2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378
    #4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455
    #5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474
    #6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542
    #7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)

Fixes #5168
2021-04-22 23:19:08 +02:00
..
commands commands/exec_always: log error on execlp failure 2021-04-22 23:12:49 +02:00
config output: Reconfigure xcursor when applying output config 2021-02-24 20:54:48 +01:00
desktop desktop/layer_shell: fix centering for opposing anchors 2021-04-12 12:13:25 -07:00
input Implement input method keyboard grab 2021-03-12 12:18:08 +01:00
tree view_destroy: fix use-after-free with subsurface_destroy 2021-04-22 23:19:08 +02:00
commands.c Fix for_window criteria and mouse button bindings 2021-02-25 09:48:39 -05:00
config.c config: allow whitespaces in config path 2021-03-25 17:22:26 +01:00
criteria.c container: Move pending state to state struct 2021-02-16 22:05:00 -05:00
decoration.c Fix double free when unmapping any view 2018-11-15 15:22:09 +10:00
ipc-json.c container: Move pending state to state struct 2021-02-16 22:05:00 -05:00
ipc-server.c Fix incorrect format specifiers 2020-07-30 22:02:42 -04:00
main.c Log wlroots version on startup 2021-04-12 16:18:17 +02:00
meson.build Automatically map built-in touchscreens/tablets to built-in panels 2021-02-25 09:38:00 -05:00
server.c Remove WLR_HAS_XDG_FOREIGN checks 2021-04-11 19:14:05 +02:00
sway-bar.5.scd Add support for workspace_min_width bar option. 2020-10-11 19:12:42 +02:00
sway-input.5.scd man: document input XXX map_to_output * 2021-02-25 09:38:00 -05:00
sway-ipc.7.scd document parse_error 2020-11-21 11:42:29 +01:00
sway-output.5.scd Add toggle logic inside DPMS handler 2021-03-25 11:01:04 +01:00
sway.1.scd man: update maintainer 2021-01-08 09:33:51 +01:00
sway.5.scd Change workspace_layout to match i3 behavior 2020-12-20 00:58:42 -05:00
swaynag.c Use execlp("sh") instead of execl("/bin/sh") 2021-04-22 23:12:49 +02:00
xdg_decoration.c Fix xdg-decoration unconfigured if set before first commit 2019-05-03 15:37:32 -06:00