alex/swayfx
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
swayfx/sway
History
Rouven Czerwinski ac0637708f output: remove damage listeners in damage destroy 
Instead of removing the destroy listeners in the output destroy, remove
them in the damage destroy handler. Fixes the following use after free:

  ==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20
  WRITE of size 8 at 0x61200017cab8 thread T0

      #0 0x4f8f28 in wl_list_remove ../common/list.c:181
      #1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790
  (`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch)
      #2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
      #4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
      #5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
      #6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
      #7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
      #8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
      #9 0x42f0b2 in server_fini ../sway/server.c:177
      #10 0x42dd01 in main ../sway/main.c:414
      #11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
      #12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd)

  0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80)
  freed by thread T0 here:
      #0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357)
      #1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143
      #2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13
      #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
      #5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
      #6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
      #7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
      #8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
      #9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)

  previously allocated by thread T0 here:
      #0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887)
      #1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91
      #2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875
      #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143
      #5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
      #6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253
      #7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113
      #8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
      #9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31
      #10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
      #11 0x42f4ba in server_start ../sway/server.c:205
      #12 0x42dbd7 in main ../sway/main.c:394
      #13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)

Fixes #5158
2020-04-10 10:20:21 +02:00
..
commands add --no-repeat option for bindings 2020-03-30 14:18:27 +02:00
config Don't add disabled outputs back to output layout 2020-04-09 15:45:29 +02:00
desktop output: remove damage listeners in damage destroy 2020-04-10 10:20:21 +02:00
input im: Fix crash when im destorying and no focused surface exists 2020-04-04 11:42:04 +02:00
tree Update for new wlr_buffer API 2020-04-02 23:23:56 +02:00
commands.c criteria: match containers without view 2020-02-04 19:52:21 -05:00
config.c config: fix unfocused text color 2020-04-04 23:25:04 +02:00
criteria.c Introduce pid criteria token 2020-02-27 14:03:22 +01:00
decoration.c Fix double free when unmapping any view 2018-11-15 15:22:09 +10:00
ipc-json.c Limit workspace numbers within 0..INT32_MAX 2020-03-12 19:43:45 -04:00
ipc-server.c ipc-server: improve error message 2020-02-29 19:59:42 +01:00
main.c config: fix validation exit code and log level 2020-02-11 16:02:11 +01:00
meson.build Port input method and text input from rootston 2020-04-04 11:42:04 +02:00
security.c Replace _XOPEN_SOURCE with _POSIX_C_SOURCE 2018-11-25 17:19:43 +01:00
server.c Port input method and text input from rootston 2020-04-04 11:42:04 +02:00
sway-bar.5.scd swaybar: complete barconfig_update event handling 2019-09-04 16:48:50 -10:00
sway-input.5.scd Document input selector precedence 2020-03-15 18:05:14 -04:00
sway-ipc.7.scd i3compat: add window_type to IPC response 2020-02-17 21:58:05 +01:00
sway-output.5.scd Fix output mode usage 2020-03-21 17:46:06 +01:00
sway.1.scd Update language in sway.desktop & sway(1) 2019-03-10 15:09:52 -04:00
sway.5.scd Reference wev instead of xev 2020-04-02 23:25:34 +02:00
swaynag.c Rename symbol set_cloexec to sway_set_cloexec, remove duplicates. 2019-11-01 12:41:08 -04:00
xdg_decoration.c Fix xdg-decoration unconfigured if set before first commit 2019-05-03 15:37:32 -06:00