diff options
| author |  Rouven Czerwinski <rouven@czerwinskis.de> | 2019-02-23 08:28:49 +0100 |
|---|---|---|
| committer |  Drew DeVault <sir@cmpwn.com> | 2019-02-25 17:10:04 -0500 |
| commit | b474050d7b22c9dfa425affa2c4aff551dc96a71 (patch) | |
| tree | ecfa15802edaecee009294e778f376359c438868 | |
| parent | input/cursor: allow whole-window bindings on ws (diff) | |
| download | sway-b474050d7b22c9dfa425affa2c4aff551dc96a71.tar.gz sway-b474050d7b22c9dfa425affa2c4aff551dc96a71.tar.zst sway-b474050d7b22c9dfa425affa2c4aff551dc96a71.zip | |
view: set xdg_decoration->view to NULL, check decoration destroy
Fixes heap-use-after-free:
==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
#0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
#1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
#3 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
#4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
#5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
#6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
#8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
#9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
#10 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
#11 0x7f6400a1e211 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
#12 0x7f6400a1e6fe (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
#13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
#14 0x7f6400a1a1c4 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
#15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
#16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
#17 0x55571ce4c7fd in server_run ../sway/server.c:214
#18 0x55571ce4ad59 in main ../sway/main.c:405
#19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)
0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
#0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
#1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
#2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
#3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
#4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
#5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
#7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
#8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
#9 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
previously allocated by thread T0 here:
#0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
#1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
#2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
#4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
#5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
#6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)
Fixes #3759
| -rw-r--r-- | sway/desktop/xdg_shell.c | 4 | ||||
| -rw-r--r-- | sway/xdg_decoration.c | 4 |
2 files changed, 7 insertions, 1 deletions
diff --git a/sway/desktop/xdg_shell.c b/sway/desktop/xdg_shell.c index ce6fe41a..c84ca111 100644 --- a/sway/desktop/xdg_shell.c +++ b/sway/desktop/xdg_shell.c | |||
| @@ -17,6 +17,7 @@ | |||
| 17 | #include "sway/tree/container.h" | 17 | #include "sway/tree/container.h" |
| 18 | #include "sway/tree/view.h" | 18 | #include "sway/tree/view.h" |
| 19 | #include "sway/tree/workspace.h" | 19 | #include "sway/tree/workspace.h" |
| 20 | #include "sway/xdg_decoration.h" | ||
| 20 | 21 | ||
| 21 | static const struct sway_view_child_impl popup_impl; | 22 | static const struct sway_view_child_impl popup_impl; |
| 22 | 23 | ||
| @@ -461,6 +462,9 @@ static void handle_destroy(struct wl_listener *listener, void *data) { | |||
| 461 | wl_list_remove(&xdg_shell_view->map.link); | 462 | wl_list_remove(&xdg_shell_view->map.link); |
| 462 | wl_list_remove(&xdg_shell_view->unmap.link); | 463 | wl_list_remove(&xdg_shell_view->unmap.link); |
| 463 | view->wlr_xdg_surface = NULL; | 464 | view->wlr_xdg_surface = NULL; |
| 465 | if (view->xdg_decoration) { | ||
| 466 | view->xdg_decoration->view = NULL; | ||
| 467 | } | ||
| 464 | view_begin_destroy(view); | 468 | view_begin_destroy(view); |
| 465 | } | 469 | } |
| 466 | 470 | ||
diff --git a/sway/xdg_decoration.c b/sway/xdg_decoration.c index 39e0df56..9ac87191 100644 --- a/sway/xdg_decoration.c +++ b/sway/xdg_decoration.c | |||
| @@ -10,7 +10,9 @@ static void xdg_decoration_handle_destroy(struct wl_listener *listener, | |||
| 10 | void *data) { | 10 | void *data) { |
| 11 | struct sway_xdg_decoration *deco = | 11 | struct sway_xdg_decoration *deco = |
| 12 | wl_container_of(listener, deco, destroy); | 12 | wl_container_of(listener, deco, destroy); |
| 13 | deco->view->xdg_decoration = NULL; | 13 | if(deco->view) { |
| 14 | deco->view->xdg_decoration = NULL; | ||
| 15 | } | ||
| 14 | wl_list_remove(&deco->destroy.link); | 16 | wl_list_remove(&deco->destroy.link); |
| 15 | wl_list_remove(&deco->request_mode.link); | 17 | wl_list_remove(&deco->request_mode.link); |
| 16 | wl_list_remove(&deco->link); | 18 | wl_list_remove(&deco->link); |