aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDominique Martinet <asmadeus@codewreck.org>2018-06-25 10:30:51 +0900
committerDominique Martinet <asmadeus@codewreck.org>2018-06-25 17:28:44 +0900
commit4a1c9a19257305abfbf8498a5405fe119049a322 (patch)
treedce45bbf31cd532d30663f9e5b06e7d122878829
parent954969698ac87b05f30bf3eb3b7ae387b15c4145 (diff)
xwm: fix use-after-free involving parents/children
Happens when e.g. closing gimp. ==24039==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001a7a78 at pc 0x7f09b09f1bb2 bp 0x7ffcf0237bf0 sp 0x7ffcf0237be0 WRITE of size 8 at 0x6150001a7a78 thread T0 #0 0x7f09b09f1bb1 in wl_list_remove ../util/signal.c:55 #1 0x7f09b094cf03 in xwayland_surface_destroy ../xwayland/xwm.c:295 #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717 #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149 #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x6150001a7a78 is located 120 bytes inside of 496-byte region [0x6150001a7a00,0x6150001a7bf0) freed by thread T0 here: #0 0x7f09b2b58880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x7f09b094d1a1 in xwayland_surface_destroy ../xwayland/xwm.c:315 #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717 #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149 #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) previously allocated by thread T0 here: #0 0x7f09b2b58e50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x7f09b094b585 in xwayland_surface_create ../xwayland/xwm.c:119 #2 0x7f09b0950151 in xwm_handle_create_notify ../xwayland/xwm.c:706 #3 0x7f09b0953032 in x11_event_handler ../xwayland/xwm.c:1146 #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)
-rw-r--r--xwayland/xwm.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/xwayland/xwm.c b/xwayland/xwm.c
index b397b1e8..66a85d05 100644
--- a/xwayland/xwm.c
+++ b/xwayland/xwm.c
@@ -294,6 +294,12 @@ static void xwayland_surface_destroy(
wl_list_remove(&xsurface->link);
wl_list_remove(&xsurface->parent_link);
+ struct wlr_xwayland_surface *child, *next;
+ wl_list_for_each_safe(child, next, &xsurface->children, parent_link) {
+ wl_list_remove(&child->parent_link);
+ wl_list_init(&child->parent_link);
+ }
+
if (xsurface->surface_id) {
wl_list_remove(&xsurface->unpaired_link);
}