From b1e2718dd72ec4526d862a3ab059b7d37aeb9af8 Mon Sep 17 00:00:00 2001 From: emersion Date: Fri, 23 Feb 2018 10:20:53 +0100 Subject: xwayland: fix some use-after-free in xwm --- include/wlr/types/wlr_compositor.h | 1 + include/wlr/xwm.h | 3 ++- types/wlr_compositor.c | 2 ++ xwayland/xwm.c | 26 ++++++++++++++++++++------ 4 files changed, 25 insertions(+), 7 deletions(-) diff --git a/include/wlr/types/wlr_compositor.h b/include/wlr/types/wlr_compositor.h index 8481c590..5919b934 100644 --- a/include/wlr/types/wlr_compositor.h +++ b/include/wlr/types/wlr_compositor.h @@ -14,6 +14,7 @@ struct wlr_compositor { struct { struct wl_signal new_surface; + struct wl_signal destroy; } events; }; diff --git a/include/wlr/xwm.h b/include/wlr/xwm.h index 242ff9cc..65681607 100644 --- a/include/wlr/xwm.h +++ b/include/wlr/xwm.h @@ -93,7 +93,8 @@ struct wlr_xwm { const xcb_query_extension_reply_t *xfixes; - struct wl_listener compositor_surface_create; + struct wl_listener compositor_new_surface; + struct wl_listener compositor_destroy; struct wl_listener seat_selection; struct wl_listener seat_primary_selection; }; diff --git a/types/wlr_compositor.c b/types/wlr_compositor.c index 008f2e51..f27655c0 100644 --- a/types/wlr_compositor.c +++ b/types/wlr_compositor.c @@ -90,6 +90,7 @@ void wlr_compositor_destroy(struct wlr_compositor *compositor) { if (compositor == NULL) { return; } + wlr_signal_emit_safe(&compositor->events.destroy, compositor); wl_list_remove(&compositor->display_destroy.link); wl_global_destroy(compositor->wl_global); free(compositor); @@ -195,6 +196,7 @@ struct wlr_compositor *wlr_compositor_create(struct wl_display *display, wl_list_init(&compositor->wl_resources); wl_list_init(&compositor->surfaces); wl_signal_init(&compositor->events.new_surface); + wl_signal_init(&compositor->events.destroy); compositor->display_destroy.notify = handle_display_destroy; wl_display_add_destroy_listener(display, &compositor->display_destroy); diff --git a/xwayland/xwm.c b/xwayland/xwm.c index 94dfdaab..0d957260 100644 --- a/xwayland/xwm.c +++ b/xwayland/xwm.c @@ -1019,11 +1019,11 @@ static int x11_event_handler(int fd, uint32_t mask, void *data) { return count; } -static void handle_compositor_surface_create(struct wl_listener *listener, +static void handle_compositor_new_surface(struct wl_listener *listener, void *data) { - struct wlr_surface *surface = data; struct wlr_xwm *xwm = - wl_container_of(listener, xwm, compositor_surface_create); + wl_container_of(listener, xwm, compositor_new_surface); + struct wlr_surface *surface = data; if (wl_resource_get_client(surface->resource) != xwm->xwayland->client) { return; } @@ -1043,6 +1043,16 @@ static void handle_compositor_surface_create(struct wl_listener *listener, } } +static void handle_compositor_destroy(struct wl_listener *listener, + void *data) { + struct wlr_xwm *xwm = + wl_container_of(listener, xwm, compositor_destroy); + wl_list_remove(&xwm->compositor_new_surface.link); + wl_list_remove(&xwm->compositor_destroy.link); + wl_list_init(&xwm->compositor_new_surface.link); + wl_list_init(&xwm->compositor_destroy.link); +} + void wlr_xwayland_surface_activate(struct wlr_xwayland_surface *xsurface, bool activated) { struct wlr_xwayland_surface *focused = xsurface->xwm->focus_surface; @@ -1124,7 +1134,8 @@ void xwm_destroy(struct wlr_xwm *xwm) { wl_list_for_each_safe(xsurface, tmp, &xwm->unpaired_surfaces, link) { wlr_xwayland_surface_destroy(xsurface); } - wl_list_remove(&xwm->compositor_surface_create.link); + wl_list_remove(&xwm->compositor_new_surface.link); + wl_list_remove(&xwm->compositor_destroy.link); xcb_disconnect(xwm->xcb_conn); free(xwm); @@ -1407,9 +1418,12 @@ struct wlr_xwm *xwm_create(struct wlr_xwayland *wlr_xwayland) { xwm_selection_init(xwm); - xwm->compositor_surface_create.notify = handle_compositor_surface_create; + xwm->compositor_new_surface.notify = handle_compositor_new_surface; wl_signal_add(&wlr_xwayland->compositor->events.new_surface, - &xwm->compositor_surface_create); + &xwm->compositor_new_surface); + xwm->compositor_destroy.notify = handle_compositor_destroy; + wl_signal_add(&wlr_xwayland->compositor->events.destroy, + &xwm->compositor_destroy); xwm_create_wm_window(xwm); -- cgit v1.2.3 From 5dba27216c760b9d750a75209a228efef499d08f Mon Sep 17 00:00:00 2001 From: emersion Date: Fri, 23 Feb 2018 10:24:28 +0100 Subject: rootston: fix use-after-free in handle_keyboard_destroy --- rootston/seat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rootston/seat.c b/rootston/seat.c index 38c26628..1b7d05c4 100644 --- a/rootston/seat.c +++ b/rootston/seat.c @@ -408,10 +408,10 @@ static void handle_keyboard_destroy(struct wl_listener *listener, void *data) { struct roots_keyboard *keyboard = wl_container_of(listener, keyboard, device_destroy); struct roots_seat *seat = keyboard->seat; - roots_keyboard_destroy(keyboard); wl_list_remove(&keyboard->device_destroy.link); wl_list_remove(&keyboard->keyboard_key.link); wl_list_remove(&keyboard->keyboard_modifiers.link); + roots_keyboard_destroy(keyboard); seat_update_capabilities(seat); } -- cgit v1.2.3 From ca3a9478640e6e70b89a988fd0005e6b57b6b35c Mon Sep 17 00:00:00 2001 From: emersion Date: Fri, 23 Feb 2018 10:29:18 +0100 Subject: rootston: fix user-after-free in output_handle_destroy --- include/rootston/output.h | 3 ++- rootston/output.c | 38 ++++++++++++++++++++++++++------------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/include/rootston/output.h b/include/rootston/output.h index 9682e4f5..a852a204 100644 --- a/include/rootston/output.h +++ b/include/rootston/output.h @@ -19,7 +19,8 @@ struct roots_output { struct wlr_output_damage *damage; struct wl_listener destroy; - struct wl_listener frame; + struct wl_listener damage_frame; + struct wl_listener damage_destroy; }; void handle_new_output(struct wl_listener *listener, void *data); diff --git a/rootston/output.c b/rootston/output.c index 8ef383c3..72925f91 100644 --- a/rootston/output.c +++ b/rootston/output.c @@ -514,12 +514,6 @@ damage_finish: pixman_region32_fini(&damage); } -static void output_damage_handle_frame(struct wl_listener *listener, - void *data) { - struct roots_output *output = wl_container_of(listener, output, frame); - render_output(output); -} - void output_damage_whole(struct roots_output *output) { wlr_output_damage_add_whole(output->damage); } @@ -681,19 +675,37 @@ static void set_mode(struct wlr_output *output, } } -static void output_handle_destroy(struct wl_listener *listener, void *data) { - struct roots_output *output = wl_container_of(listener, output, destroy); - +static void output_destroy(struct roots_output *output) { // TODO: cursor //example_config_configure_cursor(sample->config, sample->cursor, // sample->compositor); wl_list_remove(&output->link); wl_list_remove(&output->destroy.link); - wl_list_remove(&output->frame.link); + wl_list_remove(&output->damage_frame.link); + wl_list_remove(&output->damage_destroy.link); free(output); } +static void output_handle_destroy(struct wl_listener *listener, void *data) { + struct roots_output *output = wl_container_of(listener, output, destroy); + output_destroy(output); +} + +static void output_damage_handle_frame(struct wl_listener *listener, + void *data) { + struct roots_output *output = + wl_container_of(listener, output, damage_frame); + render_output(output); +} + +static void output_damage_handle_destroy(struct wl_listener *listener, + void *data) { + struct roots_output *output = + wl_container_of(listener, output, damage_destroy); + output_destroy(output); +} + void handle_new_output(struct wl_listener *listener, void *data) { struct roots_desktop *desktop = wl_container_of(listener, desktop, new_output); @@ -722,8 +734,10 @@ void handle_new_output(struct wl_listener *listener, void *data) { output->destroy.notify = output_handle_destroy; wl_signal_add(&wlr_output->events.destroy, &output->destroy); - output->frame.notify = output_damage_handle_frame; - wl_signal_add(&output->damage->events.frame, &output->frame); + output->damage_frame.notify = output_damage_handle_frame; + wl_signal_add(&output->damage->events.frame, &output->damage_frame); + output->damage_destroy.notify = output_damage_handle_destroy; + wl_signal_add(&output->damage->events.destroy, &output->damage_destroy); struct roots_output_config *output_config = roots_config_get_output(config, wlr_output); -- cgit v1.2.3