From 08800c8ee22f2aad8c00117756c15169d6e543b1 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Tue, 26 Jun 2018 21:16:42 +0900 Subject: [PATCH 1/2] layer_shell: cleanup output link on output destroy Fixes this kind of use-after-free: ==1795==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000191ef0 at pc 0x00000048c388 bp 0x7ffe308f0410 sp 0x7ffe308f0400 WRITE of size 8 at 0x612000191ef0 thread T0 #0 0x48c387 in wl_list_remove ../common/list.c:157 #1 0x42196b in handle_destroy ../sway/desktop/layer_shell.c:275 #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f55cc22cf68 in layer_surface_destroy ../types/wlr_layer_shell.c:182 #4 0x7f55cc22d084 in layer_surface_resource_destroy ../types/wlr_layer_shell.c:196 #5 0x7f55cc4ca025 in destroy_resource src/wayland-server.c:688 #6 0x7f55cc4ca091 in wl_resource_destroy src/wayland-server.c:705 #7 0x7f55cc22c3a2 in resource_handle_destroy ../types/wlr_layer_shell.c:18 #8 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) #9 0x7f55c8ef09fe in ffi_call (/lib64/libffi.so.6+0x59fe) #10 0x7f55cc4cdf2c (/lib64/libwayland-server.so.0+0xbf2c) #11 0x7f55cc4ca3de in wl_client_connection_data src/wayland-server.c:420 #12 0x7f55cc4cbf01 in wl_event_loop_dispatch src/event-loop.c:641 #13 0x7f55cc4ca601 in wl_display_run src/wayland-server.c:1260 #14 0x40bb1e in server_run ../sway/server.c:141 #15 0x40ab2f in main ../sway/main.c:432 #16 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308 #17 0x408d29 in _start (/opt/wayland/bin/sway+0x408d29) 0x612000191ef0 is located 48 bytes inside of 312-byte region [0x612000191ec0,0x612000191ff8) freed by thread T0 here: #0 0x7f55ce3bb880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x42f1db in handle_destroy ../sway/desktop/output.c:1275 #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f55cc23b4c2 in wlr_output_destroy ../types/wlr_output.c:284 #4 0x7f55cc1ddc20 in xdg_toplevel_handle_close ../backend/wayland/output.c:235 #5 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) previously allocated by thread T0 here: #0 0x7f55ce3bbe50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x42f401 in handle_new_output ../sway/desktop/output.c:1308 #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f55cc1d6cbf in new_output_reemit ../backend/multi/backend.c:113 #4 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #5 0x7f55cc1deac7 in wlr_wl_output_create ../backend/wayland/output.c:327 #6 0x7f55cc1db353 in backend_start ../backend/wayland/backend.c:55 #7 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35 #8 0x7f55cc1d67a0 in multi_backend_start ../backend/multi/backend.c:24 #9 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35 #10 0x40ba8a in server_run ../sway/server.c:136 #11 0x40ab2f in main ../sway/main.c:432 #12 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308 --- sway/desktop/layer_shell.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sway/desktop/layer_shell.c b/sway/desktop/layer_shell.c index 3accdefb..94dc22e7 100644 --- a/sway/desktop/layer_shell.c +++ b/sway/desktop/layer_shell.c @@ -219,6 +219,8 @@ static void handle_output_destroy(struct wl_listener *listener, void *data) { struct sway_layer_surface *sway_layer = wl_container_of(listener, sway_layer, output_destroy); wl_list_remove(&sway_layer->output_destroy.link); + wl_list_remove(&sway_layer->link); + wl_list_init(&sway_layer->link); sway_layer->layer_surface->output = NULL; wlr_layer_surface_close(sway_layer->layer_surface); } From 6856866a612c9f0708a42cbe6d9627173d9e3569 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Tue, 26 Jun 2018 21:19:38 +0900 Subject: [PATCH 2/2] layer_shell: order destroying before sway_output Both sway_output and sway_layer_shell listen to wlr's output destroy event, but sway_layer_shell needs to access into sway_output's data strucure and needs to be destroyed first. Resolve this by making sway_layer_shell listen to a new event that happens at start of sway_output's destroy handler --- include/sway/output.h | 4 ++++ sway/desktop/layer_shell.c | 7 +++---- sway/desktop/output.c | 3 +++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/include/sway/output.h b/include/sway/output.h index 70f746dc..8180ce3d 100644 --- a/include/sway/output.h +++ b/include/sway/output.h @@ -32,6 +32,10 @@ struct sway_output { struct wl_list link; pid_t bg_pid; + + struct { + struct wl_signal destroy; + } events; }; void output_damage_whole(struct sway_output *output); diff --git a/sway/desktop/layer_shell.c b/sway/desktop/layer_shell.c index 94dc22e7..b57d1ee6 100644 --- a/sway/desktop/layer_shell.c +++ b/sway/desktop/layer_shell.c @@ -352,10 +352,6 @@ void handle_layer_shell_surface(struct wl_listener *listener, void *data) { wl_signal_add(&layer_surface->surface->events.commit, &sway_layer->surface_commit); - sway_layer->output_destroy.notify = handle_output_destroy; - wl_signal_add(&layer_surface->output->events.destroy, - &sway_layer->output_destroy); - sway_layer->destroy.notify = handle_destroy; wl_signal_add(&layer_surface->events.destroy, &sway_layer->destroy); sway_layer->map.notify = handle_map; @@ -368,6 +364,9 @@ void handle_layer_shell_surface(struct wl_listener *listener, void *data) { layer_surface->data = sway_layer; struct sway_output *output = layer_surface->output->data; + sway_layer->output_destroy.notify = handle_output_destroy; + wl_signal_add(&output->events.destroy, &sway_layer->output_destroy); + wl_list_insert(&output->layers[layer_surface->layer], &sway_layer->link); // Temporarily set the layer's current state to client_pending diff --git a/sway/desktop/output.c b/sway/desktop/output.c index d4115be8..f0f1603a 100644 --- a/sway/desktop/output.c +++ b/sway/desktop/output.c @@ -1199,6 +1199,8 @@ static void damage_handle_destroy(struct wl_listener *listener, void *data) { static void handle_destroy(struct wl_listener *listener, void *data) { struct sway_output *output = wl_container_of(listener, output, destroy); + wl_signal_emit(&output->events.destroy, output); + if (output->swayc) { container_destroy(output->swayc); } @@ -1277,6 +1279,7 @@ void output_enable(struct sway_output *output) { for (size_t i = 0; i < len; ++i) { wl_list_init(&output->layers[i]); } + wl_signal_init(&output->events.destroy); input_manager_configure_xcursor(input_manager);