Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use after free in xdg_decoration_handle_destroy #3759

Closed
sanga opened this issue Feb 23, 2019 · 0 comments
Closed

use after free in xdg_decoration_handle_destroy #3759

sanga opened this issue Feb 23, 2019 · 0 comments

Comments

@sanga
Copy link
Contributor

sanga commented Feb 23, 2019 

2019-02-23 07:41:45 - [sway/desktop/transaction.c:378] Transaction 0x6040001630d0 timed out (1 waiting)
2019-02-23 07:41:45 - [sway/desktop/transaction.c:281] Applying transaction 0x6040001630d0
2019-02-23 07:41:45 - [sway/tree/container.c:1058] Container 0x616000134780 entered output 0x615000009680
2019-02-23 07:41:45 - [sway/desktop/transaction.c:413] Transaction 0x604000163d50 committing with 3 instructions
2019-02-23 07:41:45 - [sway/desktop/transaction.c:494] Transaction 0x604000163d50 is ready
2019-02-23 07:41:45 - [sway/desktop/transaction.c:281] Applying transaction 0x604000163d50
2019-02-23 07:41:45 - [sway/tree/container.c:1058] Container 0x616000176180 entered output 0x615000009680
2019-02-23 07:41:45 - [sway/desktop/transaction.c:413] Transaction 0x604000165210 committing with 1 instructions
2019-02-23 07:41:45 - [sway/desktop/transaction.c:281] Applying transaction 0x604000165210
2019-02-23 07:41:47 - [sway/ipc-server.c:323] Sending window::close event
2019-02-23 07:41:47 - [sway/ipc-server.c:911] Added IPC reply to client 68 queue: { "change": "close", "container": { "id": 7, "name": "fish \/home\/tsampson", "rect": { "x": 0, "y": 0, "width": 2560, "height": 1415 }, "focused": true, "focus": [ ], "border": "none", "current_border_width": 2, "layout": "none", "orientation": "none", "percent": 1.0, "window_rect": { "x": 0, "y": 0, "width": 2560, "height": 1415 }, "deco_rect": { "x": 0, "y": 0, "width": 0, "height": 0 }, "geometry": { "x": 0, "y": 0, "width": 884, "height": 532 }, "window": null, "urgent": false, "floating_nodes": [ ], "sticky": false, "type": "con", "fullscreen_mode": 0, "pid": 32338, "app_id": "Alacritty", "visible": true, "marks": [ ], "nodes": [ ] } }
2019-02-23 07:41:47 - [sway/tree/arrange.c:190] Usable area for ws: 2560x1415@0,0
2019-02-23 07:41:47 - [sway/tree/arrange.c:221] Arranging workspace '1' at 0.000000, 0.000000
2019-02-23 07:41:47 - [sway/desktop/transaction.c:413] Transaction 0x604000168110 committing with 2 instructions
2019-02-23 07:41:47 - [sway/desktop/transaction.c:281] Applying transaction 0x604000168110
=================================================================
==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    #1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    #3 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    #5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    #6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #10 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #11 0x7f6400a1e211  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    #12 0x7f6400a1e6fe  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    #13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    #14 0x7f6400a1a1c4  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    #15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    #16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    #17 0x55571ce4c7fd in server_run ../sway/server.c:214
    #18 0x55571ce4ad59 in main ../sway/main.c:405
    #19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    #2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    #3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    #4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    #5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    #2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    #4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    #5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    #6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

SUMMARY: AddressSanitizer: heap-use-after-free ../sway/xdg_decoration.c:13 in xdg_decoration_handle_destroy
Shadow bytes around the buggy address:
  0x0c2a80004950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80004960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80004970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80004980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80004990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a800049a0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800049b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800049c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800049d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2a800049e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800049f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32046==ABORTING
Gdk-Message: 07:41:47.872: Error reading events from display: Broken pipe
(EE) failed to read Wayland events: Connection reset by peer

=================================================================
==32055==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4608 byte(s) in 7 object(s) allocated from:
    #0 0x7ff060a8b370 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee370)
    #1 0x7ff05ff43f48  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1ff48)

Direct leak of 768 byte(s) in 3 object(s) allocated from:
    #0 0x7ff060a8af30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x7ff05ff43e9e  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1fe9e)

Direct leak of 48 byte(s) in 2 object(s) allocated from:
    #0 0x7ff060a8af30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x7ff05ff4367d in FcPatternCreate (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1f67d)

Indirect leak of 10752 byte(s) in 336 object(s) allocated from:
    #0 0x7ff060a8af30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x7ff05ff30b5f  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0xcb5f)

Indirect leak of 4778 byte(s) in 409 object(s) allocated from:
    #0 0x7ff0609d8070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070)
    #1 0x7ff05ff43894 in FcValueSave (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1f894)

Indirect leak of 3840 byte(s) in 120 object(s) allocated from:
    #0 0x7ff060a8b138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x7ff05ff445a8  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x205a8)

Indirect leak of 3264 byte(s) in 102 object(s) allocated from:
    #0 0x7ff060a8b138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x7ff05ff43b4c  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1fb4c)

Indirect leak of 768 byte(s) in 24 object(s) allocated from:
    #0 0x7ff060a8b138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x7ff05ff439d6  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1f9d6)

Indirect leak of 192 byte(s) in 4 object(s) allocated from:
    #0 0x7ff060a8af30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x7ff05ff3da1d in FcLangSetCreate (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x19a1d)

SUMMARY: AddressSanitizer: 29018 byte(s) leaked in 1007 allocation(s).
thread 'main' panicked at 'failed printing to stdout: Broken pipe (os error 32)', src/libstd/io/stdio.rs:735:9
note: Run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
thread '<unnamed>' panicked at 'cannot access stdin during shutdown', src/libcore/option.rs:1038:5

IIRC all I did to get this was: start sway, open a terminal, close that terminal.

sway version 1.0-rc1-105-gd2b5857d (Feb 23 2019, branch 'improve_fish_completions')
wlroots=4f66565606c8958684c00f28d0b4996904c041bc

(note: it's possible that that version info is not correct, but if it's not it's very close, couldn't be more than a day off)
Emantor added a commit to Emantor/sway that referenced this issue Feb 23, 2019
@Emantor
view: set xdg_decoration->view to NULL, check decoration destroy
18fd7bb 
Fixes heap-use-after-free:

==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    swaywm#1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    swaywm#3 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    swaywm#4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    swaywm#5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    swaywm#6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    swaywm#8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    swaywm#9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    swaywm#10 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    swaywm#11 0x7f6400a1e211  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    swaywm#12 0x7f6400a1e6fe  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    swaywm#13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    swaywm#14 0x7f6400a1a1c4  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    swaywm#15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    swaywm#16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    swaywm#17 0x55571ce4c7fd in server_run ../sway/server.c:214
    swaywm#18 0x55571ce4ad59 in main ../sway/main.c:405
    swaywm#19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    swaywm#20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    swaywm#1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    swaywm#2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    swaywm#3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    swaywm#4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    swaywm#5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    swaywm#7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    swaywm#8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    swaywm#9 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    swaywm#1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    swaywm#2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    swaywm#4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    swaywm#5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    swaywm#6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

Fixes swaywm#3759
@Emantor Emantor mentioned this issue Feb 23, 2019
Merged
Emantor added a commit to Emantor/sway that referenced this issue Feb 23, 2019
@Emantor
view: set xdg_decoration->view to NULL, check decoration destroy
a2a1872 
Fixes heap-use-after-free:

==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    swaywm#1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    swaywm#3 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    swaywm#4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    swaywm#5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    swaywm#6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    swaywm#8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    swaywm#9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    swaywm#10 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    swaywm#11 0x7f6400a1e211  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    swaywm#12 0x7f6400a1e6fe  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    swaywm#13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    swaywm#14 0x7f6400a1a1c4  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    swaywm#15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    swaywm#16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    swaywm#17 0x55571ce4c7fd in server_run ../sway/server.c:214
    swaywm#18 0x55571ce4ad59 in main ../sway/main.c:405
    swaywm#19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    swaywm#20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    swaywm#1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    swaywm#2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    swaywm#3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    swaywm#4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    swaywm#5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    swaywm#7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    swaywm#8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    swaywm#9 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    swaywm#1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    swaywm#2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    swaywm#3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    swaywm#4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    swaywm#5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    swaywm#6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

Fixes swaywm#3759
RedSoxFan pushed a commit that referenced this issue Feb 23, 2019
@Emantor @RedSoxFan
view: set xdg_decoration->view to NULL, check decoration destroy
3ead287 
Fixes heap-use-after-free:

==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    #1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    #3 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    #5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    #6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #10 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #11 0x7f6400a1e211  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    #12 0x7f6400a1e6fe  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    #13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    #14 0x7f6400a1a1c4  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    #15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    #16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    #17 0x55571ce4c7fd in server_run ../sway/server.c:214
    #18 0x55571ce4ad59 in main ../sway/main.c:405
    #19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    #2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    #3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    #4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    #5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    #2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    #4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    #5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    #6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

Fixes #3759
ddevault pushed a commit that referenced this issue Feb 25, 2019
@Emantor @ddevault
view: set xdg_decoration->view to NULL, check decoration destroy
b474050 
Fixes heap-use-after-free:

==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
    #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
    #1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
    #3 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
    #5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
    #6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #10 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
    #11 0x7f6400a1e211  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
    #12 0x7f6400a1e6fe  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
    #13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
    #14 0x7f6400a1a1c4  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
    #15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
    #16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
    #17 0x55571ce4c7fd in server_run ../sway/server.c:214
    #18 0x55571ce4ad59 in main ../sway/main.c:405
    #19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)

0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
    #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
    #2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
    #3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
    #4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
    #5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
    #7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
    #8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7f6400a19f8d  (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)

previously allocated by thread T0 here:
    #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
    #1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
    #2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
    #4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
    #5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
    #6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

Fixes #3759
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sanga