use-after-free in subsurface_handle_destroy / view_child_destroy #5168

Closed
martinetd opened this issue Apr 3, 2020 · 2 comments · Fixed by #6199
Labels
bug Not working as intended

Comments

@martinetd (Member)

Once again, I'm unsure how to proceed here: ideally, destroying the subsurface should always happen before the parent view, but that apparently doesn't happen when closing Firefox (it doesn't happen 100% of the time, but it seems reliable enough with Firefox. It looks like having Firefox alone in a workspace is necessary for it to happen; I can't reproduce it if there is another stacked window, at least).
Also, once again, this requires my local hack or valgrind to notice.

==111901==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150006610d0 at pc 0x0000004f924f bp 0x7ffedf543350 sp 0x7ffedf543340
WRITE of size 8 at 0x6150006610d0 thread T0
    #0 0x4f924e in wl_list_remove ../common/list.c:181
    #1 0x4e66c2 in view_child_destroy ../sway/tree/view.c:925
-> wl_list_remove(&child->view_unmap.link);
    #2 0x4e575c in subsurface_handle_destroy ../sway/tree/view.c:765
    #3 0x7f53fdbf2c93 in wlr_signal_emit_safe ../util/signal.c:29
    #4 0x7f53fdbeb1ba in subsurface_destroy ../types/wlr_surface.c:550
    #5 0x7f53fdbeb7f8 in subsurface_resource_destroy ../types/wlr_surface.c:695
    #6 0x7f53fdc423de  (/lib64/libwayland-server.so.0+0x83de)
    #7 0x7f53fdc42b33 in wl_resource_destroy (/lib64/libwayland-server.so.0+0x8b33)
    #8 0x7f53fdbeb817 in subsurface_handle_destroy ../types/wlr_surface.c:700
    #9 0x7f53fd2adaef in ffi_call_unix64 (/lib64/libffi.so.6+0x6aef)
    #10 0x7f53fd2ad2aa in ffi_call (/lib64/libffi.so.6+0x62aa)
    #11 0x7f53fdc47cd1  (/lib64/libwayland-server.so.0+0xdcd1)
    #12 0x7f53fdc43131  (/lib64/libwayland-server.so.0+0x9131)
    #13 0x7f53fdc45be9 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xbbe9)
    #14 0x7f53fdc43774 in wl_display_run (/lib64/libwayland-server.so.0+0x9774)
    #15 0x42f5f5 in server_run ../sway/server.c:216
    #16 0x42dd22 in main ../sway/main.c:409
    #17 0x7f53fd948041 in __libc_start_main (/lib64/libc.so.6+0x27041)
    #18 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd)

0x6150006610d0 is located 208 bytes inside of 512-byte region [0x615000661000,0x615000661200)
freed by thread T0 here:
    #0 0x7f53fe2fa317 in __interceptor_free (/lib64/libasan.so.6+0xb0317)
    #1 0x450726 in destroy ../sway/desktop/xdg_shell.c:253
    #2 0x4dfca3 in view_destroy ../sway/tree/view.c:60
    #3 0x4dfda8 in view_begin_destroy ../sway/tree/view.c:73
    #4 0x451e99 in handle_destroy ../sway/desktop/xdg_shell.c:481
    #5 0x7f53fdbf2c93 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7f53fdbca2ef in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:474
    #7 0x7f53fdbcc097 in destroy_xdg_toplevel ../types/xdg_shell/wlr_xdg_toplevel.c:559
    #8 0x7f53fdbcbdee in xdg_toplevel_handle_resource_destroy ../types/xdg_shell/wlr_xdg_toplevel.c:498
    #9 0x7f53fdc423de  (/lib64/libwayland-server.so.0+0x83de)

previously allocated by thread T0 here:
    #0 0x7f53fe2fa847 in __interceptor_calloc (/lib64/libasan.so.6+0xb0847)
    #1 0x452022 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:502
    #2 0x7f53fdbf2c93 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7f53fdbc9ecb in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:371
    #4 0x7f53fdbeab5e in surface_commit_pending ../types/wlr_surface.c:376
    #5 0x7f53fdbeaddc in surface_commit ../types/wlr_surface.c:448
    #6 0x7f53fd2adaef in ffi_call_unix64 (/lib64/libffi.so.6+0x6aef)

SUMMARY: AddressSanitizer: heap-use-after-free ../common/list.c:181 in wl_list_remove
Shadow bytes around the buggy address:
  0x0c2a800c41c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c41d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c41e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c41f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a800c4210: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c2a800c4220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c4230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c4240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c4260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==111901==ABORTING
@emersion (Member) commented Apr 3, 2020

I think view_destroy should free all the view children.

emersion added the "bug" label Apr 3, 2020
@emersion (Member) commented Apr 3, 2020

Note, subsurfaces are tied to the wl_surface rather than the xdg_toplevel, so destroying the toplevel before the subsurfaces is valid from a protocol POV.
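
The lifetime problem in the trace, as an added C example (not sway or wlroots code): a listener's `wl_list` link is threaded through a list head that is stored inside the parent view, so if the view is freed first, the child's later `wl_list_remove` writes through `prev`/`next` into freed memory. `wl_list` is reimplemented here with libwayland's layout and semantics, `struct view` / `struct view_child` are simplified stand-ins for `sway_view` / `sway_view_child` (assumed layouts), and the quarantining allocator is an assumed substitute for the "local hack" that instruments list operations. Both remedies discussed above are shown: unlinking the view from its own `listener_list` before freeing (the commit's approach) and destroying every child before the view (emersion's first suggestion).

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Same layout/semantics as libwayland's wl_list, reimplemented so this file is self-contained. */
struct wl_list { struct wl_list *prev, *next; };

/* Quarantining allocator (assumed; stands in for the "local hack" instrumenting wl_list):
 * freed blocks are marked, not reused, so a write through a stale link is counted. */
struct block { void *base; size_t size; bool freed; };
static struct block tracked[16];
static size_t ntracked;
static int uaf_writes; /* wl_list_remove calls that wrote into freed memory */

static void *tracked_calloc(size_t size) {
    void *p = calloc(1, size);
    assert(p && ntracked < 16);
    tracked[ntracked++] = (struct block){ p, size, false };
    return p;
}
static void tracked_free(void *p) {
    for (size_t i = 0; i < ntracked; i++)
        if (tracked[i].base == p) { tracked[i].freed = true; return; }
    assert(!"freeing an untracked pointer");
}
static bool in_freed_region(const void *p) {
    for (size_t i = 0; i < ntracked; i++) {
        const char *b = tracked[i].base;
        if (tracked[i].freed && (const char *)p >= b && (const char *)p < b + tracked[i].size) return true;
    }
    return false;
}

static void wl_list_init(struct wl_list *l) { l->prev = l->next = l; }
static void wl_list_insert(struct wl_list *l, struct wl_list *elm) {
    elm->prev = l; elm->next = l->next; l->next = elm; elm->next->prev = elm;
}
/* The two stores here are the "WRITE of size 8" in the report: for a listener, prev/next
 * point at the list head stored inside the view, freed or not. */
static void wl_list_remove(struct wl_list *elm) {
    if (in_freed_region(elm->prev) || in_freed_region(elm->next)) uaf_writes++;
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
    elm->prev = elm->next = NULL;
}

/* wl_signal/wl_listener shapes and stand-ins for sway_view / sway_view_child (assumed layouts). */
struct wl_signal { struct wl_list listener_list; };
struct wl_listener { struct wl_list link; };
struct view { struct wl_signal unmap; };                     /* view->events.unmap */
struct view_child { struct view *view; struct wl_listener view_unmap; };

static struct view_child *view_child_create(struct view *view) {
    struct view_child *child = tracked_calloc(sizeof *child);
    child->view = view;
    /* wl_signal_add: the listener link is threaded onto a head that lives in the view */
    wl_list_insert(view->unmap.listener_list.prev, &child->view_unmap.link);
    return child;
}
/* Runs from the subsurface destroy signal, possibly after the view is gone. */
static void view_child_destroy(struct view_child *child) {
    wl_list_remove(&child->view_unmap.link);
    tracked_free(child);
}
/* Buggy: the view is freed while children still link into its list head. */
static void view_destroy_buggy(struct view *view) { tracked_free(view); }
/* The commit's approach: unlink the head first, so the remaining listeners form a ring
 * among themselves and never touch the view again. */
static void view_destroy_fixed(struct view *view) {
    wl_list_remove(&view->unmap.listener_list);
    tracked_free(view);
}
/* The alternative raised in the thread: tear down every child before the view. */
static void view_destroy_children_first(struct view *view) {
    while (view->unmap.listener_list.next != &view->unmap.listener_list) {
        char *l = (char *)view->unmap.listener_list.next - offsetof(struct wl_listener, link);
        view_child_destroy((struct view_child *)(l - offsetof(struct view_child, view_unmap)));
    }
    tracked_free(view);
}

/* One view with two subsurface children: the view dies first, then whichever children are
 * still alive are torn down. Returns how many removals wrote into freed memory (0 = safe). */
static int run_scenario(void (*destroy_view)(struct view *)) {
    uaf_writes = 0;
    ntracked = 0;
    struct view *view = tracked_calloc(sizeof *view);
    wl_list_init(&view->unmap.listener_list);
    struct view_child *a = view_child_create(view), *b = view_child_create(view);
    destroy_view(view);
    if (!in_freed_region(a)) view_child_destroy(a);
    if (!in_freed_region(b)) view_child_destroy(b);
    int result = uaf_writes;
    for (size_t i = 0; i < ntracked; i++) free(tracked[i].base); /* really release now */
    ntracked = 0;
    return result;
}

int main(void) {
    printf("free view first (buggy): %d\n", run_scenario(view_destroy_buggy));
    printf("unlink listener_list:    %d\n", run_scenario(view_destroy_fixed));
    printf("destroy children first:  %d\n", run_scenario(view_destroy_children_first));
}
```

The buggy order reports two stray writes (one per child), the two safe orders report none. The "208 bytes inside of 512-byte region" in the report is the same shape as this model: the freed region is the view struct and the write lands on the list head embedded in it. Without ASan, valgrind or this kind of instrumentation the write simply lands in whatever the allocator has since handed the block to, which is why the issue notes it goes unnoticed in a plain build.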

martinetd added a commit to martinetd/sway that referenced this issue Apr 18, 2021
remove view from its own unmap event listener so that when subsurface
links try to remove themselves they won't run into it.

This fixes the following ASAN use-after-free error on a build slightly
modified to instrument wl_list operations:
==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028
WRITE of size 8 at 0x6160000829a0 thread T0
    #0 0x508eb6 in wl_list_remove ../common/list.c:181
    #1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131
    #2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946
    #3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649
    #5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094
    #6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677
    #8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)
    #9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2)
    #10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f)
    #11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219)
    #12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984)
    #13 0x43122c in server_run ../sway/server.c:254
    #14 0x42f47c in main ../sway/main.c:433
    #15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd)

0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0)
freed by thread T0 here:
    #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27)
    #1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262
    #2 0x4ed17b in view_destroy ../sway/tree/view.c:67
    #3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83
    #4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507
    #5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481
    #7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516
    #8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
    #9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce)

previously allocated by thread T0 here:
    #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7)
    #1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528
    #2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29
    #3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378
    #4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455
    #5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474
    #6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542
    #7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)

Fixes #5168
martinetd added a commit to martinetd/sway that referenced this issue Apr 18, 2021
kennylevinsen pushed a commit that referenced this issue Apr 22, 2021
RagnarGrootKoerkamp pushed a commit to RagnarGrootKoerkamp/sway that referenced this issue Jun 17, 2021
emersion pushed a commit to emersion/sway that referenced this issue Jun 23, 2021

(cherry picked from commit 8529141)
emersion pushed a commit to emersion/sway that referenced this issue Jun 24, 2021

(cherry picked from commit 8529141)
emersion pushed a commit that referenced this issue Jun 24, 2021

(cherry picked from commit 8529141)