[Wayland-bugs] [Bug 66830] weston/wayland: Invalid read/write with rdp-backend.so

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Jul 15 14:53:55 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=66830

--- Comment #4 from Mariusz Ceier <mceier+freedesktop at gmail.com> ---
The rdp_client_activity function in weston/src/compositor-rdp.c frees the rdp
peer context and the rdp peer, which in turn release weston structures, e.g.
wl_seat.

The problem is that these structures can still be in use, e.g. in registry_bind
in wayland-server.c, which calls bind_seat with a zeroed or often garbage wl_seat.

It's easily reproducible (at least for me, running under X) with rdesktop:

./weston -Brdp-backend.so

for x in `seq 0 100`; do rdesktop -b -4 127.0.0.1 & done ; killall rdesktop


Below is an example of the contents of the wl_seat structure passed to bind_seat:

{base_resource_list = {prev = 0x0, next = 0x0}, global = 0x0, pointer = 0x0,
keyboard = 0x0, touch = 0x0, output = 0x0, 
  destroy_signal = {listener_list = {prev = 0x0, next = 0x0}}, compositor =
0x0, link = {prev = 0x31, next = 0x74ef80}, 
  modifier_state = (unknown: 8153568), saved_kbd_focus = 0x75ef7f,
saved_kbd_focus_listener = {link = {prev = 0x74ef80, next = 0x0}, 
    notify = 0x6a1}, drag_resource_list = {prev = 0x0, next = 0x6599d0},
selection_serial = 0, selection_data_source = 0x0, 
  selection_data_source_listener = {link = {prev = 0x0, next = 0x0}, notify =
0x0}, selection_signal = {listener_list = {prev = 0x0, 
      next = 0x0}}, num_tp = 0, led_update = 0x0, xkb_info = {keymap = 0x0,
keymap_fd = 0, keymap_size = 0, keymap_area = 0x0, 
    shift_mod = 0, caps_mod = 0, ctrl_mod = 0, alt_mod = 0, mod2_mod = 0,
mod3_mod = 0, super_mod = 6658800, mod5_mod = 0, 
    num_led = 0, caps_led = 0, scroll_led = 0}, xkb_state = {state = 0x0, leds
= (unknown: 0)}, input_method = 0x0, 
  seat_name = 0x65b4a0 "\220>i"}


base_resource_list has NULL in prev and next, which should never happen, unless
we're just after calloc/memset or when we removed the head of the list
(wl_list_remove(&seat->base_resource_list) somewhere).
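
Added example, not part of the original comment and not Weston's or Wayland's code: a minimal C model of the lifetime rule the comment points to, where a seat is unpublished from the registry before it is freed, plus a check for the NULL list head seen in the dump. The list helpers, struct layouts and function names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>
/* Minimal list modelled on wl_list (re-implemented here, not Wayland's code). */
struct list { struct list *prev, *next; };
static void list_init(struct list *l) { l->prev = l->next = l; }
static void list_insert(struct list *l, struct list *e) {
    e->prev = l; e->next = l->next; l->next = e; e->next->prev = e;
}
/* Unlink and NULL the element's links, the state the comment describes. */
static void list_remove(struct list *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    e->prev = e->next = NULL;
}
/* An initialised head points at least at itself; NULL means calloc'd or removed. */
static int list_head_is_sane(const struct list *l) { return l->prev && l->next; }

struct seat { unsigned name; struct list base_resource_list, global_link; };
struct registry { struct list globals; };
static struct seat *seat_create(struct registry *r, unsigned name) {
    struct seat *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->name = name; list_init(&s->base_resource_list);
    list_insert(&r->globals, &s->global_link);  /* published: clients may bind */
    return s;
}
/* Teardown order: unpublish first so no later bind can reach the seat, then free. */
static void seat_destroy(struct seat *s) { list_remove(&s->global_link); free(s); }
/* Bind by name over published globals only: 0 = bound, -1 = unknown or unsafe. */
static int registry_bind(struct registry *r, unsigned name) {
    for (struct list *l = r->globals.next; l != &r->globals; l = l->next) {
        struct seat *s = (struct seat *)((char *)l - offsetof(struct seat, global_link));
        if (s->name == name)
            return list_head_is_sane(&s->base_resource_list) ? 0 : -1;
    }
    return -1;
}
/* Constructed scenario: two peers' seats, one torn down; result packs three binds. */
int bind_results_after_teardown(void) {
    struct registry r; list_init(&r.globals);
    struct seat *a = seat_create(&r, 1), *b = seat_create(&r, 2);
    if (!a || !b) return -1;
    int before = registry_bind(&r, 1);           /* seat 1 is live */
    seat_destroy(a);
    int gone = registry_bind(&r, 1), other = registry_bind(&r, 2);
    seat_destroy(b);
    return (before == 0) | (gone == -1) << 1 | (other == 0) << 2;
}
int zeroed_head_is_flagged(void) { struct seat z = {0}; return !list_head_is_sane(&z.base_resource_list); }
int main(void) { return bind_results_after_teardown() == 7 && zeroed_head_is_flagged() ? 0 : 1; }
```

Binding by a name looked up in the published list, rather than through a stored pointer, means a torn-down seat is simply not found.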
