[Wayland-bugs] [Bug 94071] Two subsequent display roundtrips results sendmsg syscall with uninitialized bytes
bugzilla-daemon at freedesktop.org
Wed Feb 10 15:36:07 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=94071
--- Comment #4 from Jonas Ådahl <jadahl at gmail.com> ---
(In reply to Jon from comment #3)
> (In reply to Jonas Ådahl from comment #2)
> > (In reply to Jon from comment #1)
> > > Note, a normal execution (not with valgrind) results in SIGSEGV (Address
> > > boundary error).
> >
> > Are you sure there is a compositor running when you run your test case? I
> > can only reproduce a SIGSEGV if there is no Wayland compositor to connect
> > to. If it succeeds connecting, I only get the valgrind warning, no SIGSEGV.
>
> Oops, sorry. Yeah the SIGSEGV only occurs if there's no compositor. The
> sendmsg valgrind error still occurs in either case though.
The reason is that we align the buffers by 4 bytes. So that when we put a
string "ab" which is 3 bytes including '\0', we write:
0-3: [sender id]
4-5: [3 bytes long message]
6-7: [op code]
8-10: "ab\0"
11: [uninitialized]
The reader will read bytes 4-5 and then not read the uninitialized data.
This is, more or less, harmless, except for the fact that we are sending
uninitialized bytes from one process's memory to another, which I would say
is a security issue at least when the closure is sent from the server to the
client. I'm sending a patch making the memory initialized to 0, so we avoid
padding with uninitialized bytes.
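The layout sketched in the comment above can be reproduced in a small C model. This is an added example, not libwayland's own marshalling code: it follows the simplified wire layout the comment describes (4-byte sender id, 2-byte length, 2-byte opcode, then the NUL-terminated string padded to a 4-byte boundary), and the names `marshal_naive`, `marshal_zeroed`, `count_stale_padding` and the 0xAA "stale memory" pattern are all constructed here. The naive marshaller copies only the string and leaves the padding byte holding whatever the buffer held before; the zeroed variant clears the padded region first, which is the fix the comment proposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Round n up to the next multiple of 4, as the comment says the buffers are aligned. */
#define ALIGN4(n) (((n) + 3) & ~(size_t)3)

#define HEADER_LEN 8          /* 4-byte sender id + 2-byte length + 2-byte opcode */
#define STALE_BYTE 0xAA       /* constructed pattern standing in for old process memory */

/* Simulate a reused buffer: everything in it still holds previous data. */
static void fill_stale(uint8_t *buf, size_t cap)
{
    memset(buf, STALE_BYTE, cap);
}

/* Naive marshaller (hypothetical): writes header and string, returns total length.
 * The bytes between the string's NUL and the 4-byte boundary are never written. */
size_t marshal_naive(uint8_t *buf, size_t cap, uint32_t sender, uint16_t opcode, const char *s)
{
    size_t slen = strlen(s) + 1;                   /* "ab" -> 3, including '\0' */
    size_t total = HEADER_LEN + ALIGN4(slen);      /* "ab" -> 8 + 4 = 12 */
    uint16_t len16 = (uint16_t)total;
    if (total > cap)
        return 0;
    memcpy(buf, &sender, sizeof sender);
    memcpy(buf + 4, &len16, sizeof len16);
    memcpy(buf + 6, &opcode, sizeof opcode);
    memcpy(buf + HEADER_LEN, s, slen);             /* padding after the NUL left as-is */
    return total;
}

/* Hardened marshaller (hypothetical): same layout, but the whole padded string
 * region is zeroed before the copy, so no stale memory can reach the socket. */
size_t marshal_zeroed(uint8_t *buf, size_t cap, uint32_t sender, uint16_t opcode, const char *s)
{
    size_t slen = strlen(s) + 1;
    size_t total = HEADER_LEN + ALIGN4(slen);
    uint16_t len16 = (uint16_t)total;
    if (total > cap)
        return 0;
    memcpy(buf, &sender, sizeof sender);
    memcpy(buf + 4, &len16, sizeof len16);
    memcpy(buf + 6, &opcode, sizeof opcode);
    memset(buf + HEADER_LEN, 0, ALIGN4(slen));     /* clear string + padding first */
    memcpy(buf + HEADER_LEN, s, slen);
    return total;
}

/* Count padding bytes (after the string's NUL) that still carry the stale pattern.
 * This is the check a reviewer would run to see whether a marshaller leaks. */
size_t count_stale_padding(const uint8_t *buf, size_t total, const char *s)
{
    size_t slen = strlen(s) + 1;
    size_t stale = 0;
    for (size_t i = HEADER_LEN + slen; i < total; i++)
        if (buf[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Convenience wrappers: marshal s into a stale buffer and report leaked bytes. */
size_t stale_after_naive(const char *s)
{
    uint8_t buf[64];
    fill_stale(buf, sizeof buf);
    size_t total = marshal_naive(buf, sizeof buf, 1, 7, s);
    return count_stale_padding(buf, total, s);
}

size_t stale_after_zeroed(const char *s)
{
    uint8_t buf[64];
    fill_stale(buf, sizeof buf);
    size_t total = marshal_zeroed(buf, sizeof buf, 1, 7, s);
    return count_stale_padding(buf, total, s);
}

int main(void)
{
    const char *samples[] = { "ab", "a", "abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\": naive leaks %zu padding byte(s), zeroed leaks %zu\n",
               samples[i], stale_after_naive(samples[i]), stale_after_zeroed(samples[i]));
    return 0;
}
```

For "ab" the naive path leaves exactly one stale byte at offset 11, matching the comment's layout; "abc" needs no padding and leaks nothing either way, which is why the problem is only visible for some string lengths. Note that the 0xAA sentinel is only a stand-in: in a real process that byte would be whatever the allocator left behind, which is what valgrind flags at the sendmsg call.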