[Wayland-bugs] [Bug 94519] wl_resource_destroy use-heap-after-free which destroyed by weston_seat_release
bugzilla-daemon at freedesktop.org
Sat Mar 12 23:21:30 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=94519
Bug ID: 94519
Summary: wl_resource_destroy use-heap-after-free which destroyed by weston_seat_release
Product: Wayland
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: weston
Assignee: wayland-bugs at lists.freedesktop.org
Reporter: comicfans44 at gmail.com
I'm trying weston with the rdp backend. After the rdp session disconnects, weston crashes.
It seems weston_seat_release already calls
weston_keyboard_destroy(seat->keyboardstate)
but later
wl_resource_destroy->destroy_resource->wl_list_remove
accesses this memory.
Address sanitizer report:
==10695==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000020d50 at pc 0x7f05e9f6c567 bp 0x7ffee886bf10 sp 0x7ffee886bf00
WRITE of size 8 at 0x611000020d50 thread T0
    #0 0x7f05e9f6c566 in wl_list_remove /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-util.c:57
    #1 0x7f05e9f5df7a in destroy_resource /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:571
    #2 0x7f05e9f5f89e in wl_resource_destroy /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:584
    #3 0x7f05e84cae2f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0xce2f)
    #4 0x7f05e84c9a2d in ffi_call (/usr/lib64/libffi.so.6+0xba2d)
    #5 0x7f05e9f6af75 in wl_closure_invoke /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/connection.c:949
    #6 0x7f05e9f603b5 in wl_client_connection_data /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:337
    #7 0x7f05e9f650d1 in wl_event_loop_dispatch /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/event-loop.c:421
    #8 0x7f05e9f611af in wl_display_run /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:1051
    #9 0x40a333 in main src/main.c:859
    #10 0x7f05e8ea459f in __libc_start_main (/lib64/libc.so.6+0x2059f)
    #11 0x40a8c8 in _start (/usr/bin/weston+0x40a8c8)

0x611000020d50 is located 16 bytes inside of 232-byte region [0x611000020d40,0x611000020e28)
freed by thread T0 here:
    #0 0x7f05ea1d455f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5755f)
    #1 0x42c92c in weston_seat_release src/input.c:2675

previously allocated by thread T0 here:
    #0 0x7f05ea1d4935 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57935)
    #1 0x423e6f in zalloc shared/zalloc.h:38
    #2 0x423e6f in weston_keyboard_create src/input.c:756
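
Added example, not part of the original report and not Weston's or libwayland's code: a minimal model of the lifetime problem the trace shows, where an owner holding an intrusive list head is freed while longer-lived resources are still linked into it. It shows one common mitigation (detach and re-initialise every link before freeing the head); all struct and function names are hypothetical.

```c
#include <stdlib.h>
/* Added illustration; all names here are hypothetical, not Weston's. */
struct list { struct list *prev, *next; };
static void list_init(struct list *l) { l->prev = l->next = l; }
static void list_insert(struct list *head, struct list *elm) {
    elm->prev = head;        elm->next = head->next;
    head->next->prev = elm;  head->next = elm;
}
/* Like wl_list_remove, this writes into both neighbours of elm. */
static void list_remove(struct list *elm) {
    elm->prev->next = elm->next;
    elm->next->prev = elm->prev;
}

struct keyboard { struct list resources; };  /* owner: holds the list head */
struct resource { struct list link; };       /* may outlive the owner */

/* Hardened teardown: unlink every resource before the head is freed and
 * leave each link self-pointing, so a later list_remove() on it only
 * touches the resource's own memory. */
static void keyboard_destroy(struct keyboard *kbd) {
    struct list *pos = kbd->resources.next, *next;
    for (; pos != &kbd->resources; pos = next) {
        next = pos->next;
        list_remove(pos);
        list_init(pos);
    }
    free(kbd);
}

/* Safe only if link does not point into memory that was already freed. */
static void resource_destroy(struct resource *res) {
    list_remove(&res->link);
    free(res);
}

/* Returns 1 when no resource link references the owner after it is freed. */
int teardown_is_safe(void) {
    struct keyboard *kbd = calloc(1, sizeof *kbd);
    struct resource *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (!kbd || !a || !b) return 0;
    list_init(&kbd->resources);
    list_insert(&kbd->resources, &a->link);
    list_insert(&kbd->resources, &b->link);
    keyboard_destroy(kbd);                       /* owner released first */
    int ok = a->link.next == &a->link && a->link.prev == &a->link &&
             b->link.next == &b->link && b->link.prev == &b->link;
    resource_destroy(a); resource_destroy(b);    /* resources destroyed later */
    return ok;
}
int main(void) { return teardown_is_safe() ? 0 : 1; }
```

Without the loop in keyboard_destroy(), the later list_remove() would write into the freed owner, which is the kind of WRITE of size 8 inside the freed region that AddressSanitizer reports above.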