[PATCH] server: Fix crash when accessing client which is already freed

Hyun Kook Khang hyunkook.khang at lge.com
Thu Sep 22 23:40:30 UTC 2016 

Giulio,

Sorry for resending same email. (previous one got failed to send to wayland-devel at lists.freedesktop.org <mailto:wayland-devel at lists.freedesktop.org>; so I’m sending the same one again)

in wl_client_connection_data(),
there is no guarantee that client would never be destroyed in the process of handling the pending input.

For example,
1. It comes to wl_client_connection_data()
2. wl_closure_invoke() would be invoked, and then wl_display_flush_clients would be invoked anyhow later in the same routine. (wl_closure_invoke() -> ? -> wl_display_flush_clients())
    Here, client will be destroyed if wl_connection_flush() returns negative value and errno is not EAGAIN.
3. It will come back to the while loop in wl_client_connection_data().
    If wl_connection_pending_input() returns any values which is bigger than “size of p”; it will go into the while loop again, and then it will do something with the client which is already freed.


The simplest way to solve this is checking the source(wl_event_source)’ fd, but for now there is no way to access wl_event_source in wayland-server.c. (wl_event_source will be freed a while later)

Thanks,

Hyunkook Khang / 강 현 국
Research Engineer
Reference Platform Task
Mobile: 82-10-7249-9909
E-mail: hyunkook.khang at lge.com <mailto:hyunkook.khang at lge.com>
Seocho R&D Campus, 19, Yangjae-daero 11gil
Seocho-gu, Seoul 137-130, Korea




> On Sep 22, 2016, at 4:50 PM, Giulio Camuffo <giuliocamuffo at gmail.com> wrote:
> 
> Hi,
> 
> could you write how to trigger the crash, also in the commit message
> maybe? Besides that, i have a comment inline below.
> 
> 2016-09-21 9:08 GMT+02:00 Hyunkook Khang <hyunkook.khang at lge.com>:
>> While processing pending data, client could be destroyed in the middle of
>> the process. (e.g. by invoking wl_display_flush_clients()).
>> In this case, client will be freed, but we are still in the processing data
>> of the client, so it could cause a crash.
>> 
>> To avoid this, instead of destroying the client directly,
>> just set the error here and destroy the client where it needs to be.
>> 
>> Signed-off-by: Hyunkook Khang <hyunkook.khang at lge.com>
>> ---
>> src/wayland-server.c |    8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>> 
>> diff --git a/src/wayland-server.c b/src/wayland-server.c
>> index 9d7d9c1..89d0bac 100644
>> --- a/src/wayland-server.c
>> +++ b/src/wayland-server.c
>> @@ -1103,10 +1103,16 @@ wl_display_terminate(struct wl_display *display)
>> WL_EXPORT void
>> wl_display_run(struct wl_display *display)
>> {
>> +       struct wl_client *client, *next;
>> +
>>        display->run = 1;
>> 
>>        while (display->run) {
>>                wl_display_flush_clients(display);
>> +               wl_list_for_each_safe(client, next, &display->client_list, link) {
>> +                       if (client->error)
>> +                               wl_client_destroy(client);
>> +               }
> 
> wl_display_flush_clients() may be called manually by the user too,
> without using wl_display_run(). So now all the users would need to do
> the loop to destroy the clients, or else they would leak. Instead, you
> should do the loop at the end of wl_display_flush_clients().
> 
> 
> Thanks,
> Giulio
> 
>>                wl_event_loop_dispatch(display->loop, -1);
>>        }
>> }
>> @@ -1124,7 +1130,7 @@ wl_display_flush_clients(struct wl_display *display)
>>                                                  WL_EVENT_WRITABLE |
>>                                                  WL_EVENT_READABLE);
>>                } else if (ret < 0) {
>> -                       wl_client_destroy(client);
>> +                       client->error = 1;
>>                }
>>        }
>> }
>> --
>> 1.7.9.5
>> 
>> _______________________________________________
>> wayland-devel mailing list
>> wayland-devel at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/wayland-devel
> _______________________________________________
> wayland-devel mailing list
> wayland-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/wayland-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/wayland-devel/attachments/20160923/f9d57ccd/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Email_Signature_image_English.jpg
Type: image/jpeg
Size: 101522 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/wayland-devel/attachments/20160923/f9d57ccd/attachment-0001.jpg>

More information about the wayland-devel mailing list