[Xcb] use after free in _XReply in libX11 1.3.4

Pauli Nieminen suokkos at gmail.com
Thu Jul 15 23:38:46 PDT 2010


CC: xcb list

On Thu, Jul 15, 2010 at 11:23 PM, Matthieu Herrb <matthieu.herrb at laas.fr> wrote:
> Hi,
>
> After updating to libX11 1.3.4, I started seeing window managers or
> toolbar programs exit without reason when closing windows or pop-ups.
>
> After a bit of debugging, I figured out that this is caused by
> a use after free bug in _XReply. Most people running Linux won't see it
> because the data in the just free()'d memory is still there. But
> using OpenBSD's malloc, which fills free()'d memory with a specific
> pattern, you get a different code path.
>
> The problem arises in xcb_io.c:582. The 'current' pointer can have
> been free()'d already (by dequeue_pending_request() called at line 562)
> when getting there.
>
> A simple test program to reproduce the issue is appended below: just
> call XGetWindowProperty on a non-existent window.
>
> Using his favourite malloc debugger one should be able to see the problem
> on Linux too...
>
> Unfortunately I'm not sure of what the fix is...
>
> #include <X11/Xlib.h>
> #include <X11/Xatom.h>
> #include <stdio.h>
>
> int
> main(int argc, char *argv[])
> {
>        Display *dpy;
>        Window w = 0;   /* deliberately not an existing window */
>        Atom prop;
>        Atom type;
>        int format, result;
>        unsigned long nitems, bytes;
>        unsigned char *prop_value;
>
>        dpy = XOpenDisplay(NULL);
>        if (dpy == NULL) {
>                fprintf(stderr, "cannot open display\n");
>                return 1;
>        }
>        /* the server answers with a BadWindow error for window 0 */
>        prop = XInternAtom (dpy, "_NET_WM_STATE", False);
>        result = XGetWindowProperty(dpy, w, prop, 0, 0x7fffffff, False,
>            XA_ATOM, &type, &format, &nitems, &bytes, &prop_value);
>        return result;
> }
>
> --
> Matthieu Herrb
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>
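The report above describes a pattern rather than a single line: a queue of pending requests is walked with a 'current' pointer, the dequeue routine frees the node, and the caller dereferences 'current' afterwards. The following is an added example, not code from either e-mail and not libX11's xcb_io.c; it models that pattern with a constructed queue (names such as reply_sequence_buggy, reply_sequence_fixed and the sequence number 4711 are assumptions). It also mimics the junk-filling behaviour of OpenBSD's malloc so the stale read becomes visible on any platform, and shows the fix shape of copying what is needed out of the node before it is freed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the reported pattern (not libX11 code): a queue of
 * pending requests, a 'current' pointer into it, and a dequeue routine that
 * frees the head node. */
typedef struct pending_request {
    unsigned long sequence;
    struct pending_request *next;
} pending_request;

typedef struct { pending_request *head, **tail; } request_queue;

/* Junk-filling free in the spirit of OpenBSD's malloc(3) "J" option: the
 * freed block is overwritten with JUNK_BYTE. To make the demo reproducible
 * the most recent block is parked instead of handed back to libc, so a read
 * through a dangling pointer deterministically sees the junk pattern. */
#define JUNK_BYTE 0xdf
static void *parked;

static void junk_free(void *p, size_t n)
{
    memset(p, JUNK_BYTE, n);
    free(parked);          /* free(NULL) is a no-op */
    parked = p;
}

static void enqueue(request_queue *q, unsigned long seq)
{
    pending_request *r = malloc(sizeof *r);
    if (r == NULL) abort();
    r->sequence = seq;
    r->next = NULL;
    *q->tail = r;
    q->tail = &r->next;
}

/* Unlink and free the head node; the caller must not touch it afterwards. */
static void dequeue_pending_request(request_queue *q)
{
    pending_request *r = q->head;
    if (r == NULL) return;
    q->head = r->next;
    if (q->head == NULL) q->tail = &q->head;
    junk_free(r, sizeof *r);
}

/* Buggy shape: 'current' is dereferenced after the dequeue freed it. With a
 * non-junking malloc the old value is usually still there, so this "works";
 * with a junking allocator the caller gets 0xdfdf... instead. */
static unsigned long reply_sequence_buggy(request_queue *q)
{
    pending_request *current = q->head;
    if (current == NULL) return 0;
    dequeue_pending_request(q);   /* frees *current */
    return current->sequence;     /* use after free */
}

/* Fixed shape: copy what is needed out of the node before it is freed. */
static unsigned long reply_sequence_fixed(request_queue *q)
{
    pending_request *current = q->head;
    unsigned long seq;
    if (current == NULL) return 0;
    seq = current->sequence;
    dequeue_pending_request(q);
    return seq;
}

/* What a junked unsigned long reads back as. */
unsigned long junk_sequence(void)
{
    unsigned long v;
    memset(&v, JUNK_BYTE, sizeof v);
    return v;
}

/* Push one request (constructed sequence number 4711) through the chosen
 * variant and return the sequence number the caller observed. */
unsigned long demo(int use_fixed)
{
    request_queue q = { NULL, &q.head };
    enqueue(&q, 4711);
    return use_fixed ? reply_sequence_fixed(&q) : reply_sequence_buggy(&q);
}

int main(void)
{
    printf("buggy: %#lx (junk pattern %#lx)\nfixed: %lu\n",
           demo(0), junk_sequence(), demo(1));
    return 0;
}
```

The parked-block trick exists only so the example is deterministic; a real junking allocator does not keep the block alive, which is exactly why such bugs surface as crashes on OpenBSD and stay silent with an allocator that leaves freed data in place. On Linux the same class of defect is found with a freed-memory-poisoning tool such as Valgrind or AddressSanitizer, as the report suggests.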
