RR Leases use-after-free bug

Keith Packard keithp at keithp.com
Tue Jun 26 23:34:41 UTC 2018


Thomas Hellstrom <thellstrom at vmware.com> writes:

> Hi!
>
> I'd like to draw your attention to bug 106960 where the new leases code 
> accesses freed memory.

Thanks. I've got a proposed fix which re-works where leases are taken
down during X server reset or termination.

> On xf86-video-vmware it causes a server segfault. On modesetting it 
> doesn't (yet) but can be seen with valgrind.

I've hacked up a client to take a lease and close the X connection so
that the lease hangs around for X server shutdown for testing; the
results were pretty spectacular. The leases held pointers to crtcs and
outputs; during termination, the crtcs and outputs were freed when their
associated XIDs were freed, which happens before CloseScreen. At
CloseScreen time, the leases still held pointers to those objects which
caused all sorts of issues.

The patch below terminates any lease referencing a CRTC or
output that is being destroyed; that makes the leases go away before
CloseScreen. Any remaining leases (which must have no outputs or CRTCs
at all) get terminated in RRCloseScreen.

Lease termination is no longer necessary in the driver now, so I've
removed it from the modesetting driver.

I also discovered that leasing is broken with current X server master;
patches to fix that have been sent to the list under a separate cover.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-During-reset-shutdown-clean-up-leases-in-DIX-instead.patch
Type: text/x-diff
Size: 6468 bytes
Desc: not available
URL: <https://lists.x.org/archives/xorg-devel/attachments/20180626/cfc334e7/attachment.patch>
-------------- next part --------------

-- 
-keith
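
Added example, not part of the original message and not the attached patch or X server code: a simplified C model of the teardown ordering described above, where destroying a CRTC or output first terminates every lease that points at it, and the close-screen step only handles leases with no objects left. All type and function names are hypothetical, and the scenario is constructed.

```c
/* Added illustration: a simplified model of the teardown ordering, not X server code.
 * All type and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LEASES 4
#define MAX_OBJS   4

struct obj    { int id; };                              /* stands in for a CRTC or output */
struct lease  { struct obj *objs[MAX_OBJS]; int nobjs; };
struct screen { struct lease *leases[MAX_LEASES]; };

static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }

static void lease_terminate(struct screen *s, int i) { free(s->leases[i]); s->leases[i] = NULL; }

static int lease_refs(const struct lease *l, const struct obj *o) {
    for (int i = 0; i < l->nobjs; i++)
        if (l->objs[i] == o) return 1;
    return 0;
}

/* Object destructor: drop every lease that points at o, then free o. */
static void obj_destroy(struct screen *s, struct obj *o) {
    for (int i = 0; i < MAX_LEASES; i++)
        if (s->leases[i] && lease_refs(s->leases[i], o)) lease_terminate(s, i);
    free(o);
}

/* Close-screen step: whatever is left holds no objects; returns how many were terminated. */
static int close_screen(struct screen *s) {
    int n = 0;
    for (int i = 0; i < MAX_LEASES; i++)
        if (s->leases[i]) { lease_terminate(s, i); n++; }
    return n;
}

/* Constructed scenario: lease 0 holds a CRTC and an output, lease 1 holds nothing. */
int shutdown_scenario(int *terminated_early) {
    struct screen s = {0};
    struct obj *crtc = xalloc(sizeof *crtc), *output = xalloc(sizeof *output);
    s.leases[0] = xalloc(sizeof(struct lease));
    s.leases[1] = xalloc(sizeof(struct lease));
    s.leases[0]->objs[0] = crtc; s.leases[0]->objs[1] = output; s.leases[0]->nobjs = 2;
    obj_destroy(&s, crtc);                 /* lease 0 is terminated here */
    *terminated_early = (s.leases[0] == NULL);
    obj_destroy(&s, output);               /* no lease references it any more */
    return close_screen(&s);               /* only the empty lease 1 remains */
}

int main(void) {
    int early, left = shutdown_scenario(&early);
    printf("terminated on destroy: %d, terminated at close: %d\n", early, left);
    return 0;
}
```

Building this with AddressSanitizer or running it under valgrind should report no invalid accesses, because no lease outlives an object it points to.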