wayland / wayland · Issues · #224 · Closed
Issue created Jul 30, 2021 by Demi Marie Obenour (@DemiMarie, Contributor)

Reference count overflow in shm leads to use-after-free

The shared memory code uses an int for the reference count. On 64-bit systems, a malicious client can create so many references that the int overflows. This is undefined behavior, but it will most likely cause the int to overflow, causing an exploitable use-after-free. A successful exploit will result in the execution of arbitrary code in the context of the Wayland compositor.

To fix this bug, uintptr_t (or intptr_t) should be used for all reference counts. There are only UINT_MAX possible distinct pointers, so a uintptr_t reference count can never overflow, and an intptr_t reference count cannot overflow if the referencing and referenced objects are at least 2 bytes. This assumes that INTPTR_MAX == (UINTPTR_MAX >> 1) && UINTPTR_MAX == ((uintptr_t)INTPTR_MAX << 1) + 1, which can be checked with a C11 _Static_assert.
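The following is an added worked example, not libwayland's code and not part of the report above. It models the bug and the proposed fix side by side: a `narrow_pool` whose counter is an `uint8_t` stands in for the `int` counter (8 bits so the wrap is reachable in a test, unsigned so the model itself is well defined, whereas overflowing a real `int` is undefined behaviour that in practice wraps the same way), and a `wide_pool` that uses the `uintptr_t` counter the post recommends, together with the two `_Static_assert`s it mentions. All struct and function names here are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The width relation the post's argument relies on, checked at compile time
 * as it suggests. Both hold on every mainstream ABI. */
_Static_assert(INTPTR_MAX == (intptr_t)(UINTPTR_MAX >> 1),
               "intptr_t is not the signed half of uintptr_t");
_Static_assert(UINTPTR_MAX == ((uintptr_t)INTPTR_MAX << 1) + 1,
               "uintptr_t is not twice intptr_t plus one");

/* --- Model of the reported bug: a counter that can wrap ------------------ */
struct narrow_pool {
    uint8_t refcount;   /* stands in for the 32-bit int; wraps after 256 refs */
    bool freed;         /* set instead of actually freeing, so tests can look */
};

struct narrow_pool *narrow_pool_create(void) {
    struct narrow_pool *p = calloc(1, sizeof *p);
    if (p) p->refcount = 1;             /* the creator's own reference */
    return p;
}

/* Unchecked increment: the pattern the report describes. */
void narrow_pool_ref(struct narrow_pool *p) { p->refcount++; }

/* Drop one reference; "free" when the count reaches zero. */
void narrow_pool_unref(struct narrow_pool *p) {
    if (--p->refcount == 0) p->freed = true;
}

/* A client takes n_client_refs references, then the creator drops its one.
 * Returns true if the pool was "freed" while client references still exist. */
bool narrow_pool_uaf_after(unsigned n_client_refs) {
    struct narrow_pool *p = narrow_pool_create();
    if (!p) return false;
    for (unsigned i = 0; i < n_client_refs; i++) narrow_pool_ref(p);
    narrow_pool_unref(p);
    bool uaf = p->freed && n_client_refs > 0;
    free(p);
    return uaf;
}

/* --- The proposed fix: a pointer-width counter --------------------------- */
struct wide_pool {
    uintptr_t refcount; /* more distinct references than this cannot exist */
    bool freed;
};

struct wide_pool *wide_pool_create(void) {
    struct wide_pool *p = calloc(1, sizeof *p);
    if (p) p->refcount = 1;
    return p;
}

/* The == UINTPTR_MAX check is unreachable by the post's argument; it is kept
 * as cheap insurance so a future change can never turn this into a wrap. */
bool wide_pool_ref(struct wide_pool *p) {
    if (p->refcount == UINTPTR_MAX) return false;
    p->refcount++;
    return true;
}

void wide_pool_unref(struct wide_pool *p) {
    if (--p->refcount == 0) p->freed = true;
}

bool wide_pool_uaf_after(unsigned n_client_refs) {
    struct wide_pool *p = wide_pool_create();
    if (!p) return false;
    for (unsigned i = 0; i < n_client_refs; i++) wide_pool_ref(p);
    wide_pool_unref(p);
    bool uaf = p->freed && n_client_refs > 0;
    free(p);
    return uaf;
}

/* Forces the counter to its ceiling to show ref() refuses instead of wrapping. */
bool wide_pool_ref_refuses_at_max(void) {
    struct wide_pool p = { .refcount = UINTPTR_MAX, .freed = false };
    bool refused = !wide_pool_ref(&p);
    return refused && p.refcount == UINTPTR_MAX;
}

int main(void) {
    printf("narrow counter, 256 client refs: uaf=%d\n", narrow_pool_uaf_after(256));
    printf("wide counter,   256 client refs: uaf=%d\n", wide_pool_uaf_after(256));
    printf("wide counter refuses at max:     %d\n", wide_pool_ref_refuses_at_max());
    return 0;
}
```

With 256 client references the narrow counter wraps back to 1, so the creator's single unref hits zero and releases the pool while 256 references to it are still live; the wide counter simply reads 256 afterwards. Scaling the model back up, the same wrap needs 2^32 references against a real `int`, which a client with enough address space on a 64-bit host can reach.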
