Skip to content

compositor: Prevent an invalid access against content protection

Marius Vlad requested to merge mvlad/weston:wip/mvlad/simple-cp-test into main

Avoids an user-after-free when destroying the surface, like in the following ASAN message:

==25180==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000589d8 at pc 0x7ff70a4f7102 bp 0x7fff8f7e13b0 sp 0x7fff8f7e13a8
READ of size 8 at 0x6060000589d8 thread T0
    #0 0x7ff70a4f7101 in weston_schedule_surface_protection_update ../libweston/compositor.c:1163
    #1 0x7ff70a4f743b in weston_surface_update_output_mask ../libweston/compositor.c:1212
    #2 0x7ff70a4f7a47 in weston_surface_assign_output ../libweston/compositor.c:1298
    #3 0x7ff70a4f7f44 in weston_view_assign_output ../libweston/compositor.c:1348
    #4 0x7ff70a4fa12f in weston_view_update_transform ../libweston/compositor.c:1589
    #5 0x7ff70a4ffc20 in view_list_add ../libweston/compositor.c:2657
    #6 0x7ff70a5000ee in weston_compositor_build_view_list ../libweston/compositor.c:2688
    #7 0x7ff70a4fd577 in weston_view_destroy ../libweston/compositor.c:2202
    #8 0x7ff70a4fd7df in weston_surface_destroy ../libweston/compositor.c:2239
    #9 0x7ff70a4fdbb0 in destroy_surface ../libweston/compositor.c:2285
    #10 0x7ff70a4a2d3e in destroy_resource ../src/wayland-server.c:723
    #11 0x7ff70a4a8940 in for_each_helper ../src/wayland-util.c:372
    #12 0x7ff70a4a8e1f in wl_map_for_each ../src/wayland-util.c:385
    #13 0x7ff70a4a3748 in wl_client_destroy ../src/wayland-server.c:882
    #14 0x7ff6fe04e866 in shell_destroy ../desktop-shell/shell.c:5004
    #15 0x7ff70a4ee923 in wl_signal_emit /home/mvlad/install-amd64/include/wayland-server-core.h:481
    #16 0x7ff70a51598d in weston_compositor_destroy ../libweston/compositor.c:7903
    #17 0x7ff70a903a58 in wet_main ../compositor/main.c:3493
    #18 0x560de7b3b179 in main ../compositor/executable.c:33
    #19 0x7ff70a73ecc9 in __libc_start_main ../csu/libc-start.c:308
    #20 0x560de7b3b099 in _start (/home/mvlad/install-amd64/bin/weston+0x1099)

0x6060000589d8 is located 56 bytes inside of 64-byte region [0x6060000589a0,0x6060000589e0)
freed by thread T0 here:
    #0 0x7ff70a9d3b6f in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f)
    #1 0x7ff70a5167d2 in cp_destroy_listener ../libweston/content-protection.c:193
    #2 0x7ff70a4ee923 in wl_signal_emit /home/mvlad/install-amd64/include/wayland-server-core.h:481
    #3 0x7ff70a51598d in weston_compositor_destroy ../libweston/compositor.c:7903
    #4 0x7ff70a903a58 in wet_main ../compositor/main.c:3493
    #5 0x560de7b3b179 in main ../compositor/executable.c:33
    #6 0x7ff70a73ecc9 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ff70a9d4037 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xaa037)
    #1 0x7ff70a5160aa in zalloc ../include/libweston/zalloc.h:38
    #2 0x7ff70a516cda in weston_compositor_enable_content_protection ../libweston/content-protection.c:329
    #3 0x7ff7070247e0 in drm_backend_create ../libweston/backend-drm/drm.c:3180
    #4 0x7ff707024cae in weston_backend_init ../libweston/backend-drm/drm.c:3250
    #5 0x7ff70a515d02 in weston_compositor_load_backend ../libweston/compositor.c:7999
    #6 0x7ff70a8fbcfb in load_drm_backend ../compositor/main.c:2614
    #7 0x7ff70a900b46 in load_backend ../compositor/main.c:3103
    #8 0x7ff70a902ecd in wet_main ../compositor/main.c:3380
    #9 0x560de7b3b179 in main ../compositor/executable.c:33
    #10 0x7ff70a73ecc9 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free ../libweston/compositor.c:1163 in weston_schedule_surface_protection_update

Signed-off-by: Marius Vlad marius.vlad@collabora.com

Edited by Marius Vlad

Merge request reports

Loading