wl_resource_destroy heap-use-after-free of memory destroyed by weston_seat_release
Submitted by comicfans44
Assigned to Wayland bug list
Description
I'm trying weston with the RDP backend; after the RDP session disconnects, weston crashes.
It seems weston_seat_release already calls
weston_keyboard_destroy(seat->keyboardstate)
but later wl_resource_destroy->destroy_resource->wl_list_remove accesses this memory.
AddressSanitizer report:
==10695==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000020d50 at pc 0x7f05e9f6c567 bp 0x7ffee886bf10 sp 0x7ffee886bf00
WRITE of size 8 at 0x611000020d50 thread T0
#0 0x7f05e9f6c566 in wl_list_remove /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-util.c:57
#1 0x7f05e9f5df7a in destroy_resource /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:571
#2 0x7f05e9f5f89e in wl_resource_destroy /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:584
#3 0x7f05e84cae2f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0xce2f)
#4 0x7f05e84c9a2d in ffi_call (/usr/lib64/libffi.so.6+0xba2d)
#5 0x7f05e9f6af75 in wl_closure_invoke /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/connection.c:949
#6 0x7f05e9f603b5 in wl_client_connection_data /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:337
#7 0x7f05e9f650d1 in wl_event_loop_dispatch /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/event-loop.c:421
#8 0x7f05e9f611af in wl_display_run /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:1051
#9 0x40a333 in main src/main.c:859
#10 0x7f05e8ea459f in __libc_start_main (/lib64/libc.so.6+0x2059f)
#11 0x40a8c8 in _start (/usr/bin/weston+0x40a8c8)
0x611000020d50 is located 16 bytes inside of 232-byte region [0x611000020d40,0x611000020e28)
freed by thread T0 here:
#0 0x7f05ea1d455f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5755f)
#1 0x42c92c in weston_seat_release src/input.c:2675
previously allocated by thread T0 here:
#0 0x7f05ea1d4935 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57935)
#1 0x423e6f in zalloc shared/zalloc.h:38
#2 0x423e6f in weston_keyboard_create src/input.c:756
Edited by Daniel Stone
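
The teardown ordering described in the report, as an added example that is not part of the original bug report and not weston's or libwayland's code. It assumes the resource's link sat on a list whose head is embedded in the freed keyboard state. `struct keyboard`, `struct resource` and the list helpers are hypothetical stand-ins, and detaching every link before the free is one common mitigation, not necessarily the fix the project applied.

```c
#include <stdio.h>
#include <stdlib.h>
/* Minimal intrusive list with the same unlink behaviour as wl_list. */
struct list { struct list *prev, *next; };
static void list_init(struct list *l) { l->prev = l; l->next = l; }
static void list_insert(struct list *head, struct list *e) {
    e->prev = head; e->next = head->next;
    head->next = e; e->next->prev = e;
}
static void list_remove(struct list *e) {
    e->prev->next = e->next;   /* writes into the neighbour, possibly the head */
    e->next->prev = e->prev;
    e->prev = e->next = NULL;
}

/* Hypothetical stand-ins for the keyboard state and a client resource. */
struct keyboard { int id; struct list resources; };
struct resource { struct list link; };
/* Resource destructor: unlinks itself from whatever list it is on. */
static void resource_destroy(struct resource *r) { list_remove(&r->link); free(r); }

/* Unsafe order (never called here): frees the list head while resources
 * still point at it, so a later resource_destroy() writes into freed memory. */
void keyboard_destroy_unsafe(struct keyboard *k) { free(k); }

/* Hardened order: detach every resource first, leaving each link self-linked. */
static void keyboard_destroy_safe(struct keyboard *k) {
    struct list *e, *next;
    for (e = k->resources.next; e != &k->resources; e = next) {
        next = e->next;
        list_remove(e);
        list_init(e);
    }
    free(k);
}

/* Returns 1 if both resources are self-linked after the owner is freed. */
int demo_safe_teardown(void) {
    struct keyboard *k = calloc(1, sizeof *k);
    struct resource *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (!k || !a || !b) return -1;
    list_init(&k->resources);
    list_insert(&k->resources, &a->link);
    list_insert(&k->resources, &b->link);
    keyboard_destroy_safe(k);
    int ok = a->link.next == &a->link && b->link.prev == &b->link;
    resource_destroy(a);   /* touches only a's own link now */
    resource_destroy(b);
    return ok;
}
int main(void) { printf("safe teardown ok: %d\n", demo_safe_teardown()); return 0; }
```

Building with `-fsanitize=address` and swapping in `keyboard_destroy_unsafe` reproduces the same class of report: a write in the list unlink into a region freed by the owner's destructor.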