Skip to content

wlr_seat destroy: fix use-after-free when destroying clients

Dominique Martinet requested to merge github/fork/martinetd/wlr-seat-destroy into master

wl_resource_for_each_safe isn't safe to use here because it accesses the list's head memory one last time at the end of the loop. Work around this by breaking out early.

==19880==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000e6368 at pc 0x7fab68619de2 bp 0x7ffd5c91cee0 sp 0x7ffd5c91ced0
READ of size 8 at 0x60d0000e6368 thread T0
    #0 0x7fab68619de1 in wlr_seat_destroy ../types/seat/wlr_seat.c:179
    #1 0x7fab68619fb9 in handle_display_destroy ../types/seat/wlr_seat.c:196
    #2 0x7fab688e4f8f in wl_priv_signal_emit src/wayland-server.c:2024
    #3 0x7fab688e56ca in wl_display_destroy src/wayland-server.c:1092
    #4 0x40c11e in server_fini ../sway/server.c:138
    #5 0x40b1a8 in main ../sway/main.c:438
    #6 0x7fab67b5e18a in __libc_start_main ../csu/libc-start.c:308
    #7 0x409359 in _start (/opt/wayland/bin/sway+0x409359)

0x60d0000e6368 is located 24 bytes inside of 144-byte region [0x60d0000e6350,0x60d0000e63e0)
freed by thread T0 here:
    #0 0x7fab6a7d6880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fab68619805 in seat_client_handle_resource_destroy ../types/seat/wlr_seat.c:97
    #2 0x7fab688e5025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fab6a7d6e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fab686198df in seat_handle_bind ../types/seat/wlr_seat.c:127
    #2 0x7fab6530503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)

Merge request reports