
types/wlr_seat: finish keyboard_state during wlr_seat_destroy

Simon Zeni requested to merge bl4ckb0ne/wlroots:wlr-seat-keyboard-fix-uaf into master

Fixes a use-after-free issue when the wlr_seat has been destroyed manually and destroying the display destroyed the associated wlr_keyboard.

=================================================================
==11244==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000007dd8 at pc 0x7f3c051f7f21 bp 0x7ffd64a704e0 sp 0x7ffd64a704d8
READ of size 8 at 0x618000007dd8 thread T0
    #0 0x7f3c051f7f20 in handle_keyboard_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat_keyboard.c:116:31
    #1 0x7f3c056e2ba0 in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x9ba0)
    #2 0x7f3c052c8744 in wlr_input_device_finish /home/simon/src/wxrc/build/../subprojects/wlroots/types/wlr_input_device.c:23:2
    #3 0x7f3c052d483c in wlr_keyboard_finish /home/simon/src/wxrc/build/../subprojects/wlroots/types/wlr_keyboard.c:154:2
    #4 0x7f3c051610be in destroy_wl_seats /home/simon/src/wxrc/build/../subprojects/wlroots/backend/wayland/seat.c:263:5
    #5 0x7f3c0514dc52 in backend_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/wayland/backend.c:470:2
    #6 0x7f3c050db184 in wlr_backend_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/backend.c:67:3
    #7 0x7f3c05148765 in multi_backend_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/multi/backend.c:57:3
    #8 0x7f3c05146607 in handle_display_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/multi/backend.c:125:2
    #9 0x7f3c056e3dd0  (/usr/lib/libwayland-server.so.0+0xadd0)
    #10 0x7f3c056e44a1 in wl_display_destroy (/usr/lib/libwayland-server.so.0+0xb4a1)
    #11 0x55b4942eafbb in wxrc_server_finish /home/simon/src/wxrc/build/../wxrc/server.c:617:2
    #12 0x55b4942a0144 in main /home/simon/src/wxrc/build/../wxrc/main.c:128:2
    #13 0x7f3c057b49c9 in libc_start_main_stage2 /home/buildozer/aports/main/musl/src/v1.2.3/src/env/__libc_start_main.c:95:2

0x618000007dd8 is located 344 bytes inside of 880-byte region [0x618000007c80,0x618000007ff0)
freed by thread T0 here:
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x55b494195872 in __interceptor_free /home/buildozer/aports/main/llvm-runtimes/src/llvm-project-15.0.5.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f3c0520f2a1 in wlr_seat_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat.c:216:2
    #2 0x55b4942cd6c4 in wxrc_seat_destroy /home/simon/src/wxrc/build/../wxrc/seat.c:846:2
    #3 0x55b4942eae75 in wxrc_server_finish /home/simon/src/wxrc/build/../wxrc/server.c:614:2
    #4 0x55b4942a0144 in main /home/simon/src/wxrc/build/../wxrc/main.c:128:2
    #5 0x7f3c057b49c9 in libc_start_main_stage2 /home/buildozer/aports/main/musl/src/v1.2.3/src/env/__libc_start_main.c:95:2
    #6 0x7ffd64a72c64  ([stack]+0x20c64)

previously allocated by thread T0 here:
    #0 0x55b494195b88 in __interceptor_calloc /home/buildozer/aports/main/llvm-runtimes/src/llvm-project-15.0.5.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x7f3c0520f2d1 in wlr_seat_create /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat.c:226:26
    #2 0x55b4942cad93 in wxrc_seat_create /home/simon/src/wxrc/build/../wxrc/seat.c:792:15
    #3 0x55b4942e494d in wxrc_server_init /home/simon/src/wxrc/build/../wxrc/server.c:229:17
    #4 0x55b49429fe7d in main /home/simon/src/wxrc/build/../wxrc/main.c:101:7
    #5 0x7f3c057b49c9 in libc_start_main_stage2 /home/buildozer/aports/main/musl/src/v1.2.3/src/env/__libc_start_main.c:95:2
    #6 0x7ffd64a72c64  ([stack]+0x20c64)

SUMMARY: AddressSanitizer: heap-use-after-free /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat_keyboard.c:116:31 in handle_keyboard_destroy
Shadow bytes around the buggy address:
  0x0c307fff8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c307fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fff8f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff8fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c307fff8fb0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c307fff8fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c307fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11244==ABORTING
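The trace above reads as a classic dangling-listener bug: the seat's keyboard state registers a listener on the keyboard's destroy signal, the seat is freed by hand, and when display teardown later finishes the keyboard the signal still walks into the freed seat. The following C program is an added illustration of that pattern and of the fix the title describes (finishing the keyboard state before the seat's memory goes away); it is not wlroots code and does not use libwayland. The `list`/`signal`/`listener` types are a simplified stand-in for `wl_list`/`wl_signal`/`wl_listener` (assumed to have the same intrusive-list shape), and the names `seat_finish_keyboard_state`, `teardown` and `g_destroy_callbacks` are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for wl_list / wl_signal / wl_listener (assumption: the
 * same intrusive-list shape as libwayland's, but not libwayland itself). */
struct list { struct list *prev, *next; };

static void list_init(struct list *l) { l->prev = l; l->next = l; }
static int list_empty(const struct list *l) { return l->next == l; }

static void list_insert(struct list *after, struct list *elm) {
	elm->prev = after;
	elm->next = after->next;
	after->next = elm;
	elm->next->prev = elm;
}

/* Unlink and poison the links, as wl_list_remove does. */
static void list_remove(struct list *elm) {
	elm->prev->next = elm->next;
	elm->next->prev = elm->prev;
	elm->prev = elm->next = NULL;
}

struct listener;
typedef void (*notify_fn)(struct listener *listener, void *data);
struct listener { struct list link; notify_fn notify; };
struct signal { struct list listeners; };

/* Emit to every listener, tolerating one that unlinks itself while notified. */
static void signal_emit(struct signal *sig, void *data) {
	struct list *pos = sig->listeners.next, *next;
	for (; pos != &sig->listeners; pos = next) {
		next = pos->next;
		struct listener *l = (struct listener *)((char *)pos - offsetof(struct listener, link));
		l->notify(l, data);
	}
}

/* The two objects from the report: a keyboard that signals its destruction and
 * a seat whose keyboard state listens for that signal. */
struct keyboard { struct signal destroy; };
struct seat { struct keyboard *keyboard; struct listener keyboard_destroy; };
static int g_destroy_callbacks; /* constructed counter, to observe the callback */

static void handle_keyboard_destroy(struct listener *l, void *data) {
	(void)data;
	/* Recover the seat from its embedded listener. If the seat was already
	 * freed, this write is the heap-use-after-free the sanitizer points at. */
	struct seat *seat = (struct seat *)((char *)l - offsetof(struct seat, keyboard_destroy));
	seat->keyboard = NULL;
	list_remove(&l->link);
	g_destroy_callbacks++;
}

static struct seat *seat_create(void) {
	struct seat *seat = calloc(1, sizeof(*seat)); /* link.next starts out NULL */
	if (seat != NULL) seat->keyboard_destroy.notify = handle_keyboard_destroy;
	return seat;
}

static void seat_set_keyboard(struct seat *seat, struct keyboard *kb) {
	seat->keyboard = kb;
	list_insert(&kb->destroy.listeners, &seat->keyboard_destroy.link);
}

/* The fix: unlink every listener the seat registered before its memory goes
 * away. The NULL check covers a seat that never got a keyboard, or whose
 * listener already removed itself because the keyboard was finished first. */
static void seat_finish_keyboard_state(struct seat *seat) {
	if (seat->keyboard_destroy.link.next != NULL) list_remove(&seat->keyboard_destroy.link);
	seat->keyboard = NULL;
}

static void seat_destroy(struct seat *seat) {
	seat_finish_keyboard_state(seat); /* the pre-fix code went straight to free() */
	free(seat);
}

/* Runs one teardown order and returns how many callbacks the keyboard's destroy
 * signal reached (negative on a broken invariant). seat_first=1 is the order
 * from the report: seat destroyed by hand, keyboard finished afterwards by
 * display teardown. seat_first=0 is the usual order, where the listener unlinks
 * itself and seat_destroy must not remove it a second time. */
static int teardown(int seat_first) {
	struct keyboard kb;
	list_init(&kb.destroy.listeners);
	struct seat *seat = seat_create();
	if (seat == NULL) return -1;
	seat_set_keyboard(seat, &kb);
	int before = g_destroy_callbacks;
	if (seat_first) {
		seat_destroy(seat);
		if (!list_empty(&kb.destroy.listeners)) return -2; /* dangling link left behind */
		signal_emit(&kb.destroy, &kb); /* what wlr_keyboard_finish does */
	} else {
		signal_emit(&kb.destroy, &kb);
		if (seat->keyboard != NULL) return -3;
		seat_destroy(seat);
	}
	return g_destroy_callbacks - before;
}
```

With the unlink in place, `teardown(1)` (the report's order) reaches zero callbacks because the keyboard's listener list is already empty when it is finished, while `teardown(0)` still delivers the one expected callback. The poisoned `NULL` links written by `list_remove` are what let `seat_finish_keyboard_state` tell the two cases apart; that is also why an unconditional second removal would crash rather than silently corrupt the list.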
