use after free in _XReply in libX11 1.3.4
Matthieu Herrb
matthieu.herrb at laas.fr
Thu Jul 15 13:23:36 PDT 2010
Hi,

After updating to libX11 1.3.4, I started seeing window managers or
toolbar programs exit without reasons when closing windows or pop-ups.

After a bit of debugging, I figured out that this is caused by
a use after free bug in _XReply. Most people running Linux won't see it
because the data in the just free()'d memory is still there. But
using OpenBSD's malloc, which fills free()'d memory with a specific
pattern, you get a different code path.

The problem arises in xcb_io.c:582: the 'current' pointer can have
been free()'d already (by dequeue_pending_request() called at line 562)
when getting there.

A simple test program to reproduce the issue is appended below: just
call XGetWindowProperty on a non-existent window.

Using his favourite malloc debugger one should be able to see the problem
on Linux too...

Unfortunately I'm not sure of what the fix is...
#include <X11/Xlib.h>
#include <X11/Xatom.h>
#include <stdio.h>

int
main(int argc, char *argv[])
{
	Display *dpy;
	Window w = 0;		/* deliberately not an existing window */
	Atom prop;
	Atom type;
	int format, result;
	unsigned long nitems, bytes;
	unsigned char *prop_value;

	dpy = XOpenDisplay(NULL);
	if (dpy == NULL) {
		fprintf(stderr, "cannot open display\n");
		return 1;
	}
	prop = XInternAtom(dpy, "_NET_WM_STATE", False);
	/* Querying a property on a window that does not exist is enough
	 * to reach the free()'d 'current' pointer in _XReply. */
	result = XGetWindowProperty(dpy, w, prop, 0, 0x7fffffff, False,
	    XA_ATOM, &type, &format, &nitems, &bytes, &prop_value);
	return result;
}
--
Matthieu Herrb
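As an added illustration (not libX11 code, and not the fix, which the report leaves open), a small C model of the pattern the report describes: a saved 'current' pointer that is read after dequeue_pending_request() has released the entry it points to. The quarantine, the junk_fill flag and the sequence value 42 are constructed for the model; junk_fill mimics OpenBSD's malloc filling freed memory with a pattern, so the stale read returns the pattern instead of the old, valid-looking data that hides the bug on most Linux systems.

```c
/* Model of the dangling-'current' pattern (added example, not libX11 code). Released
 * entries are parked in a quarantine instead of being free()d, so the stale read stays
 * well-defined here; junk_fill mimics OpenBSD malloc poisoning freed memory. */
#include <stdlib.h>
#include <string.h>

#define JUNK_BYTE 0xdf   /* assumed fill byte standing in for the OpenBSD pattern */

struct pending { unsigned long sequence; struct pending *next; };
/* junk_fill: 1 poisons released memory, 0 leaves the old data intact. */
struct queue { struct pending *head; int junk_fill; void *held[16]; int nheld; };

static void release(struct queue *q, struct pending *p) {
    if (q->junk_fill) memset(p, JUNK_BYTE, sizeof *p);
    if (q->nheld < 16) q->held[q->nheld++] = p; else free(p);
}
static void enqueue(struct queue *q, unsigned long seq) {
    struct pending *p = malloc(sizeof *p);
    p->sequence = seq; p->next = q->head; q->head = p;
}
static void dequeue_pending_request(struct queue *q) {
    struct pending *p = q->head;
    if (!p) return;
    q->head = p->next; release(q, p);
}

/* Buggy shape: 'current' is taken before the dequeue and dereferenced after it. */
static unsigned long reply_buggy(struct queue *q) {
    struct pending *current = q->head;
    dequeue_pending_request(q);
    return current->sequence;   /* dangling read: junk pattern, or a stale value that looks fine */
}
/* Defensive shape: copy what is needed out of the entry before anything can release it. */
static unsigned long reply_copy_first(struct queue *q) {
    unsigned long seq = q->head ? q->head->sequence : 0;
    dequeue_pending_request(q);
    return seq;
}

/* Queue one request (sequence 42), run one variant, free the quarantine, return the read. */
static unsigned long run_model(int junk_fill, int buggy) {
    struct queue q = { 0 };
    q.junk_fill = junk_fill;
    enqueue(&q, 42);
    unsigned long v = buggy ? reply_buggy(&q) : reply_copy_first(&q);
    while (q.nheld) free(q.held[--q.nheld]);
    return v;
}

/* What an unsigned long reads as after junk fill, for comparison with reply_buggy(). */
static unsigned long junk_value(void) { unsigned long v; memset(&v, JUNK_BYTE, sizeof v); return v; }
```

With junk_fill set the buggy variant returns the fill pattern, with it clear it returns 42 and nothing looks wrong; the copy-first variant returns 42 either way.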