[PATCH xserver] xwayland: avoid a crash with empty window pixmaps
Daniel Stone
daniel at fooishbar.org
Thu Jan 18 11:22:24 UTC 2018
Hi Olivier,
On 18 January 2018 at 10:41, Olivier Fourdan <ofourdan at redhat.com> wrote:
> This is a rare occurrence of a crash in Xwayland for which I don't have
> the reproducing steps, just a core file.
>
> The backtrace looks as follows:
>
> [...]
> #6 <signal handler called>
> #7 xwl_glamor_pixmap_get_wl_buffer () at xwayland-glamor.c:162
> #8 xwl_screen_post_damage () at xwayland.c:514
> #9 block_handler () at xwayland.c:665
> [...]
>
> The crash is caused by dereferencing “xwl_pixmap->buffer” in
> xwl_glamor_pixmap_get_wl_buffer() because “xwl_pixmap” is NULL.
>
> Reason for this is because the corresponding pixmap has a size of 0×0
> and no xwl_pixmap is created for pixmaps of size 0×0.
>
> Avoid the NULL pointer dereference by checking the actual “xwl_pixmap”
> value in both glamor and shm implementations of pixmap_get_wl_buffer()
> and return a NULL buffer if there is no “xwl_pixmap”.
Odd; how could we have a realized 0x0 window which also has damage? I
wonder if this isn't actually a UAF where the xwl_window has since
been unrealized, in which case you should be able to reproduce pretty
easily by causing damage on a window and then immediately destroying
it. In that case, we just need
wl_list_remove(&xwl_window->link_damage) inside
xwl_window_unrealize().
Cheers,
Daniel
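To illustrate the alternative explanation in the reply (a window queued on the damage list, then unrealized without being unlinked), here is an added stand-alone example; it is not Xwayland code. It uses a minimal wl_list-style intrusive list written here, and `xwl_screen`/`xwl_window` are simplified stand-ins whose fields (`damage_window_list`, `damaged`) are assumptions for the example.

```c
/* Added illustration, not Xwayland source: an intrusive list node must be
 * unlinked before its owner is freed, or the next list walk hits freed memory. */
#include <stddef.h>
#include <stdlib.h>

/* Minimal wl_list-compatible doubly linked list (assumed, written for this example). */
struct wl_list { struct wl_list *prev, *next; };

static void wl_list_init(struct wl_list *l) { l->prev = l; l->next = l; }
static void wl_list_insert(struct wl_list *l, struct wl_list *e) {
    e->prev = l; e->next = l->next; l->next = e; e->next->prev = e;
}
static void wl_list_remove(struct wl_list *e) {
    e->prev->next = e->next; e->next->prev = e->prev; e->prev = e->next = NULL;
}
static int wl_list_empty(const struct wl_list *l) { return l->next == l; }

/* Simplified stand-ins for xwl_screen / xwl_window (hypothetical fields). */
struct xwl_screen { struct wl_list damage_window_list; };
struct xwl_window { struct wl_list link_damage; int damaged; };

/* Damage handler: queue the window for the next post_damage pass. */
static void xwl_window_damage(struct xwl_screen *s, struct xwl_window *w) {
    if (!w->damaged) {
        w->damaged = 1;
        wl_list_insert(&s->damage_window_list, &w->link_damage);
    }
}

/* Unrealize: unlink from the damage list *before* freeing, which is the
 * wl_list_remove(&xwl_window->link_damage) step suggested in the reply. */
static void xwl_window_unrealize(struct xwl_window *w) {
    if (w->damaged) wl_list_remove(&w->link_damage);
    free(w);
}

/* Count queued windows the way a block handler would iterate them. */
static int xwl_screen_count_damaged(const struct xwl_screen *s) {
    int n = 0;
    for (const struct wl_list *e = s->damage_window_list.next;
         e != &s->damage_window_list; e = e->next)
        n++;
    return n;
}

/* Scenario from the reply: damage a window, then destroy it immediately.
 * Returns 1 when the list is left with no dangling entry. */
int damage_then_destroy_leaves_no_dangling_entry(void) {
    struct xwl_screen s;
    wl_list_init(&s.damage_window_list);
    struct xwl_window *w = calloc(1, sizeof *w);
    if (!w) return 0;
    xwl_window_damage(&s, w);
    int before = xwl_screen_count_damaged(&s);
    xwl_window_unrealize(w);
    return before == 1 && wl_list_empty(&s.damage_window_list);
}
```

Dropping the `wl_list_remove` call in `xwl_window_unrealize` leaves `damage_window_list.next` pointing at freed memory, which is exactly the walk a later `xwl_screen_post_damage` would perform.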