|
|
1
|
+From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
|
|
|
2
|
+From: Povilas Kanapickas <povilas@radix.lt>
|
|
|
3
|
+Date: Sun, 19 Dec 2021 18:11:07 +0200
|
|
|
4
|
+Subject: [PATCH] dix: Fix use after free in input device shutdown
|
|
|
5
|
+
|
|
|
6
|
+This fixes access to freed heap memory via dev->master. E.g. when
|
|
|
7
|
+running BarrierNotify.ReceivesNotifyEvents/7 test from
|
|
|
8
|
+xorg-integration-tests:
|
|
|
9
|
+
|
|
|
10
|
+==24736==ERROR: AddressSanitizer: heap-use-after-free on address
|
|
|
11
|
+0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
|
|
|
12
|
+READ of size 4 at 0x619000065020 thread T0
|
|
|
13
|
+ #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
|
|
|
14
|
+ #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
|
|
|
15
|
+ #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
|
|
|
16
|
+../../../Xi/xichangehierarchy.c:95
|
|
|
17
|
+ #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
|
|
|
18
|
+../../../hw/xfree86/common/xf86Xinput.c:1142
|
|
|
19
|
+ #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
|
|
20
|
+ #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
|
|
21
|
+ #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
|
|
22
|
+ #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
|
|
23
|
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
|
|
24
|
+ #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
|
|
|
25
|
+
|
|
|
26
|
+0x619000065020 is located 160 bytes inside of 912-byte region
|
|
|
27
|
+[0x619000064f80,0x619000065310)
|
|
|
28
|
+freed by thread T0 here:
|
|
|
29
|
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
|
|
30
|
+ #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
|
|
|
31
|
+ #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
|
|
|
32
|
+../../../hw/xfree86/common/xf86Xinput.c:1142
|
|
|
33
|
+ #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
|
|
34
|
+ #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
|
|
35
|
+ #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
|
|
36
|
+ #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
|
|
37
|
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
|
|
38
|
+
|
|
|
39
|
+previously allocated by thread T0 here:
|
|
|
40
|
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
|
|
|
41
|
+ #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
|
|
|
42
|
+ #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
|
|
|
43
|
+ #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
|
|
|
44
|
+../../../Xi/xichangehierarchy.c:465
|
|
|
45
|
+ #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
|
|
|
46
|
+ #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
|
|
|
47
|
+ #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
|
|
|
48
|
+ #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
|
|
49
|
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
|
|
50
|
+
|
|
|
51
|
+The problem is caused by dev->master being not reset when disabling the
|
|
|
52
|
+device, which then causes dangling pointer when the master device itself
|
|
|
53
|
+is being deleted when exiting whole server.
|
|
|
54
|
+
|
|
|
55
|
+Note that RecalculateMasterButtons() requires dev->master to be still
|
|
|
56
|
+valid, so we can reset it only at the end of function.
|
|
|
57
|
+
|
|
|
58
|
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
|
59
|
+---
|
|
|
60
|
+ dix/devices.c | 1 +
|
|
|
61
|
+ 1 file changed, 1 insertion(+)
|
|
|
62
|
+
|
|
|
63
|
+diff --git a/dix/devices.c b/dix/devices.c
|
|
|
64
|
+index e62c34c55e95..5f9ce1678fc4 100644
|
|
|
65
|
+--- a/dix/devices.c
|
|
|
66
|
++++ b/dix/devices.c
|
|
|
67
|
+@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
|
68
|
+ }
|
|
|
69
|
+
|
|
|
70
|
+ RecalculateMasterButtons(dev);
|
|
|
71
|
++ dev->master = NULL;
|
|
|
72
|
+
|
|
|
73
|
+ return TRUE;
|
|
|
74
|
+ }
|
|
|
75
|
+--
|
|
|
76
|
+2.43.0
|
|
|
77
|
+ |