review.tizen.org Git - platform/upstream/wayland.git/commit

author	Thomas Lukaszewicz <tluk@chromium.org>
	Mon, 8 Jan 2024 00:36:10 +0000 (00:36 +0000)
committer	duna.oh <duna.oh@samsung.com>
	Thu, 25 Apr 2024 07:15:21 +0000 (16:15 +0900)
commit	2362721e6b7f044279bd947d95dd50025c205d58
tree	0f6c689f32e12d65bb3b6255cae8675b8d611bf7	tree \| snapshot
parent	b339cc9eac6012ac51752ad902205d1db6edacc2	commit \| diff

Mitigate UAF crashes due to iteration over freed wl_resources

Currently it is possible to iterate over client-owned resources
during client destruction that have had their associated memory
released.

This can occur when client code calls wl_client_destroy(). The
following sequence illustrates how this may occur.

1. The server initiates destruction of the connected client via
    call to wl_client_destroy().

2. Resource destroy listeners / destructors are invoked and
    resource memory is freed one resource at a time [1].

3. If a listener / destructor for a resource results in a call
    to wl_client_for_each_resource(), the iteration will proceed
    over resources that have been previously freed in step 2,
    resulting in UAFs / crashes.

The issue is that resources remain in the client's object map
even after they have had their memory freed, and are removed
from the map only after each individual resource has had its
memory released.

This patch corrects this by ensuring resource destruction first
invokes listeners / destructors and then removing them from the
client's object map before releasing the associated memory.

[1] https://gitlab.freedesktop.org/wayland/wayland/-/blob/main/src/wayland-server.c?ref_type=heads#L928

Change-Id: Idb48ea9d4ea5edf8572185436f15138bab4f27f3
Signed-off-by: Thomas Lukaszewicz thomaslukaszewicz@gmail.com

src/wayland-server.c		diff \| blob \| history
tests/resources-test.c		diff \| blob \| history