The usefulness of this is limited, and `libwayland-client` doesn't
provide a way to pass a null `new_id` since the id is generated by the
library and given to the caller as the return value.
Signed-off-by: Ian Douglas Scott <idscott@system76.com>
Nullable arrays, which are not used anywhere, were marshalled the same
way as an empty non-null array. The demarshalling logic did not
recognize anything as a null array. Given this, it seems better to just
explicitly not support it.
Fixes https://gitlab.freedesktop.org/wayland/wayland/-/issues/306.
Signed-off-by: Ian Douglas Scott <idscott@system76.com>
Initialiaze the entire msghdr struct to 0 before use.
Example of the report fixed with this change:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==20035==ERROR: AddressSanitizer: SEGV on unknown address 0x2dad4dbffffa0d (pc 0x0055555c7488 bp 0x007fffffc760 sp 0x007fffffc760 T0)
==20035==The signal is caused by a READ memory access.
#0 0x55555c7488 in read_msghdr(void*, __sanitizer::__sanitizer_msghdr*, long) (/home/ftrvx/w/_/uxn/bin/uxnemu+0x77488)
#1 0x55555c810c in sendmsg (/home/ftrvx/w/_/uxn/bin/uxnemu+0x7810c)
#2 0x7ff7f2db20 in wl_connection_flush /home/ftrvx/q/wayland/build/../src/connection.c:315:10
#3 0x7ff7f2d014 in wl_display_flush /home/ftrvx/q/wayland/build/../src/wayland-client.c:2154:9
#4 0x7ff7e80bc0 (/lib/libSDL2-2.0.so.0+0x104bc0)
#5 0x7ff7e523b0 (/lib/libSDL2-2.0.so.0+0xd63b0)
#6 0x7ff7e534e4 (/lib/libSDL2-2.0.so.0+0xd74e4)
#7 0x7ff7e535e8 (/lib/libSDL2-2.0.so.0+0xd75e8)
#8 0x7ff7daad54 (/lib/libSDL2-2.0.so.0+0x2ed54)
#9 0x7ff7dab130 (/lib/libSDL2-2.0.so.0+0x2f130)
#10 0x555565bb40 in main /home/ftrvx/w/_/uxn/src/uxnemu.c:519:2
#11 0x7ff7f62484 in libc_start_main_stage2 /builddir/musl-1.1.24/src/env/__libc_start_main.c:94:2
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/ftrvx/w/_/uxn/bin/uxnemu+0x77488) in read_msghdr(void*, __sanitizer::__sanitizer_msghdr*, long)
==20035==ABORTING
Signed-off-by: Sigrid Solveig Haflínudóttir <ftrvxmtrx@gmail.com>
When multiple threads are used, output from different threads was intermixed in one line. That what breaking parsing of the log messages. Now, intermixing is prevented by using a memstream.
Signed-off-by: Alexander Irion <alexander_irion@mentor.com>
When allocating memory for structs, use zalloc instead of malloc.
This ensures the memory is zero-initialized, and reduces the risk
of forgetting to initialize all struct fields.
Signed-off-by: Simon Ser <contact@emersion.fr>
The client side closure traces have incorrect object ids for new server
generated objects. This is because create_proxies() overwrites the id in
'n' type arguments by storing a pointer to the actual object in the 'o'
field of the union.
Getting back to an id from this pointer requires accessing a structure
that isn't visible outside of wayland-client.c.
Add a function pointer to fish the correct value out of the argument and
pass it to wl_closure_print.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
struct wl_buffer has other meaning in wayland, thus making this a pretty
confusing structure name. Function names like wl_buffer_put() just
compound the confusion.
Rename the struct and the associated functions (none of which are called
from outside this file anyway). The struct retains a wl_ prefix, as is
the custom for wayland internal data structures. The function names
have not retained this prefix, as we have many static function that
aren't prefixed.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
Specifically, in the log formed when WAYLAND_DEBUG is set, this commit
ensures that floating point numbers are formatted using '.' instead of
the locale-specific decimal separator. As the debug logs are not
otherwise localized for end-users, and may be parsed by scripts, it is
better to have consistent output here.
The 24.8 fixed point numbers are now represented with 8 digits after
the decimal, since this is both exact and simpler to compute.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
Before this patch, setting WAYLAND_DEBUG=1 or WAYLAND_DEBUG=client made
a program log all requests sent and events that it processes. However,
some events received are not processed. This can happen when a Wayland
server sends an event to an object that does not exist, or was recently
destroyed by the client program (either before the event was decoded,
or after being decoded but before being dispatched.)
This commit prints all discarded messages in the debug log, producing
lines like:
[1234567.890] discarded [unknown]@42.[event 0](0 fd, 12 byte)
[1234567.890] discarded wl_callback@3.done(34567)
[1234567.890] discarded [zombie]@13.[event 1](3 fd, 8 byte)
The first indicates an event to an object that does not exist; the
second, an event to an object that was deleted after decoding, but
before dispatch; the third, an event to an object that left a
'zombie' marker behind to indicate which events have associated
file descriptors.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
Currently a null string passed into a non-nullable argument of a message
will decode succesfully, probably resulting in the handler function
crashing. Instead treat it the same way we do non-nullable objects and ids.
Signed-off-by: Fergus Dall <sidereal@google.com>
Instead, cleanly exit wl_closure_marshal and let the caller handler
the error. For wayland-client, the sole calling function will call
wl_abort() anyway. For wayland-server, the calling function will
cleanly shutdown the client.
This change ensures that compositors run with low file descriptor
limits or internal leaks need not crash suddenly (and sometimes
far from the problem) when space runs out.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
The size argument to wl_connection_demarshal() is taken from the message by the
caller wl_client_connection_data(), therefore 'size' is untrusted data
controllable by a Wayland client. The size should always be at least the header
size, otherwise the header is invalid.
If the size is smaller than header size, it leads to reading past the end of
allocated memory. Furthermore if size is zero, wl_closure_init() changes
behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
memory.
Check that 'size' fits at least the header. The space for arguments is already
properly checked.
This makes the request_bogus_size test free of errors under Valgrind.
Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
Calling printf("%s", NULL) is undefined behaviour.
Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
If the remote side sends sufficiently large `length` field, it will
overflow the `p` pointer. Technically it is undefined behavior, in
practice it makes `p < end`, so the length check passes. Attempts to
access the data later causes crashes.
This issue manifests only on 32bit systems, but the behavior is
undefined everywhere.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
The DIV_ROUNDUP macro would overflow when trying to round values higher
than MAX_UINT32 - (a - 1). The result is 0 after the division. This is
potential security issue when demarshalling an array because the length
check is performed with the overflowed value, but then the original huge
value is stored for later use.
The issue was present only on 32bit platforms. The use of size_t in the
DIV_ROUNDUP macro already promoted everything to 64 bit size on 64 bit
systems.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Style changes by Derek Foreman
Like the similar wl_log() message further into this function that was
fixed in commit 2fc248dc2c this should
be printing the sender_id saved earlier instead of *p.
Since p is incremented during the loop it would not only print an
incorrect object id, it could read past the end of the array.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
commit 52609ddf79 was intended to
set fds to -1 in the arg list, however it failed to account for
version information at the start of signatures.
Most noticably, this broke mesa's create_prime_buffer by setting
width to -1 instead of the fd, as the width was the argument
following the fd, and the version was one byte long.
This should close https://bugs.kde.org/show_bug.cgi?id=389200
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
We need to close file descriptors sent to zombie proxies to avoid leaking
them, and perhaps more importantly, to prevent them from being dispatched
in events on other objects (since they would previously be left in the
buffer and potentially fed to following events destined for live proxies)
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Add a new map entry flag to indicate that the object received is valid,
but a zombie. Previously this relied on a fixed object pointer, but
future patches in this series will have map entries returning either
NULL, or a different structure type entirely, for zombie objects.
wl_object_is_zombie() now solely uses the new flag to determine whether
or not the object is a zombie.
[daniels: Extracted from Derek's bespoke-zombie patch as an intermediate
step.]
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Add a helper function which determines whether or not an object is a
zombie.
[daniels: Extracted from Derek's bespoke-zombie patch as an intermediate
step.]
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
When we have a closure that can't be dispatched for some reason, and it
contains file descriptors, we must close those descriptors to prevent
leaking them.
Previous commits ensure that only FDs belonging to this invocation of
the closure, i.e. not FDs provided by the client for marshalling, nor
FDs which have already been dispatched to either client or server, will
be left in the closure by destroy time.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
This initializes all the fd arguments in closures to -1 and clears
them back to -1 when they've been dispatched or serialized.
This means that any valid fd in a closure is currently libwayland's
responsibility to close in the case of an error.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Moves the common/similar bits into one place.
This has a minor functional change - count and message are now initialized
immediately, previously they'd only be set if (de)marshal was successful.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
We can sizeof the struct type instead of declaring a pointer and
taking the size of what it points to.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
There were two places where we did the same calculation manually.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
All current callers close all fds, so this has gone unnoticed, but if
we close less than all fds with close_fds() we leak all the unclosed
ones and ruin further event demarshalling.
A future patch will close less than the full buffer's worth of fds,
so this is now noticed.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
message-test.c did not cover wl_message_count_arrays, so add one test that
specifically tests this method. Note that this exposes wl_message_count_arrays
in a private header (wayland-private.h), and removes the `static` modifier of
the implementation.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Move the wl_interface_equal prototype to the top of wayland-private, where
it is not buried in the middle of map, connection and closure functions.
Move the implementation out of connection and into util. This is a utility
function, not specific to connections, and has call sites within connection,
wayland-client and wayland-server.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
the code is something like:
if (object == NULL && ...) {
object = NULL;
return;
}
first, the object is already NULL, second, the assignment has no effect
since we return from the function right away
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
When we are adding padding bytes making our wl_buffer buffer content 4
byte aligned, we are just moving the pointer. Since the buffer is
allocated using plain malloc(), this means our padding bytes are
effectively uninitialized data, which could be anything previously
allocated in the server process. As we'll be sharing this buffer
content with arbitrary clients, we are effectively sharing private
memory with every client, and even though a well behaving client will
discard any such memory, a malicious client may not.
Therefor, to avoid any potential missuse of the uninitialized padding
memory shared between the server and client, initialize the buffer
content to 0, making the padding bytes always 0.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This adds an API to get the file descriptor for a client.
The client file descriptor can be used for a wayland compositor to validate
a request from a client if there are any additional information provided from
the client's file descriptor.
For instance, this will be helpful in some linux distributions, in which SELinux
or SMACK is enabled. In those environments, each file (including socket) will have
each security contexts in its inode as xattr member variable. A wayland compositor
can validate a client request by getting the file descriptor of the client and
by checking the security contexts associated with the file descriptor.
Signed-off-by: Sung-Jin Park <input.hacker@gmail.com>
When processing a closure, data in the connection can be consumed again
if the closure itself invokes extra event dispatch. In that case the
remaining data size is also altered, so the variable len should be
updated after the closure is processed.
Signed-off-by: Jaeyoon Jung <jaeyoon.jung@lge.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
On many places in the code we use wl_log + abort or wl_log + assert(0).
Replace these with one call to wl_abort, so that we don't mix abort(),
assert(0) and we'll save few lines
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
It expects ((msg_controllen == 0) == (msg_control == NULL)), and returns
EINVAL otherwise. It can't hurt to be tidy about things on other platforms
either though.
See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=99356#c5
Signed-off-by: Philip Withnall <philip at tecnocode.co.uk>
Signed-off-by: Karsten Otto <ottoka at posteo.de>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Calling close() on the same file descriptor that a previous call to
close() already closed is wrong, and racy if another thread received
that same file descriptor as a eg. new socket or actual file.
There are two situations where wl_connection_destroy() would close its
file descriptor and then another function up in the call chain would
close the same file descriptor:
* When wl_client_create() fails after calling wl_connection_create(),
it will call wl_connection_destroy() before returning. However, its
caller will always close the file descriptor if wl_client_create()
fails.
* wl_display_disconnect() unconditionally closes the display file
descriptor and also calls wl_connection_destroy().
So these two seem to expect wl_connection_destroy() to leave the file
descriptor open. The other caller of wl_connection_destroy(),
wl_client_destroy(), does however expect wl_connection_destroy() to
close its file descriptor, alas.
This patch changes wl_connection_destroy() to indulge this majority of
two callers by simply not closing the file descriptor. For the benefit
of wl_client_destroy(), wl_connection_destroy() then returns the
unclosed file descriptor so that wl_client_destroy() can close it
itself.
Since wl_connection_destroy() is a private function called from few
places, changing its semantics seemed like the more expedient way to
address the double-close() problem than shuffling around the logic in
wl_client_create() to somehow enable it to always avoid calling
wl_connection_destroy().
Signed-off-by: Benjamin Herr <ben@0x539.de>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
If a message was too big to fit in the connection buffer, the code
in wl_buffer_put would just write past the end of it.
I haven't seen any real world use case that would trigger this bug, but
it was possible to trigger it by sending a long enough string to the
wl_data_source.offer request.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=69267
In some cases, like Xwayland, stdout and stderr are redirected to
/dev/null, losing us valuable information, while wl_log can be
overridden, allowing us to send it to a log file instead. This
can help debugging immensely.
Otherwise the tail of fds_in buffer would just shift beyond the beginning.
That confuses the actual request handler and results in a crash further on
due to corrupted tail.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
This commit adds support for server-side languages bindings. This is done
in two ways:
1. Adding a wl_resource_set_dispatcher function that corresponds to
wl_resource_set_interface. The only difference between the two functions
is that the new version takes a dispatcher along with the implementation,
data, and destructor. This allows for runtime calling of native language
functions for callbacks instead of having to generate function pointers.
2. Adding versions of wl_resource_post_event and wl_resource_queue_event
that take an array of wl_argument instead of a variable argument list.
This allows for easier run-time argument conversion and removes the need
for libffi-based calling of variadic functions.
Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
Functions like wl_argument_from_va_list expect from get_next_argument,
to initialize details->type but when the signature is empty or contains
only version (like in desktop-shell-protocol.c in weston) it is left
uninitialized.
This patch fixes it, by initializing details->type with '\0' value,
signaling end of arguments.
Signed-off-by: Mariusz Ceier <mceier+wayland@gmail.com>
