mirrors/wayland
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wayland/wayland.git synced 2025-10-29 05:40:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
wayland/tests
History
Thomas Lukaszewicz 47de87263c Mitigate UAF crashes due to wl_client_destroy reentrancy 
There are situations in which a call into wl_client_destroy() can
result in a reentrant call into wl_client_destroy() - which
results in UAF / double free crashes.

For example, this can occur in the following scenario.

1. Server receives a message notifying it that a client has
   disconnected (WL_EVENT_HANGUP [1])

2. This beings client destruction with a call to wl_client_destroy()

3. wl_client_destroy() kicks off callbacks as client-associated
   resources are cleaned up and their destructors and destruction
   signals are invoked.

4. These callbacks eventually lead to an explicit call to
   wl_display_flush_clients() as the server attempts to flush
   events to other connected clients.

5. Since the client has already begun destruction, when it is
   reached in the iteration the flush fails wl_client_destroy()
   is called again [2].

This patch guards against this reentrant condition by removing
the client from the display's client list when wl_client_destroy()
is first called. This prevents access / iteration over the client
after wl_client_destroy() is called.

In the example above, wl_display_flush_clients() will pass over
the client currently undergoing destruction and the reentrant
call is avoided.

[1] 8f499bf404/src/wayland-server.c (L342)

[2] 8f499bf404/src/wayland-server.c (L1512)

Signed-off-by: Thomas Lukaszewicz [thomaslukaszewicz@gmail.com](mailto:thomaslukaszewicz@gmail.com)
2024-02-23 00:40:32 +00:00
..
data build: add a gen-scanner-test target 2024-01-15 14:29:10 +01:00
array-test.c Avoid pointer arithmetic on void * 2019-06-05 10:01:07 +00:00
client-test.c Mitigate UAF crashes due to wl_client_destroy reentrancy 2024-02-23 00:40:32 +00:00
compositor-introspection-test.c Check that XDG base directories paths are absolute 2022-06-09 18:34:17 +00:00
connection-test.c Do not allow nullable new_id 2022-07-14 08:38:49 -07:00
cpp-compile-test.cpp tests: C++ compilation test 2015-01-27 11:17:42 +00:00
display-test.c tests: add a test for dynamic filtered globals 2022-06-15 07:53:19 +00:00
event-loop-test.c build: don't rely on implicit GNU extensions 2022-01-10 15:08:46 +01:00
exec-fd-leak-checker.c tests: Require base 10 for the string specifying the number of open fd's 2016-07-11 13:32:15 -07:00
fixed-test.c build: don't rely on implicit GNU extensions 2022-01-10 15:08:46 +01:00
headers-protocol-core-test.c tests: Check for client/server-core.h inclusion 2016-05-19 14:31:18 -07:00
headers-protocol-test.c tests: Update boilerplate from MIT X11 license to MIT Expat license 2015-06-12 15:31:24 -07:00
headers-test.c tests: Update boilerplate from MIT X11 license to MIT Expat license 2015-06-12 15:31:24 -07:00
interface-test.c tests: Test wl_interface_equal 2016-11-18 16:21:19 +02:00
list-test.c tests: Add test for wl_list_length 2016-09-05 15:10:43 +03:00
map-test.c util: Avoid undefined behaviour in for_each_helper 2021-07-21 11:42:42 +00:00
meson.build build: add a gen-scanner-test target 2024-01-15 14:29:10 +01:00
message-test.c Do not allow nullable new_id 2022-07-14 08:38:49 -07:00
newsignal-test.c tests: fix typos 2020-12-17 16:03:14 -05:00
os-wrappers-test.c tests: manually wrap libc functions 2023-06-27 13:31:50 +02:00
protocol-logger-test.c Check that XDG base directories paths are absolute 2022-06-09 18:34:17 +00:00
proxy-test.c client: Add method to get display for a given proxy 2023-08-07 13:38:01 +00:00
queue-test.c client: Allow setting names for queues 2024-01-22 12:34:14 +00:00
resources-test.c Mitigate UAF crashes due to iteration over freed wl_resources 2024-02-07 09:45:41 +00:00
sanity-test.c tests: Capture the test client log 2023-02-28 11:22:04 +00:00
scanner-test-gen.sh build: add a gen-scanner-test target 2024-01-15 14:29:10 +01:00
scanner-test.sh tests: Verify that wayland_scanner can catch bad identifiers 2019-05-02 17:42:59 +00:00
signal-test.c server: introduce wl_signal_emit_mutable 2022-03-28 19:06:16 +00:00
socket-test.c Check that XDG base directories paths are absolute 2022-06-09 18:34:17 +00:00
test-compositor.c compat: prefer waitpid() over waitid() 2024-02-21 15:46:41 +00:00
test-compositor.h tests: Support tests that check for client failure 2023-02-28 11:22:04 +00:00
test-helpers.c build: fix build and provide compat for OpenBSD 2024-02-21 15:46:41 +00:00
test-runner.c build: fix build and provide compat for OpenBSD 2024-02-21 15:46:41 +00:00
test-runner.h tests: Remove memory leak checking infrastructure 2018-08-29 09:59:04 +01:00