47de87263c
There are situations in which a call into wl_client_destroy() can result in a reentrant call into wl_client_destroy() - which results in UAF / double free crashes. For example, this can occur in the following scenario. 1. Server receives a message notifying it that a client has disconnected (WL_EVENT_HANGUP [1]) 2. This beings client destruction with a call to wl_client_destroy() 3. wl_client_destroy() kicks off callbacks as client-associated resources are cleaned up and their destructors and destruction signals are invoked. 4. These callbacks eventually lead to an explicit call to wl_display_flush_clients() as the server attempts to flush events to other connected clients. 5. Since the client has already begun destruction, when it is reached in the iteration the flush fails wl_client_destroy() is called again [2]. This patch guards against this reentrant condition by removing the client from the display's client list when wl_client_destroy() is first called. This prevents access / iteration over the client after wl_client_destroy() is called. In the example above, wl_display_flush_clients() will pass over the client currently undergoing destruction and the reentrant call is avoided. [1] |
||
|---|---|---|
| .gitlab/issue_templates | ||
| cursor | ||
| doc | ||
| egl | ||
| protocol | ||
| src | ||
| tests | ||
| .editorconfig | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .mailmap | ||
| .triage-policies.yml | ||
| CONTRIBUTING.md | ||
| COPYING | ||
| meson.build | ||
| meson_options.txt | ||
| README.md | ||
| release.sh | ||
| releasing.txt | ||
| wayland-scanner.m4 | ||
| wayland-scanner.mk | ||
Wayland
Wayland is a project to define a protocol for a compositor to talk to its clients as well as a library implementation of the protocol. The compositor can be a standalone display server running on Linux kernel modesetting and evdev input devices, an X application, or a wayland client itself. The clients can be traditional applications, X servers (rootless or fullscreen) or other display servers.
The wayland protocol is essentially only about input handling and buffer management. The compositor receives input events and forwards them to the relevant client. The clients creates buffers and renders into them and notifies the compositor when it needs to redraw. The protocol also handles drag and drop, selections, window management and other interactions that must go through the compositor. However, the protocol does not handle rendering, which is one of the features that makes wayland so simple. All clients are expected to handle rendering themselves, typically through cairo or OpenGL.
Building the wayland libraries is fairly simple, aside from libffi, they don't have many dependencies:
$ git clone https://gitlab.freedesktop.org/wayland/wayland
$ cd wayland
$ meson build/ --prefix=PREFIX
$ ninja -C build/ install
where PREFIX is where you want to install the libraries.
See https://wayland.freedesktop.org for documentation.