Bug 94519

Summary: wl_resource_destroy heap-use-after-free on memory already destroyed by weston_seat_release
Product: Wayland
Reporter: comicfans44 <comicfans44>
Component: weston
Assignee: Wayland bug list <wayland-bugs>
Status: RESOLVED MOVED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:

Description comicfans44 2016-03-12 23:21:30 UTC
I'm trying weston with the rdp backend; after the rdp session disconnects, weston crashes.

It seems weston_seat_release already calls

weston_keyboard_destroy(seat->keyboard_state)

but later
wl_resource_destroy->destroy_resource->wl_list_remove
accesses this memory.

AddressSanitizer report:

==10695==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000020d50 at pc 0x7f05e9f6c567 bp 0x7ffee886bf10 sp 0x7ffee886bf00
WRITE of size 8 at 0x611000020d50 thread T0
    #0 0x7f05e9f6c566 in wl_list_remove /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-util.c:57
    #1 0x7f05e9f5df7a in destroy_resource /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:571
    #2 0x7f05e9f5f89e in wl_resource_destroy /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:584
    #3 0x7f05e84cae2f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0xce2f)
    #4 0x7f05e84c9a2d in ffi_call (/usr/lib64/libffi.so.6+0xba2d)
    #5 0x7f05e9f6af75 in wl_closure_invoke /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/connection.c:949
    #6 0x7f05e9f603b5 in wl_client_connection_data /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:337
    #7 0x7f05e9f650d1 in wl_event_loop_dispatch /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/event-loop.c:421
    #8 0x7f05e9f611af in wl_display_run /usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:1051
    #9 0x40a333 in main src/main.c:859
    #10 0x7f05e8ea459f in __libc_start_main (/lib64/libc.so.6+0x2059f)
    #11 0x40a8c8 in _start (/usr/bin/weston+0x40a8c8)

0x611000020d50 is located 16 bytes inside of 232-byte region [0x611000020d40,0x611000020e28)
freed by thread T0 here:
    #0 0x7f05ea1d455f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5755f)
    #1 0x42c92c in weston_seat_release src/input.c:2675

previously allocated by thread T0 here:
    #0 0x7f05ea1d4935 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57935)
    #1 0x423e6f in zalloc shared/zalloc.h:38
    #2 0x423e6f in weston_keyboard_create src/input.c:756
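The sequence the report describes, as an added example that is not weston's or libwayland's code: a hypothetical `keyboard` object that owns a `wl_list` head, a hypothetical `resource` whose link sits in that list, and the two teardown orders. The 8-byte write 16 bytes into the freed 232-byte `weston_keyboard` in the trace above is consistent with `wl_list_remove()` updating a list head embedded in the keyboard, which is the write this model performs when run with an argument under AddressSanitizer. The `keyboard_destroy_safe()` teardown is one hypothetical remedy (detach and self-link every resource before freeing the head), not the fix weston applied, which this page does not show.

```c
/* Added example, not weston's code: a stand-alone model of the failure in this
 * report. "keyboard"/"resource" are hypothetical stand-ins for weston_keyboard
 * and a bound wl_resource; wl_list re-implements the semantics of wayland-util.h. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct wl_list { struct wl_list *prev, *next; };
static void wl_list_init(struct wl_list *l) { l->prev = l->next = l; }
static void wl_list_insert(struct wl_list *list, struct wl_list *elm)
{
    elm->prev = list; elm->next = list->next;
    list->next = elm; elm->next->prev = elm;
}
/* libwayland semantics: writes to BOTH neighbours, then poisons elm. */
static void wl_list_remove(struct wl_list *elm)
{
    elm->prev->next = elm->next;       /* prev == freed list head -> UAF write */
    elm->next->prev = elm->prev;
    elm->next = elm->prev = NULL;
}

struct keyboard { struct wl_list resource_list; }; /* list head lives in the keyboard */
struct resource { struct wl_list link; };          /* link lives in the resource      */

static struct keyboard *keyboard_create(void)
{
    struct keyboard *kb = calloc(1, sizeof(*kb));
    assert(kb); wl_list_init(&kb->resource_list);
    return kb;
}
static struct resource *resource_bind(struct keyboard *kb)
{
    struct resource *res = calloc(1, sizeof(*res));
    assert(res); wl_list_insert(&kb->resource_list, &res->link);
    return res;
}
/* Client-driven path from the trace: wl_resource_destroy -> destroy_resource ->
 * wl_list_remove, which writes through link.prev and link.next. */
static void resource_destroy(struct resource *res) { wl_list_remove(&res->link); free(res); }

/* True if res->link still points into *kb (address arithmetic only; kb is never dereferenced). */
static bool link_points_into(const struct resource *res, const struct keyboard *kb)
{
    uintptr_t lo = (uintptr_t)kb, hi = lo + sizeof(*kb);
    uintptr_t p = (uintptr_t)res->link.prev, n = (uintptr_t)res->link.next;
    return (p >= lo && p < hi) || (n >= lo && n < hi);
}

/* Safe teardown: unlink every resource and re-initialise its link, so a later
 * wl_list_remove() on that resource touches only the resource itself. */
static void keyboard_destroy_safe(struct keyboard *kb)
{
    struct wl_list *pos = kb->resource_list.next;
    while (pos != &kb->resource_list) {
        struct wl_list *next = pos->next;
        wl_list_remove(pos);
        wl_list_init(pos);             /* self-linked: prev == next == pos */
        pos = next;
    }
    free(kb);
}

/* The report's order with the bug: the keyboard (list head) is freed while a
 * resource is still linked, then the client destroys that resource. Returns true
 * if the link was dangling at the free; execute_uaf == false releases in the correct order. */
static bool buggy_release(bool execute_uaf)
{
    struct keyboard *kb = keyboard_create();
    struct resource *res = resource_bind(kb);
    bool dangling = link_points_into(res, kb); /* link.prev == &kb->resource_list */
    if (execute_uaf) {
        free(kb);                  /* weston_seat_release frees the head ...       */
        resource_destroy(res);     /* ... later wl_resource_destroy writes into it */
    } else {
        resource_destroy(res);
        free(kb);
    }
    return dangling;
}

/* Same order with the safe teardown: true if the link was self-contained after the keyboard was gone. */
static bool safe_release(void)
{
    struct keyboard *kb = keyboard_create();
    struct resource *res = resource_bind(kb);
    keyboard_destroy_safe(kb);
    bool self_linked = res->link.prev == &res->link && res->link.next == &res->link;
    resource_destroy(res);         /* writes only into res */
    return self_linked;
}

/* cc -g -fsanitize=address uaf_model.c && ./a.out        -> clean
 * ./a.out crash  -> reproduces the heap-use-after-free write from the report */
int main(int argc, char **argv)
{
    (void)argv;
    assert(buggy_release(false) && safe_release());
    if (argc > 1) buggy_release(true);
    return 0;
}
```

Run without arguments the program only proves that the link is dangling at the moment the head is freed and that the safe teardown leaves the resource self-linked; with any argument it performs the freed-head write so that AddressSanitizer prints a trace of the same shape as the one above (WRITE in wl_list_remove, freed by the keyboard release, allocated by the keyboard create).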
Comment 1 comicfans44 2016-03-12 23:28:56 UTC
This bug may be the same as bug 66830.
Comment 2 GitLab Migration User 2018-06-08 23:54:20 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/wayland/weston/issues/72.
