Bug 38321 - BlockHandler and WakeupHandler can call deleted handlers
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: All Linux (All)
Importance: medium major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
 
Reported: 2011-06-14 16:26 UTC by Scott James Remnant
Modified: 2011-07-30 10:52 UTC

Attachments
[PATCH] dix: avoid calling deleted block and wakeup handlers (1.73 KB, patch)
2011-06-14 16:35 UTC, Scott James Remnant

Description Scott James Remnant 2011-06-14 16:26:16 UTC
If RemoveBlockAndWakeupHandlers is called within a BlockHandler or WakeupHandler for a handler other than the one it's being called from, X marks the other handler as deleted but never checks whether handlers are deleted before calling them.

This is unfortunately common due to config/udev, which will remove input devices from its own handler - and those input device drivers may well have handlers of their own that need to be removed.

The end result is the removed handler gets called, with data that's been freed, and the X server segfaults underneath WakeupHandler or BlockHandler due to a bad pointer dereference.
Comment 1 Scott James Remnant 2011-06-14 16:35:49 UTC
Created attachment 47973
[PATCH] dix: avoid calling deleted block and wakeup handlers
Comment 2 Julien Cristau 2011-07-30 10:52:55 UTC
commit 2ee85d954c8f3a6affbd9b1b745594ff12e8b670
Author: Scott James Remnant <scott@netsplit.com>
Date:   Tue Jun 14 16:36:07 2011 -0700

    dix: avoid calling deleted block and wakeup handlers
    
    BlockHandler and WakeupHandlers may be removed within a different
    BlockHandler or WakeupHandler, especially since config/udev uses
    these and removes devices.
    
    Calling the deleted handlers and passing potentially freed data
    can result in the X server segfaulting after device removal, or
    events that result in device removal such as undocking or suspend/
    resume.
    
    Signed-off-by: Scott James Remnant <scott@netsplit.com>
    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
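
The failure mode described in this report, as an added C example (not the X server's code or the attached patch): a minimal handler list in which removal during dispatch only marks the entry, and the dispatch loop checks that mark before calling. All names here (`add_handler`, `remove_handler`, `run_handlers`, `struct device`) are hypothetical, and setting `alive = 0` stands in for freeing the device data.

```c
typedef void (*handler_fn)(void *data);
struct handler { handler_fn fn; void *data; int deleted; };
struct device { int alive; int stale_calls; };
static struct handler handlers[8];
static int num_handlers, in_dispatch;
static struct device dev = { 1, 0 };     /* constructed sample device */

void add_handler(handler_fn fn, void *data) {
    if (num_handlers < 8)
        handlers[num_handlers++] = (struct handler){ fn, data, 0 };
}

static void compact(void) {              /* drop entries marked deleted */
    int kept = 0;
    for (int i = 0; i < num_handlers; i++)
        if (!handlers[i].deleted) handlers[kept++] = handlers[i];
    num_handlers = kept;
}

void remove_handler(handler_fn fn, void *data) {
    for (int i = 0; i < num_handlers; i++)
        if (handlers[i].fn == fn && handlers[i].data == data)
            handlers[i].deleted = 1;     /* mark only: the list may be mid-walk */
    if (!in_dispatch) compact();         /* nobody is iterating: reap now */
}

void run_handlers(void) {
    in_dispatch++;
    for (int i = 0; i < num_handlers; i++)
        if (!handlers[i].deleted)        /* skip entries removed during this pass */
            handlers[i].fn(handlers[i].data);
    if (--in_dispatch == 0) compact();   /* reap deferred removals */
}

static void device_handler(void *data) { /* counts calls made after release */
    struct device *d = data;
    if (!d->alive) d->stale_calls++;
}
static void hotplug_handler(void *data) {   /* removes a different handler */
    remove_handler(device_handler, data);
    ((struct device *)data)->alive = 0;     /* stands in for free() */
}

int demo(void) {                         /* returns calls seen after release */
    add_handler(hotplug_handler, &dev);
    add_handler(device_handler, &dev);
    run_handlers();
    return dev.stale_calls;
}
int main(void) { return demo(); }
```

Without the `deleted` check in `run_handlers`, `device_handler` would run once after its data was released, which is the crash path the report describes.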

