From c913f837320adf05ae13f4840d9c936a9c659b9b Mon Sep 17 00:00:00 2001
From: Dave Airlie
Date: Aug 16 2010 02:25:21 +0000
Subject: xserver: fix use-after-free for root window - hopefully fix (#596985)
---
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index a998bbc..af2e324 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -30,7 +30,7 @@ Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.8.99.906
-Release: 1%{?gitdate:.%{gitdate}}%{dist}
+Release: 2%{?gitdate:.%{gitdate}}%{dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@@ -97,6 +97,7 @@ Patch6053: xserver-1.8-disable-vboxvideo.patch
# https://bugs.freedesktop.org/show_bug.cgi?id=28672
Patch7000: xserver-1.8.0-no-xorg.patch
+Patch7001: xserver-1.9-reset-root-null.patch
%define moduledir %{_libdir}/xorg/modules
%define drimoduledir %{_libdir}/dri
@@ -546,6 +547,9 @@ rm -rf $RPM_BUILD_ROOT
%{xserver_source_dir}
%changelog
+* Mon Aug 16 2010 Dave Airlie 1.8.99.906-2
+- fix use-after-free for root window - hopefully fix (#596985)
+
* Fri Aug 13 2010 Peter Hutterer 1.8.99.906-1 - xserver 1.8.99.906 - xserver-1.8-enter-leave-woes.patch: drop, upstream.
diff --git a/xserver-1.9-reset-root-null.patch b/xserver-1.9-reset-root-null.patch
new file mode 100644
index 0000000..67e64a6
--- /dev/null
+++ b/xserver-1.9-reset-root-null.patch
@@ -0,0 +1,59 @@
+From d25c74c843b83e7c6acbeb52d4807559c83f98cb Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Mon, 16 Aug 2010 12:16:48 +1000
+Subject: [PATCH] dix: reset pScreen->root to NULL when root window is deleted.
+
+We were seeing a crash in the FreeAllResources codepath,
+running valgrind revealed this,
+
+==12536== Invalid read of size 4
+==12536== at 0x810BCAB: DeliverPropertyEvent (rrproperty.c:33)
+==12536== by 0x80958A4: TraverseTree (window.c:227)
+==12536== by 0x809593E: WalkTree (window.c:255)
+==12536== by 0x810BC66: RRDeliverPropertyEvent (rrproperty.c:53)
+==12536== by 0x810BD5D: RRDeleteProperty.clone.0 (rrproperty.c:76)
+==12536== by 0x810BD98: RRDeleteAllOutputProperties (rrproperty.c:88)
+==12536== by 0x810A36E: RROutputDestroyResource (rroutput.c:407)
+==12536== by 0x808DF4E: FreeClientResources (resource.c:859)
+==12536== by 0x808E005: FreeAllResources (resource.c:876)
+==12536== by 0x8062300: main (main.c:305)
+==12536== Address 0x46ba8ac is 4 bytes inside a block of size 164 free'd
+==12536== at 0x40057F6: free (vg_replace_malloc.c:325)
+==12536== by 0x8087F1F: _dixFreeObjectWithPrivates (privates.c:357)
+==12536== by 0x809832A: DeleteWindow (window.c:926)
+==12536== by 0x808DF4E: FreeClientResources (resource.c:859)
+==12536== by 0x808E005: FreeAllResources (resource.c:876)
+==12536== by 0x8062300: main (main.c:305)
+
+Its a use after free on the root window, since we have already deleted it
+at this point. This patch checks if the window we are destroying is the root
+window and resets the pointer to NULL if it is.
+
+Signed-off-by: Dave Airlie
+---
+ dix/window.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/dix/window.c b/dix/window.c
+index 4a47dd5..33ef943 100644
+--- a/dix/window.c
++++ b/dix/window.c
+@@ -895,10 +895,15 @@ DeleteWindow(pointer value, XID wid)
+ WindowPtr pParent;
+ WindowPtr pWin = (WindowPtr)value;
+ xEvent event;
++ ScreenPtr pScreen;
++
++ pScreen = pWin->drawable.pScreen;
+ 
+ UnmapWindow(pWin, FALSE);
+ 
+ CrushTree(pWin);
++ if (pWin == pScreen->root)
++ pScreen->root = NULL;
+ 
+ pParent = pWin->parent;
+ if (wid && pParent && SubStrSend(pWin, pParent))
+--
+1.7.2.1
+
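Review bot: Clearing pScreen->root after CrushTree(pWin) replaces the dangling pointer with a NULL one, but the consumer shown in the valgrind trace (RRDeliverPropertyEvent → WalkTree → TraverseTree) is not touched by this patch, so whether the later teardown survives depends on TraverseTree already tolerating a NULL window, which nothing in the hunk shows; the "hopefully" in the subject is best settled by confirming that path or adding a NULL guard in WalkTree. The placement itself looks sound as far as visible, since pWin is still live at this point and is only released further down in DeleteWindow (the free at window.c:926 in the trace), but the function begins before the hunk and continues past it. The new lines would benefit from a why-comment, e.g. `/* pWin is freed below; clear the screen's reference so teardown callbacks that walk the tree from pScreen->root do not see a dangling pointer */`. As a point of style, the separate declaration and assignment can be merged into `ScreenPtr pScreen = pWin->drawable.pScreen;`.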