From f722dc6f084fa8c331561855f667c69ec5e508bd Mon Sep 17 00:00:00 2001 
From: Marius Vlad Date: Wed, 12 May 2021 17:04:28 +0300 Subject: [PATCH] compositor: Prevent an invalid access against content protection Avoids a use-after-free when destroying the surface, like in the following ASAN message: ==25180==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000589d8 at pc 0x7ff70a4f7102 bp 0x7fff8f7e13b0 sp 0x7fff8f7e13a8 READ of size 8 at 0x6060000589d8 thread T0 #0 0x7ff70a4f7101 in weston_schedule_surface_protection_update ../libweston/compositor.c:1163 #1 0x7ff70a4f743b in weston_surface_update_output_mask ../libweston/compositor.c:1212 #2 0x7ff70a4f7a47 in weston_surface_assign_output ../libweston/compositor.c:1298 #3 0x7ff70a4f7f44 in weston_view_assign_output ../libweston/compositor.c:1348 #4 0x7ff70a4fa12f in weston_view_update_transform ../libweston/compositor.c:1589 #5 0x7ff70a4ffc20 in view_list_add ../libweston/compositor.c:2657 #6 0x7ff70a5000ee in weston_compositor_build_view_list ../libweston/compositor.c:2688 #7 0x7ff70a4fd577 in weston_view_destroy ../libweston/compositor.c:2202 #8 0x7ff70a4fd7df in weston_surface_destroy ../libweston/compositor.c:2239 #9 0x7ff70a4fdbb0 in destroy_surface ../libweston/compositor.c:2285 #10 0x7ff70a4a2d3e in destroy_resource ../src/wayland-server.c:723 #11 0x7ff70a4a8940 in for_each_helper ../src/wayland-util.c:372 #12 0x7ff70a4a8e1f in wl_map_for_each ../src/wayland-util.c:385 #13 0x7ff70a4a3748 in wl_client_destroy ../src/wayland-server.c:882 #14 0x7ff6fe04e866 in shell_destroy ../desktop-shell/shell.c:5004 #15 0x7ff70a4ee923 in wl_signal_emit /home/mvlad/install-amd64/include/wayland-server-core.h:481 #16 0x7ff70a51598d in weston_compositor_destroy ../libweston/compositor.c:7903 #17 0x7ff70a903a58 in wet_main ../compositor/main.c:3493 #18 0x560de7b3b179 in main ../compositor/executable.c:33 #19 0x7ff70a73ecc9 in __libc_start_main ../csu/libc-start.c:308 #20 0x560de7b3b099 in _start (/home/mvlad/install-amd64/bin/weston+0x1099) 0x6060000589d8 is located 56 bytes inside of 
64-byte region [0x6060000589a0,0x6060000589e0) freed by thread T0 here: #0 0x7ff70a9d3b6f in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) #1 0x7ff70a5167d2 in cp_destroy_listener ../libweston/content-protection.c:193 #2 0x7ff70a4ee923 in wl_signal_emit /home/mvlad/install-amd64/include/wayland-server-core.h:481 #3 0x7ff70a51598d in weston_compositor_destroy ../libweston/compositor.c:7903 #4 0x7ff70a903a58 in wet_main ../compositor/main.c:3493 #5 0x560de7b3b179 in main ../compositor/executable.c:33 #6 0x7ff70a73ecc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ff70a9d4037 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) #1 0x7ff70a5160aa in zalloc ../include/libweston/zalloc.h:38 #2 0x7ff70a516cda in weston_compositor_enable_content_protection ../libweston/content-protection.c:329 #3 0x7ff7070247e0 in drm_backend_create ../libweston/backend-drm/drm.c:3180 #4 0x7ff707024cae in weston_backend_init ../libweston/backend-drm/drm.c:3250 #5 0x7ff70a515d02 in weston_compositor_load_backend ../libweston/compositor.c:7999 #6 0x7ff70a8fbcfb in load_drm_backend ../compositor/main.c:2614 #7 0x7ff70a900b46 in load_backend ../compositor/main.c:3103 #8 0x7ff70a902ecd in wet_main ../compositor/main.c:3380 #9 0x560de7b3b179 in main ../compositor/executable.c:33 #10 0x7ff70a73ecc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free ../libweston/compositor.c:1163 in weston_schedule_surface_protection_update Signed-off-by: Marius Vlad
---
 libweston/content-protection.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libweston/content-protection.c b/libweston/content-protection.c
index 98b93fc0f..32dc3f065 100644
--- a/libweston/content-protection.c
+++ b/libweston/content-protection.c
@@ -190,6 +190,7 @@ cp_destroy_listener(struct wl_listener *listener, void *data)
 weston_log_scope_destroy(cp->debug);
 cp->debug = NULL;
 cp->surface_protection_update = NULL;
+ cp->compositor->content_protection = NULL;
 free(cp);
 }
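Review bot: The added `cp->compositor->content_protection = NULL;` only closes the use-after-free if every reader of `compositor->content_protection` tests it for NULL before dereferencing; the reader named in the trace, `weston_schedule_surface_protection_update` (compositor.c:1163), is outside this hunk, so that check should be confirmed there, otherwise the freed read simply becomes a NULL dereference. The trace shows the free (`cp_destroy_listener`) and the later read (reached through `shell_destroy` and `weston_surface_destroy`) both running from the same `wl_signal_emit` in `weston_compositor_destroy`, so the new line depends on listener ordering and deserves a comment above it, e.g. `/* Later destroy listeners may still tear down surfaces; clear the back-pointer so they see NULL rather than freed memory. */`. `cp_destroy_listener` begins above the hunk, so whether anything still pending behind `surface_protection_update` can reach `cp` after the free cannot be judged from the visible lines.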