|
 |
4101d1 |
From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001
|
|
|
4101d1 |
From: Frediano Ziglio <fziglio@redhat.com>
|
|
|
4101d1 |
Date: Wed, 29 Jan 2020 09:06:54 +0000
|
|
|
4101d1 |
Subject: [PATCH libX11] Fix poll_for_response race condition
|
|
|
4101d1 |
|
|
|
4101d1 |
In poll_for_response is it possible that event replies are skipped
|
|
|
4101d1 |
and a more up to date message reply is returned.
|
|
|
4101d1 |
This will cause next poll_for_event call to fail aborting the program.
|
|
|
4101d1 |
|
|
|
4101d1 |
This was proved using some slow ssh tunnel or using some program
|
|
|
4101d1 |
to slow down server replies (I used a combination of xtrace and strace).
|
|
|
4101d1 |
|
|
|
4101d1 |
How the race happens:
|
|
|
4101d1 |
- program enters into poll_for_response;
|
|
|
4101d1 |
- poll_for_event is called but the server didn't still send the reply;
|
|
|
4101d1 |
- pending_requests is not NULL because we send a request (see call
|
|
|
4101d1 |
to append_pending_request in _XSend);
|
|
|
4101d1 |
- xcb_poll_for_reply64 is called from poll_for_response;
|
|
|
4101d1 |
- xcb_poll_for_reply64 will read from server, at this point
|
|
|
4101d1 |
server reply with an event (say sequence N) and the reply to our
|
|
|
4101d1 |
last request (say sequence N+1);
|
|
|
4101d1 |
- xcb_poll_for_reply64 returns the reply for the request we asked;
|
|
|
4101d1 |
- last_request_read is set to N+1 sequence in poll_for_response;
|
|
|
4101d1 |
- poll_for_response returns the response to the request;
|
|
|
4101d1 |
- poll_for_event is called (for instance from another poll_for_response);
|
|
|
4101d1 |
- event with sequence N is retrieved;
|
|
|
4101d1 |
- the N sequence is widen, however, as the "new" number computed from
|
|
|
4101d1 |
last_request_read is less than N the number is widened to N + 2^32
|
|
|
4101d1 |
(assuming last_request_read is still contained in 32 bit);
|
|
|
4101d1 |
- poll_for_event enters the nested if statement as req is NULL;
|
|
|
4101d1 |
- we compare the widen N (which now does not fit into 32 bit) with
|
|
|
4101d1 |
request (which fits into 32 bit) hitting the throw_thread_fail_assert.
|
|
|
4101d1 |
|
|
|
4101d1 |
I propose to change the widen to not go too far from the wide number
|
|
|
4101d1 |
instead of supposing the result is always bigger than the wide number
|
|
|
4101d1 |
passed.
|
|
|
4101d1 |
|
|
|
4101d1 |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
|
4101d1 |
---
|
|
|
4101d1 |
src/xcb_io.c | 4 +---
|
|
|
4101d1 |
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
4101d1 |
|
|
|
4101d1 |
diff --git a/src/xcb_io.c b/src/xcb_io.c
|
|
|
4101d1 |
index 6a12d150..2aacbda3 100644
|
|
|
4101d1 |
--- a/src/xcb_io.c
|
|
|
4101d1 |
+++ b/src/xcb_io.c
|
|
|
4101d1 |
@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply)
|
|
|
4101d1 |
}
|
|
|
4101d1 |
|
|
|
4101d1 |
/* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number.
|
|
|
4101d1 |
- * Treating the comparison as a 1 and shifting it avoids a conditional branch.
|
|
|
4101d1 |
*/
|
|
|
4101d1 |
static void widen(uint64_t *wide, unsigned int narrow)
|
|
|
4101d1 |
{
|
|
|
4101d1 |
- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow;
|
|
|
4101d1 |
- *wide = new + (((uint64_t)(new < *wide)) << 32);
|
|
|
4101d1 |
+ *wide += (int32_t) (narrow - *wide);
|
|
|
4101d1 |
}
|
|
|
4101d1 |
|
|
|
4101d1 |
/* Thread-safety rules:
|
|
|
4101d1 |
--
|
|
|
4101d1 |
2.23.0
|
|
|
4101d1 |
|