2d42f4
From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
2d42f4
From: Povilas Kanapickas <povilas@radix.lt>
2d42f4
Date: Sun, 19 Dec 2021 18:11:07 +0200
2d42f4
Subject: [PATCH] dix: Fix use after free in input device shutdown
2d42f4
2d42f4
This fixes access to freed heap memory via dev->master. E.g. when
2d42f4
running BarrierNotify.ReceivesNotifyEvents/7 test from
2d42f4
xorg-integration-tests:
2d42f4
2d42f4
==24736==ERROR: AddressSanitizer: heap-use-after-free on address
2d42f4
0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
2d42f4
READ of size 4 at 0x619000065020 thread T0
2d42f4
    #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
2d42f4
    #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
2d42f4
    #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
2d42f4
../../../Xi/xichangehierarchy.c:95
2d42f4
    #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
2d42f4
../../../hw/xfree86/common/xf86Xinput.c:1142
2d42f4
    #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
2d42f4
    #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
2d42f4
    #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
2d42f4
    #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
2d42f4
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
2d42f4
    #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
2d42f4
2d42f4
0x619000065020 is located 160 bytes inside of 912-byte region
2d42f4
[0x619000064f80,0x619000065310)
2d42f4
freed by thread T0 here:
2d42f4
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
2d42f4
    #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
2d42f4
    #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
2d42f4
../../../hw/xfree86/common/xf86Xinput.c:1142
2d42f4
    #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
2d42f4
    #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
2d42f4
    #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
2d42f4
    #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
2d42f4
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
2d42f4
2d42f4
previously allocated by thread T0 here:
2d42f4
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
2d42f4
    #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
2d42f4
    #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
2d42f4
    #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
2d42f4
../../../Xi/xichangehierarchy.c:465
2d42f4
    #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
2d42f4
    #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
2d42f4
    #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
2d42f4
    #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
2d42f4
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
2d42f4
2d42f4
The problem is caused by dev->master being not reset when disabling the
2d42f4
device, which then causes dangling pointer when the master device itself
2d42f4
is being deleted when exiting whole server.
2d42f4
2d42f4
Note that RecalculateMasterButtons() requires dev->master to be still
2d42f4
valid, so we can reset it only at the end of function.
2d42f4
2d42f4
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
2d42f4
---
2d42f4
 dix/devices.c | 1 +
2d42f4
 1 file changed, 1 insertion(+)
2d42f4
2d42f4
diff --git a/dix/devices.c b/dix/devices.c
2d42f4
index e62c34c55..5f9ce1678 100644
2d42f4
--- a/dix/devices.c
2d42f4
+++ b/dix/devices.c
2d42f4
@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
2d42f4
     }
2d42f4
 
2d42f4
     RecalculateMasterButtons(dev);
2d42f4
+    dev->master = NULL;
2d42f4
 
2d42f4
     return TRUE;
2d42f4
 }
2d42f4
-- 
2d42f4
2.43.0
2d42f4