From bbf1893cc039155432a960b61d55978f1b706295 Mon Sep 17 00:00:00 2001
From: Martin Peres <martin.peres@linux.intel.com>
Date: Mon, 20 Jul 2015 10:37:30 +0300
Subject: [PATCH xserver] os: make sure the clientsWritable fd_set is
 initialized before use

In WaitForSomething(), the fd_set clientsWritable may be used
uninitialized when the boolean AnyClientsWriteBlocked is set in the
WakeupHandler(). This leads to a crash in FlushAllOutput() after
x11proto's commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7.

The problem did not manifest before because both the XFD_SIZE and the
maximum number of clients were set to 256. As the ConnectionTranslation
table was initialized for the 256 clients to 0, the test on the index not
being 0 was aborting before dereferencing the client #0.

As of commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7 in x11proto, the
XFD_SIZE got bumped to 512. This led the OutputPending fd_set to have
any fd above 256 uninitialized, which in turn led to reading an
index after the end of the ConnectionTranslation table. This index would
then be used to find the client corresponding to the fd marked as
pending writes and would also result in an out-of-bounds access which
would usually be the fatal one.

Fix this by zeroing the clientsWritable fd_set at the beginning of
WaitForSomething(). In this case, the bottom part of the loop, which
would indirectly call FlushAllOutput, will not do any work but the next
call to select will result in the execution of the right codepath. This
is exactly what we want because we need to know the writable clients
before handling them. In the end, it also makes sure that the fds above
MaxClient are initialized, preventing the crash in FlushAllOutput().

Thanks to everyone involved in tracking this one down!

Reported-by: Karol Herbst <freedesktop@karolherbst.de>
Reported-by: Tobias Klausmann <tobias.klausmann@mni.thm.de>
Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
Tested-by: Tobias Klausmann <tobias.klausmann@mni.thm.de>
Tested-by: Martin Peres <martin.peres@linux.intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91316
Cc: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: Olivier Fourdan
Cc: Adam Jackson <ajax@redhat.com>
Cc: Alan Coopersmith
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 os/WaitFor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/os/WaitFor.c b/os/WaitFor.c
index 431f1a6..993c14e 100644
--- a/os/WaitFor.c
+++ b/os/WaitFor.c
@@ -158,6 +158,7 @@ WaitForSomething(int *pClientsReady)
Bool someReady = FALSE;
 
FD_ZERO(&clientsReadable);
+ FD_ZERO(&clientsWritable);
 
if (nready)
SmartScheduleStopTimer();
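Review bot: the added FD_ZERO(&clientsWritable) sits at function entry next to FD_ZERO(&clientsReadable), so it clears the set once per WaitForSomething() call and not once per pass through the select loop the commit message refers to. The message argues only the first-pass case: the set is all zero, the bottom of the loop does no work, and the next select call takes the right codepath. If the loop can go round again before returning, a pass that calls select without a write set leaves clientsWritable holding whatever an earlier pass filled in, and those bits are not covered by the argument. Either move the clear next to the select call that omits the write set, so every pass that cannot produce writable fds starts from an empty set, or add a sentence to the commit message saying why bits left over from an earlier pass are harmless when AnyClientsWriteBlocked is set by the WakeupHandler.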
--
2.5.5
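The failure mode the commit message describes, as an added example that is not part of the patch or of the xserver code base: a "pending output" fd_set that can name more fds than the per-fd client table has entries, scanned without bounds checking. The names TABLE_SIZE, connection_translation, register_client, client_for_fd, count_fds_past_table, count_flushable_clients and fill_with_garbage are illustrative and are assumptions of this example; the real server uses XFD_SIZE, MaxClients and ConnectionTranslation with its own sizes. Uninitialized stack memory holds whatever happened to be there, so the example stands in for it with a constructed byte pattern to make the run deterministic.

```c
/* Added example, not xserver code: why an un-zeroed fd_set becomes an
 * out-of-bounds index once the set can describe more fds than the
 * fd -> client table covers, and what a bounds-checked lookup looks like. */
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

#define TABLE_SIZE 256   /* assumed: the old 256-entry fd -> client table */

/* The example needs an fd_set wider than the table (the page's 512 case). */
_Static_assert(FD_SETSIZE >= 512, "example assumes fd_set names at least 512 fds");

/* Model of the translation table: fd -> client index, 0 = no client. */
static int connection_translation[TABLE_SIZE];

/* Bounds-checked registration; -1 for an fd the table cannot describe. */
int register_client(int fd, int client)
{
    if (fd < 0 || fd >= TABLE_SIZE)
        return -1;
    connection_translation[fd] = client;
    return 0;
}

/* Hardened lookup: rejects fds past the table instead of reading past it.
 * Returns the client index or -1 when there is no client for this fd. */
int client_for_fd(int fd)
{
    if (fd < 0 || fd >= TABLE_SIZE)
        return -1;   /* an unchecked table[fd] here is the out-of-bounds read */
    return connection_translation[fd] ? connection_translation[fd] : -1;
}

/* Set bits whose fd lies beyond the table: exactly the fds an unchecked
 * table[fd] lookup would read out of bounds. */
int count_fds_past_table(const fd_set *pending)
{
    int n = 0;
    for (int fd = TABLE_SIZE; fd < FD_SETSIZE; fd++)
        if (FD_ISSET(fd, pending))
            n++;
    return n;
}

/* Pending fds that resolve to a live client, which is all a flush loop
 * should ever touch. */
int count_flushable_clients(const fd_set *pending)
{
    int n = 0;
    for (int fd = 0; fd < FD_SETSIZE; fd++)
        if (FD_ISSET(fd, pending) && client_for_fd(fd) != -1)
            n++;
    return n;
}

/* Stand-in for stack garbage (constructed): 0xA5 sets 4 of every 8 bits,
 * so half of the fds above the table look "pending". Real uninitialized
 * memory may just as well be all zero on one run and not on the next. */
void fill_with_garbage(fd_set *set)
{
    memset(set, 0xA5, sizeof *set);
}

/* The bug: the set is never zeroed before it is scanned. */
int pending_past_table_when_uninitialized(void)
{
    fd_set pending;
    fill_with_garbage(&pending);
    return count_fds_past_table(&pending);
}

/* The fix: FD_ZERO before any bit is set or read. */
int pending_past_table_when_zeroed(void)
{
    fd_set pending;
    FD_ZERO(&pending);
    FD_SET(7, &pending);
    return count_fds_past_table(&pending);
}

/* A zeroed set with two real clients and one fd the table cannot describe:
 * the hardened lookup refuses the latter rather than dereferencing it. */
int flushable_in_demo_set(void)
{
    fd_set pending;
    FD_ZERO(&pending);
    FD_SET(7, &pending);
    FD_SET(9, &pending);
    FD_SET(TABLE_SIZE + 44, &pending);   /* fd 300, past the table */
    register_client(7, 1);               /* constructed clients */
    register_client(9, 2);
    return count_flushable_clients(&pending);
}

int main(void)
{
    printf("uninitialized set: %d fds past the table would be dereferenced\n",
           pending_past_table_when_uninitialized());
    printf("zeroed set: %d fds past the table\n", pending_past_table_when_zeroed());
    printf("flushable clients in demo set: %d\n", flushable_in_demo_set());
    return 0;
}
```

The zeroing is the patch's fix and removes the stale bits at the source; the bounds check in client_for_fd is the separate, defence-in-depth invariant that any fd -> table index must satisfy whenever the fd_set width and the table size are set independently, as the commit message says happened when XFD_SIZE moved to 512 while the table stayed at 256.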