https://bugs.kde.org/show_bug.cgi?id=408553

Matt Fagnani <matthew.fagn...@utoronto.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|wayland-generic             |general
           Assignee|kwin-bugs-n...@kde.org      |mgraess...@kde.org
            Product|kwin                        |frameworks-kwayland
            Version|5.15.5                      |5.59.0

--- Comment #5 from Matt Fagnani <matthew.fagn...@utoronto.ca> ---
I've noticed similarities between the first invalid read at wl_proxy_unref
(wayland-client.c:229) I reported and invalid reads starting at
wayland-client.c:229 in plasmashell
(https://bugs.kde.org/show_bug.cgi?id=409021#c1),
konsole (https://bugs.kde.org/show_bug.cgi?id=408971),
kglobalaccel5 and akonadi_sendlater_agent.

The address freed had the following common functions and source lines and was
44 bytes inside a block of size 72 free'd

==4203==  Address 0x1934ea3c is 44 bytes inside a block of size 72 free'd
==4203==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==4203==    by 0x1949F844: destroy (wayland_pointer_p.h:63)
==4203==    by 0x1949F844: KWayland::Client::Registry::Private::globalSync(void*, wl_callback*, unsigned int) (registry.cpp:539)
==4203==    by 0x485CB27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x485C338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==4203==    by 0x172C3606: wl_closure_invoke (connection.c:1014)
==4203==    by 0x172BFF17: dispatch_event.isra.0 (wayland-client.c:1430)
==4203==    by 0x172C146B: dispatch_queue (wayland-client.c:1576)
==4203==    by 0x172C146B: wl_display_dispatch_queue_pending (wayland-client.c:1818)
==4203==    by 0x172C18AA: wl_display_roundtrip_queue (wayland-client.c:1241)
==4203==    by 0x194887C3: KWayland::Client::ConnectionThread::roundtrip() (connection_thread.cpp:290)

Functions in those stacks might have freed the pointer before the other
programs used it. KWayland::Client::Registry::Private::globalSync
(registry.cpp:539) might be where the freeing was done too early.

(gdb) list registry.cpp:533,540
533     void Registry::Private::globalSync(void* data, wl_callback* callback, uint32_t serial)
534     {
535         Q_UNUSED(serial)
536         auto r = reinterpret_cast<Registry::Private*>(data);
537         Q_ASSERT(r->callback == callback);
538         r->handleGlobalSync();
539         r->callback.destroy();
540     }

Memory corruption due to the use-after-free errors might have led to the
segmentation faults I saw. I'm reassigning this to frameworks-kwayland based on
the above. kwayland-integration or libwayland-client are other possible
packages involved.
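As an added illustration (not code from the bug report, KWayland or libwayland), a simplified model of the pattern the comment suspects: a handler that destroys its own callback proxy while the dispatcher that invoked it still touches the proxy afterwards, beside the reference-holding variant that keeps the object alive until dispatch has finished. All names here are hypothetical, and a live-allocation set stands in for the real heap so the unsafe case is detected instead of triggering undefined behaviour.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <set>

// Hypothetical stand-in for a client-side proxy (the wl_callback behind Registry::Private::callback).
struct Proxy {
    int refcount;
    bool destroyed;
    uint32_t id;
};

using Handler = std::function<void(Proxy*)>;

static std::set<Proxy*> g_live;  // constructed bookkeeping: which proxies are still allocated

Proxy* proxy_create(uint32_t id) { auto* p = new Proxy{1, false, id}; g_live.insert(p); return p; }
bool proxy_is_live(Proxy* p) { return g_live.count(p) != 0; }        // pointer lookup only, no dereference
static void proxy_free(Proxy* p) { g_live.erase(p); delete p; }

// Unsafe pattern: destroy frees immediately, whoever else still holds the pointer.
void proxy_destroy_naive(Proxy* p) { proxy_free(p); }

// Unsafe dispatch: runs the handler, then goes back to the proxy (e.g. to unref or log it).
// Returns true when that trailing access lands on freed memory.
bool dispatch_naive(Proxy* p, const Handler& handler) {
    handler(p);
    return !proxy_is_live(p);      // real code would dereference p here: use-after-free
}

// Hardened pattern: destroy only marks the object and drops the owner's reference.
void proxy_unref(Proxy* p) { if (--p->refcount == 0) proxy_free(p); }
void proxy_destroy_safe(Proxy* p) { p->destroyed = true; proxy_unref(p); }

// Hardened dispatch: hold a reference across the handler so a destroy from inside it is deferred.
bool dispatch_safe(Proxy* p, const Handler& handler) {
    p->refcount++;
    handler(p);
    bool stale = !proxy_is_live(p);  // still live here even if the handler destroyed it
    proxy_unref(p);                  // the dispatcher's release is what finally frees it
    return stale;
}

int main() {
    Proxy* a = proxy_create(1);
    std::cout << "naive access after handler is stale: " << dispatch_naive(a, proxy_destroy_naive) << '\n';
    Proxy* b = proxy_create(2);
    std::cout << "safe access after handler is stale: " << dispatch_safe(b, proxy_destroy_safe) << '\n';
    return 0;
}
```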
