Re: [PATCH] dix: Prevent access to freed memory if a client kills itself.
On 09/22/2011 07:34 PM, Jamey Sharp wrote: This patch makes sense to me, but I have a couple of requests: I'm not sure why you extracted out a separate function; I'm not convinced that makes the code more clear, in this case. Originally, there was no good reason for extracting the code to a separate function. However, I'm currently suspecting that a certain XACE module (https://meego.gitorious.org/maemo-multimedia/xserver-policy-enforcement) might be suffering from the same problem. In this case I'd want to have a separate function and export it as well so that I wouldn't have to copy-paste its contents into the XACE module. If it turns out that XPE works fine, I can remove that function in the next patch revision. More importantly, I'd like to see justification in the commit message for deleting LBX support here. I seem to recall that support was deleted from the rest of the server already, which would be excellent justification, but please say so if that's true. To be honest, I didn't know what LBX was when I wrote the patch and didn't take into account the effect of extensions on closing down clients. But it seems that LBX has been gone for 5 years now, so I can clarify this in the commit message of the next patch revision. -- Rami ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] dix: Prevent access to freed memory if a client kills itself.
The 'Dispatch' function accesses freed client structure if a client happens to kill itself in a request. For example, I have a test client that is used to check that it handles the XIO error correctly. The XIO error is generated by requesting the client to kill itself with XKillClient. Signed-off-by: Rami Ylimäki rami.ylim...@vincit.fi Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi --- dix/dispatch.c | 32 +--- 1 files changed, 17 insertions(+), 15 deletions(-) diff --git a/dix/dispatch.c b/dix/dispatch.c index 43cb4d1..cc5ee09 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -3226,6 +3226,20 @@ ProcChangeAccessControl(ClientPtr client) return ChangeAccessControl(client, stuff-mode == EnableAccess); } +/** + * Prevents a client from killing itself immediately. + */ +static void CloseDownClientByClient(ClientPtr client, ClientPtr killclient) +{ +if (client == killclient) +{ +MarkClientException(client); +isItTimeToYield = TRUE; +} +else +CloseDownClient(killclient); +} + /* * CloseDownRetainedResources * @@ -3263,21 +3277,9 @@ ProcKillClient(ClientPtr client) } rc = dixLookupClient(killclient, stuff-id, client, DixDestroyAccess); -if (rc == Success) { - CloseDownClient(killclient); - /* if an LBX proxy gets killed, isItTimeToYield will be set */ - if (isItTimeToYield || (client == killclient)) - { - /* force yield and return Success, so that Dispatch() -* doesn't try to touch client -*/ - isItTimeToYield = TRUE; - return Success; - } - return Success; -} -else - return rc; +if (rc == Success) + CloseDownClientByClient(client, killclient); +return rc; } int -- 1.7.1 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
Re: [PATCH] dix: Prevent access to freed memory if a client kills itself.
This patch makes sense to me, but I have a couple of requests: I'm not sure why you extracted out a separate function; I'm not convinced that makes the code more clear, in this case. More importantly, I'd like to see justification in the commit message for deleting LBX support here. I seem to recall that support was deleted from the rest of the server already, which would be excellent justification, but please say so if that's true. Jamey On 9/22/11, Rami Ylimäki rami.ylim...@vincit.fi wrote: The 'Dispatch' function accesses freed client structure if a client happens to kill itself in a request. For example, I have a test client that is used to check that it handles the XIO error correctly. The XIO error is generated by requesting the client to kill itself with XKillClient. Signed-off-by: Rami Ylimäki rami.ylim...@vincit.fi Reviewed-by: Erkki Seppälä erkki.sepp...@vincit.fi --- dix/dispatch.c | 32 +--- 1 files changed, 17 insertions(+), 15 deletions(-) diff --git a/dix/dispatch.c b/dix/dispatch.c index 43cb4d1..cc5ee09 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -3226,6 +3226,20 @@ ProcChangeAccessControl(ClientPtr client) return ChangeAccessControl(client, stuff-mode == EnableAccess); } +/** + * Prevents a client from killing itself immediately. + */ +static void CloseDownClientByClient(ClientPtr client, ClientPtr killclient) +{ +if (client == killclient) +{ +MarkClientException(client); +isItTimeToYield = TRUE; +} +else +CloseDownClient(killclient); +} + /* * CloseDownRetainedResources * @@ -3263,21 +3277,9 @@ ProcKillClient(ClientPtr client) } rc = dixLookupClient(killclient, stuff-id, client, DixDestroyAccess); -if (rc == Success) { - CloseDownClient(killclient); - /* if an LBX proxy gets killed, isItTimeToYield will be set */ - if (isItTimeToYield || (client == killclient)) - { - /* force yield and return Success, so that Dispatch() - * doesn't try to touch client - */ - isItTimeToYield = TRUE; - return Success; - } - return Success; -} -else - return rc; +if (rc == Success) + CloseDownClientByClient(client, killclient); +return rc; } int -- 1.7.1 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel