kitchen/kiwmi
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix use-after-free in the lua object management

Browse source 
Wlroots does not call `wl_list_remove(&destroy.listener_list)` after the
destroy signal fires. It is the responsibility of the subscriber to
handle their own wl_listener being left with an invalid link.

This was an issue because it might happen that the kiwmi_object is not
destroyed immediately, but only later by a lua gc handler that finally
decrements the refcount to zero. We have to ensure that
`kiwmi_object_destroy` can succeed.

Here we first use `wl_list_remove` to unsubscribe from the signal, and
then `wl_list_init` to leave the link in a valid state for
`kiwmi_object_destroy`.
This commit is contained in:
György Kurucz 2023-03-30 20:44:49 +02:00
parent 17814972ab
commit d96b270829
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
kiwmi/luak/luak.c
View file

@ -87,6 +87,9 @@ kiwmi_object_destroy_notify(struct wl_listener *listener, void *data)
lua_settable(L, -3);
lua_pop(L, 1);
wl_list_remove(&obj->destroy.link);
wl_list_init(&obj->destroy.link);
obj->valid = false;
if (obj->refcount == 0) {