From a5c091e3026eb41d3a4daef3db95b47a3445aa11 Mon Sep 17 00:00:00 2001
From: Tobias Blass
Date: Wed, 13 Jun 2018 00:39:24 +0200
Subject: [PATCH 1/9] Perform (partial) server initialization before dropping privileges.
Some operations during backend creation (e.g. becoming DRM master) require CAP_SYS_ADMIN privileges. At this point, sway has dropped them already, though. This patch splits the privileged part of server_init into its own function and calls it before dropping its privileges. This fixes the bug with minimal security implications.
---
 include/sway/server.h | 2 ++
 sway/main.c | 5 +++++
 sway/server.c | 11 ++++++++---
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/include/sway/server.h b/include/sway/server.h
index 65d96e7a..963d4dc1 100644
--- a/include/sway/server.h
+++ b/include/sway/server.h
@@ -47,6 +47,8 @@ struct sway_server {
 struct sway_server server;
+/* Prepares an unprivileged server_init by performing all privileged operations in advance */
+bool server_privileged_prepare(struct sway_server *server);
 bool server_init(struct sway_server *server);
 void server_fini(struct sway_server *server);
 void server_run(struct sway_server *server);
diff --git a/sway/main.c b/sway/main.c
index a7e808ad..a325dc3a 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -359,6 +359,11 @@ int main(int argc, char **argv) {
 executable_sanity_check();
 bool suid = false;
+
+ if (!server_privileged_prepare(&server)) {
+ return 1;
+ }
+
 #ifdef __linux__
 if (getuid() != geteuid() || getgid() != getegid()) {
 // Retain capabilities after setuid()
diff --git a/sway/server.c b/sway/server.c
index 824b1d8e..4745ab6e 100644
--- a/sway/server.c
+++ b/sway/server.c
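Review bot: The new `server_privileged_prepare(&server)` call in main() runs backend autocreation (per the server.c hunk, `wlr_backend_autocreate(server->wl_display, NULL)`) while the process still holds its setuid privileges, and nothing at the call site says so, so a later reorder below the privilege drop would silently reintroduce the bug. I would add `// Must run before privileges are dropped below: backend creation (e.g. becoming DRM master) needs CAP_SYS_ADMIN.` above the call. It also means any environment-driven backend selection wlroots honours during autocreate is now evaluated with elevated privileges, which is worth stating in that comment if it applies. On failure the code returns 1 without tearing down the display prepare created; acceptable at startup, but worth a one-line remark. main() continues outside the hunk.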
@@ -25,9 +25,8 @@
 #include "sway/tree/layout.h"
-bool server_init(struct sway_server *server) {
- wlr_log(L_DEBUG, "Initializing Wayland server");
-
+bool server_privileged_prepare(struct sway_server *server) {
+ wlr_log(L_DEBUG, "Preparing Wayland server initialization");
 server->wl_display = wl_display_create();
 server->wl_event_loop = wl_display_get_event_loop(server->wl_display);
 server->backend = wlr_backend_autocreate(server->wl_display, NULL);
@@ -36,6 +35,12 @@ bool server_init(struct sway_server *server) {
 wlr_log(L_ERROR, "Unable to create backend");
 return false;
 }
+ return true;
+}
+
+bool server_init(struct sway_server *server) {
+ wlr_log(L_DEBUG, "Initializing Wayland server");
+
 struct wlr_renderer *renderer = wlr_backend_get_renderer(server->backend);
 assert(renderer);
From aa9f058e3e8c49be88cadbf506d0c089795968b3 Mon Sep 17 00:00:00 2001
From: Rostislav Pehlivanov
Date: Fri, 22 Jun 2018 13:44:16 +0100
Subject: [PATCH 2/9] Init the dmabuf exporting protocol in wlroots
Allows desktop capture via the dmabuf-capture wlroots example client.
---
 sway/server.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sway/server.c b/sway/server.c
index 824b1d8e..8af0bc5b 100644
--- a/sway/server.c
+++ b/sway/server.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -97,6 +98,7 @@ bool server_init(struct sway_server *server) {
 deco_manager, WLR_SERVER_DECORATION_MANAGER_MODE_SERVER);
 wlr_linux_dmabuf_create(server->wl_display, renderer);
+ wlr_export_dmabuf_manager_v1_create(server->wl_display);
 server->socket = wl_display_add_socket_auto(server->wl_display);
 if (!server->socket) {
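Review bot: `server_privileged_prepare` returns false when `wlr_backend_autocreate` fails but leaves the `wl_display` it just created alive, and `wl_display_create()` is not checked before `wl_display_get_event_loop` dereferences it; these lines are moved rather than new, but this is now the function main() bails out on, so the error path deserves to be complete. I would add `if (!server->wl_display) { return false; }` after the create and `wl_display_destroy(server->wl_display);` before the `return false` in the backend-failure branch. The header comment in server.h should also say the function must run before privileges are dropped and that server_init must follow it. The function's closing lines are in the second hunk.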
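Review bot: `wlr_export_dmabuf_manager_v1_create(server->wl_display)` registers a global that, going by the protocol name and the commit message, lets any connected client export output frames, and nothing here restricts which clients may bind it; that is a screen-capture capability handed to every client and should be stated at the call site, e.g. `// Desktop capture (export-dmabuf): every connected client can bind this; no access control is applied here.` The return value is ignored, consistent with the `wlr_linux_dmabuf_create` line above, but a failed create then silently disables capture rather than failing init. server_init continues outside the hunk.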
From: ael-code
Date: Fri, 22 Jun 2018 15:41:44 +0200
Subject: [PATCH 3/9] bugfix: avoid access after free if src is NULL due to a previous error we cannot use it in the command result string. Moreover if `src` points to `p.we_wordv[0]` we cannot use it after `wordfree(&p)` in the command result string. Bonus feature: If there was an error accessing the file, the string rapresentation of the error is now included in the command result string.
---
 sway/commands/output/background.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/sway/commands/output/background.c b/sway/commands/output/background.c
index 0c5c164f..82bccf68 100644
--- a/sway/commands/output/background.c
+++ b/sway/commands/output/background.c
@@ -3,6 +3,7 @@
 #include
 #include
 #include
+#include
 #include "sway/commands.h"
 #include "sway/config.h"
 #include "log.h"
@@ -71,21 +72,27 @@ struct cmd_results *output_cmd_background(int argc, char **argv) {
 if (conf) {
 char *conf_path = dirname(conf);
 src = malloc(strlen(conf_path) + strlen(src) + 2);
- if (src) {
- sprintf(src, "%s/%s", conf_path, p.we_wordv[0]);
- } else {
+ if (!src) {
+ free(conf);
+ wordfree(&p);
 wlr_log(L_ERROR,
- "Unable to allocate background source");
+ "Unable to allocate resource: Not enough memory");
+ return cmd_results_new(CMD_FAILURE, "output",
+ "Unable to allocate resources");
 }
+ sprintf(src, "%s/%s", conf_path, p.we_wordv[0]);
 free(conf);
 } else {
 wlr_log(L_ERROR, "Unable to allocate background source");
 }
 }
- if (!src || access(src, F_OK) == -1) {
+
+ if (access(src, F_OK) == -1) {
+ struct cmd_results *cmd_res = cmd_results_new(CMD_FAILURE, "output",
+ "Unable to access background file '%s': %s", src, strerror(errno));
+ free(src);
 wordfree(&p);
- return cmd_results_new(CMD_INVALID, "output",
- "Background file unreadable (%s).", src);
+ return cmd_res;
 }
 output->background = strdup(src);
From e9ad10c2d62146784d7c40015d5ea2a8b5b68865 Mon Sep 17 00:00:00 2001
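Review bot: The new `free(src)` in the `access()` failure branch double-frees whenever `src` still points at `p.we_wordv[0]`, which is the case when `config->reading` is false, when the path is absolute, or when the `strdup(config->current_config)` above failed and the `else` branch only logged; `wordfree(&p)` on the next line then frees the same buffer again. The success path in this file already guards with `if (src != p.we_wordv[0])` (visible among the lines patch 9 later removes), so mirror it here: `if (src != p.we_wordv[0]) { free(src); }`. The `sprintf` into the exactly sized buffer is correct as written, but `snprintf` with the computed length would survive later edits to the size expression. output_cmd_background starts and ends outside the hunk.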
From: Tony Crisci
Date: Sun, 24 Jun 2018 20:30:43 -0400
Subject: [PATCH 4/9] dont focus-follow-mouse when keyboard grab
---
 sway/input/cursor.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sway/input/cursor.c b/sway/input/cursor.c
index 37a87756..944e35aa 100644
--- a/sway/input/cursor.c
+++ b/sway/input/cursor.c
@@ -174,10 +174,13 @@ void cursor_send_pointer_motion(struct sway_cursor *cursor, uint32_t time_msec,
 seat_set_focus_warp(seat, c, false);
 }
 } else if (c->type == C_VIEW) {
- // Focus c if both of the following are true:
+ // Focus c if the following are true:
 // - cursor is over a new view, i.e. entered a new window; and
- // - the new view is visible, i.e. not hidden in a stack or tab.
- if (c != prev_c && view_is_visible(c->sway_view)) {
+ // - the new view is visible, i.e. not hidden in a stack or tab; and
+ // - the seat does not have a keyboard grab
+ if (!wlr_seat_keyboard_has_grab(cursor->seat->wlr_seat) &&
+ c != prev_c &&
+ view_is_visible(c->sway_view)) {
 seat_set_focus_warp(seat, c, false);
 } else {
 struct sway_container *next_focus =
From c9be0145576433e71f8b7732f7ff5ddee0d36076 Mon Sep 17 00:00:00 2001
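Review bot: The keyboard-grab check is applied only to the `C_VIEW` branch, while the branch just above it (the `seat_set_focus_warp(seat, c, false);` visible at the top of the hunk, before `} else if (c->type == C_VIEW)`) still warps focus unconditionally; if that branch handles other container types, focus-follows-mouse still fires under a grab there, which should be confirmed against the code above the hunk. Style-wise `seat` is already in scope in this function, so `!wlr_seat_keyboard_has_grab(seat->wlr_seat)` reads more directly than `cursor->seat->wlr_seat`, assuming they name the same seat. The `else` branch that runs when the grab is held also still computes `next_focus`, so it is worth checking that it does not move focus either. cursor_send_pointer_motion starts and ends outside the hunk.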
From: Dominique Martinet
Date: Tue, 26 Jun 2018 11:59:06 +0900
Subject: [PATCH 5/9] xdg_shell: make view floating if a parent has been set
Prompts e.g. authentication request from firefox-wayland ought to be floating. This is a bit coarse but just fixed size is not enough, here is what firefox does: [1285461.363] -> xdg_wm_base@18.get_xdg_surface(new id xdg_surface@68, wl_surface@71) [1285461.508] -> xdg_surface@68.get_toplevel(new id xdg_toplevel@67) [1285461.571] -> xdg_toplevel@67.set_parent(xdg_toplevel@37) [1285461.630] -> xdg_toplevel@67.set_title("Authentication Required") [1285461.736] -> xdg_toplevel@67.set_app_id("firefox") ... [1285476.549] xdg_toplevel@67.configure(0, 0, array) ... [1285502.080] -> xdg_toplevel@67.set_min_size(299, 187) [1285502.140] -> xdg_toplevel@67.set_max_size(1920, 32767) This can also be observed with e.g. the open window of gedit (gedit->open->other documents)
---
 sway/desktop/xdg_shell.c | 9 +++++----
 sway/desktop/xdg_shell_v6.c | 10 ++++++----
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/sway/desktop/xdg_shell.c b/sway/desktop/xdg_shell.c
index d2b8822c..8457c06b 100644
--- a/sway/desktop/xdg_shell.c
+++ b/sway/desktop/xdg_shell.c
@@ -120,11 +120,12 @@ static void set_fullscreen(struct sway_view *view, bool fullscreen) {
 }
 static bool wants_floating(struct sway_view *view) {
- struct wlr_xdg_toplevel_state *state =
- &view->wlr_xdg_surface->toplevel->current;
- return state->min_width != 0 && state->min_height != 0
+ struct wlr_xdg_toplevel *toplevel = view->wlr_xdg_surface->toplevel;
+ struct wlr_xdg_toplevel_state *state = &toplevel->current;
+ return (state->min_width != 0 && state->min_height != 0
 && state->min_width == state->max_width
- && state->min_height == state->max_height;
+ && state->min_height == state->max_height)
+ || toplevel->parent;
 }
 static void for_each_surface(struct sway_view *view,
diff --git a/sway/desktop/xdg_shell_v6.c b/sway/desktop/xdg_shell_v6.c
index 6ffe334a..eb1cef26 100644
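Review bot: `|| toplevel->parent` makes any toplevel whose client called `set_parent` float, which is a client-chosen heuristic rather than a property sway verifies, and the code gives no reason for it; add a comment above the return, e.g. `// A toplevel with a parent is a dialog (auth prompts, file choosers); float it even without a fixed size.` Style-wise a pointer is being used as a boolean inside a parenthesised size check; `|| toplevel->parent != NULL` makes the intent explicit. Whether a parent set after this function has run is honoured depends on when wants_floating is called, which is outside the hunk.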
--- a/sway/desktop/xdg_shell_v6.c
+++ b/sway/desktop/xdg_shell_v6.c
@@ -119,11 +119,13 @@ static void set_fullscreen(struct sway_view *view, bool fullscreen) {
 }
 static bool wants_floating(struct sway_view *view) {
- struct wlr_xdg_toplevel_v6_state *state =
- &view->wlr_xdg_surface_v6->toplevel->current;
- return state->min_width != 0 && state->min_height != 0
+ struct wlr_xdg_toplevel_v6 *toplevel =
+ view->wlr_xdg_surface_v6->toplevel;
+ struct wlr_xdg_toplevel_v6_state *state = &toplevel->current;
+ return (state->min_width != 0 && state->min_height != 0
 && state->min_width == state->max_width
- && state->min_height == state->max_height;
+ && state->min_height == state->max_height)
+ || toplevel->parent;
 }
 static void for_each_surface(struct sway_view *view,
From 08800c8ee22f2aad8c00117756c15169d6e543b1 Mon Sep 17 00:00:00 2001
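Review bot: The v6 copy of wants_floating now duplicates the stable xdg_shell heuristic and, like it, gives no reason for `|| toplevel->parent`; add the same explanatory comment here so the two copies stay in step, e.g. `// A toplevel with a parent is a dialog; float it even without a fixed size (keep in sync with xdg_shell.c).` `|| toplevel->parent != NULL` would also make the pointer-as-boolean explicit.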
From: Dominique Martinet Date: Tue, 26 Jun 2018 21:16:42 +0900 Subject: [PATCH 6/9] layer_shell: cleanup output link on output destroy Fixes this kind of use-after-free: ==1795==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000191ef0 at pc 0x00000048c388 bp 0x7ffe308f0410 sp 0x7ffe308f0400 WRITE of size 8 at 0x612000191ef0 thread T0 #0 0x48c387 in wl_list_remove ../common/list.c:157 #1 0x42196b in handle_destroy ../sway/desktop/layer_shell.c:275 #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f55cc22cf68 in layer_surface_destroy ../types/wlr_layer_shell.c:182 #4 0x7f55cc22d084 in layer_surface_resource_destroy ../types/wlr_layer_shell.c:196 #5 0x7f55cc4ca025 in destroy_resource src/wayland-server.c:688 #6 0x7f55cc4ca091 in wl_resource_destroy src/wayland-server.c:705 #7 0x7f55cc22c3a2 in resource_handle_destroy ../types/wlr_layer_shell.c:18 #8 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) #9 0x7f55c8ef09fe in ffi_call (/lib64/libffi.so.6+0x59fe) #10 0x7f55cc4cdf2c (/lib64/libwayland-server.so.0+0xbf2c) #11 0x7f55cc4ca3de in wl_client_connection_data src/wayland-server.c:420 #12 0x7f55cc4cbf01 in wl_event_loop_dispatch src/event-loop.c:641 #13 0x7f55cc4ca601 in wl_display_run src/wayland-server.c:1260 #14 0x40bb1e in server_run ../sway/server.c:141 #15 0x40ab2f in main ../sway/main.c:432 #16 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308 #17 0x408d29 in _start (/opt/wayland/bin/sway+0x408d29) 0x612000191ef0 is located 48 bytes inside of 312-byte region [0x612000191ec0,0x612000191ff8) freed by thread T0 here: #0 0x7f55ce3bb880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x42f1db in handle_destroy ../sway/desktop/output.c:1275 #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f55cc23b4c2 in wlr_output_destroy ../types/wlr_output.c:284 #4 0x7f55cc1ddc20 in xdg_toplevel_handle_close ../backend/wayland/output.c:235 #5 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) 
previously allocated by thread T0 here: #0 0x7f55ce3bbe50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x42f401 in handle_new_output ../sway/desktop/output.c:1308 #2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f55cc1d6cbf in new_output_reemit ../backend/multi/backend.c:113 #4 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 #5 0x7f55cc1deac7 in wlr_wl_output_create ../backend/wayland/output.c:327 #6 0x7f55cc1db353 in backend_start ../backend/wayland/backend.c:55 #7 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35 #8 0x7f55cc1d67a0 in multi_backend_start ../backend/multi/backend.c:24 #9 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35 #10 0x40ba8a in server_run ../sway/server.c:136 #11 0x40ab2f in main ../sway/main.c:432 #12 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308
---
 sway/desktop/layer_shell.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sway/desktop/layer_shell.c b/sway/desktop/layer_shell.c
index 3accdefb..94dc22e7 100644
--- a/sway/desktop/layer_shell.c
+++ b/sway/desktop/layer_shell.c
@@ -219,6 +219,8 @@ static void handle_output_destroy(struct wl_listener *listener, void *data) {
 struct sway_layer_surface *sway_layer = wl_container_of(listener, sway_layer, output_destroy);
 wl_list_remove(&sway_layer->output_destroy.link);
+ wl_list_remove(&sway_layer->link);
+ wl_list_init(&sway_layer->link);
 sway_layer->layer_surface->output = NULL;
 wlr_layer_surface_close(sway_layer->layer_surface);
 }
From 6856866a612c9f0708a42cbe6d9627173d9e3569 Mon Sep 17 00:00:00 2001
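Review bot: The `wl_list_remove` / `wl_list_init` pair on `sway_layer->link` only works because the later `handle_destroy` (layer_shell.c:275 in the ASan trace) removes `link` again and a self-linked node makes that second remove harmless, but nothing in the code says so; add `// Re-init so handle_destroy's wl_list_remove(&sway_layer->link) is a harmless no-op.` after the init. More importantly, this handler and sway_output's destroy handler both listen on the same wlr_output destroy signal, and the trace shows sway_output being freed first, so `wl_list_remove(&sway_layer->link)` still writes into the freed `layers` list whenever sway_output's listener runs first; the fix depends on listener order, which this hunk does not establish (patch 7 in this series appears to address that).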
From: Dominique Martinet
Date: Tue, 26 Jun 2018 21:19:38 +0900
Subject: [PATCH 7/9] layer_shell: order destroying before sway_output
Both sway_output and sway_layer_shell listen to wlr's output destroy event, but sway_layer_shell needs to access into sway_output's data strucure and needs to be destroyed first. Resolve this by making sway_layer_shell listen to a new event that happens at start of sway_output's destroy handler
---
 include/sway/output.h | 4 ++++
 sway/desktop/layer_shell.c | 7 +++----
 sway/desktop/output.c | 3 +++
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/sway/output.h b/include/sway/output.h
index 70f746dc..8180ce3d 100644
--- a/include/sway/output.h
+++ b/include/sway/output.h
@@ -32,6 +32,10 @@ struct sway_output {
 struct wl_list link;
 pid_t bg_pid;
+
+ struct {
+ struct wl_signal destroy;
+ } events;
 };
 void output_damage_whole(struct sway_output *output);
diff --git a/sway/desktop/layer_shell.c b/sway/desktop/layer_shell.c
index 94dc22e7..b57d1ee6 100644
--- a/sway/desktop/layer_shell.c
+++ b/sway/desktop/layer_shell.c
@@ -352,10 +352,6 @@ void handle_layer_shell_surface(struct wl_listener *listener, void *data) {
 wl_signal_add(&layer_surface->surface->events.commit, &sway_layer->surface_commit);
- sway_layer->output_destroy.notify = handle_output_destroy;
- wl_signal_add(&layer_surface->output->events.destroy,
- &sway_layer->output_destroy);
-
 sway_layer->destroy.notify = handle_destroy;
 wl_signal_add(&layer_surface->events.destroy, &sway_layer->destroy);
 sway_layer->map.notify = handle_map;
@@ -368,6 +364,9 @@ void handle_layer_shell_surface(struct wl_listener *listener, void *data) {
 layer_surface->data = sway_layer;
 struct sway_output *output = layer_surface->output->data;
+ sway_layer->output_destroy.notify = handle_output_destroy;
+ wl_signal_add(&output->events.destroy, &sway_layer->output_destroy);
+
 wl_list_insert(&output->layers[layer_surface->layer], &sway_layer->link);
 // Temporarily set the layer's current state to client_pending
diff --git a/sway/desktop/output.c b/sway/desktop/output.c
index d4115be8..f0f1603a 100644
--- a/sway/desktop/output.c
+++ b/sway/desktop/output.c
@@ -1199,6 +1199,8 @@ static void damage_handle_destroy(struct wl_listener *listener, void *data) {
 static void handle_destroy(struct wl_listener *listener, void *data) {
 struct sway_output *output = wl_container_of(listener, output, destroy);
+ wl_signal_emit(&output->events.destroy, output);
+
 if (output->swayc) {
 container_destroy(output->swayc);
 }
@@ -1277,6 +1279,7 @@ void output_enable(struct sway_output *output) {
 for (size_t i = 0; i < len; ++i) {
 wl_list_init(&output->layers[i]);
 }
+ wl_signal_init(&output->events.destroy);
 input_manager_configure_xcursor(input_manager);
From 4550cb2b3e7e6b4242cf2a3e126b6f47bc8f2182 Mon Sep 17 00:00:00 2001
From: ael-code
Date: Tue, 26 Jun 2018 12:53:47 +0200
Subject: [PATCH 8/9] fix memleak on background cmd error
- src must be free after join_args() - wordfree must bee used after wordexp
---
 sway/commands/output/background.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sway/commands/output/background.c b/sway/commands/output/background.c
index 82bccf68..4f422cec 100644
--- a/sway/commands/output/background.c
+++ b/sway/commands/output/background.c
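Review bot: `wl_signal_init(&output->events.destroy)` lives in output_enable, while the struct is calloc'd in handle_new_output (output.c:1308 in the ASan trace of patch 6) and `wl_signal_emit(&output->events.destroy, output)` now runs unconditionally at the top of handle_destroy; if an output can be destroyed before it was ever enabled, the emit walks a zeroed list head, and if output_enable can run twice the re-init detaches listeners already registered. Initialising next to the allocation, `wl_signal_init(&output->events.destroy);` right after the calloc in handle_new_output, removes the dependency on enable having run exactly once; whether either path is reachable is not visible here. A comment on the emit, `// Let layer surfaces detach from output->layers before the container is torn down.`, would also record why the order matters. Both functions start and end outside the hunk.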
@@ -62,8 +62,11 @@ struct cmd_results *output_cmd_background(int argc, char **argv) {
 wordexp_t p;
 char *src = join_args(argv, j);
 if (wordexp(src, &p, 0) != 0 || p.we_wordv[0] == NULL) {
- return cmd_results_new(CMD_INVALID, "output",
- "Invalid syntax (%s).", src);
+ struct cmd_results *cmd_res = cmd_results_new(CMD_INVALID, "output",
+ "Invalid syntax (%s)", src);
+ free(src);
+ wordfree(&p);
+ return cmd_res;
 }
 free(src);
 src = p.we_wordv[0];
From a4578815f1fa30a7ebb15ddb6601f1ab2f3a3fb6 Mon Sep 17 00:00:00 2001
From: ael-code
Date: Tue, 26 Jun 2018 12:57:22 +0200
Subject: [PATCH 9/9] cleanup output-background subcommand handling
- fixes a double-free error when access() failed. - refactor code to make memory managment (alloc/free) more straightforward - do not bring the temporary wordexp_t struct around - do not postpone errors handling
---
 sway/commands/output/background.c | 51 ++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/sway/commands/output/background.c b/sway/commands/output/background.c
index 4f422cec..55cbdff0 100644
--- a/sway/commands/output/background.c
+++ b/sway/commands/output/background.c
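Review bot: The new `wordfree(&p)` runs even when `wordexp()` itself failed, and POSIX only guarantees `p` is usable by wordfree after success or WRDE_NOSPACE; for other errors the contents are unspecified, so this is glibc-dependent rather than portable. Keep the return code and free conditionally: `int rc = wordexp(src, &p, 0);` / `if (rc != 0 || p.we_wordv[0] == NULL) {` / `if (rc == 0 || rc == WRDE_NOSPACE) { wordfree(&p); }`. Passing flags `0` also leaves command substitution enabled for this path; if the command can arrive over IPC rather than only from the config file, `WRDE_NOCMD` would be the safer default, which I cannot confirm from here. output_cmd_background starts and ends outside the hunk.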
@@ -69,42 +69,49 @@ struct cmd_results *output_cmd_background(int argc, char **argv) {
 return cmd_res;
 }
 free(src);
- src = p.we_wordv[0];
+ src = strdup(p.we_wordv[0]);
+ wordfree(&p);
+ if (!src) {
+ wlr_log(L_ERROR, "Failed to duplicate string");
+ return cmd_results_new(CMD_FAILURE, "output",
+ "Unable to allocate resource");
+ }
+
 if (config->reading && *src != '/') {
 // src file is inside configuration dir
 char *conf = strdup(config->current_config);
- if (conf) {
- char *conf_path = dirname(conf);
- src = malloc(strlen(conf_path) + strlen(src) + 2);
- if (!src) {
- free(conf);
- wordfree(&p);
- wlr_log(L_ERROR,
- "Unable to allocate resource: Not enough memory");
- return cmd_results_new(CMD_FAILURE, "output",
+ if(!conf) {
+ wlr_log(L_ERROR, "Failed to duplicate string");
+ return cmd_results_new(CMD_FAILURE, "output",
 "Unable to allocate resources");
- }
- sprintf(src, "%s/%s", conf_path, p.we_wordv[0]);
- free(conf);
- } else {
- wlr_log(L_ERROR, "Unable to allocate background source");
 }
+
+ char *conf_path = dirname(conf);
+ char *rel_path = src;
+ src = malloc(strlen(conf_path) + strlen(src) + 2);
+ if (!src) {
+ free(rel_path);
+ free(conf);
+ wlr_log(L_ERROR, "Unable to allocate memory");
+ return cmd_results_new(CMD_FAILURE, "output",
+ "Unable to allocate resources");
+ }
+
+ sprintf(src, "%s/%s", conf_path, rel_path);
+ free(rel_path);
+ free(conf);
 }
 if (access(src, F_OK) == -1) {
 struct cmd_results *cmd_res = cmd_results_new(CMD_FAILURE, "output",
 "Unable to access background file '%s': %s", src, strerror(errno));
 free(src);
- wordfree(&p);
 return cmd_res;
 }
- output->background = strdup(src);
+ output->background = src;
 output->background_option = strdup(mode);
- if (src != p.we_wordv[0]) {
- free(src);
- }
- wordfree(&p);
-
 argc -= j + 1;
 argv += j + 1;
 }
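Review bot: The `if(!conf)` branch leaks the freshly `strdup`'d `src`: it returns after `cmd_results_new` without freeing it, unlike the later `!src` branch which does free `rel_path`; add `free(src);` before that `return`, and write the condition as `if (!conf)` to match the surrounding style. `output->background = src;` now hands ownership of the buffer to the output, which is fine, but if `output->background` could already hold a previous value it is overwritten without a free here; that depends on code outside the hunk. The `sprintf` into the exactly sized buffer is correct, though `snprintf` with the computed length would keep it robust against later edits to the size expression. output_cmd_background continues past the end of the hunk.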