From d134745c4f1717d3ab6c2dc28f55e5c75b983950 Mon Sep 17 00:00:00 2001 From: Orestis Floros Date: Sat, 9 Dec 2017 22:17:48 +0200 Subject: [PATCH] Prevent access of freed workspace in _workspace_show The bug triggers when _workspace_show calls tree_close_internal and old == old_focus. Ie, when the old workspace was empty and needs to be closed but then is accessed as output_push_sticky_windows's argument: Breakpoint 1, output_push_sticky_windows (to_focus=0x55555589c8a0) at ../../i3/src/output.c:102 102 con_move_to_workspace(current, visible_ws, true, false, current != to_focus->parent); (gdb) print con_exists(to_focus) $1 = false The access violation can also be prevented by checking if con_exists(old_focus) but it shouldn't be necessary: the old_focus container can only be killed when it is an empty workspace. With --enable-sanitizers this causes i3 to exit but with --disable-sanitizers the access violation doesn't reliably cause a crash and the con_move_to_workspace call continues with: (gdb) print current != to_focus->parent $2 = 1 Since current->type is CT_FLOATING_CON and to_focus->type is CT_WORKSPACE, in this specific case ignore_focus would always be true. So, in this case, passing NULL instead of old_focus to output_push_sticky_windows doesn't change the behaviour of i3. Fixes #3075.
---
src/output.c | 3 +-
src/workspace.c | 5 ++++
testcases/t/293-sticky-output-crash.t | 41 +++++++++++++++++++++++++++
3 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 testcases/t/293-sticky-output-crash.t
diff --git a/src/output.c b/src/output.c
index e7690384..c76dfd03 100644
--- a/src/output.c
+++ b/src/output.c
@@ -99,7 +99,8 @@ void output_push_sticky_windows(Con *to_focus) {
 continue;
 
 if (con_is_sticky(current)) {
- con_move_to_workspace(current, visible_ws, true, false, current != to_focus->parent);
+ bool ignore_focus = (to_focus == NULL) || (current != to_focus->parent);
+ con_move_to_workspace(current, visible_ws, true, false, ignore_focus);
 }
 }
 }
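Review bot: The new `bool ignore_focus = (to_focus == NULL) || ...` line makes NULL a legal argument, but nothing in the hunk says what NULL means, and the function's header comment and its prototype (both outside the hunk) still present `to_focus` as the container that is about to receive focus. I would put `/* to_focus == NULL: the previous focus was freed (empty workspace closed), so a moved sticky window must never take focus. */` above that line and extend the comment at the declaration with the same sentence, so the NULL path is not later "fixed" into a focus change. The commit description argues the NULL case already matched the old outcome, because a freed CT_WORKSPACE can never equal `current->parent` for a CT_FLOATING_CON; stating that reasoning next to the check is more durable than leaving it only in git history. output_push_sticky_windows's loop starts and ends outside the hunk.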
diff --git a/src/workspace.c b/src/workspace.c
index 4b350b82..15313357 100644
--- a/src/workspace.c
+++ b/src/workspace.c
@@ -459,6 +459,11 @@ static void _workspace_show(Con *workspace) {
 y(free);
+ /* Avoid calling output_push_sticky_windows later with a freed container. */
+ if (old == old_focus) {
+ old_focus = NULL;
+ }
+
 ewmh_update_number_of_desktops();
 ewmh_update_desktop_names();
 ewmh_update_desktop_viewport();
diff --git a/testcases/t/293-sticky-output-crash.t b/testcases/t/293-sticky-output-crash.t
new file mode 100644
index 00000000..93ebaee9
--- /dev/null
+++ b/testcases/t/293-sticky-output-crash.t
@@ -0,0 +1,41 @@
+#!perl
+# vim:ts=4:sw=4:expandtab
+#
+# Please read the following documents before working on tests:
+# • https://build.i3wm.org/docs/testsuite.html
+# (or docs/testsuite)
+#
+# • https://build.i3wm.org/docs/lib-i3test.html
+# (alternatively: perldoc ./testcases/lib/i3test.pm)
+#
+# • https://build.i3wm.org/docs/ipc.html
+# (or docs/ipc)
+#
+# • http://onyxneon.com/books/modern_perl/modern_perl_a4.pdf
+# (unless you are already familiar with Perl)
+#
+# Verifies that i3 does not crash when opening a floating sticky on one output
+# and then switching empty workspaces on the other output.
+# Ticket: #3075
+# Bug still in: 4.14-191-g9d2d602d
+use i3test i3_config => < 0);
+open_window;
+cmd 'sticky enable, floating enable';
+
+# Switch to the right output and open a new workspace.
+my $ws = fresh_workspace(output => 1);
+does_i3_live;
+
+# Verify results.
+is(@{get_ws($ws)->{floating_nodes}}, 0, 'workspace in right output is empty');
+$ws = fresh_workspace(output => 0);
+is(@{get_ws($ws)->{floating_nodes}}, 1, 'new workspace in left output has the sticky container');
+
+done_testing;
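Review bot: The added `if (old == old_focus)` runs after `old` has already been freed — the description says tree_close_internal frees it before the `y(free)` context line — so the fix compares a pointer whose value is indeterminate once its object's lifetime has ended (C11 6.2.4p2); it works in practice only because the dangling value happens to be preserved. Doing the same check before the call that frees `old`, i.e. `if (old == old_focus) old_focus = NULL;` placed ahead of `tree_close_internal(old, ...)`, keeps the intent and removes the comparison against freed memory. I would also have the comment say why NULL is safe downstream: `/* output_push_sticky_windows treats a NULL to_focus as "never focus a moved sticky window". */`. _workspace_show starts and ends outside the hunk, and the tree_close_internal call itself is not visible in it, so the exact placement has to be confirmed in the full function.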