Skip to content

Fix NULL ptr deref in ipc_describe_workspace #8868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix NULL ptr deref in ipc_describe_workspace #8868

wants to merge 1 commit into from
+3 −2

Conversation

@TheBlueMatt
Copy link

@TheBlueMatt TheBlueMatt commented Sep 11, 2025

When hot-plugging monitor(s) ipc_json_describe_workspace can end up dereferencing a NULL ptr in wlr_output->name. Here we simply check that it is set.

While this is probably a race and just checking that it is not NULL before accessing it won't fully solve the race, it should make it substantially more rare.

Mostly addresses #8747

@TheBlueMatt
Fix NULL ptr deref in ipc_describe_workspace
6f5587b 
When hot-plugging monitor(s) `ipc_json_describe_workspace` can end
up dereferencing a NULL ptr in `wlr_output->name`. Here we simply
check that it is set.

While this is probably a race and just checking that it is not NULL
before accessing it won't fully solve the race, it should make it
substantially more rare.

Mostly addresses swaywm#8747
@emersion
Copy link
Member

emersion commented Sep 15, 2025

I would prefer to find the root cause of this NULL pointer instead of adding a workaround.

@TheBlueMatt
Copy link
Author

TheBlueMatt commented Sep 15, 2025

Sure, don't disagree, but absent someone having time to dig into it probably worth at least making sway stable.

@TheBlueMatt
Copy link
Author

TheBlueMatt commented Nov 3, 2025

Any update here?

@emersion
Copy link
Member

emersion commented Nov 3, 2025

Would still prefer to find the root cause rather than merge this.

@TheBlueMatt
Copy link
Author

TheBlueMatt commented Nov 3, 2025

If no one has time to dig into the root cause it still might presumably be preferrable to merge this so that at least sway is stable on impacted devices. A broken sway seems worse than a workaround for a bug.

@emersion
Copy link
Member

emersion commented Nov 3, 2025

If a workaround is merged, it removes any incentive to find the root cause.

@TheBlueMatt
Copy link
Author

TheBlueMatt commented Nov 3, 2025

If impacted users migrate off of sway, it also removes any incentive to fix the issue :p

@kennylevinsen
Copy link
Member

kennylevinsen commented Nov 3, 2025

If impacted users migrate off of sway, it also removes any incentive to fix the issue :p

The fact remains that adding a NULL check for a field that can never be NULL isn't a fix. The value should be set by the backend at the very start, and when destroyed it is simply free'd, not NULL'd.

It could possibly be a use-after-free/dangling pointer of sway_output or wlr_output, rather than being related to the name field itself. Reproducing the issue with address sanitizer enabled might help pinpoint things. That is done by specifying -Db_sanitize=address to meson, and will cause a report to be logged to stderr when a memory snafu is detected, and might give a clue as to what's happening.

(I don't have a reproduction of this issue myself.)

@njdom24

This comment was marked as off-topic.

Sign in to view
@emersion
Copy link
Member

emersion commented Nov 11, 2025
edited
Loading

@njdom24, that sounds like a different issue. My guess would be that con->pending.workspace is NULL.

@deep4lpha

This comment was marked as duplicate.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@TheBlueMatt @emersion @kennylevinsen @njdom24 @deep4lpha