UAF in hyprland/workspaces

[voxxal]

Archlinux 6.19.6-arch1-3-g14, Using the niri window manager, but I don't believe it should be UAFing regardless of whether or not it is in a hyprland enviornment. Crashes when compiled for release but doesn't crash when debug compiled.

==72903==ERROR: AddressSanitizer: heap-use-after-free on address 0x7d9ff0c1d280 at pc 0x5555556930dc bp 0x7fffffffc0c0 sp 0x7fffffffc0b0
READ of size 8 at 0x7d9ff0c1d280 thread T0
    #0 0x5555556930db in operator() ../src/AModule.cpp:119
    #1 0x555555696561 in operator() /usr/include/sigc++-2.0/sigc++/adaptors/adaptor_trait.h:256
    #2 0x5555556961ea in call_it /usr/include/sigc++-2.0/sigc++/functors/slot.h:136
    #3 0x7ffff76e8205  (/usr/lib/libglibmm-2.4.so.1+0x59205) (BuildId: 331d7675efbe0ec4f0e822c2c456bac2ce1452f2)
    #4 0x7ffff64d6e40  (/usr/lib/libglib-2.0.so.0+0x60e40) (BuildId: 6ebf55121160517f15de71c1be3b28e1bbb62bd6)
    #5 0x7ffff64d4f4c  (/usr/lib/libglib-2.0.so.0+0x5ef4c) (BuildId: 6ebf55121160517f15de71c1be3b28e1bbb62bd6)
    #6 0x7ffff64d6606  (/usr/lib/libglib-2.0.so.0+0x60606) (BuildId: 6ebf55121160517f15de71c1be3b28e1bbb62bd6)
    #7 0x7ffff64d6814 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x60814) (BuildId: 6ebf55121160517f15de71c1be3b28e1bbb62bd6)
    #8 0x7ffff670af25 in g_application_run (/usr/lib/libgio-2.0.so.0+0xddf25) (BuildId: 6e4e3656e1fec3c03d98cb8a6dce04424c3d0dce)
    #9 0x55555580584e in waybar::Client::main(int, char**) ../src/client.cpp:312
    #10 0x5555557c7419 in main ../src/main.cpp:175
    #11 0x7ffff5b186c0  (/usr/lib/libc.so.6+0x276c0) (BuildId: 7a8d41a2df4fde040b4c6ac2832311ab645a1e41)
    #12 0x7ffff5b187f8 in __libc_start_main (/usr/lib/libc.so.6+0x277f8) (BuildId: 7a8d41a2df4fde040b4c6ac2832311ab645a1e41)
    #13 0x555555678f64 in _start (/tmp/Waybar/build/waybar+0x124f64) (BuildId: 30db561c7b9509b6b55ffd650e25e41a308551e7)

0x7d9ff0c1d280 is located 0 bytes inside of 1232-byte region [0x7d9ff0c1d280,0x7d9ff0c1d750)
freed by thread T0 here:
    #0 0x7ffff7922a2d in operator delete(void*, unsigned long) (/usr/lib/libasan.so.8+0x122a2d) (BuildId: 0b96d08695bbce2da9d4770c29ad2e72fb536f47)
    #1 0x55555567c67a in waybar::Factory::makeModule(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const ../src/factory.cpp:220
    #2 0x5555557df8f1 in waybar::Bar::getModules(waybar::Factory const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, waybar::Group*) ../src/bar.cpp:552
    #3 0x5555557e06fa in waybar::Bar::setupWidgets() ../src/bar.cpp:608
    #4 0x5555557da738 in waybar::Bar::Bar(waybar::waybar_output*, Json::Value const&) ../src/bar.cpp:309
    #5 0x55555581dfd6 in std::__detail::_MakeUniq<waybar::Bar>::__single_object std::make_unique<waybar::Bar, waybar::waybar_output*, Json::Value const&>(waybar::waybar_output*&&, Json::Value const&) (/tmp/Waybar/build/waybar+0x2c9fd6) (BuildId: 30db561c7b9509b6b55ffd650e25e41a308551e7)
    #6 0x555555800434 in waybar::Client::handleOutputDone(void*, zxdg_output_v1*) ../src/client.cpp:84
    #7 0x7ffff60b7ac5  (/usr/lib/libffi.so.8+0x7ac5) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)

previously allocated by thread T0 here:
    #0 0x7ffff79218cd in operator new(unsigned long) (/usr/lib/libasan.so.8+0x1218cd) (BuildId: 0b96d08695bbce2da9d4770c29ad2e72fb536f47)
    #1 0x55555567a60e in waybar::Factory::makeModule(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const ../src/factory.cpp:220
    #2 0x5555557df8f1 in waybar::Bar::getModules(waybar::Factory const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, waybar::Group*) ../src/bar.cpp:552
    #3 0x5555557e06fa in waybar::Bar::setupWidgets() ../src/bar.cpp:608
    #4 0x5555557da738 in waybar::Bar::Bar(waybar::waybar_output*, Json::Value const&) ../src/bar.cpp:309
    #5 0x55555581dfd6 in std::__detail::_MakeUniq<waybar::Bar>::__single_object std::make_unique<waybar::Bar, waybar::waybar_output*, Json::Value const&>(waybar::waybar_output*&&, Json::Value const&) (/tmp/Waybar/build/waybar+0x2c9fd6) (BuildId: 30db561c7b9509b6b55ffd650e25e41a308551e7)
    #6 0x555555800434 in waybar::Client::handleOutputDone(void*, zxdg_output_v1*) ../src/client.cpp:84
    #7 0x7ffff60b7ac5  (/usr/lib/libffi.so.8+0x7ac5) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/AModule.cpp:119 in operator()

[Mrpaoo]

I guess it is because in niri environment, some IPC establish would go fail, so constructor of Workspaces fail and it was deleted in place, Unlucky, in constructor of AMoudle where we call setCursor(Gdk::HAND2); and it register a cb

Glib::signal_timeout().connect_seconds(
        [this, c]() {
          setCursor(c);
          return false;
        },
        1);
  }

Because operator new construct the Workspaces and its parent obj fail, it throw an excption and at this time, the obj has been deleted but the cb it registered didnt disconnect.

I think we have to ban some hyprland modules if we are in niri environment and maybe separate the init phase from obj construct, only after an obj is ready can we really do sth.