xref: /third_party/glib/patch/backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch

From 1f86923766a3d1d319fe54ad24fcf6e2d75aca0d Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Wed, 22 Feb 2023 12:40:49 +0000
Subject: [PATCH 1/3] gdbusinterfaceskeleton: Remove an unnecessary helper
 struct member
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `GDBusInterfaceSkeleton` is already stored as the source object of
the `GTask` here, with a strong reference.

Storing it again in the task’s data struct is redundant, and makes it
look like the `GDBusInterfaceSkeleton` is being used without holding a
strong reference. (There’s not actually a bug there though: the strong
reference from the `GTask` outlives the data struct, so is sufficient.)

Remove the unnecessary helper struct member to clarify the code a bit.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2924
---
 gio/gdbusinterfaceskeleton.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
index 3f07d4d0b2..d28282fea3 100644
--- a/gio/gdbusinterfaceskeleton.c
+++ b/gio/gdbusinterfaceskeleton.c
@@ -461,7 +461,6 @@ dbus_interface_interface_init (GDBusInterfaceIface *iface)
 typedef struct
 {
   gint ref_count;  /* (atomic) */
-  GDBusInterfaceSkeleton       *interface;
   GDBusInterfaceMethodCallFunc  method_call_func;
   GDBusMethodInvocation        *invocation;
 } DispatchData;
@@ -502,16 +501,17 @@ dispatch_in_thread_func (GTask        *task,
                          GCancellable *cancellable)
 {
   DispatchData *data = task_data;
+  GDBusInterfaceSkeleton *interface = g_task_get_source_object (task);
   GDBusInterfaceSkeletonFlags flags;
   GDBusObject *object;
   gboolean authorized;
 
-  g_mutex_lock (&data->interface->priv->lock);
-  flags = data->interface->priv->flags;
-  object = data->interface->priv->object;
+  g_mutex_lock (&interface->priv->lock);
+  flags = interface->priv->flags;
+  object = interface->priv->object;
   if (object != NULL)
     g_object_ref (object);
-  g_mutex_unlock (&data->interface->priv->lock);
+  g_mutex_unlock (&interface->priv->lock);
 
   /* first check on the enclosing object (if any), then the interface */
   authorized = TRUE;
@@ -519,13 +519,13 @@ dispatch_in_thread_func (GTask        *task,
     {
       g_signal_emit_by_name (object,
                              "authorize-method",
-                             data->interface,
+                             interface,
                              data->invocation,
                              &authorized);
     }
   if (authorized)
     {
-      g_signal_emit (data->interface,
+      g_signal_emit (interface,
                      signals[G_AUTHORIZE_METHOD_SIGNAL],
                      0,
                      data->invocation,
@@ -627,7 +627,6 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton       *interface
       DispatchData *data;
 
       data = g_slice_new0 (DispatchData);
-      data->interface = interface;
       data->method_call_func = method_call_func;
       data->invocation = invocation;
       data->ref_count = 1;
-- 
GitLab


From d5710deb9d621bcf0cec0ff2db0708f361490752 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Wed, 22 Feb 2023 12:47:36 +0000
Subject: [PATCH 2/3] gdbusinterfaceskeleton: Fix a use-after-free of a
 GDBusMethodInvocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This `GDBusMethodInvocation` may be shared across threads, with no
guarantee on the strong ref in one thread outlasting any refs in other
threads — so it needs a ref in this helper struct.

This should fix a use-after-free where the `GDBusMethodInvocation` is
freed from `g_value_unset()` after `g_signal_emit()` returns in
`dispatch_in_thread_func()` in one thread; but then dereferenced again
in `g_source_destroy_internal()` from another thread.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2924
---
 gio/gdbusinterfaceskeleton.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
index d28282fea3..a2a79fe3d8 100644
--- a/gio/gdbusinterfaceskeleton.c
+++ b/gio/gdbusinterfaceskeleton.c
@@ -462,14 +462,17 @@ typedef struct
 {
   gint ref_count;  /* (atomic) */
   GDBusInterfaceMethodCallFunc  method_call_func;
-  GDBusMethodInvocation        *invocation;
+  GDBusMethodInvocation        *invocation;  /* (owned) */
 } DispatchData;
 
 static void
 dispatch_data_unref (DispatchData *data)
 {
   if (g_atomic_int_dec_and_test (&data->ref_count))
-    g_slice_free (DispatchData, data);
+    {
+      g_clear_object (&data->invocation);
+      g_slice_free (DispatchData, data);
+    }
 }
 
 static DispatchData *
@@ -628,7 +631,7 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton       *interface
 
       data = g_slice_new0 (DispatchData);
       data->method_call_func = method_call_func;
-      data->invocation = invocation;
+      data->invocation = g_object_ref (invocation);
       data->ref_count = 1;
 
       task = g_task_new (interface, NULL, NULL, NULL);
-- 
GitLab


From 7b101588e924f3783a0f5075f06b3e1d698be936 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Wed, 22 Feb 2023 12:50:10 +0000
Subject: [PATCH 3/3] gdbusconnection: Make GDBusMethodInvocation transfer a
 bit clearer

Add a missing steal call in `schedule_method_call()`. This introduces no
functional changes, but documents the ownership transfer more clearly.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2924
---
 gio/gdbusconnection.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index d938f71b99..da6b66f2ec 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -5043,7 +5043,7 @@ schedule_method_call (GDBusConnection            *connection,
   g_source_set_priority (idle_source, G_PRIORITY_DEFAULT);
   g_source_set_callback (idle_source,
                          call_in_idle_cb,
-                         invocation,
+                         g_steal_pointer (&invocation),
                          g_object_unref);
   g_source_set_static_name (idle_source, "[gio, " __FILE__ "] call_in_idle_cb");
   g_source_attach (idle_source, main_context);
-- 
GitLab