diff --git a/backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch b/backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch new file mode 100644 index 0000000000000000000000000000000000000000..666153caefedb3cadf414e1913610789edc0f708 --- /dev/null +++ b/backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch @@ -0,0 +1,182 @@ +From 1f86923766a3d1d319fe54ad24fcf6e2d75aca0d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 22 Feb 2023 12:40:49 +0000 +Subject: [PATCH 1/3] gdbusinterfaceskeleton: Remove an unnecessary helper + struct member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `GDBusInterfaceSkeleton` is already stored as the source object of +the `GTask` here, with a strong reference. + +Storing it again in the task’s data struct is redundant, and makes it +look like the `GDBusInterfaceSkeleton` is being used without holding a +strong reference. (There’s not actually a bug there though: the strong +reference from the `GTask` outlives the data struct, so is sufficient.) + +Remove the unnecessary helper struct member to clarify the code a bit. + +Signed-off-by: Philip Withnall + +Helps: #2924 +--- + gio/gdbusinterfaceskeleton.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index 3f07d4d0b2..d28282fea3 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -461,7 +461,6 @@ dbus_interface_interface_init (GDBusInterfaceIface *iface) + typedef struct + { + gint ref_count; /* (atomic) */ +- GDBusInterfaceSkeleton *interface; + GDBusInterfaceMethodCallFunc method_call_func; + GDBusMethodInvocation *invocation; + } DispatchData; +@@ -502,16 +501,17 @@ dispatch_in_thread_func (GTask *task, + GCancellable *cancellable) + { + DispatchData *data = task_data; ++ GDBusInterfaceSkeleton *interface = g_task_get_source_object (task); + GDBusInterfaceSkeletonFlags flags; + GDBusObject *object; + gboolean authorized; + +- g_mutex_lock (&data->interface->priv->lock); +- flags = data->interface->priv->flags; +- object = data->interface->priv->object; ++ g_mutex_lock (&interface->priv->lock); ++ flags = interface->priv->flags; ++ object = interface->priv->object; + if (object != NULL) + g_object_ref (object); +- g_mutex_unlock (&data->interface->priv->lock); ++ g_mutex_unlock (&interface->priv->lock); + + /* first check on the enclosing object (if any), then the interface */ + authorized = TRUE; +@@ -519,13 +519,13 @@ dispatch_in_thread_func (GTask *task, + { + g_signal_emit_by_name (object, + "authorize-method", +- data->interface, ++ interface, + data->invocation, + &authorized); + } + if (authorized) + { +- g_signal_emit (data->interface, ++ g_signal_emit (interface, + signals[G_AUTHORIZE_METHOD_SIGNAL], + 0, + data->invocation, +@@ -627,7 +627,6 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton *interface + DispatchData *data; + + data = g_slice_new0 (DispatchData); +- data->interface = interface; + data->method_call_func = method_call_func; + data->invocation = invocation; + data->ref_count = 1; +-- +GitLab + + +From d5710deb9d621bcf0cec0ff2db0708f361490752 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 22 Feb 2023 12:47:36 +0000 +Subject: [PATCH 2/3] gdbusinterfaceskeleton: Fix a use-after-free of a + GDBusMethodInvocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This `GDBusMethodInvocation` may be shared across threads, with no +guarantee on the strong ref in one thread outlasting any refs in other +threads — so it needs a ref in this helper struct. + +This should fix a use-after-free where the `GDBusMethodInvocation` is +freed from `g_value_unset()` after `g_signal_emit()` returns in +`dispatch_in_thread_func()` in one thread; but then dereferenced again +in `g_source_destroy_internal()` from another thread. + +Signed-off-by: Philip Withnall + +Fixes: #2924 +--- + gio/gdbusinterfaceskeleton.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index d28282fea3..a2a79fe3d8 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -462,14 +462,17 @@ typedef struct + { + gint ref_count; /* (atomic) */ + GDBusInterfaceMethodCallFunc method_call_func; +- GDBusMethodInvocation *invocation; ++ GDBusMethodInvocation *invocation; /* (owned) */ + } DispatchData; + + static void + dispatch_data_unref (DispatchData *data) + { + if (g_atomic_int_dec_and_test (&data->ref_count)) +- g_slice_free (DispatchData, data); ++ { ++ g_clear_object (&data->invocation); ++ g_slice_free (DispatchData, data); ++ } + } + + static DispatchData * +@@ -628,7 +631,7 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton *interface + + data = g_slice_new0 (DispatchData); + data->method_call_func = method_call_func; +- data->invocation = invocation; ++ data->invocation = g_object_ref (invocation); + data->ref_count = 1; + + task = g_task_new (interface, NULL, NULL, NULL); +-- +GitLab + + +From 7b101588e924f3783a0f5075f06b3e1d698be936 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 22 Feb 2023 12:50:10 +0000 +Subject: [PATCH 3/3] gdbusconnection: Make GDBusMethodInvocation transfer a + bit clearer + +Add a missing steal call in `schedule_method_call()`. This introduces no +functional changes, but documents the ownership transfer more clearly. + +Signed-off-by: Philip Withnall + +Helps: #2924 +--- + gio/gdbusconnection.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c +index d938f71b99..da6b66f2ec 100644 +--- a/gio/gdbusconnection.c ++++ b/gio/gdbusconnection.c +@@ -5043,7 +5043,7 @@ schedule_method_call (GDBusConnection *connection, + g_source_set_priority (idle_source, G_PRIORITY_DEFAULT); + g_source_set_callback (idle_source, + call_in_idle_cb, +- invocation, ++ g_steal_pointer (&invocation), + g_object_unref); + g_source_set_static_name (idle_source, "[gio, " __FILE__ "] call_in_idle_cb"); + g_source_attach (idle_source, main_context); +-- +GitLab + diff --git a/glib2.spec b/glib2.spec index 8872a558b4597d0ebe70640894f302787b4a3653..7d82da98bbb1b7e160c428d258201e72c81bd715 100644 --- a/glib2.spec +++ b/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.72.2 -Release: 8 +Release: 9 Summary: The core library that forms the basis for projects such as GTK+ and GNOME License: LGPLv2+ URL: http://www.gtk.org @@ -59,6 +59,7 @@ Patch6049: backport-gregex-Drop-explanation-G_REGEX_JAVASCRIPT_COMPAT.patch Patch6050: backport-gregex-Remove-an-unreachable-return-statement.patch Patch6051: backport-gmessages-Add-missing-trailing-newline-in-fallback-log-hander.patch Patch6052: backport-Revert-Handling-collision-between-standard-i-o-filedescriptors-and-newly-created-ones.patch +patch6053: backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter BUildRequires: glibc-devel libattr-devel libselinux-devel meson @@ -254,6 +255,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %endif %changelog +* Tue Mar 14 2023 hanhuihui - 2.72.2-9 +- fix a use-after-free of GDBusMethodInvocation + * Thu Feb 16 2023 hanhuihui - 2.72.2-8 - backport some patches from community