[Stable-9.0.4 19/57] ui/win32: fix potential use-after-free with dbus sh

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Stable-9.0.4 19/57] ui/win32: fix potential use-after-free with dbus sh

From:	Michael Tokarev
Subject:	[Stable-9.0.4 19/57] ui/win32: fix potential use-after-free with dbus shared memory
Date:	Sat, 9 Nov 2024 15:07:21 +0300

From: Marc-André Lureau <marcandre.lureau@redhat.com>

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index d60b1b2973..b0b64c1dc5 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -239,16 +239,6 @@ static uint32_t calc_image_hostmem(pixman_format_code_t 
pformat,
     return height * stride;
 }
 
-#ifdef WIN32
-static void
-win32_pixman_image_destroy(pixman_image_t *image, void *data)
-{
-    HANDLE handle = data;
-
-    qemu_win32_map_free(pixman_image_get_data(image), handle, &error_warn);
-}
-#endif
-
 static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
                                           struct virtio_gpu_ctrl_command *cmd)
 {
@@ -309,7 +299,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
             bits, c2d.height ? res->hostmem / c2d.height : 0);
 #ifdef WIN32
         if (res->image) {
-            pixman_image_set_destroy_function(res->image, 
win32_pixman_image_destroy, res->handle);
+            pixman_image_set_destroy_function(res->image, 
qemu_pixman_win32_image_destroy, res->handle);
         }
 #endif
     }
@@ -1328,7 +1318,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, 
size_t size,
             return -EINVAL;
         }
 #ifdef WIN32
-        pixman_image_set_destroy_function(res->image, 
win32_pixman_image_destroy, res->handle);
+        pixman_image_set_destroy_function(res->image, 
qemu_pixman_win32_image_destroy, res->handle);
 #endif
 
         res->addrs = g_new(uint64_t, res->iov_cnt);
diff --git a/include/ui/qemu-pixman.h b/include/ui/qemu-pixman.h
index ef13a8210c..e3dd72b9e3 100644
--- a/include/ui/qemu-pixman.h
+++ b/include/ui/qemu-pixman.h
@@ -97,6 +97,8 @@ void qemu_pixman_glyph_render(pixman_image_t *glyph,
 
 void qemu_pixman_image_unref(pixman_image_t *image);
 
+void qemu_pixman_win32_image_destroy(pixman_image_t *image, void *data);
+
 G_DEFINE_AUTOPTR_CLEANUP_FUNC(pixman_image_t, qemu_pixman_image_unref)
 
 #endif /* QEMU_PIXMAN_H */
diff --git a/ui/console.c b/ui/console.c
index 43226c5c14..bd9ee67f8e 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -460,24 +460,6 @@ void qemu_displaysurface_win32_set_handle(DisplaySurface 
*surface,
     surface->handle = h;
     surface->handle_offset = offset;
 }
-
-static void
-win32_pixman_image_destroy(pixman_image_t *image, void *data)
-{
-    DisplaySurface *surface = data;
-
-    if (!surface->handle) {
-        return;
-    }
-
-    assert(surface->handle_offset == 0);
-
-    qemu_win32_map_free(
-        pixman_image_get_data(surface->image),
-        surface->handle,
-        &error_warn
-    );
-}
 #endif
 
 DisplaySurface *qemu_create_displaysurface(int width, int height)
@@ -503,6 +485,8 @@ DisplaySurface *qemu_create_displaysurface(int width, int 
height)
 
 #ifdef WIN32
     qemu_displaysurface_win32_set_handle(surface, handle, 0);
+    pixman_image_set_destroy_function(surface->image,
+                                      qemu_pixman_win32_image_destroy, handle);
 #endif
     return surface;
 }
@@ -518,10 +502,6 @@ DisplaySurface *qemu_create_displaysurface_from(int width, 
int height,
                                               width, height,
                                               (void *)data, linesize);
     assert(surface->image != NULL);
-#ifdef WIN32
-    pixman_image_set_destroy_function(surface->image,
-                                      win32_pixman_image_destroy, surface);
-#endif
 
     return surface;
 }
diff --git a/ui/qemu-pixman.c b/ui/qemu-pixman.c
index 5ca55dd199..de6c88151c 100644
--- a/ui/qemu-pixman.c
+++ b/ui/qemu-pixman.c
@@ -4,6 +4,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qapi/error.h"
 #include "ui/console.h"
 #include "standard-headers/drm/drm_fourcc.h"
 #include "trace.h"
@@ -268,3 +269,17 @@ void qemu_pixman_glyph_render(pixman_image_t *glyph,
     pixman_image_unref(ibg);
 }
 #endif /* CONFIG_PIXMAN */
+
+#ifdef WIN32
+void
+qemu_pixman_win32_image_destroy(pixman_image_t *image, void *data)
+{
+    HANDLE handle = data;
+
+    qemu_win32_map_free(
+        pixman_image_get_data(image),
+        handle,
+        &error_warn
+    );
+}
+#endif
-- 
2.39.5

[Prev in Thread]

Current Thread

[Next in Thread]

[Stable-9.0.4 09/57] testing: bump mips64el cross to bookworm and fix package list, (continued)
- [Stable-9.0.4 09/57] testing: bump mips64el cross to bookworm and fix package list, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 10/57] vnc: fix crash when no console attached, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 11/57] linux-user/flatload: Take mmap_lock in load_flt_binary(), Michael Tokarev, 2024/11/09
- [Stable-9.0.4 13/57] tcg/ppc: Use TCG_REG_TMP2 for scratch tcg_out_qemu_st, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 12/57] linux-user: Fix parse_elf_properties GNU0_MAGIC check, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 15/57] target/m68k: Always return a temporary from gen_lea_mode, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 14/57] tcg/ppc: Use TCG_REG_TMP2 for scratch index in prepare_host_addr, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 16/57] hw/intc/arm_gicv3_cpuif: Add cast to match the documentation, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 17/57] hw/audio/hda: free timer on exit, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 18/57] ui/dbus: fix leak on message filtering, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 19/57] ui/win32: fix potential use-after-free with dbus shared memory, Michael Tokarev <=
- [Stable-9.0.4 20/57] ui/dbus: fix filtering all update messages, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 21/57] tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 23/57] tests: Wait for migration completion on destination QEMU to avoid failures, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 24/57] Revert "hw/sh4/r2d: Realize IDE controller before accessing it", Michael Tokarev, 2024/11/09
- [Stable-9.0.4 25/57] tests/qemu-iotests/211.out: Update to expect MapEntry 'compressed' field, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 22/57] KVM: Dynamic sized kvm memslots array, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 27/57] tcg: Reset data_gen_ptr correctly, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 26/57] raw-format: Fix error message for invalid offset/size, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 28/57] target/i386: Walk NPT in guest real mode, Michael Tokarev, 2024/11/09
- [Stable-9.0.4 30/57] linux-user: Emulate /proc/self/maps under mmap_lock, Michael Tokarev, 2024/11/09

Prev by Date: [Stable-9.0.4 18/57] ui/dbus: fix leak on message filtering
Next by Date: [Stable-9.0.4 20/57] ui/dbus: fix filtering all update messages
Previous by thread: [Stable-9.0.4 18/57] ui/dbus: fix leak on message filtering
Next by thread: [Stable-9.0.4 20/57] ui/dbus: fix filtering all update messages
Index(es):
- Date
- Thread