Projects
Factory:RISC-V:Base
glib2
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 5
View file
_service:tar_scm:glib2.spec
Changed
@@ -1,11 +1,13 @@ Name: glib2 Version: 2.74.4 -Release: 1 +Release: 2 Summary: The core library that forms the basis for projects such as GTK+ and GNOME License: LGPLv2+ URL: https://www.gtk.org Source0: https://download.gnome.org/sources/glib/2.74/glib-%{version}.tar.xz +patch6001: backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch + BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter BUildRequires: glibc-devel libattr-devel libselinux-devel meson BuildRequires: systemtap-sdt-devel pkgconfig(libelf) pkgconfig(libffi) @@ -201,6 +203,9 @@ %endif %changelog +* Tue Mar 14 2023 hanhuihui <hanhuihui5@huawei.com> - 2.74.4-2 +- fix a use-after-free of a GDBusMethodInvocation + * Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 2.74.4-1 - Update to 2.74.1
View file
_service:tar_scm:backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch
Added
@@ -0,0 +1,182 @@ +From 1f86923766a3d1d319fe54ad24fcf6e2d75aca0d Mon Sep 17 00:00:00 2001 +From: Philip Withnall <pwithnall@endlessos.org> +Date: Wed, 22 Feb 2023 12:40:49 +0000 +Subject: PATCH 1/3 gdbusinterfaceskeleton: Remove an unnecessary helper + struct member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `GDBusInterfaceSkeleton` is already stored as the source object of +the `GTask` here, with a strong reference. + +Storing it again in the task’s data struct is redundant, and makes it +look like the `GDBusInterfaceSkeleton` is being used without holding a +strong reference. (There’s not actually a bug there though: the strong +reference from the `GTask` outlives the data struct, so is sufficient.) + +Remove the unnecessary helper struct member to clarify the code a bit. + +Signed-off-by: Philip Withnall <pwithnall@endlessos.org> + +Helps: #2924 +--- + gio/gdbusinterfaceskeleton.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index 3f07d4d0b2..d28282fea3 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -461,7 +461,6 @@ dbus_interface_interface_init (GDBusInterfaceIface *iface) + typedef struct + { + gint ref_count; /* (atomic) */ +- GDBusInterfaceSkeleton *interface; + GDBusInterfaceMethodCallFunc method_call_func; + GDBusMethodInvocation *invocation; + } DispatchData; +@@ -502,16 +501,17 @@ dispatch_in_thread_func (GTask *task, + GCancellable *cancellable) + { + DispatchData *data = task_data; ++ GDBusInterfaceSkeleton *interface = g_task_get_source_object (task); + GDBusInterfaceSkeletonFlags flags; + GDBusObject *object; + gboolean authorized; + +- g_mutex_lock (&data->interface->priv->lock); +- flags = data->interface->priv->flags; +- object = data->interface->priv->object; ++ g_mutex_lock (&interface->priv->lock); ++ flags = interface->priv->flags; ++ object = interface->priv->object; + if (object != NULL) + g_object_ref (object); +- g_mutex_unlock (&data->interface->priv->lock); ++ g_mutex_unlock (&interface->priv->lock); + + /* first check on the enclosing object (if any), then the interface */ + authorized = TRUE; +@@ -519,13 +519,13 @@ dispatch_in_thread_func (GTask *task, + { + g_signal_emit_by_name (object, + "authorize-method", +- data->interface, ++ interface, + data->invocation, + &authorized); + } + if (authorized) + { +- g_signal_emit (data->interface, ++ g_signal_emit (interface, + signalsG_AUTHORIZE_METHOD_SIGNAL, + 0, + data->invocation, +@@ -627,7 +627,6 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton *interface + DispatchData *data; + + data = g_slice_new0 (DispatchData); +- data->interface = interface; + data->method_call_func = method_call_func; + data->invocation = invocation; + data->ref_count = 1; +-- +GitLab + + +From d5710deb9d621bcf0cec0ff2db0708f361490752 Mon Sep 17 00:00:00 2001 +From: Philip Withnall <pwithnall@endlessos.org> +Date: Wed, 22 Feb 2023 12:47:36 +0000 +Subject: PATCH 2/3 gdbusinterfaceskeleton: Fix a use-after-free of a + GDBusMethodInvocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This `GDBusMethodInvocation` may be shared across threads, with no +guarantee on the strong ref in one thread outlasting any refs in other +threads — so it needs a ref in this helper struct. + +This should fix a use-after-free where the `GDBusMethodInvocation` is +freed from `g_value_unset()` after `g_signal_emit()` returns in +`dispatch_in_thread_func()` in one thread; but then dereferenced again +in `g_source_destroy_internal()` from another thread. + +Signed-off-by: Philip Withnall <pwithnall@endlessos.org> + +Fixes: #2924 +--- + gio/gdbusinterfaceskeleton.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index d28282fea3..a2a79fe3d8 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -462,14 +462,17 @@ typedef struct + { + gint ref_count; /* (atomic) */ + GDBusInterfaceMethodCallFunc method_call_func; +- GDBusMethodInvocation *invocation; ++ GDBusMethodInvocation *invocation; /* (owned) */ + } DispatchData; + + static void + dispatch_data_unref (DispatchData *data) + { + if (g_atomic_int_dec_and_test (&data->ref_count)) +- g_slice_free (DispatchData, data); ++ { ++ g_clear_object (&data->invocation); ++ g_slice_free (DispatchData, data); ++ } + } + + static DispatchData * +@@ -628,7 +631,7 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton *interface + + data = g_slice_new0 (DispatchData); + data->method_call_func = method_call_func; +- data->invocation = invocation; ++ data->invocation = g_object_ref (invocation); + data->ref_count = 1; + + task = g_task_new (interface, NULL, NULL, NULL); +-- +GitLab + + +From 7b101588e924f3783a0f5075f06b3e1d698be936 Mon Sep 17 00:00:00 2001 +From: Philip Withnall <pwithnall@endlessos.org> +Date: Wed, 22 Feb 2023 12:50:10 +0000 +Subject: PATCH 3/3 gdbusconnection: Make GDBusMethodInvocation transfer a + bit clearer + +Add a missing steal call in `schedule_method_call()`. This introduces no +functional changes, but documents the ownership transfer more clearly. + +Signed-off-by: Philip Withnall <pwithnall@endlessos.org> + +Helps: #2924 +--- + gio/gdbusconnection.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c +index d938f71b99..da6b66f2ec 100644 +--- a/gio/gdbusconnection.c ++++ b/gio/gdbusconnection.c +@@ -5043,7 +5043,7 @@ schedule_method_call (GDBusConnection *connection, + g_source_set_priority (idle_source, G_PRIORITY_DEFAULT); + g_source_set_callback (idle_source, + call_in_idle_cb, +- invocation, ++ g_steal_pointer (&invocation), + g_object_unref); + g_source_set_static_name (idle_source, "gio, " __FILE__ " call_in_idle_cb"); + g_source_attach (idle_source, main_context); +-- +GitLab +
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2