
Fix use-after-free triggered by gnome-session-binary

Stefan Sperling requested to merge stsp/glib:use_after_free into master

ostream_flush_cb() was calling flush_data_list_complete() with a single element list with an item that had already been freed. This was observed on OpenBSD where memory is overwritten with 0xdf during free():

    error=0x0) at ../glib-2.58.3/gio/gdbusprivate.c:1156
    1156          g_mutex_lock (&f->mutex);
    (gdb) p /x *f
    $74 = {mutex = {p = 0xdfdfdfdfdfdfdfdf, i = {0xdfdfdfdf, 0xdfdfdfdf}},
      cond = { p = 0xdfdfdfdfdfdfdfdf, i = {0xdfdfdfdf, 0xdfdfdfdf}},
      number_to_wait_for = 0xdfdfdfdfdfdfdfdf, error = 0x0}

This happened because the thread freeing the element didn't properly wait for the asynchronous flush operation to finish. GNOME's developer docs say: "g_cond_wait() must always be used in a loop" (https://developer.gnome.org/glib/stable/glib-Threads.html#g-cond-wait).

Edited by Philip Withnall
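An added example, not code from this merge request or from GLib: the "wait in a loop" pattern the GNOME docs require, written with plain pthreads so it builds without GLib. The `FlushData` struct, its field names and the three simulated flushes are hypothetical, modelled on the fields visible in the gdb dump above; the waiter re-checks `number_to_wait_for` after every wake-up and only frees the structure once no flush is outstanding.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-in for the structure seen in the gdb dump:
 * a mutex, a condition variable and a count of outstanding flushes. */
typedef struct {
    pthread_mutex_t mutex;
    pthread_cond_t cond;
    unsigned number_to_wait_for;
} FlushData;

/* Called once per completed asynchronous flush by the flushing thread. */
static void flush_done(FlushData *f) {
    pthread_mutex_lock(&f->mutex);
    f->number_to_wait_for--;
    pthread_cond_signal(&f->cond);
    pthread_mutex_unlock(&f->mutex);
}

/* Correct pattern: keep waiting until the predicate really holds. A
 * condition wait may wake spuriously, and a signal sent before we block
 * is not remembered, so a single wait (or none) is not enough. */
static void wait_for_flushes(FlushData *f) {
    pthread_mutex_lock(&f->mutex);
    while (f->number_to_wait_for > 0)
        pthread_cond_wait(&f->cond, &f->mutex);
    pthread_mutex_unlock(&f->mutex);
}

/* Simulated flushing thread: completes three flushes. */
static void *flusher(void *arg) {
    FlushData *f = arg;
    for (int i = 0; i < 3; i++)
        flush_done(f);
    return NULL;
}

/* Starts three flushes, waits for all of them, then frees the data.
 * Returns the flushes still outstanding when free() ran (0 = safe). */
unsigned run_flush_and_free(void) {
    FlushData *f = malloc(sizeof *f);
    pthread_mutex_init(&f->mutex, NULL);
    pthread_cond_init(&f->cond, NULL);
    f->number_to_wait_for = 3;
    pthread_t t;
    pthread_create(&t, NULL, flusher, f);
    wait_for_flushes(f);      /* returns only when the count reaches 0 */
    pthread_join(t, NULL);
    unsigned left = f->number_to_wait_for;
    pthread_cond_destroy(&f->cond);
    pthread_mutex_destroy(&f->mutex);
    free(f);                  /* no flusher can still touch f here */
    return left;
}
```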
