https://bugs.winehq.org/show_bug.cgi?id=48834

Bug ID: 48834
Summary: Rockstar Games Launcher CEF helper crashes (x11drv use-after-free for HWND_MESSAGE)
Product: Wine
Version: 5.4
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winex11.drv
Assignee: wine-bugs(a)winehq.org
Reporter: bshanks(a)codeweavers.com
Distribution: ---

Created attachment 66751
--> https://bugs.winehq.org/attachment.cgi?id=66751
Valgrind output showing backtraces of UAF

The problem: When the Rockstar Games Launcher is launched, 3 of its helper processes (SocialClubHelper.exe) crash in XDeleteContext(). SocialClubHelper.exe is part of CEF, and the code causing the crash is ANGLE's D3D9 renderer:
<https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp>

Here's what I've figured out:

* ANGLE creates an HWND_MESSAGE window.
  <https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L290>
  In X11DRV_create_win_data(), win_data is not created for the window (comment: "don't create win data for HWND_MESSAGE windows").

* ANGLE uses the window as the focus window and device window when initializing D3D9.

* The wined3d CS thread starts and calls wined3d_swapchain_gl_create_context(), leading to x11drv create_gl_drawable(), then create_client_window(). create_client_window() creates win_data (comment is "explicitly create data for HWND_MESSAGE windows since they can be used for OpenGL"), using the current thread's (the CS thread's) Display pointer. I believe this is when the CS thread calls XOpenDisplay().

* This works ok, until ANGLE shuts down. It first releases all the D3D9 objects:
  <https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L173>
  Releasing D3D9 triggers wined3d to stop the CS thread, which ends with calling FreeLibraryAndExitThread(). This eventually calls X11DRV_ThreadDetach(), which closes the CS thread's Display.

* ANGLE then calls DestroyWindow() on the device/focus window. This leads to x11drv destroy_whole_window(), which calls XDeleteContext() using the Display from the win_data. This was the CS thread's Display, which has since been closed/freed, causing use-after-free and (in this case) a crash.

Commenting out the HWND_MESSAGE exception in X11DRV_create_win_data() does fix the crash, but this is likely not the correct fix.

I've attached part of a Valgrind output showing the crash and backtraces, and should be able to add an ANGLE sample exe later that reproduces the bug.
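The lifetime hazard the report describes (a per-thread Display pointer cached in a shared win_data record, then closed when the thread that opened it detaches, and dereferenced later from another thread) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Wine, x11drv or ANGLE code. All names (fake_display, win_data, thread_display, run_scenario) are invented stand-ins, and the "connection" is a slot in a small static pool rather than real freed memory, so that the stale-handle case can be observed without undefined behaviour. With take_ref = 0 the record holds a bare pointer, as in the report, and is already closed by the time the main thread "destroys the window"; with take_ref = 1 the record holds its own reference, so the connection survives the thread's detach and is closed only when the record is destroyed.

```c
/* Added demo (not Wine code): per-thread Display cached across threads,
 * shown once without and once with a reference held by the record.
 * Every identifier here is a constructed stand-in for the x11drv concepts. */
#include <pthread.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for an X11 Display connection. A pool slot is used instead of
 * malloc/free so inspecting a "closed" handle is not undefined behaviour. */
struct fake_display {
    int in_use;    /* slot allocated (models the heap block being live)   */
    int open;      /* 1 while the connection is usable (before XCloseDisplay) */
    int refcount;  /* owners that still need the connection               */
};

#define POOL_SIZE 4
static struct fake_display pool[POOL_SIZE];

/* Stand-in for x11drv win_data: caches the Display used to create the window. */
struct win_data {
    struct fake_display *display;
};

static struct fake_display *display_open(void) {          /* like XOpenDisplay */
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1; pool[i].open = 1; pool[i].refcount = 1;
            return &pool[i];
        }
    }
    return NULL;
}

static void display_addref(struct fake_display *d) { d->refcount++; }

/* Drop one owner; close and free only when nobody references it any more. */
static void display_release(struct fake_display *d) {     /* like XCloseDisplay */
    if (--d->refcount == 0) { d->open = 0; d->in_use = 0; }
}

/* Per-thread Display, mirroring the thread-local Display in x11drv.
 * The TLS destructor plays the role of X11DRV_ThreadDetach. */
static pthread_key_t display_key;
static pthread_once_t key_once = PTHREAD_ONCE_INIT;
static void thread_detach(void *p) { display_release(p); }
static void make_key(void) { pthread_key_create(&display_key, thread_detach); }

static struct fake_display *thread_display(void) {
    pthread_once(&key_once, make_key);
    struct fake_display *d = pthread_getspecific(display_key);
    if (!d) { d = display_open(); pthread_setspecific(display_key, d); }
    return d;
}

struct scenario {
    int take_ref;          /* 1: win_data holds its own reference on the Display */
    struct win_data data;  /* filled in by the worker, used by the main thread  */
};

/* Worker plays the wined3d CS thread: create_client_window() stores this
 * thread's Display in win_data, then the thread exits and detaches. */
static void *cs_thread(void *arg) {
    struct scenario *s = arg;
    struct fake_display *d = thread_display();
    if (s->take_ref) display_addref(d);   /* the fix: the record becomes an owner */
    s->data.display = d;
    return NULL;                          /* TLS destructor releases the thread's ref */
}

/* Replay the sequence from the report and return 1 if the Display cached in
 * win_data is still open when the main thread reaches destroy_whole_window(). */
int run_scenario(int take_ref) {
    struct scenario s;
    memset(&s, 0, sizeof(s));
    s.take_ref = take_ref;
    pthread_t t;
    if (pthread_create(&t, NULL, cs_thread, &s) != 0) return -1;
    pthread_join(t, NULL);                /* CS thread gone, its detach has run */

    /* destroy_whole_window(): XDeleteContext() on the cached Display */
    int still_open = s.data.display->open;
    if (still_open) display_release(s.data.display);   /* record drops its ref */
    return still_open;
}
```

Refcounts here are plain integers because the two threads are ordered by pthread_join; a real fix would need atomic updates or the driver's existing locking, and whether Wine should reference-count the Display, avoid creating win_data on a thread that can outlive the window, or take another route is the question the report leaves open.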