[PATCH 0/1] MR3040: services: Fix use after free on error path in service_start (scan-build). - Wine-gitlab - list.winehq.org

newer
[PATCH 0/2] MR3045: winepulse:...

[PATCH 0/1] MR3040: services: Fix use after free on error path in service_start (scan-build).

older
[PATCH v3 0/9] MR209:...

Alex Henrie (＠alexhenrie)

12 Jun 2023 12 Jun '23

5:04 a.m.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/3040

Reply

Sign in to reply online Use email software

Show replies by date

Alex Henrie

12 Jun 12 Jun

5:04 a.m.

New subject: [PATCH 1/1] services: Fix use after free on error path in service_start (scan-build).

From: Alex Henrie <alexhenrie24(a)gmail.com> --- programs/services/services.c | 1 - 1 file changed, 1 deletion(-) diff --git a/programs/services/services.c b/programs/services/services.c index 2db74f99e0f..a77c17c58a9 100644 --- a/programs/services/services.c +++ b/programs/services/services.c @@ -1214,7 +1214,6 @@ DWORD service_start(struct service_entry *service, DWORD service_argc, LPCWSTR * service->status.dwCurrentState = SERVICE_STOPPED; service->process = NULL; if (!--process->use_count) process_terminate(process); - release_process(process); } service_unlock(service); } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/3040

Reply

Sign in to reply online Use email software

Piotr Caban (＠piotr)

12:02 p.m.

Piotr Caban (@piotr) commented about programs/services/services.c:

service->status.dwCurrentState = SERVICE_STOPPED; service->process = NULL; if (!--process->use_count) process_terminate(process); - release_process(process);

I don't see use after free error here. process_entry reference is stored in 2 places - in process variable and in service->process. Since The code is setting service->process to NULL it needs to decrease the reference counter. Later we're freeing process variable so another release_process call is needed. I guess the tool doesn't know that process == service->process. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/3040#note_35441

Reply

Sign in to reply online Use email software

Alex Henrie (＠alexhenrie)

6:55 p.m.

On Mon Jun 12 12:02:42 2023 +0000, Piotr Caban wrote:

I don't see use after free error here. process_entry reference is stored in 2 places - in process variable and in service->process. Since The code is setting service->process to NULL it needs to decrease the reference counter. Later we're freeing process variable so another release_process call is needed. I guess the tool doesn't know that process == service->process. scan-build thought that calling `release_process(process)` would free `process` before it is dereferenced in `ReleaseMutex(process->control_mutex)` a few lines later. But you're right, it's ref-counted, so there's no real problem here. Sorry for the noise.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/3040#note_35505

Reply

Sign in to reply online Use email software

Alex Henrie (＠alexhenrie)

6:55 p.m.

New subject: [PATCH 0/1] MR3040: services: Fix use after free on error path in service_start (scan-build). - closed

This merge request was closed by Alex Henrie. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/3040

Reply

Sign in to reply online Use email software

922

Age (days ago)

922

Last active (days ago)

Download

4 comments

3 participants

tags

participants (3)

Alex Henrie
Alex Henrie (＠alexhenrie)
Piotr Caban (＠piotr)