[Bug 48834] New: Rockstar Games Launcher CEF helper crashes (x11drv use-after-free for HWND_MESSAGE)

28 Mar 2020


      https://bugs.winehq.org/show_bug.cgi?id=48834
Bug ID: 48834
           Summary: Rockstar Games Launcher CEF helper crashes (x11drv
                    use-after-free for HWND_MESSAGE)
           Product: Wine
           Version: 5.4
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: winex11.drv
          Assignee: wine-bugs@winehq.org
          Reporter: bshanks@codeweavers.com
      Distribution: ---
Created attachment 66751
  --> https://bugs.winehq.org/attachment.cgi?id=66751
Valgrind output showing backtraces of UAF
The problem: When the Rockstar Games Launcher is launched, 3 of its helper
processes (SocialClubHelper.exe) crash in XDeleteContext().
SocialClubHelper.exe is part of CEF, and the code causing the crash is ANGLE's
D3D9
renderer.https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp
Here's what I've figured out:
* ANGLE creates an HWND_MESSAGE window.
https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L290
In X11DRV_create_win_data(), win_data is not created for the window (comment:
"don't create win data for HWND_MESSAGE windows")
* ANGLE uses the window as the focus window and device window when initializing
D3D9.
* The wined3d CS thread starts and calls wined3d_swapchain_gl_create_context(),
leading to x11drv create_gl_drawable(), then create_client_window().
create_client_window() creates win_data (comment is "explicitly create data for
HWND_MESSAGE windows since they can be used for OpenGL"), using the current
thread's (the CS thread's) Display pointer. I believe this is when the CS
thread calls XOpenDisplay().
* This works ok, until ANGLE shuts down. It first releases all the D3D9
objects:
https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L173
Releasing D3D9 triggers wined3d to stop the CS thread, which ends with calling
FreeLibraryAndExitThread(). This eventually calls X11DRV_ThreadDetach(), which
closes the CS thread's Display.
* ANGLE then calls DestroyWindow() on the device/focus window. This leads to
x11drv destroy_whole_window(), which calls XDeleteContext() using the Display
from the win_data. This was the CS thread's Display, which has since been
closed/freed, causing use-after-free and (in this case) a crash.
Commenting out the HWND_MESSAGE exception in X11DRV_create_win_data() does fix
the crash, but this is likely not the correct fix.
I've attached part of a Valgrind output showing the crash and backtraces, and
should be able to add an ANGLE sample exe later that reproduces the bug.
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

[Bug 48834] New: Rockstar Games Launcher CEF helper crashes (x11drv use-after-free for HWND_MESSAGE)