https://bugs.winehq.org/show_bug.cgi?id=48834
Bug ID: 48834
Summary: Rockstar Games Launcher CEF helper crashes (x11drv use-after-free for HWND_MESSAGE)
Product: Wine
Version: 5.4
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winex11.drv
Assignee: wine-bugs@winehq.org
Reporter: bshanks@codeweavers.com
Distribution: ---

Created attachment 66751
  --> https://bugs.winehq.org/attachment.cgi?id=66751
Valgrind output showing backtraces of UAF
The problem: When the Rockstar Games Launcher is launched, 3 of its helper processes (SocialClubHelper.exe) crash in XDeleteContext().
SocialClubHelper.exe is part of CEF, and the code causing the crash is ANGLE's D3D9 renderer. https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp
Here's what I've figured out:
* ANGLE creates an HWND_MESSAGE window. https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L290 In X11DRV_create_win_data(), win_data is not created for the window (comment: "don't create win data for HWND_MESSAGE windows")
* ANGLE uses the window as the focus window and device window when initializing D3D9.
* The wined3d CS thread starts and calls wined3d_swapchain_gl_create_context(), leading to x11drv create_gl_drawable(), then create_client_window(). create_client_window() creates win_data (comment is "explicitly create data for HWND_MESSAGE windows since they can be used for OpenGL"), using the current thread's (the CS thread's) Display pointer. I believe this is when the CS thread calls XOpenDisplay().
* This works ok, until ANGLE shuts down. It first releases all the D3D9 objects: https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L173 Releasing D3D9 triggers wined3d to stop the CS thread, which ends with calling FreeLibraryAndExitThread(). This eventually calls X11DRV_ThreadDetach(), which closes the CS thread's Display.
* ANGLE then calls DestroyWindow() on the device/focus window. This leads to x11drv destroy_whole_window(), which calls XDeleteContext() using the Display from the win_data. This was the CS thread's Display, which has since been closed/freed, causing use-after-free and (in this case) a crash.
Commenting out the HWND_MESSAGE exception in X11DRV_create_win_data() does fix the crash, but this is likely not the correct fix.
I've attached part of a Valgrind output showing the crash and backtraces, and should be able to add an ANGLE sample exe later that reproduces the bug.
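The sequence above, as an added example that is not part of the original report or of Wine's code: a C model in which a worker thread caches its thread-local "Display" handle in shared window data, a TLS destructor closes that handle when the thread exits, and the thread that later destroys the window reads the stale pointer. display_t, win_data_t, thread_display, run_sequence and the two destroy variants are hypothetical names; the closed handle is flagged rather than freed so the ordering problem is reported as a return code instead of undefined behaviour.

```c
/* Constructed model of the lifetime hazard in the report (not Wine code): a
 * worker thread stores its per-thread "Display" into shared per-window data,
 * the worker exits (closing the Display), and another thread later uses the
 * stale handle.  display_t, win_data_t, thread_display() are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
typedef struct { int open; } display_t;             /* stands in for X11 Display */
typedef struct { display_t *display; } win_data_t;  /* shared, like x11drv win_data */
static pthread_key_t display_key;
static pthread_once_t key_once = PTHREAD_ONCE_INIT;
/* TLS destructor, run at thread exit like X11DRV_ThreadDetach closing the
 * Display.  Marks it closed rather than freeing it so the stale use is
 * observable instead of undefined behaviour. */
static void close_thread_display(void *p) { ((display_t *)p)->open = 0; }
static void make_key(void) { pthread_key_create(&display_key, close_thread_display); }
/* Lazily opens a Display for the calling thread (one XOpenDisplay per thread). */
static display_t *thread_display(void)
{
    pthread_once(&key_once, make_key);
    display_t *d = pthread_getspecific(display_key);
    if (!d) {
        d = calloc(1, sizeof *d);
        d->open = 1;
        pthread_setspecific(display_key, d);
    }
    return d;
}

/* Worker (the "CS thread") creates the GL client data, capturing its Display. */
static void *cs_thread(void *arg)
{
    ((win_data_t *)arg)->display = thread_display();
    return NULL;
}

/* Destroy via the handle cached at creation: -1 means it is already closed. */
static int destroy_with_cached(win_data_t *data) { return data->display->open ? 0 : -1; }
/* Destroy via the calling thread's own live Display, ignoring the cache. */
static int destroy_with_current(win_data_t *data) { (void)data; return thread_display()->open ? 0 : -1; }

/* Replays the report's sequence: create on the worker, worker exits, destroy
 * on the caller.  Returns 0 on success, -1 if a closed Display was used. */
static int run_sequence(int (*destroy)(win_data_t *))
{
    win_data_t data = { 0 };
    pthread_t t;
    pthread_create(&t, NULL, cs_thread, &data);
    pthread_join(t, NULL);   /* worker gone: its TLS destructor has run */
    return destroy(&data);
}
```

With a real XCloseDisplay() the cached variant is the Valgrind-visible use-after-free; here the same ordering surfaces as run_sequence(destroy_with_cached) returning -1 while destroy_with_current succeeds.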
Brendan Shanks bshanks@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://gamedownloads.rockstargames.com/public/installer/Rockstar-Games-Launcher.exe

--- Comment #1 from Brendan Shanks bshanks@codeweavers.com ---
I wasn't able to get an ANGLE sample exe to do these steps with the right timing to reproduce the crash, but this can be reproduced with the Rockstar Games Launcher.
Apply these two patches:
https://github.com/ValveSoftware/wine/commit/1c66feddfb10f5b24b55723e5cb4ca0...
https://github.com/ValveSoftware/wine/commit/4f0d4717545b9c74b3708b593587520...
And then install the launcher from https://gamedownloads.rockstargames.com/public/installer/Rockstar-Games-Laun...
The CEF helpers should crash before the launcher gets to the login screen.