On Mon Mar 18 23:41:24 2024 +0000, Paul Gofman wrote:
I wonder if anything can really work after a client has deleted every object inside the root kernel directory? Is it achievable on Windows? Or may it legitimately happen in Wine for some reason? Maybe something is wrong elsewhere and some objects should not be removable even by privileged users? I.e., avoiding a use-after-free in a case when everything is already broken beyond recovery may be not wrong per se, but also not all that practical.
`root_directory` is a global pointer. Removing all references to it will free the directory object, and the pointer will become dangling.
The only way to achieve this is to delete every named object, which is, yes, not that practical.
Does this mean that we can introduce another global pointer that works in a similar manner? !3103 introduces a global pointer to a permanent shared mapping, and deleting it will lead to the same kind of bug: not only a use-after-free but also rendering win32u unusable.
I submitted this MR mainly so that I can learn how serious is serious about the "wineserver crash = bug" rule.
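The refcounting behaviour discussed in this reply, as an added example that is not part of the thread and not wineserver code: a minimal refcounted object with a global pointer, shown once as a bare alias that is left dangling when the last named object is deleted, and once holding a reference of its own so the object survives until the server itself releases it. All names here (`struct obj`, `grab_object`, `release_object`, `root_directory`) are hypothetical stand-ins chosen to read like the server's conventions.

```c
/* Added example, not wineserver code: names and layout are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct obj
{
    unsigned int refcount;
    char         name[32];
};

/* Global pointer to the root of the name space, like the one discussed above. */
static struct obj *root_directory;

/* Bookkeeping so the example can report a destroyed object without
 * dereferencing freed memory. */
static unsigned int objects_destroyed;

static struct obj *create_object( const char *name )
{
    struct obj *o = calloc( 1, sizeof(*o) );
    if (!o) abort();
    o->refcount = 1;                         /* the creator owns the first reference */
    strncpy( o->name, name, sizeof(o->name) - 1 );
    return o;
}

static struct obj *grab_object( struct obj *o )
{
    o->refcount++;
    return o;
}

/* Returns 1 if this was the last reference and the object was freed. */
static int release_object( struct obj *o )
{
    if (--o->refcount) return 0;
    objects_destroyed++;
    free( o );
    return 1;
}

/* Variant 1: the global is a plain alias with no reference of its own.
 * When the last owner releases the object, the global keeps the stale
 * address.  Returns 1 when that dangling state was reached. */
static int global_without_own_reference( void )
{
    struct obj *dir = create_object( "\\" );  /* refcount 1, held by "the client" */
    unsigned int before = objects_destroyed;
    int dangling;

    root_directory = dir;                     /* alias only; no grab_object() */
    release_object( dir );                    /* client deletes the last named object */

    /* The object is gone but the global was never cleared: any later
     * root_directory->... would be a use-after-free.  Only the pointer
     * value is inspected here; it is never dereferenced. */
    dangling = (objects_destroyed == before + 1) && root_directory != NULL;

    root_directory = NULL;                    /* reset so the next variant starts clean */
    return dangling;
}

/* Variant 2: the global owns a reference, making the object effectively
 * permanent.  Clients can drop every reference they hold and the object
 * survives until the server lets go of it during orderly teardown. */
static int global_with_own_reference( void )
{
    struct obj *dir = create_object( "\\" );
    unsigned int before = objects_destroyed;
    int survived;

    root_directory = grab_object( dir );      /* refcount 2: client + global */
    release_object( dir );                    /* client's reference goes away */

    survived = (objects_destroyed == before) && root_directory->refcount == 1;

    /* Teardown: release the global's reference and clear the pointer in one
     * place, so nothing is left pointing at freed memory. */
    release_object( root_directory );
    root_directory = NULL;
    return survived && objects_destroyed == before + 1;
}

int main( void )
{
    /* Both variants return 1: the first reproduces the dangling pointer,
     * the second shows the object outliving every client reference. */
    return (global_without_own_reference() && global_with_own_reference()) ? 0 : 1;
}
```

The difference between the two variants is the single `grab_object()` on the global: with it, "delete every named object" leaves the root alive with refcount 1 and the server is the only party that can free it.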