Fixes a regression with 672c3a561f5.
---
A few applications (Quicken, some Wine Mono tests) hit this server assertion after the 10.11 merge:
```
Assertion failed: (mutex->owner == thread), function abandon_mutexes, file mutex.c, line 244.
```
I'm not sure that this patch is correct, exactly. But the current situation is that `mutex_destroy` frees its mutex's sync object, but leaves it in its owning thread's list of `mutex_sync`s. So later, `abandon_mutexes` will enumerate it, which is a UAF. If the memory got stomped on in the meantime (or zeroed, as macOS' `free` does recently), it will hit the above assertion.
Arguably I suppose this could call `mutex_sync_destroy` instead of the direct `do_release`?
Also should this do a `release_object` on the `struct mutex *` itself?
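A minimal model of the lifetime bug the description walks through, as an added example that is not wineserver code: the structures and the names `mutex_sync`, `do_release` and `abandon_mutexes` are simplified stand-ins chosen to mirror the discussion, and the allocator is modelled by zeroing the block in place (the macOS `free` behaviour mentioned above) rather than returning it, so the later list walk stays defined behaviour in the demo. The "fixed" destroy releases on behalf of the sync's recorded owner, which is an assumption about the right thread to pass, not something the patch itself does.

```c
/* Added example (not wineserver code): model of a mutex sync object that is
 * freed while still linked in its owning thread's list. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list { struct list *next, *prev; };

static void list_init(struct list *l) { l->next = l->prev = l; }
static void list_add_tail(struct list *l, struct list *e)
{ e->next = l; e->prev = l->prev; l->prev->next = e; l->prev = e; }
static void list_remove(struct list *e)
{ e->prev->next = e->next; e->next->prev = e->prev; }

struct thread { struct list mutex_list; };   /* syncs this thread currently owns */

struct mutex_sync
{
    struct thread *owner;   /* NULL when unowned */
    unsigned int count;     /* recursion count, 0 when unowned */
    struct list entry;      /* link in owner->mutex_list while owned */
    int freed;              /* allocator model: set once the block is "freed" */
};

/* Allocator model: a free() that zeroes the block. The memory is not actually
 * returned, so a later walk over a dangling link is observable, not UB. */
static void model_free(struct mutex_sync *sync)
{
    memset(sync, 0, sizeof(*sync));
    sync->freed = 1;
}

/* Acquire (recursively) on behalf of a thread; link into its list on first grab. */
static void mutex_grab(struct mutex_sync *sync, struct thread *thread)
{
    if (!sync->owner) { sync->owner = thread; list_add_tail(&thread->mutex_list, &sync->entry); }
    sync->count++;
}

/* Release `count` levels; unlink from the owner's list when fully released. */
static void do_release(struct mutex_sync *sync, struct thread *thread, unsigned int count)
{
    if (sync->owner != thread || count > sync->count) return;   /* not ours to release */
    sync->count -= count;
    if (!sync->count) { list_remove(&sync->entry); sync->owner = NULL; }
}

/* The behaviour the description reports: free while still owned and linked. */
static void mutex_destroy_buggy(struct mutex_sync *sync) { model_free(sync); }

/* Fixed variant: fully release for the recorded owner, so the owner's list no
 * longer references the block, then free. (Passing sync->owner is an assumption.) */
static void mutex_destroy_fixed(struct mutex_sync *sync)
{
    if (sync->count) do_release(sync, sync->owner, sync->count);
    model_free(sync);
}

/* Thread exit: abandon everything still in the list. Returns 0 on a clean walk,
 * -1 where the real server would hit assert(mutex->owner == thread): the entry is
 * freed/zeroed memory, so owner no longer matches and the links are gone. */
static int abandon_mutexes(struct thread *thread)
{
    struct list *ptr = thread->mutex_list.next;
    while (ptr != &thread->mutex_list)
    {
        struct mutex_sync *sync = (struct mutex_sync *)((char *)ptr - offsetof(struct mutex_sync, entry));
        struct list *next = ptr->next;
        if (sync->freed || sync->owner != thread) return -1;   /* dangling entry: the UAF */
        list_remove(ptr);
        sync->owner = NULL;
        sync->count = 0;
        ptr = next;
    }
    return 0;
}

/* One thread grabs a mutex twice, the mutex is destroyed, then the thread exits. */
static int scenario(int fixed)
{
    struct thread t;
    struct mutex_sync sync = {0};
    list_init(&t.mutex_list);
    mutex_grab(&sync, &t);
    mutex_grab(&sync, &t);                       /* recursive acquire, count == 2 */
    if (fixed) mutex_destroy_fixed(&sync); else mutex_destroy_buggy(&sync);
    return abandon_mutexes(&t);
}

int main(void)
{
    printf("buggy destroy: abandon_mutexes -> %d (assertion path)\n", scenario(0));
    printf("fixed destroy: abandon_mutexes -> %d\n", scenario(1));
    return 0;
}
```

The buggy path shows why the crash only appears once the allocator zeroes or reuses the block: the owner's list still points at the old sync, and the first field compared on the walk is the owner, which is exactly what the assertion checks.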
From: Tim Clem tclem@codeweavers.com
Fixes a regression with 672c3a561f5.
---
 server/mutex.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/server/mutex.c b/server/mutex.c index 573fcda1083..f92ecb6610e 100644 --- a/server/mutex.c +++ b/server/mutex.c @@ -267,7 +267,11 @@ static void mutex_destroy( struct object *obj ) { struct mutex *mutex = (struct mutex *)obj; assert( obj->ops == &mutex_ops ); - if (mutex->sync) release_object( mutex->sync ); + if (mutex->sync) + { + if (mutex->sync->count) do_release( mutex->sync, current, mutex->sync->count ); + release_object( mutex->sync ); + } }
/* create a mutex */
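Review bot: `do_release( mutex->sync, current, mutex->sync->count )` names `current` as the releasing thread, but the description says the stale entry sits in the *owning* thread's list, and the thread closing the last handle need not be the owner; if `do_release` keys the unlink or an ownership check on the thread argument, the dangling entry survives in that case. Consider passing the sync's recorded owner instead of `current` (or routing through `mutex_sync_destroy`, as the description itself floats), and confirm `current` is non-NULL on every path that can reach `mutex_destroy`. The `if (mutex->sync->count)` guard is right as the "still owned" test, but a one-line comment saying it unlinks the sync from the owner's list before the free would make the intent of the extra release visible to the next reader.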