[Bug 48834] New: Rockstar Games Launcher CEF helper crashes (x11drv use-after-free for HWND_MESSAGE)

WineHQ Bugzilla wine-bugs at winehq.org
Fri Mar 27 20:30:24 CDT 2020 

https://bugs.winehq.org/show_bug.cgi?id=48834

            Bug ID: 48834
           Summary: Rockstar Games Launcher CEF helper crashes (x11drv
                    use-after-free for HWND_MESSAGE)
           Product: Wine
           Version: 5.4
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: winex11.drv
          Assignee: wine-bugs at winehq.org
          Reporter: bshanks at codeweavers.com
      Distribution: ---

Created attachment 66751
  --> https://bugs.winehq.org/attachment.cgi?id=66751
Valgrind output showing backtraces of UAF

The problem: When the Rockstar Games Launcher is launched, 3 of its helper
processes (SocialClubHelper.exe) crash in XDeleteContext().

SocialClubHelper.exe is part of CEF, and the code causing the crash is ANGLE's
D3D9
renderer.<https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp>

Here's what I've figured out:

* ANGLE creates an HWND_MESSAGE window.
<https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L290>
In X11DRV_create_win_data(), win_data is not created for the window (comment:
"don't create win data for HWND_MESSAGE windows")

* ANGLE uses the window as the focus window and device window when initializing
D3D9.

* The wined3d CS thread starts and calls wined3d_swapchain_gl_create_context(),
leading to x11drv create_gl_drawable(), then create_client_window().
create_client_window() creates win_data (comment is "explicitly create data for
HWND_MESSAGE windows since they can be used for OpenGL"), using the current
thread's (the CS thread's) Display pointer. I believe this is when the CS
thread calls XOpenDisplay().

* This works ok, until ANGLE shuts down. It first releases all the D3D9
objects:
<https://github.com/google/angle/blob/6dfdca836806b661cd0d0e090ef2cf1dc06a2e6a/src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp#L173>
Releasing D3D9 triggers wined3d to stop the CS thread, which ends with calling
FreeLibraryAndExitThread(). This eventually calls X11DRV_ThreadDetach(), which
closes the CS thread's Display.

* ANGLE then calls DestroyWindow() on the device/focus window. This leads to
x11drv destroy_whole_window(), which calls XDeleteContext() using the Display
from the win_data. This was the CS thread's Display, which has since been
closed/freed, causing use-after-free and (in this case) a crash.

Commenting out the HWND_MESSAGE exception in X11DRV_create_win_data() does fix
the crash, but this is likely not the correct fix.

I've attached part of a Valgrind output showing the crash and backtraces, and
should be able to add an ANGLE sample exe later that reproduces the bug.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list