[1/2] server: Grab borrowed debugger reference while handling wake_up() events. (Valgrind)

Sebastian Lackner sebastian at fds-team.de
Sat Jun 21 16:19:18 CDT 2014


Found by using Valgrind + fuzz testing.

When taking a look at the following code from server/debugger.c:

--- snip ---
static void link_event( struct debug_event *event )
{
    struct debug_ctx *debug_ctx = event->debugger->debug_ctx;
[...]
    if (!event->sender->debug_event) wake_up( &debug_ctx->obj, 0 );
}
--- snip ---

You'll notice that debug_ctx is a borrowed reference, which is owned
by the debugger thread. As wake_up() might destroy this object
indirectly ( wake_up -> wake_thread -> send_thread_wakeup -> kill_thread
-> ... -> release_object ) we should keep an additional reference here.

NOTE: I didn't find any other place where a similar error can occur, but
it probably wouldn't hurt to review the rest of the code for similar places.


Valgrind output:
----------------

(line numbers might differ due to some other unrelated modifications and
additional debug messages)

==12530== Invalid read of size 4
==12530==    at 0x807EC4C: wake_up (thread.c:873)
==12530==    by 0x8052F8A: link_event (debugger.c:244)
==12530==    by 0x80535CF: generate_debug_event (debugger.c:404)
==12530==    by 0x8066A74: remove_process_thread (process.c:697)
==12530==    by 0x807F2C8: kill_thread (thread.c:1099)
==12530==    by 0x8077855: read_request (request.c:320)
==12530==    by 0x807D425: thread_poll_event (thread.c:261)
==12530==    by 0x8056E86: fd_poll_event (fd.c:446)
==12530==    by 0x805713C: main_loop_epoll (fd.c:541)
==12530==    by 0x8057536: main_loop (fd.c:886)
==12530==    by 0x805FF48: main (main.c:148)
==12530==  Address 0x8a489c0 is 8 bytes inside a block of size 44 free'd
==12530==    at 0x49EF06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12530==    by 0x8064DF6: release_object (object.c:318)
==12530==    by 0x805C899: handle_table_destroy (handle.c:169)
==12530==    by 0x8064D9B: release_object (object.c:311)
==12530==    by 0x805C8EA: close_process_handles (handle.c:180)
==12530==    by 0x80667FD: process_killed (process.c:633)
==12530==    by 0x8066A7F: remove_process_thread (process.c:698)
==12530==    by 0x807F2C8: kill_thread (thread.c:1099)
==12530==    by 0x807E50B: send_thread_wakeup (thread.c:696)
==12530==    by 0x807E5D0: wake_thread (thread.c:715)
==12530==    by 0x807EC1D: wake_up (thread.c:876)
==12530==    by 0x8052F8A: link_event (debugger.c:244)
==12530==
==12530== Invalid read of size 4
==12530==    at 0x807DF23: get_wait_queue_thread (thread.c:551)
==12530==    by 0x807EC15: wake_up (thread.c:876)
==12530==    by 0x8052F8A: link_event (debugger.c:244)
==12530==    by 0x80535CF: generate_debug_event (debugger.c:404)
==12530==    by 0x8066A74: remove_process_thread (process.c:697)
==12530==    by 0x807F2C8: kill_thread (thread.c:1099)
==12530==    by 0x8077855: read_request (request.c:320)
==12530==    by 0x807D425: thread_poll_event (thread.c:261)
==12530==    by 0x8056E86: fd_poll_event (fd.c:446)
==12530==    by 0x805713C: main_loop_epoll (fd.c:541)
==12530==    by 0x8057536: main_loop (fd.c:886)
==12530==    by 0x805FF48: main (main.c:148)
==12530==  Address 0xaaaaaab6 is not stack'd, malloc'd or (recently) free'd

---
 server/debugger.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-server-Grab-borrowed-debugger-reference-while-handli.patch
Type: text/x-patch
Size: 1057 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20140621/23045b40/attachment.bin>
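The borrowed-reference hazard described in the message, as an added example that is not part of the patch or of wine's code: a simplified refcount model in which the wake-up path drops the owner's reference, showing the unfixed link_event() touching a destroyed object and the fixed variant holding its own reference across wake_up(). struct thread, touch() and run_scenario() are constructed for this example; a destroyed object is marked dead rather than freed so the misuse can be counted instead of crashing.

```c
#include <stddef.h>

/* Refcounted object modelled on the wine server's grab_object()/release_object();
 * constructed for this example, not wine's code. A destroyed object is marked
 * dead instead of free()'d, so a use-after-free is counted rather than crashing. */
struct object { unsigned int refcount; int dead; int uaf_hits; };

static struct object *grab_object( struct object *obj ) { obj->refcount++; return obj; }
static void release_object( struct object *obj ) { if (!--obj->refcount) obj->dead = 1; }
static void touch( struct object *obj ) { if (obj->dead) obj->uaf_hits++; }

/* The debugger thread owns the only reference to its debug_ctx. */
struct thread { struct object *debug_ctx; };

/* Models wake_up(): waking the debugger may kill it (wake_up -> wake_thread ->
 * send_thread_wakeup -> kill_thread -> release_object), dropping the owner's
 * reference, yet wake_up keeps reading the object; the kill always happens here. */
static void wake_up( struct thread *debugger )
{
    struct object *ctx = debugger->debug_ctx;
    debugger->debug_ctx = NULL;
    release_object( ctx );   /* the owner's reference goes away */
    touch( ctx );            /* reads after the wake-up, as thread.c:873/876 did */
}

/* Unfixed link_event(): relies on the borrowed debug_ctx surviving wake_up(). */
static int link_event_unfixed( struct thread *debugger )
{
    struct object *debug_ctx = debugger->debug_ctx;   /* borrowed, not owned */
    wake_up( debugger );
    return debug_ctx->uaf_hits;
}

/* Fixed link_event(): holds its own reference across the call that may kill
 * the owner, then releases it once done with the object. */
static int link_event_fixed( struct thread *debugger )
{
    struct object *debug_ctx = grab_object( debugger->debug_ctx );
    int hits;
    wake_up( debugger );
    hits = debug_ctx->uaf_hits;
    release_object( debug_ctx );
    return hits;
}

/* Runs one scenario on a fresh object; returns the number of post-free accesses. */
static int run_scenario( int fixed )
{
    struct object ctx = { 1, 0, 0 };   /* the debugger thread holds the only reference */
    struct thread debugger = { &ctx };
    return fixed ? link_event_fixed( &debugger ) : link_event_unfixed( &debugger );
}
```

run_scenario(0) reports one access to the destroyed debug_ctx, run_scenario(1) reports none, which is the difference the one-line grab_object()/release_object() pair in the patch makes.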