Added patch to fix possible use-after-free in wineserver device IPR code.

2025-01-28 22:04:43 -08:00 · 2015-06-16 03:26:43 +02:00 · 2015-06-16 03:26:43 +02:00 · 50b37c2d7e
commit 50b37c2d7e
parent 333de90b1a
5 changed files with 94 additions and 40 deletions
--- a/README.md
+++ b/README.md
@ -39,8 +39,9 @@ Wine. All those differences are also documented on the
 Included bug fixes and improvements
 -----------------------------------

-**Bug fixes and features included in the next upcoming release [2]:**
+**Bug fixes and features included in the next upcoming release [3]:**

+* Fix possible use-after-free in wineserver device IPR code ([Wine Bug #38764](https://bugs.winehq.org/show_bug.cgi?id=38764))
 * Globally invalidate key state on changes in other threads ([Wine Bug #29871](https://bugs.winehq.org/show_bug.cgi?id=29871))
 * SecuROM 5.x media validation fails ([Wine Bug #21448](https://bugs.winehq.org/show_bug.cgi?id=21448))

--- a/debian/changelog
+++ b/debian/changelog
@ -2,6 +2,7 @@ wine-staging (1.7.46) UNRELEASED; urgency=low
  * Add reference to upstream bug report for various patchsets.
  * Added patch to improve IoGetDeviceObjectPointer stub to appease SecuROM 5.x.
  * Added patch to globally invalidate key state on changes in other threads.
+  * Added patch to fix possible use-after-free in wineserver device IPR code.
  * Removed patch for implementation of GdipCreateRegionRgnData (accepted
    upstream).
  * Removed patch to fix output buffer size for IOCTL_DVD_READ_STRUCTURE
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -213,6 +213,7 @@ patch_enable_all ()
 	enable_server_OpenProcess="$1"
 	enable_server_PeekMessage="$1"
 	enable_server_Realtime_Priority="$1"
+	enable_server_Release_File="$1"
 	enable_server_RootDirectory_File="$1"
 	enable_server_Shared_Memory="$1"
 	enable_server_Stored_ACLs="$1"
@ -719,6 +720,9 @@ patch_enable ()
 		server-Realtime_Priority)
 			enable_server_Realtime_Priority="$2"
 			;;
+		server-Release_File)
+			enable_server_Release_File="$2"
+			;;
 		server-RootDirectory_File)
 			enable_server_RootDirectory_File="$2"
 			;;
@ -4415,6 +4419,21 @@ if test "$enable_server_Realtime_Priority" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset server-Release_File
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#38764] Fix possible use-after-free in wineserver device IPR code
+# |
+# | Modified files:
+# |   *	server/device.c
+# |
+if test "$enable_server_Release_File" -eq 1; then
+	patch_apply server-Release_File/0001-server-Delay-destruction-of-file-object-in-set_irp_r.patch
+	(
+		echo '+    { "Sebastian Lackner", "server: Delay destruction of file object in set_irp_result.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset server-Shared_Memory
 # |
 # | Modified files:
@ -5077,6 +5096,45 @@ if test "$enable_wined3d_CSMT_Helper" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset wined3d-Multisampling
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#12652] Allow to override number of quality levels for D3DMULTISAMPLE_NONMASKABLE.
+# |
+# | Modified files:
+# |   *	dlls/wined3d/directx.c, dlls/wined3d/wined3d_main.c, dlls/wined3d/wined3d_private.h
+# |
+if test "$enable_wined3d_Multisampling" -eq 1; then
+	patch_apply wined3d-Multisampling/0001-wined3d-Allow-to-specify-multisampling-AA-quality-le.patch
+	(
+		echo '+    { "Austin English", "wined3d: Allow to specify multisampling AA quality levels via registry.", 1 },';
+	) >> "$patchlist"
+fi
+
+# Patchset wined3d-UnhandledBlendFactor
+# |
+# | Modified files:
+# |   *	dlls/wined3d/state.c
+# |
+if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then
+	patch_apply wined3d-UnhandledBlendFactor/0001-wined3d-Silence-repeated-Unhandled-blend-factor-0-me.patch
+	(
+		echo '+    { "Sebastian Lackner", "wined3d: Silence repeated '\''Unhandled blend factor 0'\'' messages.", 1 },';
+	) >> "$patchlist"
+fi
+
+# Patchset wined3d-wined3d_swapchain_present
+# |
+# | Modified files:
+# |   *	dlls/wined3d/swapchain.c
+# |
+if test "$enable_wined3d_wined3d_swapchain_present" -eq 1; then
+	patch_apply wined3d-wined3d_swapchain_present/0001-wined3d-Silence-repeated-wined3d_swapchain_present-F.patch
+	(
+		echo '+    { "Sebastian Lackner", "wined3d: Silence repeated wined3d_swapchain_present FIXME.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset wined3d-Revert_PixelFormat
 # |
 # | This patchset fixes the following Wine bugs:
@ -5123,45 +5181,6 @@ if test "$enable_wined3d_resource_check_usage" -eq 1; then
 	) >> "$patchlist"
 fi

-# Patchset wined3d-UnhandledBlendFactor
-# |
-# | Modified files:
-# |   *	dlls/wined3d/state.c
-# |
-if test "$enable_wined3d_UnhandledBlendFactor" -eq 1; then
-	patch_apply wined3d-UnhandledBlendFactor/0001-wined3d-Silence-repeated-Unhandled-blend-factor-0-me.patch
-	(
-		echo '+    { "Sebastian Lackner", "wined3d: Silence repeated '\''Unhandled blend factor 0'\'' messages.", 1 },';
-	) >> "$patchlist"
-fi
-
-# Patchset wined3d-wined3d_swapchain_present
-# |
-# | Modified files:
-# |   *	dlls/wined3d/swapchain.c
-# |
-if test "$enable_wined3d_wined3d_swapchain_present" -eq 1; then
-	patch_apply wined3d-wined3d_swapchain_present/0001-wined3d-Silence-repeated-wined3d_swapchain_present-F.patch
-	(
-		echo '+    { "Sebastian Lackner", "wined3d: Silence repeated wined3d_swapchain_present FIXME.", 1 },';
-	) >> "$patchlist"
-fi
-
-# Patchset wined3d-Multisampling
-# |
-# | This patchset fixes the following Wine bugs:
-# |   *	[#12652] Allow to override number of quality levels for D3DMULTISAMPLE_NONMASKABLE.
-# |
-# | Modified files:
-# |   *	dlls/wined3d/directx.c, dlls/wined3d/wined3d_main.c, dlls/wined3d/wined3d_private.h
-# |
-if test "$enable_wined3d_Multisampling" -eq 1; then
-	patch_apply wined3d-Multisampling/0001-wined3d-Allow-to-specify-multisampling-AA-quality-le.patch
-	(
-		echo '+    { "Austin English", "wined3d: Allow to specify multisampling AA quality levels via registry.", 1 },';
-	) >> "$patchlist"
-fi
-
 # Patchset wined3d-CSMT_Main
 # |
 # | This patchset fixes the following Wine bugs:
--- a/patches/server-Release_File/0001-server-Delay-destruction-of-file-object-in-set_irp_r.patch
+++ b/patches/server-Release_File/0001-server-Delay-destruction-of-file-object-in-set_irp_r.patch
@ -0,0 +1,32 @@
+From 12bf8396bd22a181e9d49c70b84b98b85eacefea Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Tue, 16 Jun 2015 03:16:10 +0200
+Subject: server: Delay destruction of file object in set_irp_result.
+
+---
+ server/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/device.c b/server/device.c
+index dc0325e..da99c32 100644
+--- a/server/device.c
+++ b/server/device.c
+@@ -288,7 +288,6 @@ static void set_irp_result( struct irp_call *irp, unsigned int status,
+     irp->out_size = min( irp->out_size, out_size );
+     if (irp->out_size && !(irp->out_data = memdup( out_data, irp->out_size )))
+         irp->out_size = 0;
+-    release_object( file );
+     irp->file = NULL;
+     if (irp->async)
+     {
+@@ -306,6 +305,7 @@ static void set_irp_result( struct irp_call *irp, unsigned int status,
+         list_remove( &irp->dev_entry );
+         release_object( irp );  /* no longer on the device queue */
+     }
+    release_object( file );
+ }
+ 
+ 
+-- 
+2.4.3
+
--- a/patches/server-Release_File/definition
+++ b/patches/server-Release_File/definition
@ -0,0 +1 @@
+Fixes: [38764] Fix possible use-after-free in wineserver device IPR code
				`@ -0,0 +1 @@`
				`Fixes: [38764] Fix possible use-after-free in wineserver device IPR code`