gpu_display: fix use after free for the wayland socket path

Using .map in the way it was caused the CString to get moved into the closure
and then dropped by that closure. The returned pointer is then used in
dwl_context_setup after it was freed by the drop.

This change fixes that first by using .as_ref() before calling .map to
prevent the move. As an additional safeguard, some optional types were
added to the closure to make sure a reference to the CString was being
handled instead of a moved CString.

TEST=vmc start --enable-gpu termina
BUG=chromium:988082

Change-Id: I58c2c002f08688ecd85715d9cd45085dffb32457
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1721615
Tested-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Zach Reizner <zachr@chromium.org>

1 files changed, 8 insertions, 2 deletions

diff --git a/gpu_display/src/gpu_display_wl.rs b/gpu_display/src/gpu_display_wl.rs
index a079d87..670c429 100644
--- a/gpu_display/src/gpu_display_wl.rs
+++ b/gpu_display/src/gpu_display_wl.rs
@@ -111,8 +111,14 @@ impl DisplayWl {
             Some(None) => return Err(GpuDisplayError::InvalidPath),
             None => None,
         };
-        let setup_success =
-            unsafe { dwl_context_setup(ctx.0, cstr_path.map(|s| s.as_ptr()).unwrap_or(null())) };
+        // This grabs a pointer to cstr_path without moving the CString into the .map closure
+        // accidentally, which triggeres a really hard to catch use after free in
+        // dwl_context_setup.
+        let cstr_path_ptr = cstr_path
+            .as_ref()
+            .map(|s: &CString| CStr::as_ptr(s))
+            .unwrap_or(null());
+        let setup_success = unsafe { dwl_context_setup(ctx.0, cstr_path_ptr) };
         if !setup_success {
             return Err(GpuDisplayError::Connect);
         }