From 92e75f0e2ae71321053d1529ba2acc797ce955b5 Mon Sep 17 00:00:00 2001 From: Zach Reizner Date: Fri, 26 Jul 2019 13:31:55 -0700 Subject: gpu_display: fix use after free for the wayland socket path Using .map in the way it was caused the CString to get moved into the closure and then dropped by that closure. The returned pointer is then used in dwl_context_setup after it was freed by the drop. This change fixes that first by using .as_ref() before calling .map to prevent the move. As an additional safeguard, some optional types were added to the closure to make sure a reference to the CString was being handled instead of a moved CString. TEST=vmc start --enable-gpu termina BUG=chromium:988082 Change-Id: I58c2c002f08688ecd85715d9cd45085dffb32457 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1721615 Tested-by: Zach Reizner Tested-by: kokoro Auto-Submit: Zach Reizner Reviewed-by: Daniel Verkamp Commit-Queue: Zach Reizner --- gpu_display/src/gpu_display_wl.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/gpu_display/src/gpu_display_wl.rs b/gpu_display/src/gpu_display_wl.rs index a079d87..670c429 100644 --- a/gpu_display/src/gpu_display_wl.rs +++ b/gpu_display/src/gpu_display_wl.rs @@ -111,8 +111,14 @@ impl DisplayWl { Some(None) => return Err(GpuDisplayError::InvalidPath), None => None, }; - let setup_success = - unsafe { dwl_context_setup(ctx.0, cstr_path.map(|s| s.as_ptr()).unwrap_or(null())) }; + // This grabs a pointer to cstr_path without moving the CString into the .map closure + // accidentally, which triggeres a really hard to catch use after free in + // dwl_context_setup. + let cstr_path_ptr = cstr_path + .as_ref() + .map(|s: &CString| CStr::as_ptr(s)) + .unwrap_or(null()); + let setup_success = unsafe { dwl_context_setup(ctx.0, cstr_path_ptr) }; if !setup_success { return Err(GpuDisplayError::Connect); } -- cgit 1.4.1