Merge branch 'backport-3297-use-after-free-gdbus-method-invocation-glib-2-74' into 'glib-2-74'

Backport !3297 “gdbusinterfaceskeleton: Fix a use-after-free of a GDBusMethodInvocation” to glib-2-74 See merge request GNOME/glib!3298
2025-02-23 18:52:09 +01:00 · 2023-03-02 12:32:23 +00:00 · 2023-03-02 12:32:23 +00:00 · f34ab2af3e
commit f34ab2af3e
parent 925ae2fba1 2da9ca2727
2 changed files with 14 additions and 12 deletions
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@ -5048,7 +5048,7 @@ schedule_method_call (GDBusConnection            *connection,
  g_source_set_priority (idle_source, G_PRIORITY_DEFAULT);
  g_source_set_callback (idle_source,
                         call_in_idle_cb,
-                         invocation,
+                         g_steal_pointer (&invocation),
                         g_object_unref);
  g_source_set_static_name (idle_source, "[gio, " __FILE__ "] call_in_idle_cb");
  g_source_attach (idle_source, main_context);
--- a/gio/gdbusinterfaceskeleton.c
+++ b/gio/gdbusinterfaceskeleton.c
@ -461,17 +461,19 @@ dbus_interface_interface_init (GDBusInterfaceIface *iface)
 typedef struct
 {
  gint ref_count;  /* (atomic) */
-  GDBusInterfaceSkeleton       *interface;
  GDBusInterfaceMethodCallFunc  method_call_func;
-  GDBusMethodInvocation        *invocation;
+  GDBusMethodInvocation        *invocation;  /* (owned) */
 } DispatchData;

 static void
 dispatch_data_unref (DispatchData *data)
 {
  if (g_atomic_int_dec_and_test (&data->ref_count))
+    {
+      g_clear_object (&data->invocation);
      g_slice_free (DispatchData, data);
    }
+}

 static DispatchData *
 dispatch_data_ref (DispatchData *data)
@ -502,16 +504,17 @@ dispatch_in_thread_func (GTask        *task,
                         GCancellable *cancellable)
 {
  DispatchData *data = task_data;
+  GDBusInterfaceSkeleton *interface = g_task_get_source_object (task);
  GDBusInterfaceSkeletonFlags flags;
  GDBusObject *object;
  gboolean authorized;

-  g_mutex_lock (&data->interface->priv->lock);
-  flags = data->interface->priv->flags;
-  object = data->interface->priv->object;
+  g_mutex_lock (&interface->priv->lock);
+  flags = interface->priv->flags;
+  object = interface->priv->object;
  if (object != NULL)
    g_object_ref (object);
-  g_mutex_unlock (&data->interface->priv->lock);
+  g_mutex_unlock (&interface->priv->lock);

  /* first check on the enclosing object (if any), then the interface */
  authorized = TRUE;
@ -519,13 +522,13 @@ dispatch_in_thread_func (GTask        *task,
    {
      g_signal_emit_by_name (object,
                             "authorize-method",
-                             data->interface,
+                             interface,
                             data->invocation,
                             &authorized);
    }
  if (authorized)
    {
-      g_signal_emit (data->interface,
+      g_signal_emit (interface,
                     signals[G_AUTHORIZE_METHOD_SIGNAL],
                     0,
                     data->invocation,
@ -627,9 +630,8 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton       *interface
      DispatchData *data;

      data = g_slice_new0 (DispatchData);
-      data->interface = interface;
      data->method_call_func = method_call_func;
-      data->invocation = invocation;
+      data->invocation = g_object_ref (invocation);
      data->ref_count = 1;

      task = g_task_new (interface, NULL, NULL, NULL);