slackware-current/source/l/glib2/82c764ce2e42f0d1032627dabcbd742d5f2bd8fa.patch
Patrick J Volkerding 8daddd6079 Thu Sep 14 02:38:14 UTC 2023
a/kernel-firmware-20230907_dfa1146-noarch-1.txz:  Upgraded.
a/kernel-generic-6.1.53-x86_64-1.txz:  Upgraded.
a/kernel-huge-6.1.53-x86_64-1.txz:  Upgraded.
a/kernel-modules-6.1.53-x86_64-1.txz:  Upgraded.
ap/ghostscript-10.02.0-x86_64-1.txz:  Upgraded.
ap/vim-9.0.1897-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
d/cbindgen-0.26.0-x86_64-1.txz:  Upgraded.
d/kernel-headers-6.1.53-x86-1.txz:  Upgraded.
k/kernel-source-6.1.53-noarch-1.txz:  Upgraded.
kde/keysmith-23.08.0-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
l/glib2-2.78.0-x86_64-2.txz:  Rebuilt.
  [PATCH] gthreadedresolver: Fix race between source callbacks and finalize.
  Thanks to marav.
l/libarchive-3.7.2-x86_64-1.txz:  Upgraded.
  This update fixes multiple security vulnerabilities in the PAX writer:
  Heap overflow in url_encode() in archive_write_set_format_pax.c.
  NULL dereference in archive_write_pax_header_xattrs().
  Another NULL dereference in archive_write_pax_header_xattrs().
  NULL dereference in archive_write_pax_header_xattr().
  (* Security fix *)
l/librsvg-2.56.4-x86_64-1.txz:  Upgraded.
l/libsodium-1.0.19-x86_64-1.txz:  Upgraded.
  Shared library .so-version bump.
n/curl-8.3.0-x86_64-1.txz:  Upgraded.
  This update fixes a security issue:
  HTTP headers eat all memory.
    https://curl.se/docs/CVE-2023-38039.html
    https://www.cve.org/CVERecord?id=CVE-2023-38039
  (* Security fix *)
n/dovecot-2.3.20-x86_64-4.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
n/netatalk-3.1.16-x86_64-1.txz:  Upgraded.
  This update fixes bugs and security issues.
  Shared library .so-version bump.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-23121
    https://www.cve.org/CVERecord?id=CVE-2022-23123
  (* Security fix *)
n/openldap-2.6.6-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
n/php-8.2.10-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
n/proftpd-1.3.8-x86_64-4.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
x/libglvnd-1.7.0-x86_64-1.txz:  Upgraded.
xap/mozilla-thunderbird-115.2.2-x86_64-1.txz:  Upgraded.
  This release contains a security fix for a critical heap buffer overflow.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.2.2/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
    https://www.cve.org/CVERecord?id=CVE-2023-4863
  (* Security fix *)
xap/vim-gvim-9.0.1897-x86_64-2.txz:  Rebuilt.
  Recompiled against libsodium-1.0.19.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
2023-09-14 05:06:53 +02:00


From 82c764ce2e42f0d1032627dabcbd742d5f2bd8fa Mon Sep 17 00:00:00 2001
From: Philip Withnall <philip@tecnocode.co.uk>
Date: Mon, 11 Sep 2023 16:02:15 +0100
Subject: [PATCH] gthreadedresolver: Fix race between source callbacks and
finalize
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
I had thought that because `g_source_destroy()` was called for the two
sources (cancel and timeout) in the `GTask` finalize function for a
threaded resolver operation, that it would be fine to use a plain
pointer in the source callbacks to point to the `GTask`.
That turns out to not be true: because the source callbacks are executed
in the GLib worker thread, and the `GTask` can be finalized in another
thread, it's possible for a source callback (e.g. `cancelled_cb()`) to
be scheduled in the worker thread, then for the `GTask` to be finalized,
and then the source callback to continue execution and find itself
doing a use-after-free.
Fix that by using a weak ref to the `GTask` in the source callbacks,
rather than a plain pointer.
Signed-off-by: Philip Withnall <philip@tecnocode.co.uk>
Fixes: #3105
---
gio/gthreadedresolver.c | 43 +++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/gio/gthreadedresolver.c b/gio/gthreadedresolver.c
index 2d94531bfd..c7a567549f 100644
--- a/gio/gthreadedresolver.c
+++ b/gio/gthreadedresolver.c
@@ -1422,10 +1422,17 @@ lookup_records_finish (GResolver *resolver,
static gboolean
timeout_cb (gpointer user_data)
{
- GTask *task = G_TASK (user_data);
- LookupData *data = g_task_get_task_data (task);
+ GWeakRef *weak_task = user_data;
+ GTask *task = NULL; /* (owned) */
+ LookupData *data;
gboolean should_return;
+ task = g_weak_ref_get (weak_task);
+ if (task == NULL)
+ return G_SOURCE_REMOVE;
+
+ data = g_task_get_task_data (task);
+
g_mutex_lock (&data->lock);
should_return = g_atomic_int_compare_and_exchange (&data->will_return, NOT_YET, TIMED_OUT);
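Review bot: The new weak-ref preamble in timeout_cb does not say why a weak ref is needed, and the same seven lines are repeated verbatim in the cancelled_cb hunk below, so the reasoning from the commit message lives only in the commit. A one-line comment above `task = g_weak_ref_get (weak_task);` would carry it into the code, e.g. `/* The GTask can be finalized on another thread while this callback is pending; take a strong ref or bail out. */`. The get-or-return plus `g_task_get_task_data ()` sequence could also be one small static helper that both callbacks call, so the two copies cannot drift. timeout_cb's body continues past the end of this hunk.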
@@ -1443,6 +1450,8 @@ timeout_cb (gpointer user_data)
g_cond_broadcast (&data->cond);
g_mutex_unlock (&data->lock);
+ g_object_unref (task);
+
return G_SOURCE_REMOVE;
}
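Review bot: The added `g_object_unref (task)` can now be the last reference to the GTask, and the commit message says the GTask finalizer calls `g_source_destroy ()` on the timeout and cancellable sources — so finalize may now run on the GLib worker thread, from inside the dispatch of one of those very sources. Destroying a source from within its own callback should be safe in GLib, but it is a new execution path for the finalizer and is worth a comment at the unref, e.g. `/* May drop the last ref: GTask finalize (and g_source_destroy () of this source) can run here, on the worker thread. */`. The same applies to the matching unref added in the cancelled_cb hunk.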
@@ -1452,10 +1461,17 @@ static gboolean
cancelled_cb (GCancellable *cancellable,
gpointer user_data)
{
- GTask *task = G_TASK (user_data);
- LookupData *data = g_task_get_task_data (task);
+ GWeakRef *weak_task = user_data;
+ GTask *task = NULL; /* (owned) */
+ LookupData *data;
gboolean should_return;
+ task = g_weak_ref_get (weak_task);
+ if (task == NULL)
+ return G_SOURCE_REMOVE;
+
+ data = g_task_get_task_data (task);
+
g_mutex_lock (&data->lock);
g_assert (g_cancellable_is_cancelled (cancellable));
@@ -1473,9 +1489,18 @@ cancelled_cb (GCancellable *cancellable,
g_cond_broadcast (&data->cond);
g_mutex_unlock (&data->lock);
+ g_object_unref (task);
+
return G_SOURCE_REMOVE;
}
+static void
+weak_ref_clear_and_free (GWeakRef *weak_ref)
+{
+ g_weak_ref_clear (weak_ref);
+ g_free (weak_ref);
+}
+
static void
run_task_in_thread_pool_async (GThreadedResolver *self,
GTask *task)
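Review bot: weak_ref_clear_and_free has no comment tying it to the GWeakRef allocations in run_task_in_thread_pool_async, and at both call sites it is passed through a `(GDestroyNotify)` cast because its parameter is `GWeakRef *` rather than `gpointer`. Declaring it as `static void weak_ref_clear_and_free (gpointer data)` with `GWeakRef *weak_ref = data;` as its first line lets the two `g_source_set_callback ()` calls pass it without a cast, matching the `GDestroyNotify` signature exactly. Above it, a comment such as `/* GDestroyNotify for the heap GWeakRef handed to timeout_cb/cancelled_cb: runs when the source is destroyed or its callback replaced. */` would document the ownership. The run_task_in_thread_pool_async signature at the end of this hunk continues in the next hunk.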
@@ -1490,17 +1515,23 @@ run_task_in_thread_pool_async (GThreadedResolver *self,
if (timeout_ms != 0)
{
+ GWeakRef *weak_task = g_new0 (GWeakRef, 1);
+ g_weak_ref_set (weak_task, task);
+
data->timeout_source = g_timeout_source_new (timeout_ms);
g_source_set_static_name (data->timeout_source, "[gio] threaded resolver timeout");
- g_source_set_callback (data->timeout_source, G_SOURCE_FUNC (timeout_cb), task, NULL);
+ g_source_set_callback (data->timeout_source, G_SOURCE_FUNC (timeout_cb), g_steal_pointer (&weak_task), (GDestroyNotify) weak_ref_clear_and_free);
g_source_attach (data->timeout_source, GLIB_PRIVATE_CALL (g_get_worker_context) ());
}
if (cancellable != NULL)
{
+ GWeakRef *weak_task = g_new0 (GWeakRef, 1);
+ g_weak_ref_set (weak_task, task);
+
data->cancellable_source = g_cancellable_source_new (cancellable);
g_source_set_static_name (data->cancellable_source, "[gio] threaded resolver cancellable");
- g_source_set_callback (data->cancellable_source, G_SOURCE_FUNC (cancelled_cb), task, NULL);
+ g_source_set_callback (data->cancellable_source, G_SOURCE_FUNC (cancelled_cb), g_steal_pointer (&weak_task), (GDestroyNotify) weak_ref_clear_and_free);
g_source_attach (data->cancellable_source, GLIB_PRIVATE_CALL (g_get_worker_context) ());
}
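Review bot: The `g_new0 (GWeakRef, 1)` plus `g_weak_ref_set ()` pair is duplicated for the timeout and cancellable sources, and uses `g_weak_ref_set ()` on zero-filled memory where `g_weak_ref_init ()` is the documented constructor for a non-static GWeakRef (zero-filling is equivalent, but init/clear reads as the intended pair with weak_ref_clear_and_free). A small helper placed next to weak_ref_clear_and_free would remove the duplication and make the allocation and release visibly symmetric. The function's signature and the `data`/`timeout_ms`/`cancellable` setup are outside this hunk.
```c
/* Heap-allocate a GWeakRef to @object; release with weak_ref_clear_and_free (). */
static GWeakRef *
weak_ref_new (gpointer object)
{
  GWeakRef *weak_ref = g_new0 (GWeakRef, 1);
  g_weak_ref_init (weak_ref, object);
  return weak_ref;
}

/* … unchanged: run_task_in_thread_pool_async () up to the timeout block … */
      GWeakRef *weak_task = weak_ref_new (task);
/* … unchanged: timeout source setup; same one-line replacement in the cancellable block … */
```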
--
GitLab