!133 Fix a use-after-free of a GDBusMethodInvocation

From: @han_hui_hui 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch

@@ -0,0 +1,182 @@
+From 1f86923766a3d1d319fe54ad24fcf6e2d75aca0d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 22 Feb 2023 12:40:49 +0000
+Subject: [PATCH 1/3] gdbusinterfaceskeleton: Remove an unnecessary helper
+ struct member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `GDBusInterfaceSkeleton` is already stored as the source object of
+the `GTask` here, with a strong reference.
+
+Storing it again in the task’s data struct is redundant, and makes it
+look like the `GDBusInterfaceSkeleton` is being used without holding a
+strong reference. (There’s not actually a bug there though: the strong
+reference from the `GTask` outlives the data struct, so is sufficient.)
+
+Remove the unnecessary helper struct member to clarify the code a bit.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2924
+---
+ gio/gdbusinterfaceskeleton.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
+index 3f07d4d0b2..d28282fea3 100644
+--- a/gio/gdbusinterfaceskeleton.c
++++ b/gio/gdbusinterfaceskeleton.c
+@@ -461,7 +461,6 @@ dbus_interface_interface_init (GDBusInterfaceIface *iface)
+ typedef struct
+ {
+   gint ref_count;  /* (atomic) */
+-  GDBusInterfaceSkeleton       *interface;
+   GDBusInterfaceMethodCallFunc  method_call_func;
+   GDBusMethodInvocation        *invocation;
+ } DispatchData;
+@@ -502,16 +501,17 @@ dispatch_in_thread_func (GTask        *task,
+                          GCancellable *cancellable)
+ {
+   DispatchData *data = task_data;
++  GDBusInterfaceSkeleton *interface = g_task_get_source_object (task);
+   GDBusInterfaceSkeletonFlags flags;
+   GDBusObject *object;
+   gboolean authorized;
+ 
+-  g_mutex_lock (&data->interface->priv->lock);
+-  flags = data->interface->priv->flags;
+-  object = data->interface->priv->object;
++  g_mutex_lock (&interface->priv->lock);
++  flags = interface->priv->flags;
++  object = interface->priv->object;
+   if (object != NULL)
+     g_object_ref (object);
+-  g_mutex_unlock (&data->interface->priv->lock);
++  g_mutex_unlock (&interface->priv->lock);
+ 
+   /* first check on the enclosing object (if any), then the interface */
+   authorized = TRUE;
+@@ -519,13 +519,13 @@ dispatch_in_thread_func (GTask        *task,
+     {
+       g_signal_emit_by_name (object,
+                              "authorize-method",
+-                             data->interface,
++                             interface,
+                              data->invocation,
+                              &authorized);
+     }
+   if (authorized)
+     {
+-      g_signal_emit (data->interface,
++      g_signal_emit (interface,
+                      signals[G_AUTHORIZE_METHOD_SIGNAL],
+                      0,
+                      data->invocation,
+@@ -627,7 +627,6 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton       *interface
+       DispatchData *data;
+ 
+       data = g_slice_new0 (DispatchData);
+-      data->interface = interface;
+       data->method_call_func = method_call_func;
+       data->invocation = invocation;
+       data->ref_count = 1;
+-- 
+GitLab
+
+
+From d5710deb9d621bcf0cec0ff2db0708f361490752 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 22 Feb 2023 12:47:36 +0000
+Subject: [PATCH 2/3] gdbusinterfaceskeleton: Fix a use-after-free of a
+ GDBusMethodInvocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This `GDBusMethodInvocation` may be shared across threads, with no
+guarantee on the strong ref in one thread outlasting any refs in other
+threads — so it needs a ref in this helper struct.
+
+This should fix a use-after-free where the `GDBusMethodInvocation` is
+freed from `g_value_unset()` after `g_signal_emit()` returns in
+`dispatch_in_thread_func()` in one thread; but then dereferenced again
+in `g_source_destroy_internal()` from another thread.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2924
+---
+ gio/gdbusinterfaceskeleton.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c
+index d28282fea3..a2a79fe3d8 100644
+--- a/gio/gdbusinterfaceskeleton.c
++++ b/gio/gdbusinterfaceskeleton.c
+@@ -462,14 +462,17 @@ typedef struct
+ {
+   gint ref_count;  /* (atomic) */
+   GDBusInterfaceMethodCallFunc  method_call_func;
+-  GDBusMethodInvocation        *invocation;
++  GDBusMethodInvocation        *invocation;  /* (owned) */
+ } DispatchData;
+ 
+ static void
+ dispatch_data_unref (DispatchData *data)
+ {
+   if (g_atomic_int_dec_and_test (&data->ref_count))
+-    g_slice_free (DispatchData, data);
++    {
++      g_clear_object (&data->invocation);
++      g_slice_free (DispatchData, data);
++    }
+ }
+ 
+ static DispatchData *
+@@ -628,7 +631,7 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton       *interface
+ 
+       data = g_slice_new0 (DispatchData);
+       data->method_call_func = method_call_func;
+-      data->invocation = invocation;
++      data->invocation = g_object_ref (invocation);
+       data->ref_count = 1;
+ 
+       task = g_task_new (interface, NULL, NULL, NULL);
+-- 
+GitLab
+
+
+From 7b101588e924f3783a0f5075f06b3e1d698be936 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 22 Feb 2023 12:50:10 +0000
+Subject: [PATCH 3/3] gdbusconnection: Make GDBusMethodInvocation transfer a
+ bit clearer
+
+Add a missing steal call in `schedule_method_call()`. This introduces no
+functional changes, but documents the ownership transfer more clearly.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2924
+---
+ gio/gdbusconnection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
+index d938f71b99..da6b66f2ec 100644
+--- a/gio/gdbusconnection.c
++++ b/gio/gdbusconnection.c
+@@ -5043,7 +5043,7 @@ schedule_method_call (GDBusConnection            *connection,
+   g_source_set_priority (idle_source, G_PRIORITY_DEFAULT);
+   g_source_set_callback (idle_source,
+                          call_in_idle_cb,
+-                         invocation,
++                         g_steal_pointer (&invocation),
+                          g_object_unref);
+   g_source_set_static_name (idle_source, "[gio, " __FILE__ "] call_in_idle_cb");
+   g_source_attach (idle_source, main_context);
+-- 
+GitLab
+

glib2.spec

@@ -1,11 +1,13 @@
 Name:           glib2
 Version:        2.74.4
-Release:        1
+Release:        2
 Summary:        The core library that forms the basis for projects such as GTK+ and GNOME
 License:        LGPLv2+
 URL:            https://www.gtk.org
 Source0:        https://download.gnome.org/sources/glib/2.74/glib-%{version}.tar.xz
 
+patch6001:	backport-gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMethodInvocation.patch
+
 BuildRequires:  chrpath gcc gcc-c++ gettext perl-interpreter
 BUildRequires:  glibc-devel libattr-devel libselinux-devel meson
 BuildRequires:  systemtap-sdt-devel pkgconfig(libelf) pkgconfig(libffi)
@@ -201,6 +203,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %endif
 
 %changelog
+* Tue Mar 14 2023 hanhuihui <hanhuihui5@huawei.com> - 2.74.4-2
+- fix a use-after-free of a GDBusMethodInvocation
+
 * Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 2.74.4-1
 - Update to 2.74.1