From dd1f5f9726c2610870b6481122d445e564ebe6e8 Mon Sep 17 00:00:00 2001 From: Dentomologist Date: Thu, 21 Dec 2023 15:24:31 -0800 Subject: [PATCH] NetKDRequestDevice: Fix use-after-free crash Explicitly shut down work queues in NetKDRequestDevice's destructor to prevent their threads from accessing members after they've been freed. This crash would occur sporadically if NetKDRequestDevice's periodic download or mail checks happened to overlap with emulation shutdown in the wrong way. An example sequence of events that could cause the crash: * m_scheduler_timer_thread queues a periodic Download event in m_scheduler_work_queue, then waits for m_shutdown_event. * A request to stop emulation results in s_ios being reset by the CPU thread. This triggers NetKDRequestDevice's destructor which sets m_shutdown_event and joins m_scheduler_timer_thread. * m_scheduler_timer_thread wakes from m_shutdown_event and returns from its thread function, ending the thread. * The CPU thread resumes execution at the end of NetKDRequestDevice's destructor and begins destroying NetKDRequestDevice's members in reverse declaration order. * m_http is declared after m_scheduler_work_queue and is therefore destroyed earlier. * m_scheduler_work_queue's destructor calls its Shutdown function, which by default finishes the work items in the queue. * The queued Download event calls KDDownload which calls m_http.Get() which calls Fetch() which passes garbage data from the freed m_curl into curl_easy_setopt(). * Curl promptly crashes. Shutting down the work queues manually in the destructor prevents the above because m_http and the other members don't get freed until after the queue threads finish. --- Source/Core/Core/IOS/Network/KD/NetKDRequest.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Source/Core/Core/IOS/Network/KD/NetKDRequest.cpp b/Source/Core/Core/IOS/Network/KD/NetKDRequest.cpp index 3d4dc35613..c2420a9dd1 100644 --- a/Source/Core/Core/IOS/Network/KD/NetKDRequest.cpp +++ b/Source/Core/Core/IOS/Network/KD/NetKDRequest.cpp @@ -190,6 +190,8 @@ NetKDRequestDevice::~NetKDRequestDevice() } m_scheduler_timer_thread.join(); + m_scheduler_work_queue.Shutdown(); + m_work_queue.Shutdown(); } void NetKDRequestDevice::Update()