Fix use-after-free when disabling the ASB (microsoft#19186)

lhecker · DHowett · commit 9357281507e2 · 2025-07-29T14:05:50.000-05:00
Closes microsoft#17515 ## Validation Steps Performed * Disable the ASB while there's a pending cooked read * Type some text * No crash ✅ (cherry picked from commit dfcc8f3) Service-Card-Id: PVTI_lADOAF3p4s4AxadtzgdFoBM Service-Version: 1.23
diff --git a/src/host/readDataCooked.cpp b/src/host/readDataCooked.cpp
@@ -176,6 +176,11 @@ COOKED_READ_DATA::COOKED_READ_DATA(_In_ InputBuffer* const pInputBuffer,
     }
 }
 
+const SCREEN_INFORMATION* COOKED_READ_DATA::GetScreenBuffer() const noexcept
+{
+    return &_screenInfo;
+}
+
 // Routine Description:
 // - This routine is called to complete a cooked read that blocked in ReadInputBuffer.
 // - The context of the read was saved in the CookedReadData structure.
diff --git a/src/host/readDataCooked.hpp b/src/host/readDataCooked.hpp
@@ -19,6 +19,7 @@ class COOKED_READ_DATA final : public ReadData
                      _In_ std::wstring_view initialData,
                      _In_ ConsoleProcessHandle* pClientProcess);
 
+    const SCREEN_INFORMATION* GetScreenBuffer() const noexcept override;
     void MigrateUserBuffersOnTransitionToBackgroundWait(const void* oldBuffer, void* newBuffer) noexcept override;
 
     bool Notify(WaitTerminationReason TerminationReason,
diff --git a/src/host/screenInfo.cpp b/src/host/screenInfo.cpp
@@ -192,6 +192,9 @@ void SCREEN_INFORMATION::s_InsertScreenBuffer(_In_ SCREEN_INFORMATION* const pSc
 void SCREEN_INFORMATION::s_RemoveScreenBuffer(_In_ SCREEN_INFORMATION* const pScreenInfo)
 {
     auto& gci = ServiceLocator::LocateGlobals().getConsoleInformation();
+
+    gci.GetActiveInputBuffer()->WaitQueue.CancelWaitersForScreenBuffer(pScreenInfo);
+
     if (pScreenInfo == gci.ScreenBuffers)
     {
         gci.ScreenBuffers = pScreenInfo->Next;
diff --git a/src/server/IWaitRoutine.h b/src/server/IWaitRoutine.h
@@ -42,6 +42,10 @@ class IWaitRoutine
     IWaitRoutine& operator=(const IWaitRoutine&) & = delete;
     IWaitRoutine& operator=(IWaitRoutine&&) & = delete;
 
+    virtual const SCREEN_INFORMATION* GetScreenBuffer() const noexcept
+    {
+        return nullptr;
+    }
     virtual void MigrateUserBuffersOnTransitionToBackgroundWait(const void* oldBuffer, void* newBuffer) = 0;
 
     virtual bool Notify(const WaitTerminationReason TerminationReason,
diff --git a/src/server/WaitBlock.cpp b/src/server/WaitBlock.cpp
@@ -75,6 +75,11 @@ ConsoleWaitBlock::~ConsoleWaitBlock()
     delete _pWaiter;
 }
 
+const SCREEN_INFORMATION* ConsoleWaitBlock::GetScreenBuffer() const noexcept
+{
+    return _pWaiter->GetScreenBuffer();
+}
+
 // Routine Description:
 // - Creates and enqueues a new wait for later callback when a routine cannot be serviced at this time.
 // - Will extract the process ID and the target object, enqueuing in both to know when to callback
diff --git a/src/server/WaitBlock.h b/src/server/WaitBlock.h
@@ -30,6 +30,7 @@ class ConsoleWaitBlock
 public:
     ~ConsoleWaitBlock();
 
+    const SCREEN_INFORMATION* GetScreenBuffer() const noexcept;
     bool Notify(const WaitTerminationReason TerminationReason);
 
     [[nodiscard]] static HRESULT s_CreateWait(_Inout_ CONSOLE_API_MSG* const pWaitReplymessage,
diff --git a/src/server/WaitQueue.cpp b/src/server/WaitQueue.cpp
@@ -103,6 +103,22 @@ bool ConsoleWaitQueue::NotifyWaiters(const bool fNotifyAll,
     return fResult;
 }
 
+void ConsoleWaitQueue::CancelWaitersForScreenBuffer(const SCREEN_INFORMATION* pScreenInfo)
+{
+    for (auto it = _blocks.begin(); it != _blocks.end();)
+    {
+        const auto nextIt = std::next(it); // we have to capture next before it is potentially erased
+        auto* pWaitBlock = *it;
+
+        if (pWaitBlock->GetScreenBuffer() == pScreenInfo)
+        {
+            _NotifyBlock(pWaitBlock, WaitTerminationReason::HandleClosing);
+        }
+
+        it = nextIt;
+    }
+}
+
 // Routine Description:
 // - A helper to delete successfully notified callbacks
 // Arguments:
diff --git a/src/server/WaitQueue.h b/src/server/WaitQueue.h
@@ -37,6 +37,8 @@ class ConsoleWaitQueue
     bool NotifyWaiters(const bool fNotifyAll,
                        const WaitTerminationReason TerminationReason);
 
+    void CancelWaitersForScreenBuffer(const SCREEN_INFORMATION* pScreenInfo);
+
     [[nodiscard]] static HRESULT s_CreateWait(_Inout_ CONSOLE_API_MSG* const pWaitReplyMessage,
                                               _In_ IWaitRoutine* const pWaiter);
 

Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,11 @@ COOKED_READ_DATA::COOKED_READ_DATA(_In_ InputBuffer* const pInputBuffer,`
`176`	`176`	`}`
`177`	`177`	`}`
`178`	`178`
	`179`	`+const SCREEN_INFORMATION* COOKED_READ_DATA::GetScreenBuffer() const noexcept`
	`180`	`+{`
	`181`	`+ return &_screenInfo;`
	`182`	`+}`
	`183`	`+`
`179`	`184`	`// Routine Description:`
`180`	`185`	`// - This routine is called to complete a cooked read that blocked in ReadInputBuffer.`
`181`	`186`	`// - The context of the read was saved in the CookedReadData structure.`
Original file line number	Diff line number	Diff line change
`@@ -192,6 +192,9 @@ void SCREEN_INFORMATION::s_InsertScreenBuffer(_In_ SCREEN_INFORMATION* const pSc`
`192`	`192`	`void SCREEN_INFORMATION::s_RemoveScreenBuffer(_In_ SCREEN_INFORMATION* const pScreenInfo)`
`193`	`193`	`{`
`194`	`194`	`auto& gci = ServiceLocator::LocateGlobals().getConsoleInformation();`
	`195`	`+`
	`196`	`+ gci.GetActiveInputBuffer()->WaitQueue.CancelWaitersForScreenBuffer(pScreenInfo);`
	`197`	`+`
`195`	`198`	`if (pScreenInfo == gci.ScreenBuffers)`
`196`	`199`	`{`
`197`	`200`	`gci.ScreenBuffers = pScreenInfo->Next;`