本文记录 dotnet 8.0.4 版本修复的 WPF 的触摸模块安全问题,此问题影响所有的 .NET 版本,修复方法是更新 SDK 和运行时

宣布安全漏洞地址: https://github.com/dotnet/wpf/issues/9003

安全漏洞宣布地址: https://github.com/dotnet/announcements/issues/303

漏洞代号: CVE-2024-21409

核心更改: https://github.com/dotnet/wpf/commit/c15b5c68cd74ae28bc99af539d05880658c45024

影响模块: 触摸模块

开发者侧的修复方法: 升级 .NET SDK 或运行时版本,携带此更新的版本分别如下

  • .NET 6 : 6.0.29
  • .NET 7 : 7.0.18
  • .NET 8 : 8.0.4

微软系统更新 Microsoft Update 将会自动推送以上版本的 .NET Core 更新,以及相应的 .NET Framework 质量更新

修复的原因和修复的方法请参阅核心请参阅核心更改里面的注释,注释内容如下

    // The CComObject<CPimcManager> destructor is the only function which calls into this

    // FinalRelease code.

    //

    // In all successful usage of CPimcManager: 1) Managed WPF code uses CoCreateInstance

    // to acquire an IPimcManager2 interface to a brand-new CPimcManager instance (created by

    // the ATL CComCreator<T>::CreateInstance machinery), meaning FinalConstruct by-definition

    // completes successfully, meaning "m_managerLock" is therefore guaranteed to be locked;

    // 2) Managed WPF code then runs through its full end-to-end usage of the CPimcManager

    // object (generally managed by the code in PenThreadWorker.cs); 3) When/if the managed WPF

    // code determines that the CPimcManager object is no longer needed, it sends a

    // RELEASE_MANAGER_EXT message (see UnsafeNativeMethods.ReleaseManagerExternalLock()) which

    // unlocks "m_managerLock"; 4) Now that it is unlocked, the CComObject<CPimcManager> object

    // can be destroyed when/if its refcount drops to zero, and this FinalRelease function will

    // run at that time.

    //

    // So in all successful usage cases, it is guaranteed that "m_managerLock" is already

    // unlocked when this code runs (because if it was still locked, the lock itself would have

    // prevented the refcount from reaching zero, and would have prevented this function from

    // ever running).

    //

    // That said, in unsuccessful usage cases, the ATL CComCreator<T>::CreateInstance machinery

    // can fail, meaning it will destroy the brand-new CPimcManager instance before returning

    // an error back to the CreateInstance caller.  Destroying the brand-new instance triggers

    // the CComObject<CPimcManager> destructor and therefore calls into this function during

    // the CComCreator<T>::CreateInstance operation itself.

    //

    // The final step in CComCreator<T>::CreateInstance is a QI which queries the newly-created

    // object for whatever interface has been requested by the caller.  This operation is the

    // main way that CComCreator<T>::CreateInstance can fail.  For example, this QI is

    // guaranteed to fail whenever the CoCreateInstance caller targets the CPimcManager CLSID

    // but passes in a "random" IID that has nothing to do with IPimcManager2 or anything else

    // that CPimcManager implements.

    //

    // (In CPimcManager construction, outside of pathological cases (e.g., where a small heap

    // allocation in OS code fails due to out-of-memory), there are no other known ways that

    // the CComCreator<T>::CreateInstance sequence can fail; so the QI failure is the only

    // failure mode that is known to be of general interest.)

    //

    // The QI failure can only occur after the preceding FinalConstruct call has completed

    // successfully (since any FinalConstruct failure would have caused

    // CComCreator<T>::CreateInstance to abort without ever trying the QI); since

    // CPimcManager::FinalConstruct always locks the "m_managerLock", this implies that the

    // "m_managerLock" is guaranteed to be locked when this code runs (which is exactly

    // opposite to what happens in all successful usage cases as discussed above).

    //

    // In this case, it is crucial to unlock "m_managerLock" before allowing this CPimcManager

    // object to be destroyed.  Without the unlock, this CPimcManager object would be destroyed

    // while the associated CStdIdentity in the OS code still holds a reference to it; during

    // any future apartment unload, the OS code would release this reference, and the release

    // would be a use-after-free at that point.

    //

    // Note that the crucial unlock causes overactive ATL debug asserts to fire if a chk build

    // of this DLL is used; specifically:

    //

    //    - The code in the CComObject<CPimcManager> destructor always stomps the refcount to

    //      0xc0000001 (i.e., "-(LONG_MAX/2)"), meaning this CPimcManager object's refcount is

    //      always 0xc0000001 when this code runs; unlocking "m_managerLock" will cause the refcount

    //      to drop by one (because, as discussed above, the crucial operation which prevents

    //      use-after-free problems will release the associated CStdIdentity's reference to this

    //      CPimcManager object, and in this way releases the reference that was added when

    //      "managerLock" was locked during FinalConstruct); as a result, unlocking "m_managerLock"

    //      will move this CPimcManager object's refcount through a "0xc0000001 -> 0xc0000000"

    //      transition.

    //

    //    - Both of the CComObjectRootEx<T>::InternalRelease specializations contain debug asserts

    //      which will fire whenever the refcount drops below 0xc0000001, so this transition always

    //      triggers a debug assert when using a chk build of this DLL.

    //

    //    - That said, all evidence strongly suggests that this is just an overactive assert in

    //      the ATL code (probably just indicating that it is rare for FinalConstruct to add

    //      "self-references" like it does for CPimcManager (since these self-references generally

    //      prevent the server object from being destroyed unless a manual action like the

    //      RELEASE_MANAGER_EXT message is taken later on), meaning it is rare to have a situation

    //      where FinalRelease needs to release self-references that were acquired in

    //      FinalConstruct, meaning this is a rare enough case that the ATL authors either didn't

    //      test it or didn't think it was common enough to warrant adjusting the assert).

    //

    // Since this change is being made in servicing, attempt to change behavior as little as

    // possible in the "successful usage" cases where "m_managerLock" is already unlocked,

    // while still ensuring that FinalRelease will always run the crucial unlock in all

    // "unsuccessful usage" cases.

以下是 new Bing 对上面注释的解释

这段代码注释讨论的是一个关于 CPimcManager 类的析构函数(destructor)的问题。让我来解释一下:

  1. 首先,我们有一个 CPimcManager 类,它的析构函数(destructor)被称为 FinalRelease
  2. 在成功使用 CPimcManager 的情况下,以下步骤发生:
    • 托管的 WPF 代码使用 CoCreateInstance 来获取一个指向全新 CPimcManager 实例的 IPimcManager2 接口(由 ATL CComCreator<T>::CreateInstance 机制创建)。
    • 这意味着 FinalConstruct 已经成功完成,也就是说,“m_managerLock”已经被锁定。
    • 然后,托管的 WPF 代码通过发送 RELEASE_MANAGER_EXT 消息(参见 UnsafeNativeMethods.ReleaseManagerExternalLock())来解锁 “m_managerLock”,表示不再需要 CPimcManager 对象。
    • 现在,“m_managerLock”已经解锁,CComObject<CPimcManager> 对象可以在其引用计数降至零时被销毁,此时 FinalRelease 函数将运行。
  3. 因此,在所有成功的使用情况下,当此代码运行时,“m_managerLock”已经解锁(因为如果它仍然被锁定,锁本身将阻止引用计数达到零,从而阻止此函数运行)。
  4. 但是,在不成功的使用情况下,ATL CComCreator<T>::CreateInstance 机制可能会失败,这意味着它将在将错误返回给 CreateInstance 调用者之前销毁全新的 CPimcManager 实例。
  5. 销毁全新实例会触发 CComObject<CPimcManager> 析构函数,因此在 CComCreator<T>::CreateInstance操作本身期间会调用此函数。
  6. CComCreator<T>::CreateInstance 的最后一步是查询新创建的对象,以获取已重新定义的任何接口。

总之,这段注释详细描述了 CPimcManager 类的析构函数在不同使用情况下的行为和保证。

记 dotnet 8.0.4 修复的 WPF 的触摸模块安全问题的更多相关文章

  1. XCODE 出现 The operation couldn't be completed.(LaunchServicesError error 0.)错误修复

    XCODE 出现 The operation couldn't be completed.(LaunchServicesError error 0.)错误修复   XCODE 出现 The opera ...

  2. sql2000/sql2005/sql2008数据库变为0字节修复/MDF文件0字节恢复

    [数据恢复故障描述]  这个客户是生产型数据库,数据比较重要,产生量也比较大,客户要求必须尽快修复,保证生产尽快恢复运行.sql数据库文件,由于碎片链接过长,mdf文件突然变为0字节,开始客户尝试自行 ...

  3. 网站漏洞检测之WordPress 5.0.0 系统修复方案

    2019年正月刚开始,WordPress最新版本存在远程代码注入获取SHELL漏洞,该网站漏洞影响的版本是wordpress5.0.0,漏洞的产生是因为image模块导致的,因为代码里可以进行获取目录 ...

  4. 致远·面向人工智能-逐浪CMS v8.1.2全面发布[全球首个基于dotNET core3.0的中文CMS]

    原文:https://www.z01.com/down/3484.shtml 再远, 我都不会停息, 因为技术而生, 因为技术而强, 这是逐浪软件的命与根! 全新打造, 三百多项超级功能, 助你十分钟 ...

  5. Git使用总结 Asp.net生命周期与Http协议 托管代码与非托管代码的区别 通过IEnumerable接口遍历数据 依赖注入与控制反转 C#多线程——优先级 AutoFac容器初步 C#特性详解 C#特性详解 WPF 可触摸移动的ScrollViewer控件 .NET(C#)能开发出什么样的APP?盘点那些通过Smobiler开发的移动应用

    一,原理 首先,我们要明白Git是什么,它是一个管理工具或软件,用来管理什么的呢?当然是在软件开发过程中管理软件或者文件的不同版本的工具,一些作家也可以用这个管理自己创作的文本文件,由Linus开发的 ...

  6. WPF 获得触摸精度和触摸点

    原文:WPF 获得触摸精度和触摸点 本文主要告诉大家如何获得所有的触摸设备的触摸精度和触摸点数. 需要通过反射的方法才可以拿到触摸的精度. 使用 Tablet.TabletDevices 可以获得所有 ...

  7. WPF多点触摸放大缩小旋转

    原文:WPF多点触摸放大缩小旋转 版权声明:本文为博主原创文章,需要转载尽管转载. https://blog.csdn.net/z5976749/article/details/40118437 如果 ...

  8. 关于正餐智能POS6.0.1.1改版后,订单模块无法进行部分退款的FAQ

    适用版本:智能POS正餐V6.0.1.1+ 适用情况:订单模块,无法输入自定义金额进行部分退款. 原因:为让报表统计的数据更准确. 改版之后仍可适用部分退款的情况: 1.口碑先付订单,可在口碑模块,选 ...

  9. 【饿了么】—— Vue2.0高仿饿了么核心模块&移动端Web App项目爬坑(三)

    前言:接着上一篇项目总结,这一篇是学习过程记录的最后一篇,这里会梳理:评论组件.商家组件.优化.打包.相关资料链接.项目github地址:https://github.com/66Web/ljq_el ...

  10. WPF 多点触摸开发[2]:WPF触摸的几个手势的执行顺序

    原文:WPF 多点触摸开发[2]:WPF触摸的几个手势的执行顺序 前面我讲了在win7下使用模拟器,进行调试模拟多点触摸,其实际开发中这样也比较麻烦.. 要拿几个鼠标. 所以更多的人会 买个触摸套 套 ...

随机推荐

  1. 三维模型3DTile格式轻量化纹理压缩技术方法浅析

    三维模型3DTile格式轻量化纹理压缩技术方法浅析 三维模型的纹理数据通常占据了模型数据的大部分,因此纹理压缩对于3DTile格式轻量化压缩来说至关重要.下面将详细分析几种主要的纹理压缩技术方法: D ...

  2. 网页端实现Excel转JSON

    1. 引言 有时工作中拿到的数据是Excel表格,要在前端网页上使用,通常需要把文件转为JSON 微软的Microsoft Excel没有导出为JSON的功能,其他的第三方网站又不太信任 开源的Exc ...

  3. 记录--`ElementUI` 中的奇技淫巧

    这里给大家分享我在网上总结出来的一些知识,希望对大家有所帮助 在ElementUI的世界中,不仅有基础的组件和功能,还有一些让你眼前一亮.*得不能再*的高级技巧和窍门.本文将揭示这些技巧,让你在前端开 ...

  4. %USERPROFILE% 查看系统变量

    %USERPROFILE% =C:\Users\用户名 win+r,输入cmd 回车 在cmd窗口下输入 set 回车,可以查看系统变量(想要了解更多 set 命令请看 这里)

  5. KingbaseES V8R6运维案例之---数据库resetwal后启动失败

    KingbaseES V8R6运维案例之---数据库resetwal后启动失败 案例说明: KingbaseES V8R6集群触发failover切换后,原主库自动recovery失败,现在需要将原主 ...

  6. KingbaseESV8R6等待事件之LWLock buffer_mapping

    等待事件含义 当会话将数据块与共享缓冲池中的缓冲区关联时,会发生此等待事件. 类似Oracle cbc闩锁的是一种Kingbase的轻量级锁lwlock,这个锁的名字在不同数据库版本中可能有所不同,我 ...

  7. FineReport报表绕过预览直接打印

    常规情况下,打印报表的一版操作是: 1.点击相关报表查询页面,展示查询结果,即即将打印的页面 2.点击打印按钮,进入浏览器的打印预览界面 3.点击打印 但是某些时候我们可能会希望不需要点开某张报表即可 ...

  8. 内存分析利器之UMDH

    近两周投入分析产品的内存泄漏问题. 测试团队反馈产品在安卓平台运行时,随用户操作,应用占用的内存出现上涨的趋势,停止操作并等待一段时间之后,应用占用的内存没有下降,怀疑存在内存泄漏问题. 结合复现的情 ...

  9. SQL JOIN 子句:合并多个表中相关行的完整指南

    SQL JOIN JOIN子句用于基于它们之间的相关列合并来自两个或更多表的行. 让我们看一下"Orders"表的一部分选择: OrderID CustomerID OrderDa ...

  10. Go 编程语言详解:用途、特性、与 Python 和 C++ 的比较

    什么是Go? Go是一个跨平台.开源的编程语言 Go可用于创建高性能应用程序 Go是一种快速.静态类型.编译型语言,感觉上像动态类型.解释型语言 Go由Robert Griesemer.Rob Pik ...