frontend/drivers/platform_darwin: fix dispatch_source_cancel UAF in path watcher teardown

LibretroAdmin · LibretroAdmin · commit a04f966a0e5b · 2026-04-24T06:14:18.000+02:00
The GCD-based directory watcher in platform_darwin.m had a
latent use-after-free in its teardown path.

=== The bug ===

darwin_watch_data_free was calling dispatch_source_cancel
followed immediately by free(watch_data):

    dispatch_source_cancel(watch_data-&gt;watches[i].source);
    ...
    free(watch_data);

This is unsafe because dispatch_source_cancel is asynchronous.
Per Apple's dispatch documentation, cancel() only marks the
source as cancelled - any event handler invocation that was
already dispatched to the source's target queue will run to
completion.  The cancel handler is guaranteed to fire only
AFTER all pending event handler invocations have drained.

The event handler in question captures watch_data by pointer
and writes to it:

    dispatch_source_set_event_handler(source, ^{
       OSAtomicCompareAndSwap32(0, 1, &amp;watch_data-&gt;has_changes);
    });

Because the target queue is the global concurrent dispatch
queue (dispatch_get_global_queue at line 953), event handlers
run on any of the system worker threads.  If the main thread
is inside darwin_watch_data_free while a kqueue event fires
for the watched vnode, the sequence is:

    thread A (main)          thread B (global queue)
    -------------------      -------------------------
    dispatch_source_cancel
    dispatch_release         (event handler dispatched
    free(watch_data)          before cancel took effect)
                             OSAtomicCompareAndSwap32(
                               0, 1, &amp;watch_data-&gt;
                                       has_changes);
                             /* WRITES TO FREED MEMORY */

The old cancel handler was a no-op with a misleading comment:

    dispatch_source_set_cancel_handler(source, ^{
       /* File descriptor is closed in cleanup function */
    });

This gave the impression that cleanup was synchronised, but
in fact nothing blocked the main thread until the cancel
handler had actually fired.

=== Reachability ===

The watcher is installed by video_shader_parse_preset to
monitor .slangp/.cgp files and their included passes for
changes.  frontend_driver_watch_path_for_changes(NULL, 0, ...)
is called on every preset reload, shader restart, or user
navigation away from the current preset.  Under normal
interactive use (user saves a shader file, then immediately
navigates the menu) the race window is readily reached - the
kqueue event for the save is in flight while the menu action
tears down the watcher.

On modern macOS this often crashes immediately because the
freed memory is immediately re-used by the allocator.  On
iOS/tvOS the same race exists but crashes less often due to
different allocator behaviour.

=== The fix ===

Add a per-source dispatch_semaphore_t cancel_sem to
darwin_watch_entry_t.  The cancel handler signals it; the
teardown path cancels then waits on the semaphore before
freeing.  This is the canonical safe-teardown pattern for
dispatch sources:

  1. dispatch_source_set_cancel_handler signals cancel_sem.
  2. darwin_watch_data_free:
       - dispatch_source_cancel(source)
       - dispatch_semaphore_wait(cancel_sem, FOREVER)
       - RARCH_DISPATCH_RELEASE on source and semaphore
       - close fd, free path, free watch entries
       - free watch_data

By the time dispatch_semaphore_wait returns, GCD guarantees
no event handler for this source is executing or will execute
again.  The subsequent free(watch_data) is safe.

=== Semaphore lifetime ===

The cancel handler block captures cancel_sem.  On both ARC
and MRC-with-OS_OBJECT_USE_OBJC (the default on modern
macOS/iOS) the block retains the captured dispatch object,
so the semaphore survives until the block does.  Even without
block-level retention, we also hold cancel_sem through
watch_data-&gt;watches[i].cancel_sem until AFTER the wait has
returned, so the pointer passed to dispatch_semaphore_signal
is always valid.

=== Semaphore creation failure ===

dispatch_semaphore_create can in theory fail on OOM
(realistically rare).  If it does, we skip source creation
entirely rather than create a source we cannot safely
cancel.  Also added cleanup release on the
source-creation-failure path so the semaphore doesn't leak
when dispatch_source_create fails but the semaphore
succeeded.

=== ARC/MRC compatibility ===

Uses RARCH_DISPATCH_RELEASE from libretro-common/include/
defines/cocoa_defines.h instead of an inline
'#if !__has_feature(objc_arc)' + dispatch_release guard.
The macro is a no-op under ARC and 'do { if (x) dispatch_
release(x); } while (0)' under MRC.  Three advantages over
the inline guard:

  1. Single-line call instead of a 3-line ifdef block.
  2. NULL-guarded automatically - dispatch_release(NULL) is
     explicitly undefined per Apple's docs; the macro makes
     it impossible to forget the check.
  3. Safe on pre-10.8 SDKs where OS_OBJECT_USE_OBJC=0 and
     dispatch types are plain C handles (the cocoa_defines.h
     comment explains why '[x release]' is the wrong choice
     for dispatch objects).

This matches the only other user in the tree
(record/drivers/record_avfoundation.m line 160), keeping the
macro's usage consistent across .m files that release
dispatch objects.

Added '#include &lt;defines/cocoa_defines.h&gt;' inside the
existing '#ifdef HAVE_GCD' block at the top of the file,
matching the placement convention for GCD-specific headers.

=== HAVE_GCD guards ===

All edits are inside existing '#ifdef HAVE_GCD' blocks
(struct definition at line 134, darwin_watch_data_free at
line 897, and frontend_darwin_watch_path_for_changes at
line 962).  No HAVE_GCD scope changes - builds without GCD
(non-macOS/iOS darwin targets) are unaffected.

=== Thread-safety ===

darwin_watch_data_free is called from the main thread during
shader preset teardown.  dispatch_semaphore_wait with
DISPATCH_TIME_FOREVER is blocking but bounded: the cancel
handler runs on the global concurrent queue which always has
worker threads available, and the cancel handler itself does
almost nothing (one semaphore signal), so the wait is
measured in microseconds in practice.

If somehow the cancel handler never fires (hypothetical
GCD bug), the main thread would block forever - but the
same condition would also mean leaked memory and dangling
watches in the existing code, so the new behaviour is
strictly better.

=== Not changing ===

The event handler body is unchanged.  OSAtomicCompareAndSwap32
on &amp;watch_data-&gt;has_changes is still correct - we've just
made sure the pointer is valid for every invocation.  The
field is int32_t volatile and the atomic primitive provides
the necessary memory ordering with frontend_darwin_check_for_
path_changes which reads the flag on the main thread.

=== Verification ===

Brace balance verified on both modified functions.  The
'continue' statement added to skip a watch when semaphore
creation fails lands inside the 'for (i = 0; i &lt; list-&gt;size;
i++)' loop, which is the intended scope.

Can't compile-test locally (no macOS SDK), but the diff is
localised and the changes match the canonical GCD
safe-teardown pattern documented by Apple.
diff --git a/frontend/drivers/platform_darwin.m b/frontend/drivers/platform_darwin.m
@@ -26,6 +26,7 @@
 #include <mach/mach.h>
 #ifdef HAVE_GCD
 #include <dispatch/dispatch.h>
+#include <defines/cocoa_defines.h>
 #endif
 
 #include <CoreFoundation/CoreFoundation.h>
@@ -137,6 +138,19 @@
 {
    int fd;                    /* File descriptor opened with O_EVTONLY */
    dispatch_source_t source;  /* GCD dispatch source for monitoring */
+   /* Per-entry semaphore signalled from the source's cancel
+    * handler.  Needed because dispatch_source_cancel is
+    * asynchronous: it flags the source for cancellation but
+    * any already-dispatched event handler invocation keeps
+    * running to completion on its target queue, which is the
+    * global concurrent queue here.  The event handler
+    * dereferences &watch_data->has_changes, so we cannot free
+    * watch_data until we're sure no in-flight handler remains.
+    * The cancel handler fires once all handler invocations
+    * have drained, so waiting on this semaphore before free()
+    * is the standard safe-teardown pattern for dispatch
+    * sources. */
+   dispatch_semaphore_t cancel_sem;
    char *path;                /* Watched file path */
 } darwin_watch_entry_t;
 
@@ -911,10 +925,29 @@ static void darwin_watch_data_free(darwin_watch_data_t *watch_data)
       {
          if (watch_data->watches[i].source)
          {
+            /* Cancel the source, then wait for the cancel
+             * handler to fire.  dispatch_source_cancel is
+             * asynchronous - it only marks the source as
+             * cancelled.  Any already-dispatched event handler
+             * invocation (the one that reads
+             * &watch_data->has_changes) keeps running to
+             * completion on the global concurrent queue.  The
+             * cancel handler is guaranteed to fire AFTER all
+             * pending event handler invocations have drained,
+             * so dispatch_semaphore_wait(cancel_sem, FOREVER)
+             * is the standard 'wait until source is fully
+             * quiesced' pattern.  Without this wait a racing
+             * event handler would NUL-deref or, worse, write
+             * into freed memory for has_changes. */
             dispatch_source_cancel(watch_data->watches[i].source);
-#if !__has_feature(objc_arc)
-            dispatch_release(watch_data->watches[i].source);
-#endif
+            if (watch_data->watches[i].cancel_sem)
+            {
+               dispatch_semaphore_wait(
+                     watch_data->watches[i].cancel_sem,
+                     DISPATCH_TIME_FOREVER);
+            }
+            RARCH_DISPATCH_RELEASE(watch_data->watches[i].source);
+            RARCH_DISPATCH_RELEASE(watch_data->watches[i].cancel_sem);
          }
          if (watch_data->watches[i].fd >= 0)
             close(watch_data->watches[i].fd);
@@ -984,16 +1017,32 @@ static void frontend_darwin_watch_path_for_changes(
          const char *path = list->elems[i].data;
          int fd           = open(path, O_EVTONLY);
 
-         watch_data->watches[i].fd     = fd;
-         watch_data->watches[i].source = NULL;
-         watch_data->watches[i].path   = NULL;
+         watch_data->watches[i].fd         = fd;
+         watch_data->watches[i].source     = NULL;
+         watch_data->watches[i].path       = NULL;
+         watch_data->watches[i].cancel_sem = NULL;
 
          if (fd >= 0)
          {
-            dispatch_source_t source;
+            dispatch_source_t    source;
+            dispatch_semaphore_t cancel_sem;
 
             watch_data->watches[i].path = strdup(path);
 
+            /* Create cancel semaphore up-front.  If this fails
+             * (realistically only on OOM) we skip source creation
+             * entirely rather than create a source we cannot
+             * safely tear down - without a semaphore the free
+             * path has no way to wait for in-flight event
+             * handlers to drain before the free(). */
+            cancel_sem = dispatch_semaphore_create(0);
+            if (!cancel_sem)
+            {
+               close(fd);
+               watch_data->watches[i].fd = -1;
+               continue;
+            }
+
             /* Create dispatch source for monitoring file events */
             source = dispatch_source_create(
                   DISPATCH_SOURCE_TYPE_VNODE,
@@ -1003,22 +1052,31 @@ static void frontend_darwin_watch_path_for_changes(
 
             if (source)
             {
-               /* Set up event handler - sets atomic flag when changes occur */
+               /* Set up event handler - sets atomic flag when changes
+                * occur.  This block captures watch_data by pointer and
+                * the cancel-handler synchronisation below is what keeps
+                * the capture safe against the teardown path. */
                dispatch_source_set_event_handler(source, ^{
                   OSAtomicCompareAndSwap32(0, 1, &watch_data->has_changes);
                });
 
-               /* Set up cancellation handler to prevent fd leak */
+               /* Cancel handler signals cancel_sem.  darwin_watch_
+                * data_free will cancel the source and wait on this
+                * semaphore, guaranteeing all pending event handlers
+                * have completed before watch_data is freed. */
                dispatch_source_set_cancel_handler(source, ^{
-                  /* File descriptor is closed in cleanup function */
+                  dispatch_semaphore_signal(cancel_sem);
                });
 
-               watch_data->watches[i].source = source;
+               watch_data->watches[i].source     = source;
+               watch_data->watches[i].cancel_sem = cancel_sem;
                dispatch_resume(source);
             }
             else
             {
-               /* Failed to create dispatch source, close fd */
+               /* Failed to create dispatch source, close fd and
+                * release the unused semaphore. */
+               RARCH_DISPATCH_RELEASE(cancel_sem);
                close(fd);
                watch_data->watches[i].fd = -1;
             }
