From 4eee8a48ecae5a4bd909eace8e617657222c91f5 Mon Sep 17 00:00:00 2001
From: Peter Harris
Date: Fri, 25 Jul 2025 22:15:20 +0100
Subject: [PATCH] Fix use-after-free of dispatch table

---
 source_common/framework/manual_functions.cpp | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/source_common/framework/manual_functions.cpp b/source_common/framework/manual_functions.cpp
index 196a1a1..f651ab9 100644
--- a/source_common/framework/manual_functions.cpp
+++ b/source_common/framework/manual_functions.cpp
@@ -751,13 +751,15 @@ VKAPI_ATTR void VKAPI_CALL layer_vkDestroyInstance_default(VkInstance instance,
     std::unique_lock lock {g_vulkanLock};
     auto* layer = Instance::retrieve(instance);
 
-    // Layer proxy must be destroyed before the driver version
-    // so we can clean up any layer-owned resources
+    // Save the driver function to avoid a use-after free when proxy is destroyed
+    auto destroyInstance = layer->driver.vkDestroyInstance;
+
+    // Layer proxy must be destroyed before the driver object as we use its dispatchable handle
     Instance::destroy(layer);
 
     // Release the lock to call into the driver
     lock.unlock();
-    layer->driver.vkDestroyInstance(instance, pAllocator);
+    destroyInstance(instance, pAllocator);
 }
 
 /* See Vulkan API for documentation. */
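Review bot: The new copy `auto destroyInstance = layer->driver.vkDestroyInstance;` still dereferences `layer` with no check that `Instance::retrieve(instance)` returned a non-null object, and the layer_vkDestroyDevice_default hunk has the identical shape; if retrieve can return null for an unknown handle, a guard such as `if (!layer) return;` (or an assert, if retrieve is contractually non-null) placed before the copy would make the dereference safe and the ordering explicit. The copied pointer does fix the use-after-free, but the reason only that one pointer may survive destruction is worth stating next to it, for example `PFN_vkDestroyInstance destroyInstance = layer->driver.vkDestroyInstance;` followed by `// layer (and layer->driver) is freed by Instance::destroy(); read nothing else from it after this point`, so a later edit does not reintroduce the bug by reading another table entry after the destroy. The added comment also reads "use-after free"; the usual spelling is "use-after-free". The function's signature and opening lines lie before the hunk.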
@@ -839,13 +841,15 @@ VKAPI_ATTR void VKAPI_CALL layer_vkDestroyDevice_default(VkDevice device, const
     std::unique_lock lock {g_vulkanLock};
     auto* layer = Device::retrieve(device);
 
-    // Layer proxy must be destroyed before the driver version
-    // so we can clean up any layer-owned resources
+    // Save the driver function to avoid a use-after free when proxy is destroyed
+    auto destroyDevice = layer->driver.vkDestroyDevice;
+
+    // Layer proxy must be destroyed before the driver object as we use its dispatchable handle
     Device::destroy(layer);
 
     // Release the lock to call into the driver
     lock.unlock();
-    layer->driver.vkDestroyDevice(device, pAllocator);
+    destroyDevice(device, pAllocator);
 }
 
 /* See Vulkan API for documentation. */