Merging internal commits for release/6.0 (#9005)

* [internal/release/6.0] Update dependencies from dnceng/internal/dotnet-winforms

* Fixes PenIMC UAF MSRC .NET 6

* Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-winforms build 20240311.13

Microsoft.Dotnet.WinForms.ProjectTemplates , Microsoft.Private.Winforms
 From Version 6.0.29-servicing.24158.7 -> To Version 6.0.29-servicing.24161.13

* Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-winforms build 20240312.6

Microsoft.Dotnet.WinForms.ProjectTemplates , Microsoft.Private.Winforms
 From Version 6.0.29-servicing.24158.7 -> To Version 6.0.29-servicing.24162.6

* Local dependencies updated based on build with BAR id 217668 (20240315.6 from https://dev.azure.com/dnceng/internal/_git/dotnet-winforms@refs/heads/internal/release/6.0)

* Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-winforms build

Microsoft.Dotnet.WinForms.ProjectTemplates , Microsoft.Private.Winforms
 From Version 6.0.29-servicing.24165.6 -> To Version 6.0.29-servicing.24169.15

Dependency coherency updates

Microsoft.NETCore.Platforms,Microsoft.NETCore.ILDAsm,Microsoft.NETCore.ILAsm,Microsoft.NETCore.App.Ref,Microsoft.NETCore.App.Runtime.win-x64,VS.Redist.Common.NetCore.SharedFramework.x64.6.0
 From Version 6.0.13 -> To Version 6.0.13 (parent: Microsoft.Private.Winforms

* Merged PR 38439: [internal/release/6.0] Update dependencies from dnceng/internal/dotnet-winforms

This pull request updates the following dependencies

[marker]: <> (Begin:Coherency Updates)
## Coherency Updates

The following updates ensure that dependencies with a *CoherentParentDependency*
attribute were produced in a build used as input to the parent dependency's build.
See [Dependency Description Format](https://github.com/dotnet/arcade/blob/master/Documentation/DependencyDescriptionFormat.md#dependency-description-overview)

[DependencyUpdate]: <> (Begin)

- **Coherency Updates**:
  - **Microsoft.NETCore.Platforms**: from 6.0.13 to 6.0.13 (parent: Microsoft.Private.Winforms)
  - **Microsoft.NETCore.ILDAsm**: from 6.0.29-servicing.24169.13 to 6.0.29-servicing.24171.5 (parent: Microsoft.Private.Winforms)
  - **Microsoft.NETCore.ILAsm**: from 6.0.29-servicing.24169.13 to 6.0.29-servicing.24171.5 (parent: Microsoft.Private.Winforms)
  - **Microsoft.NETCore.App.Ref**: from 6.0.29 to 6.0.29 (parent: Microsoft.Private.Winforms)
  - **Microsoft.NETCore.App.Runtime.win-x64**: from 6.0.29 to 6.0.29 (parent: Microsoft.Private.Winforms)
  - **VS.Redist.Common.NetCore.SharedFramework.x64.6.0**: from 6.0.29-servicing.24169.13 to 6.0.29-servicing.24171.5 (parent: Microsoft.Private.Winforms)

[DependencyUpdate]: <> (End)

[marker]: <> (End:Coherency Updates)

[marker]: <> (Begin:a88d6455-e128-4280-39b4-08d960f4ca81)
## From https://dev.azure.com/dnceng/internal/_git/dotnet-winforms
- **Subscription**: a88d6455-e128-4280-39b4-08d960f4ca81
- **Build**:
- **Date Produced**: March 21, 2024 8:50:10 PM UTC
- **Commit**: 6525c5174ef1b8ee5b29c397e8a4b76e76487927
- **Branch**: refs/heads/internal/release/6.0

[DependencyUpdate]: <> (Begin)

- **Updates**:
  - **Microsoft.Dotnet.WinForms.ProjectTemplates**: [from 6.0.29-servicing.24169.15 to 6.0.29-servicing.24171.6][1]
  - **Microsoft.Private.Winforms**: [from 6.0.29-servicing.24169.15 to 6.0.29-servicing.24171.6][1]
  - **Microsoft.NETCore.Platforms**: [from 6.0.13 to 6.0.13][2]
  - **Microsoft.NETCore.ILDAsm**: [from 6.0.29-servicing.24169.13 to 6.0.29-servicing.24171.5][2]
  - **Microsoft.NETCore.ILAsm**: [from 6.0.29-servicing.24169.13 to 6.0.29-servicing.24171.5][2]
  - **Microsoft.NETCore.App.Ref**: [from 6.0.29 to 6.0.29][2]
  - **Microsoft.NETCore.App.Runtime.win-x64**: [from 6.0.29 to 6.0.29][2]
  - **VS.Redist.Common.NetCore.SharedFramework.x64.6.0**: [from 6.0.29-servicing.24169.13 to 6.0.29-servicing.24171.5][2]

[1]: https://dev.azure.com/dnceng/internal/_git/dotnet-winforms/branches?baseVersion=GC8b4de777b2ddf7e0f4a06dec30bbc152315fdef8&targetVersion=GC6525c5174ef1b8ee5b29c397e8a4b76e76487927&_a=files
[2]: https://dev.azure.com/dnceng/internal/_git/dotnet-runtime/branches?baseVersion=GCc95b68327d40062beb0c9d4cd08295a85d86bd27&targetVersion=GC189fbbd88d97dd6d65515ba2da05b62eab4e5039&_a=files

[DependencyUpdate]: <> (End)

[marker]: <> (End:a88d6455-e128-4280-39b4-08d960f4ca81)

* Merged PR 38452: [internal/release/6.0] Merge from public

Merge from public release/6.0 to internal/release/6.0 and resolve conflicts if necessary

---------

Co-authored-by: dotnet-bot <[email protected]>
Co-authored-by: DotNet Bot <[email protected]>
Co-authored-by: dipeshmsft <[email protected]>

Author: 3 people

NuGet.config

@@ -5,6 +5,7 @@
     <clear />
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <!--  Begin: Package sources from dotnet-runtime -->
+    <add key="darc-int-dotnet-runtime-189fbbd" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-189fbbd8/nuget/v3/index.json" />
     <!--  End: Package sources from dotnet-runtime -->
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
@@ -18,6 +19,7 @@
   <disabledPackageSources>
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <!--  Begin: Package sources from dotnet-runtime -->
+    <add key="darc-int-dotnet-runtime-189fbbd" value="true" />
     <!--  End: Package sources from dotnet-runtime -->
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
   </disabledPackageSources>

eng/Version.Details.xml

@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
   <ProductDependencies>
-    <Dependency Name="Microsoft.Private.Winforms" Version="6.0.28-servicing.24120.4">
+    <Dependency Name="Microsoft.Private.Winforms" Version="6.0.29-servicing.24171.6">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-winforms</Uri>
-      <Sha>9de94bff9795bb0644835098b91e81edccfaa367</Sha>
+      <Sha>6525c5174ef1b8ee5b29c397e8a4b76e76487927</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.Dotnet.WinForms.ProjectTemplates" Version="6.0.28-servicing.24120.4">
+    <Dependency Name="Microsoft.Dotnet.WinForms.ProjectTemplates" Version="6.0.29-servicing.24171.6">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-winforms</Uri>
-      <Sha>9de94bff9795bb0644835098b91e81edccfaa367</Sha>
+      <Sha>6525c5174ef1b8ee5b29c397e8a4b76e76487927</Sha>
     </Dependency>
     <Dependency Name="System.CodeDom" Version="6.0.0" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://github.com/dotnet/runtime</Uri>
@@ -45,9 +45,9 @@
       <Uri>https://github.com/dotnet/runtime</Uri>
       <Sha>4822e3c3aa77eb82b2fb33c9321f923cf11ddde6</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.NETCore.Platforms" Version="6.0.12" CoherentParentDependency="Microsoft.Private.Winforms">
+    <Dependency Name="Microsoft.NETCore.Platforms" Version="6.0.13" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
-      <Sha>34a109148c7d8a2c8e6431e83e4bce5712dd8083</Sha>
+      <Sha>189fbbd88d97dd6d65515ba2da05b62eab4e5039</Sha>
     </Dependency>
     <Dependency Name="Microsoft.DotNet.Wpf.DncEng" Version="6.0.0-rtm.24171.2">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-wpf-int</Uri>
@@ -57,29 +57,29 @@
       <Uri>https://github.com/dotnet/runtime</Uri>
       <Sha>4822e3c3aa77eb82b2fb33c9321f923cf11ddde6</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.NETCore.ILDAsm" Version="6.0.28-servicing.24120.7" CoherentParentDependency="Microsoft.Private.Winforms">
+    <Dependency Name="Microsoft.NETCore.ILDAsm" Version="6.0.29-servicing.24171.5" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
-      <Sha>34a109148c7d8a2c8e6431e83e4bce5712dd8083</Sha>
+      <Sha>189fbbd88d97dd6d65515ba2da05b62eab4e5039</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.NETCore.ILAsm" Version="6.0.28-servicing.24120.7" CoherentParentDependency="Microsoft.Private.Winforms">
+    <Dependency Name="Microsoft.NETCore.ILAsm" Version="6.0.29-servicing.24171.5" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
-      <Sha>34a109148c7d8a2c8e6431e83e4bce5712dd8083</Sha>
+      <Sha>189fbbd88d97dd6d65515ba2da05b62eab4e5039</Sha>
     </Dependency>
     <Dependency Name="System.Resources.Extensions" Version="6.0.0" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://github.com/dotnet/runtime</Uri>
       <Sha>4822e3c3aa77eb82b2fb33c9321f923cf11ddde6</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.NETCore.App.Ref" Version="6.0.28" CoherentParentDependency="Microsoft.Private.Winforms">
+    <Dependency Name="Microsoft.NETCore.App.Ref" Version="6.0.29" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
-      <Sha>34a109148c7d8a2c8e6431e83e4bce5712dd8083</Sha>
+      <Sha>189fbbd88d97dd6d65515ba2da05b62eab4e5039</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.NETCore.App.Runtime.win-x64" Version="6.0.28" CoherentParentDependency="Microsoft.Private.Winforms">
+    <Dependency Name="Microsoft.NETCore.App.Runtime.win-x64" Version="6.0.29" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
-      <Sha>34a109148c7d8a2c8e6431e83e4bce5712dd8083</Sha>
+      <Sha>189fbbd88d97dd6d65515ba2da05b62eab4e5039</Sha>
     </Dependency>
-    <Dependency Name="VS.Redist.Common.NetCore.SharedFramework.x64.6.0" Version="6.0.28-servicing.24120.7" CoherentParentDependency="Microsoft.Private.Winforms">
+    <Dependency Name="VS.Redist.Common.NetCore.SharedFramework.x64.6.0" Version="6.0.29-servicing.24171.5" CoherentParentDependency="Microsoft.Private.Winforms">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
-      <Sha>34a109148c7d8a2c8e6431e83e4bce5712dd8083</Sha>
+      <Sha>189fbbd88d97dd6d65515ba2da05b62eab4e5039</Sha>
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>

eng/Versions.props

@@ -26,20 +26,20 @@
   </PropertyGroup>
   <!-- NuGet Package Versions -->
   <PropertyGroup>
-    <MicrosoftPrivateWinformsVersion>6.0.28-servicing.24120.4</MicrosoftPrivateWinformsVersion>
+    <MicrosoftPrivateWinformsVersion>6.0.29-servicing.24171.6</MicrosoftPrivateWinformsVersion>
   </PropertyGroup>
   <!-- Packages that come from https://github.com/dotnet/coreclr -->
   <PropertyGroup>
     <MicrosoftNETCoreRuntimeCoreCLRVersion>5.0.0-alpha1.19562.1</MicrosoftNETCoreRuntimeCoreCLRVersion>
-    <MicrosoftNETCoreILDAsmVersion>6.0.28-servicing.24120.7</MicrosoftNETCoreILDAsmVersion>
-    <MicrosoftNETCoreILAsmVersion>6.0.28-servicing.24120.7</MicrosoftNETCoreILAsmVersion>
+    <MicrosoftNETCoreILDAsmVersion>6.0.29-servicing.24171.5</MicrosoftNETCoreILDAsmVersion>
+    <MicrosoftNETCoreILAsmVersion>6.0.29-servicing.24171.5</MicrosoftNETCoreILAsmVersion>
   </PropertyGroup>
   <!-- Packages that come from https://github.com/dotnet/core-setup -->
   <PropertyGroup>
-    <VSRedistCommonNetCoreSharedFrameworkx6460PackageVersion>6.0.28-servicing.24120.7</VSRedistCommonNetCoreSharedFrameworkx6460PackageVersion>
-    <MicrosoftNETCoreAppRefVersion>6.0.28</MicrosoftNETCoreAppRefVersion>
-    <MicrosoftNETCoreAppRuntimewinx64Version>6.0.28</MicrosoftNETCoreAppRuntimewinx64Version>
-    <MicrosoftNETCorePlatformsVersion>6.0.12</MicrosoftNETCorePlatformsVersion>
+    <VSRedistCommonNetCoreSharedFrameworkx6460PackageVersion>6.0.29-servicing.24171.5</VSRedistCommonNetCoreSharedFrameworkx6460PackageVersion>
+    <MicrosoftNETCoreAppRefVersion>6.0.29</MicrosoftNETCoreAppRefVersion>
+    <MicrosoftNETCoreAppRuntimewinx64Version>6.0.29</MicrosoftNETCoreAppRuntimewinx64Version>
+    <MicrosoftNETCorePlatformsVersion>6.0.13</MicrosoftNETCorePlatformsVersion>
     <SystemDrawingCommonVersion>6.0.0</SystemDrawingCommonVersion>
     <SystemDirectoryServicesVersion>6.0.1</SystemDirectoryServicesVersion>
     <SystemReflectionMetadataLoadContextVersion>6.0.0</SystemReflectionMetadataLoadContextVersion>

src/Microsoft.DotNet.Wpf/src/PenImc/dll/ComLockableWrapper.hpp

@@ -40,6 +40,11 @@ namespace ComUtils
         // The apartment is verified during this call.
         HRESULT Unlock();
 
+        // Unlocking a wrapper permanently nulls out the server object pointer, so a
+        // wrapper contains a non-null server object pointer if and only if it is
+        // bound to a server object which has never been unlocked.
+        bool HasNotBeenUnlocked() { return (m_serverObject != nullptr); }
+
     private:
 
         IUnknown *m_serverObject;

src/Microsoft.DotNet.Wpf/src/PenImc/dll/PimcManager.cpp

@@ -396,6 +396,94 @@ void CPimcManager::TerminateHookThread(__inout CHookThreadItem * pThread)
 void CPimcManager::FinalRelease() 
 {
     m_wispManagerLock.RevokeIfValid();
+
+    //
+    // The CComObject<CPimcManager> destructor is the only function which calls into this
+    // FinalRelease code.
+    //
+    // In all successful usage of CPimcManager: 1) Managed WPF code uses CoCreateInstance
+    // to acquire an IPimcManager2 interface to a brand-new CPimcManager instance (created by
+    // the ATL CComCreator<T>::CreateInstance machinery), meaning FinalConstruct by-definition
+    // completes successfully, meaning "m_managerLock" is therefore guaranteed to be locked;
+    // 2) Managed WPF code then runs through its full end-to-end usage of the CPimcManager
+    // object (generally managed by the code in PenThreadWorker.cs); 3) When/if the managed WPF
+    // code determines that the CPimcManager object is no longer needed, it sends a
+    // RELEASE_MANAGER_EXT message (see UnsafeNativeMethods.ReleaseManagerExternalLock()) which
+    // unlocks "m_managerLock"; 4) Now that it is unlocked, the CComObject<CPimcManager> object
+    // can be destroyed when/if its refcount drops to zero, and this FinalRelease function will
+    // run at that time.
+    //
+    // So in all successful usage cases, it is guaranteed that "m_managerLock" is already
+    // unlocked when this code runs (because if it was still locked, the lock itself would have
+    // prevented the refcount from reaching zero, and would have prevented this function from
+    // ever running).
+    //
+    // That said, in unsuccessful usage cases, the ATL CComCreator<T>::CreateInstance machinery
+    // can fail, meaning it will destroy the brand-new CPimcManager instance before returning
+    // an error back to the CreateInstance caller.  Destroying the brand-new instance triggers
+    // the CComObject<CPimcManager> destructor and therefore calls into this function during
+    // the CComCreator<T>::CreateInstance operation itself.
+    //
+    // The final step in CComCreator<T>::CreateInstance is a QI which queries the newly-created
+    // object for whatever interface has been requested by the caller.  This operation is the
+    // main way that CComCreator<T>::CreateInstance can fail.  For example, this QI is
+    // guaranteed to fail whenever the CoCreateInstance caller targets the CPimcManager CLSID
+    // but passes in a "random" IID that has nothing to do with IPimcManager2 or anything else
+    // that CPimcManager implements.
+    //
+    // (In CPimcManager construction, outside of pathological cases (e.g., where a small heap
+    // allocation in OS code fails due to out-of-memory), there are no other known ways that
+    // the CComCreator<T>::CreateInstance sequence can fail; so the QI failure is the only
+    // failure mode that is known to be of general interest.)
+    //
+    // The QI failure can only occur after the preceding FinalConstruct call has completed
+    // successfully (since any FinalConstruct failure would have caused
+    // CComCreator<T>::CreateInstance to abort without ever trying the QI); since
+    // CPimcManager::FinalConstruct always locks the "m_managerLock", this implies that the
+    // "m_managerLock" is guaranteed to be locked when this code runs (which is exactly
+    // opposite to what happens in all successful usage cases as discussed above).
+    //
+    // In this case, it is crucial to unlock "m_managerLock" before allowing this CPimcManager
+    // object to be destroyed.  Without the unlock, this CPimcManager object would be destroyed
+    // while the associated CStdIdentity in the OS code still holds a reference to it; during
+    // any future apartment unload, the OS code would release this reference, and the release
+    // would be a use-after-free at that point.
+    //
+    // Note that the crucial unlock causes overactive ATL debug asserts to fire if a chk build
+    // of this DLL is used; specifically:
+    //
+    //    - The code in the CComObject<CPimcManager> destructor always stomps the refcount to
+    //      0xc0000001 (i.e., "-(LONG_MAX/2)"), meaning this CPimcManager object's refcount is
+    //      always 0xc0000001 when this code runs; unlocking "m_managerLock" will cause the refcount
+    //      to drop by one (because, as discussed above, the crucial operation which prevents
+    //      use-after-free problems will release the associated CStdIdentity's reference to this
+    //      CPimcManager object, and in this way releases the reference that was added when
+    //      "managerLock" was locked during FinalConstruct); as a result, unlocking "m_managerLock"
+    //      will move this CPimcManager object's refcount through a "0xc0000001 -> 0xc0000000"
+    //      transition.
+    //
+    //    - Both of the CComObjectRootEx<T>::InternalRelease specializations contain debug asserts
+    //      which will fire whenever the refcount drops below 0xc0000001, so this transition always
+    //      triggers a debug assert when using a chk build of this DLL.
+    //
+    //    - That said, all evidence strongly suggests that this is just an overactive assert in
+    //      the ATL code (probably just indicating that it is rare for FinalConstruct to add
+    //      "self-references" like it does for CPimcManager (since these self-references generally
+    //      prevent the server object from being destroyed unless a manual action like the
+    //      RELEASE_MANAGER_EXT message is taken later on), meaning it is rare to have a situation
+    //      where FinalRelease needs to release self-references that were acquired in
+    //      FinalConstruct, meaning this is a rare enough case that the ATL authors either didn't
+    //      test it or didn't think it was common enough to warrant adjusting the assert).
+    //
+    // Since this change is being made in servicing, attempt to change behavior as little as
+    // possible in the "successful usage" cases where "m_managerLock" is already unlocked,
+    // while still ensuring that FinalRelease will always run the crucial unlock in all
+    // "unsuccessful usage" cases.
+    //
+    if (m_managerLock.HasNotBeenUnlocked())
+    {
+        m_managerLock.Unlock();
+    }
 }
 
 /////////////////////////////////////////////////////////////////////////////