[PR #3863] [CLOSED] Fixed potential UAF in EqueueInternal::ScheduleEvent #3769

Closed
opened 2026-02-27 22:04:55 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/shadps4-emu/shadPS4/pull/3863
Author: @Rabbit0w0
Created: 12/10/2025
Status: Closed

Base: main ← Head: main


📝 Commits (3)

  • a8a01bf Kernel.Event: fix potential use-after-free in EqueueInternal::ScheduleEvent
  • 6e3360d Kernel.Event: fix style
  • ca30c66 Merge branch 'main' into main

📊 Changes

2 files changed (+20 additions, -12 deletions)

View changed files

📝 src/core/libraries/kernel/equeue.cpp (+19 -12)
📝 src/core/libraries/kernel/equeue.h (+1 -0)

📄 Description

Problem

Asynchronous timer callbacks in ScheduleEvent() could access the `this` pointer after the destruction of the EqueueInternal object.

Changes

  • Added a life token to EqueueInternal.
  • When scheduling a timer, we capture a weak_ptr to this token in the async_wait callback.
  • Before executing the callback, check if the weak token has expired (indicating the EqueueInternal object has been destroyed).

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

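The life-token pattern the PR describes, as an added example that is not shadPS4's code: a std::vector of std::function stands in for the asio timer the description mentions (callbacks are queued now and invoked later), `Equeue` is a hypothetical stand-in for EqueueInternal, and the token is a plain `std::shared_ptr<int>` member. The callback captures only a `weak_ptr` to the token and bails out if `lock()` fails, so the scenario where the object is destroyed before the timer fires never dereferences the dangling `this`.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for an asio-style timer (assumption, not the emulator's timer):
// callbacks are queued now and run later, possibly after the object that
// scheduled them has already been destroyed.
using Scheduler = std::vector<std::function<void()>>;

// Runs every pending callback once and returns how many were invoked.
inline std::size_t RunPending(Scheduler& s) {
    Scheduler batch = std::move(s);
    s.clear();
    for (auto& cb : batch) cb();
    return batch.size();
}

// Hypothetical stand-in for EqueueInternal.
class Equeue {
public:
    // `fired` is a caller-owned counter that outlives the queue, so the test
    // can observe from outside whether a callback touched the object.
    explicit Equeue(int& fired) : fired_(fired), life_token_(std::make_shared<int>(0)) {}

    void ScheduleEvent(Scheduler& timer) {
        // Capture a weak_ptr to the token rather than relying on a raw `this`.
        // The token is a member, so the destructor releases the last strong
        // reference and every outstanding weak_ptr expires with it.
        std::weak_ptr<int> token = life_token_;
        timer.push_back([this, token] {
            // lock() tests and pins the token in one step; an empty result
            // means the Equeue is gone and `this` must not be dereferenced.
            std::shared_ptr<int> alive = token.lock();
            if (!alive) return;
            HandleTimeout();
        });
    }

private:
    void HandleTimeout() { ++events_; ++fired_; }

    int events_ = 0;
    int& fired_;
    std::shared_ptr<int> life_token_;
};

// Scenario 1: the queue is still alive when the timer fires; callback runs.
inline int FireWhileAlive() {
    Scheduler timer;
    int fired = 0;
    Equeue q(fired);
    q.ScheduleEvent(timer);
    RunPending(timer);
    return fired;
}

// Scenario 2: the queue is destroyed before the timer fires; callback is skipped.
inline int FireAfterDestruction() {
    Scheduler timer;
    int fired = 0;
    {
        Equeue q(fired);
        q.ScheduleEvent(timer);
    }  // q destroyed here: its life token is released, the weak_ptr expires
    RunPending(timer);
    return fired;
}

int main() {
    return (FireWhileAlive() == 1 && FireAfterDestruction() == 0) ? 0 : 1;
}
```

One caveat worth keeping in mind with this shape: a successful `lock()` proves the destructor had not yet run when the callback started, and it keeps the token alive, but it does not keep the enclosing object alive. If the destructor can run on another thread while the callback is still executing, the check alone is not sufficient; the token must then be the object itself (for example `weak_from_this()` on a shared-owned object) or the destructor must synchronize with the timer, for instance by cancelling it and waiting for in-flight handlers before members are torn down.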