From 1f84729908affe91ab650eb3f86b0d7263f6115a Mon Sep 17 00:00:00 2001
From: Nick Khyl <nickk@tailscale.com>
Date: Tue, 7 Apr 2026 12:40:25 -0500
Subject: [PATCH] ipn/desktop: use runtime.Pinner to force heap-allocation of
 msg

GetMessage can call back into Go, triggering stack growth and causing the stack
to be copied to a new memory region, which invalidates the original stack pointer
passed to the syscall. Since GetMessage uses that pointer to write the message
before returning, this leads to memory corruption.

In this PR, we fix this by using runtime.Pinner, which requires the pointer to refer
to heap-allocated memory.

Fixes #19263
Fixes #17832

Signed-off-by: Nick Khyl <nickk@tailscale.com>
---
 ipn/desktop/sessions_windows.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipn/desktop/sessions_windows.go b/ipn/desktop/sessions_windows.go
index 6128548a5..7d51900f9 100644
--- a/ipn/desktop/sessions_windows.go
+++ b/ipn/desktop/sessions_windows.go
@@ -510,10 +510,13 @@ func sessionWatcherWndProc(hWnd windows.HWND, msg uint32, wParam, lParam uintptr
 }
 
 func pumpThreadMessages() {
-	var msg _MSG
-	for getMessage(&msg, 0, 0, 0) != 0 {
-		translateMessage(&msg)
-		dispatchMessage(&msg)
+	var p runtime.Pinner
+	defer p.Unpin()
+	msg := &_MSG{}
+	p.Pin(msg)
+	for getMessage(msg, 0, 0, 0) != 0 {
+		translateMessage(msg)
+		dispatchMessage(msg)
 	}
 }