8000 [Backport 3.3] [Bug #20688] Fix use-after-free for WeakMap and WeakKeyMap by peterzhu2118 · Pull Request #11439 · ruby/ruby · GitHub

[Backport 3.3] [Bug #20688] Fix use-after-free for WeakMap and WeakKeyMap #11439


Merged
merged 7 commits into from
Aug 22, 2024
Merged
Remove wmap_free_entry
peterzhu2118 committed Aug 22, 2024
commit 69f6406d3ab0cb766dac0e6b542f5ce3d4be9a1d
20 changes: 7 additions & 13 deletions weakmap.c
Expand Up @@ -41,16 +41,6 @@ wmap_live_p(VALUE obj)
return !UNDEF_P(obj);
}

static void
wmap_free_entry(VALUE *key, VALUE *val)
{
assert(key + 1 == val);

/* We only need to free key because val is allocated beside key on in the
* same malloc call. */
ruby_sized_xfree(key, sizeof(struct weakmap_entry));
}

struct wmap_foreach_data {
int (*func)(struct weakmap_entry *, st_data_t);
st_data_t arg;
Expand All @@ -76,7 +66,7 @@ wmap_foreach_i(st_data_t key, st_data_t val, st_data_t arg)
return ret;
}
else {
wmap_free_entry((VALUE *)key, (VALUE *)val);
ruby_sized_xfree(entry, sizeof(struct weakmap_entry));

return ST_DELETE;
}
Expand Down Expand Up @@ -114,7 +104,10 @@ wmap_mark(void *ptr)
static int
wmap_free_table_i(st_data_t key, st_data_t val, st_data_t arg)
{
wmap_free_entry((VALUE *)key, (VALUE *)val);
struct weakmap_entry *entry = (struct weakmap_entry *)key;
RUBY_ASSERT(&entry->val == (VALUE *)val);
ruby_sized_xfree(entry, sizeof(struct weakmap_entry));

return ST_CONTINUE;
}

Expand Down Expand Up @@ -534,7 +527,8 @@ wmap_delete(VALUE self, VALUE key)
rb_gc_remove_weak(self, (VALUE *)orig_key_data);
rb_gc_remove_weak(self, (VALUE *)orig_val_data);

wmap_free_entry((VALUE *)orig_key_data, (VALUE *)orig_val_data);
struct weakmap_entry *entry = (struct weakmap_entry *)orig_key_data;
ruby_sized_xfree(entry, sizeof(struct weakmap_entry));

if (wmap_live_p(orig_val)) {
return orig_val;
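Review bot: The free in wmap_delete (last hunk) casts `orig_key_data` to `struct weakmap_entry *` and releases it without the layout check that the removed helper carried (`assert(key + 1 == val)`) and that wmap_free_table_i keeps as `RUBY_ASSERT(&entry->val == (VALUE *)val);`. Adding `RUBY_ASSERT(&entry->val == (VALUE *)orig_val_data);` before the `ruby_sized_xfree` call would keep the "key and value live in one allocation" invariant checked at every site that frees an entry, and a one-line comment there could preserve the deleted explanation of why a single free releases both slots. `orig_val` is read after the free at the end of that hunk; its assignment is outside the visible lines, so it is presumably a copy taken before the entry is released, which is worth confirming. wmap_delete and wmap_foreach_i both begin outside their hunks, so the declaration of the `entry` passed to `ruby_sized_xfree` in wmap_foreach_i cannot be checked from here.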