8000 [3.4] Fix use-after-free when resizing exivars by byroot · Pull Request #13637 · ruby/ruby · GitHub
[go: up one dir, main page]
Skip to content

[3.4] Fix use-after-free when resizing exivars #13637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you accou 8000 nt related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: ruby_3_4
Choose a base branch
from
Open

[3.4] Fix use-after-free when resizing exivars #13637

wants to merge 1 commit into from
+71 −56

Conversation

byroot
Copy link
Member
@byroot byroot commented Jun 17, 2025

[Bug #21438]
Ref: https://bugs.ruby-lang.org/issues/21438
Backport of #13635 and #13589.

Previously GC could trigger a table rebuild of the generic ivar st_table in the middle of calling the st_update callback.
This could cause entries to be reallocated or rearranged and the update to be for the wrong entry.

This commit adds an assertion to make that case easier to detect, and replaces the st_update with a separate st_lookup and st_insert.

Also free after insert in generic_ivar_set_shape_ivptr

Previously we were performing a realloc and then inserting the new value into the table.
If the table was flagged as requiring a rebuild, this could trigger GC work and marking within that GC could access the ivptr freed by realloc.

@byroot byroot requested a review from k0kubun as a code owner June 17, 2025 06:35
@jhawthorn @tenderlove @byroot
Fix generic_ivar_set_shape_ivptr for table rebuild
5461885 
[Bug #21438]

Previously GC could trigger a table rebuild of the generic ivar
st_table in the middle of calling the st_update callback. This could
cause entries to be reallocated or rearranged and the update to be for
the wrong entry.

This commit adds an assertion to make that case easier to detect, and
replaces the st_update with a separate st_lookup and st_insert.

Also free after insert in generic_ivar_set_shape_ivptr

Previously we were performing a realloc and then inserting the new value
into the table. If the table was flagged as requiring a rebuild, this
could trigger GC work and marking within that GC could access the ivptr
freed by realloc.

Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>
Co-authored-by: Jean Boussier <byroot@ruby-lang.org>
@byroot byroot force-pushed the ruby_3_4-generic-ivar-fix branch from 7f997b6 to 5461885 Compare June 17, 2025 06:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@k0kubun k0kubun Awaiting requested review from k0kubun k0kubun is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@byroot @jhawthorn
0