Skip to content

[3.4] Fix use-after-free when resizing exivars #13637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 18, 2025
Merged

[3.4] Fix use-after-free when resizing exivars #13637

merged 1 commit into from
Jun 18, 2025

Conversation

byroot
Copy link
Member

@byroot byroot commented Jun 17, 2025

[Bug #21438]
Ref: https://bugs.ruby-lang.org/issues/21438
Backport of #13635 and #13589.

Previously GC could trigger a table rebuild of the generic ivar st_table in the middle of calling the st_update callback.
This could cause entries to be reallocated or rearranged and the update to be for the wrong entry.

This commit adds an assertion to make that case easier to detect, and replaces the st_update with a separate st_lookup and st_insert.

Also free after insert in generic_ivar_set_shape_ivptr

Previously we were performing a realloc and then inserting the new value into the table.
If the table was flagged as requiring a rebuild, this could trigger GC work and marking within that GC could access the ivptr freed by realloc.

@byroot byroot requested a review from k0kubun as a code owner June 17, 2025 06:35
@jhawthorn @tenderlove @byroot
Fix generic_ivar_set_shape_ivptr for table rebuild
5461885 
[Bug #21438]

Previously GC could trigger a table rebuild of the generic ivar
st_table in the middle of calling the st_update callback. This could
cause entries to be reallocated or rearranged and the update to be for
the wrong entry.

This commit adds an assertion to make that case easier to detect, and
replaces the st_update with a separate st_lookup and st_insert.

Also free after insert in generic_ivar_set_shape_ivptr

Previously we were performing a realloc and then inserting the new value
into the table. If the table was flagged as requiring a rebuild, this
could trigger GC work and marking within that GC could access the ivptr
freed by realloc.

Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>
Co-authored-by: Jean Boussier <byroot@ruby-lang.org>
@byroot byroot force-pushed the ruby_3_4-generic-ivar-fix branch from 7f997b6 to 5461885 Compare June 17, 2025 06:48
@k0kubun k0kubun merged commit 45ddafb into ruby:ruby_3_4 Jun 18, 2025
75 checks passed
@hsbt hsbt added the Backport label Jun 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@k0kubun k0kubun k0kubun approved these changes

Assignees
No one assigned
Labels
Backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@byroot @k0kubun @hsbt @jhawthorn
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy