Skip to content

[3.3] Fix use-after-free when resizing exivars #13638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 19, 2025
Merged

[3.3] Fix use-after-free when resizing exivars #13638

merged 1 commit into from
Jul 19, 2025
+71 −56

Conversation

byroot
Copy link
Member

@byroot byroot commented Jun 17, 2025

[Bug #21438]
Ref: https://bugs.ruby-lang.org/issues/21438
Backport of #13635 and #13589.

Previously GC could trigger a table rebuild of the generic ivar st_table in the middle of calling the st_update callback.
This could cause entries to be reallocated or rearranged and the update to be for the wrong entry.

This commit adds an assertion to make that case easier to detect, and replaces the st_update with a separate st_lookup and st_insert.

Also free after insert in generic_ivar_set_shape_ivptr

Previously we were performing a realloc and then inserting the new value into the table.
If the table was flagged as requiring a rebuild, this could trigger GC work and marking within that GC could access the ivptr freed by realloc.

@jhawthorn @tenderlove @byroot
Fix generic_ivar_set_shape_ivptr for table rebuild
ae06d7f 
[Bug #21438]

Previously GC could trigger a table rebuild of the generic ivar
st_table in the middle of calling the st_update callback. This could
cause entries to be reallocated or rearranged and the update to be for
the wrong entry.

This commit adds an assertion to make that case easier to detect, and
replaces the st_update with a separate st_lookup and st_insert.

Also free after insert in generic_ivar_set_shape_ivptr

Previously we were performing a realloc and then inserting the new value
into the table. If the table was flagged as requiring a rebuild, this
could trigger GC work and marking within that GC could access the ivptr
freed by realloc.

Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>
Co-authored-by: Jean Boussier <byroot@ruby-lang.org>
@byroot byroot force-pushed the ruby_3_3-generic-ivar-fix branch from ad633be to ae06d7f Compare June 17, 2025 06:50
@hsbt hsbt added the Backport label Jun 25, 2025
@nagachika nagachika merged commit 3471ee0 into ruby:ruby_3_3 Jul 19, 2025
94 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nagachika nagachika nagachika approved these changes

Assignees
No one assigned
Labels
Backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@byroot @nagachika @hsbt @jhawthorn
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy