[ruby-core:124840] [Ruby Bug#21883] IO::Buffer can be unlocked and freed by another thread during syscall

[ruby-core:124840] [Ruby Bug#21883] IO::Buffer can be unlocked and freed by another thread during syscall

[hanazuki (Kasumi Hanazuki) via ruby-core]

Issue #21883 has been reported by hanazuki (Kasumi Hanazuki).

----------------------------------------
Bug #21883: IO::Buffer can be unlocked and freed by another thread during syscall
https://bugs.ruby-lang.org/issues/21883

* Author: hanazuki (Kasumi Hanazuki)
* Status: Open
* ruby -v: ruby 4.0.1 (2026-01-13 revision e04267a14b) +PRISM [x86_64-linux]
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN, 4.0: UNKNOWN
----------------------------------------
```ruby
# Assume this file is on a very slow device such as NFS.
io = File.open('/mnt/slowfs/slow')

buf = IO::Buffer.new(100)

t1 = Thread.new do
  buf.locked do
    sleep 0.5
  end

  buf.free
end

t2 = Thread.new do
  buf.read(io)  # syscall takes 1 second
  # When the kernal writes to the memory, buf is already freed, thus use-after-free
end

t1.join
t2.join
```

`io_buffer_blocking_region` skips taking a lock when the buffer is already locked, but this lock may be owned by another thread and can be unlocked during the syscall.



-- 
https://bugs.ruby-lang.org/
______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/