Date: Wed, 15 Jan 2025 01:55:11 +0000 (UTC)
To: ruby-core@ml.ruby-lang.org
Subject: [ruby-core:120687] [Ruby master Bug#20950] Use-after-free in ep in Proc#dup for ifunc procs
From: "k0kubun (Takashi Kokubun) via ruby-core"
Cc: "k0kubun (Takashi Kokubun)"

Issue #20950 has been updated by k0kubun (Takashi Kokubun).

Backport changed from 3.1: WONTFIX, 3.2: REQUIRED, 3.3: REQUIRED to 3.1: WONTFIX, 3.2: REQUIRED, 3.3: DONE

ruby_3_3 commit:299455be9966c0a31dabe00014a4b8fae5093a7d merged revision(s) commit:92dd9734a967c20e628c8f77c5ce700058dcd58c.

----------------------------------------
Bug #20950: Use-after-free in ep in Proc#dup for ifunc procs
https://bugs.ruby-lang.org/issues/20950#change-111510

* Author: peterzhu2118 (Peter Zhu)
* Status: Closed
* Backport: 3.1: WONTFIX, 3.2: REQUIRED, 3.3: DONE
----------------------------------------
GitHub PR: https://github.com/ruby/ruby/pull/12319

ifunc proc has the ep allocated in the data of the TypedData object. If an ifunc proc is duplicated, the ep points to the ep of the source object. If the source object is freed, then the ep of the duplicated object now points to a freed memory region. If we try to use the ep we could crash.

For example, the following script crashes:

```ruby
p = { a: 1 }.to_proc
100.times do
  p = p.dup
  GC.start
  p.call
rescue ArgumentError
end
```

This commit changes ifunc proc to also duplicate the ep when it is duplicated.
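A simplified C model of the pointer ownership described in the report, added here as an illustration; it is not Ruby's source, and `toy_proc`, `dup_shallow`, `dup_with_ep` and `dup_owns_ep` are hypothetical names. It shows why a duplicate that copies `ep` without re-basing it depends on the source object's memory, and how copying the environment and re-basing `ep` removes that dependency.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model with hypothetical names, not Ruby's real structs: the
 * environment is stored inside the object and ep points into that storage. */
#define ENV_SLOTS 3
struct toy_proc {
    long *ep;            /* interior pointer into some env[] */
    long env[ENV_SLOTS]; /* storage owned by this object */
};

static struct toy_proc *toy_proc_new(long v) {
    struct toy_proc *p = calloc(1, sizeof(*p));
    if (p) { p->env[ENV_SLOTS - 1] = v; p->ep = &p->env[ENV_SLOTS - 1]; }
    return p;
}

/* Buggy dup: a plain struct copy leaves ep aimed at the SOURCE's env[]. */
static struct toy_proc *dup_shallow(const struct toy_proc *src) {
    struct toy_proc *d = malloc(sizeof(*d));
    if (d) *d = *src;
    return d;
}

/* Fixed dup: copy the env too, then re-base ep into the copy's env[]. */
static struct toy_proc *dup_with_ep(const struct toy_proc *src) {
    struct toy_proc *d = dup_shallow(src);
    if (d) d->ep = d->env + (src->ep - src->env);
    return d;
}

/* 1 if the duplicate's ep lies in its own env[], 0 if it borrows the source's. */
static int dup_owns_ep(int use_fix) {
    struct toy_proc *src = toy_proc_new(42);
    struct toy_proc *d = !src ? NULL : use_fix ? dup_with_ep(src) : dup_shallow(src);
    int owned = -1; /* -1 means an allocation failed */
    if (d) {
        uintptr_t lo = (uintptr_t)d->env, ep = (uintptr_t)d->ep;
        owned = ep >= lo && ep < lo + sizeof(d->env);
    }
    free(src); /* a borrowed ep dangles from here on; it is never dereferenced */
    free(d);
    return owned;
}

int main(void) {
    printf("shallow owns ep: %d, fixed owns ep: %d\n", dup_owns_ep(0), dup_owns_ep(1));
    return 0;
}
```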