Project

General

Profile

Actions
Copy link

Bug #21883

open

IO::Buffer can be unlocked and freed by another thread during syscall

Bug #21883: IO::Buffer can be unlocked and freed by another thread during syscall

Added by hanazuki (Kasumi Hanazuki) about 1 month ago. Updated 16 days ago.

Status:
Assigned
Assignee:
ioquatix (Samuel Williams)
Target version:
-
ruby -v:
ruby 4.0.1 (2026-01-13 revision e04267a14b) +PRISM [x86_64-linux]
Backport:
3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN, 4.0: UNKNOWN
[ruby-core:124840]

Description

# Assume this file is on a very slow device such as NFS.
io = File.open('/mnt/slowfs/slow')

buf = IO::Buffer.new(100)

t1 = Thread.new do
  buf.locked do
    sleep 0.5
  end

  buf.free
end

t2 = Thread.new do
  buf.read(io)  # syscall takes 1 second
  # When the kernal writes to the memory, buf is already freed, thus use-after-free
end

t1.join
t2.join

io_buffer_blocking_region skips taking a lock when the buffer is already locked, but this lock may be owned by another thread and can be unlocked during the syscall.

Updated by mame (Yusuke Endoh) 16 days ago Actions
Copy link
 #1

  • Status changed from Open to Assigned
  • Assignee set to ioquatix (Samuel Williams)
Actions
Copy link

Also available in: PDF Atom