Bug #21883: IO::Buffer can be unlocked and freed by another thread during syscall - Ruby - Ruby Issue Tracking System

Actions

Copy link

Bug #21883

open

IO::Buffer can be unlocked and freed by another thread during syscall

Bug #21883: IO::Buffer can be unlocked and freed by another thread during syscall

Added by hanazuki (Kasumi Hanazuki) about 1 month ago. Updated 16 days ago.

Status:

Assigned

Assignee:

ioquatix (Samuel Williams)

Target version:

ruby -v:

ruby 4.0.1 (2026-01-13 revision e04267a14b) +PRISM [x86_64-linux]

Backport:

3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN, 4.0: UNKNOWN

[ruby-core:124840]

Description

# Assume this file is on a very slow device such as NFS.
io = File.open('/mnt/slowfs/slow')

buf = IO::Buffer.new(100)

t1 = Thread.new do
  buf.locked do
    sleep 0.5
  end

  buf.free
end

t2 = Thread.new do
  buf.read(io)  # syscall takes 1 second
  # When the kernal writes to the memory, buf is already freed, thus use-after-free
end

t1.join
t2.join

io_buffer_blocking_region skips taking a lock when the buffer is already locked, but this lock may be owned by another thread and can be unlocked during the syscall.

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Ruby

Custom queries

Bug #21883

IO::Buffer can be unlocked and freed by another thread during syscall

Updated by mame (Yusuke Endoh) 16 days ago Actions
Copy link
#1

Project

General

Profile

Ruby

Custom queries

Bug #21883

IO::Buffer can be unlocked and freed by another thread during syscall

Updated by mame (Yusuke Endoh) 16 days ago ActionsCopy link #1

Updated by mame (Yusuke Endoh) 16 days ago Actions
Copy link
#1