internal/proc.h · b200bad6cd40d08e9f33b93e1a85c270b337867c · ruby / ruby-deleted-200

Jan 14, 2025

merge revision(s) : [Backport #20950] · 299455be

Takashi Kokubun authored Jan 14, 2025

	Fix use-after-free in ep in Proc#dup for ifunc procs

	[Bug #20950]

	ifunc proc has the ep allocated in the cfunc_proc_t which is the data of
	the TypedData object. If an ifunc proc is duplicated, the ep points to
	the ep of the source object. If the source object is freed, then the ep
	of the duplicated object now points to a freed memory region. If we try
	to use the ep we could crash.

	For example, the following script crashes:

	    p = { a: 1 }.to_proc
	    100.times do
	      p = p.dup
	      GC.start
	      p.call
	    rescue ArgumentError
	    end

	This commit changes ifunc proc to also duplicate the ep when it is duplicated.

299455be

merge revision(s) : [Backport #20950]

Takashi Kokubun authored Jan 14, 2025

	Fix use-after-free in ep in Proc#dup for ifunc procs

	[Bug #20950]

	ifunc proc has the ep allocated in the cfunc_proc_t which is the data of
	the TypedData object. If an ifunc proc is duplicated, the ep points to
	the ep of the source object. If the source object is freed, then the ep
	of the duplicated object now points to a freed memory region. If we try
	to use the ep we could crash.

	For example, the following script crashes:

	    p = { a: 1 }.to_proc
	    100.times do
	      p = p.dup
	      GC.start
	      p.call
	    rescue ArgumentError
	    end

	This commit changes ifunc proc to also duplicate the ep when it is duplicated.