Bug #21883: IO::Buffer can be unlocked and freed by another thread during syscall - Ruby - Ruby Issue Tracking System

Actions

Copy link

Bug #21883

open

IO::Buffer can be unlocked and freed by another thread during syscall

Bug #21883: IO::Buffer can be unlocked and freed by another thread during syscall

Added by hanazuki (Kasumi Hanazuki) 6 days ago.

Status:

Open

Assignee:

Target version:

ruby -v:

ruby 4.0.1 (2026-01-13 revision e04267a14b) +PRISM [x86_64-linux]

Backport:

3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN, 4.0: UNKNOWN

[ruby-core:124840]

Description

# Assume this file is on a very slow device such as NFS.
io = File.open('/mnt/slowfs/slow')

buf = IO::Buffer.new(100)

t1 = Thread.new do
  buf.locked do
    sleep 0.5
  end

  buf.free
end

t2 = Thread.new do
  buf.read(io)  # syscall takes 1 second
  # When the kernal writes to the memory, buf is already freed, thus use-after-free
end

t1.join
t2.join

io_buffer_blocking_region skips taking a lock when the buffer is already locked, but this lock may be owned by another thread and can be unlocked during the syscall.

No data to display

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Ruby

Custom queries

Bug #21883

IO::Buffer can be unlocked and freed by another thread during syscall