Bug #22101
closed
ASAN heap-use-after-free in rb_data_free after TypedData dfree frees dynamic rb_data_type_t
Description
rb_data_free currently calls dfree and then evaluates RTYPEDDATA_EMBEDDABLE_P(obj).
Since RTYPEDDATA_EMBEDDABLE_P(obj) reads RTYPEDDATA_TYPE(obj)->flags, this can become a use-after-free if an extension's dfree releases a dynamically allocated rb_data_type_t.
This was observed under ASAN with glib2 4.3.6, where cinfo_free frees cinfo->data_type.
I have a fix that simply caches the TypedData type and the embeddable/free decision before invoking dfree, matching the existing pattern of caching dfree and RUBY_TYPED_FREE_IMMEDIATELY before extension cleanup code runs:
https://github.com/ruby/ruby/pull/17266
This is a small defensive fix and is suitable for backport because it avoids a shutdown-time ASAN heap-use-after-free without changing TypedData ownership semantics.
Updated by rwstauner (Randy Stauner) 9 days ago
backport for 4.0: https://github.com/ruby/ruby/pull/17267
Updated by rwstauner (Randy Stauner) 9 days ago
backport for 3.4: https://github.com/ruby/ruby/pull/17268
Updated by rwstauner (Randy Stauner) 9 days ago
- Status changed from Open to Closed
Applied in changeset git|86c23c9e51c79dff04ebf493a3e94e3d63b9118e.
Avoid reading TypedData type after dfree
[Bug #22101] (Backport)
Updated by rwstauner (Randy Stauner) 9 days ago
Backport for 3.3 https://github.com/ruby/ruby/pull/17271
Updated by luke-gru (Luke Gruber) 8 days ago
- Backport changed from 3.3: REQUIRED, 3.4: REQUIRED, 4.0: REQUIRED to 3.3: REQUIRED, 3.4: REQUIRED, 4.0: DONE