Project

General

Profile

Actions
Copy link

Bug #22101

closed

ASAN heap-use-after-free in rb_data_free after TypedData dfree frees dynamic rb_data_type_t

Bug #22101: ASAN heap-use-after-free in rb_data_free after TypedData dfree frees dynamic rb_data_type_t

Added by rwstauner (Randy Stauner) 9 days ago. Updated 8 days ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
Backport:
3.3: REQUIRED, 3.4: REQUIRED, 4.0: DONE
[ruby-core:125675]

Description

rb_data_free currently calls dfree and then evaluates RTYPEDDATA_EMBEDDABLE_P(obj).

Since RTYPEDDATA_EMBEDDABLE_P(obj) reads RTYPEDDATA_TYPE(obj)->flags, this can become a use-after-free if an extension's dfree releases a dynamically allocated rb_data_type_t.

This was observed under ASAN with glib2 4.3.6, where cinfo_free frees cinfo->data_type.

I have a fix that simply caches the TypedData type and the embeddable/free decision before invoking dfree, matching the existing pattern of caching dfree and RUBY_TYPED_FREE_IMMEDIATELY before extension cleanup code runs:

https://github.com/ruby/ruby/pull/17266

This is a small defensive fix and is suitable for backport because it avoids a shutdown-time ASAN heap-use-after-free without changing TypedData ownership semantics.

Actions
Copy link

Also available in: PDF Atom