Skip to content

Commit

Permalink
Add boundscheck in bindingkey_eq to avoid OOB access due to data race (
Browse files Browse the repository at this point in the history
…#54671)

The race here is that svec might be replaced and a new binding
introduced into the keyset while we hold a reference to the old svec,
which led to a OOB access on the svec with the index a binding
introduced at the same time. This now introduces a bounds check which
will force taking the lock if we fail the lookup i.e we had a data race.

Fixes #54285

---------

Co-authored-by: Jameson Nash <vtjnash@gmail.com>
(cherry picked from commit 20f03dd)
  • Loading branch information
gbaraldi authored and KristofferC committed Jun 19, 2024
1 parent 236d2ce commit 936673b
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/module.c
Original file line number Diff line number Diff line change
Expand Up @@ -702,13 +702,15 @@ JL_DLLEXPORT int jl_binding_resolved_p(jl_module_t *m, jl_sym_t *var)

static uint_t bindingkey_hash(size_t idx, jl_svec_t *data)
{
jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx);
jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx); // This must always happen inside the lock
jl_sym_t *var = b->globalref->name;
return var->hash;
}

static int bindingkey_eq(size_t idx, const void *var, jl_svec_t *data, uint_t hv)
{
if (idx >= jl_svec_len(data))
return 0; // We got a OOB access, probably due to a data race
jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx);
jl_sym_t *name = b->globalref->name;
return var == name;
Expand Down

0 comments on commit 936673b

Please sign in to comment.