From 7e7bb5ecf2a2d77d401436ac835820b6e69a323c Mon Sep 17 00:00:00 2001
From: Gabriel Baraldi
Date: Tue, 4 Jun 2024 13:36:43 -0300
Subject: [PATCH 1/2] Add boundscheck in bindingkey_eq to avoid OOB access due to data race

---
 src/module.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/module.c b/src/module.c
index 1be2d5c8673d9..730666f3efde6 100644
--- a/src/module.c
+++ b/src/module.c
@@ -710,13 +710,15 @@ JL_DLLEXPORT int jl_binding_resolved_p(jl_module_t *m, jl_sym_t *var)
 
 static uint_t bindingkey_hash(size_t idx, jl_value_t *data)
 {
-    jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx);
+    jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx); // This must always happen inside the lock
     jl_sym_t *var = b->globalref->name;
     return var->hash;
 }
 
 static int bindingkey_eq(size_t idx, const void *var, jl_value_t *data, uint_t hv)
 {
+    if ((idx >= ((jl_svec_t*)data)->length || idx < 0))
+        return 0; // We got a OOB access, probably due to a data race
     jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx);
     jl_sym_t *name = b->globalref->name;
     return var == name;

From 776ff413437db4ab9dfcfc250ee86e78567cd31b Mon Sep 17 00:00:00 2001
From: Gabriel Baraldi
Date: Tue, 4 Jun 2024 14:38:56 -0300
Subject: [PATCH 2/2] Update src/module.c

Co-authored-by: Jameson Nash
---
 src/module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/module.c b/src/module.c
index 730666f3efde6..9242a65950201 100644
--- a/src/module.c
+++ b/src/module.c
@@ -717,7 +717,7 @@ static uint_t bindingkey_hash(size_t idx, jl_value_t *data)
 
 static int bindingkey_eq(size_t idx, const void *var, jl_value_t *data, uint_t hv)
 {
-    if ((idx >= ((jl_svec_t*)data)->length || idx < 0))
+    if (idx >= jl_svec_len(data))
         return 0; // We got a OOB access, probably due to a data race
     jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx);
     jl_sym_t *name = b->globalref->name;
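Review bot: The new guard in bindingkey_eq turns a racing out-of-bounds idx into a "not equal" answer, so a reader that loses the race now sees a spurious miss instead of a crash; if a caller inserts on that miss the table can end up holding the same binding twice, and the unsynchronized read that the comment attributes to a data race is still there. The guard is itself two unsynchronized reads (the length, then the element via jl_svecref), so it narrows the window rather than closing it. The comment added to bindingkey_hash states an invariant that nothing enforces; an assertion that the lock is held would make a debug build check it, and the comment should say what an unlocked caller can observe, e.g. `// callers must hold the lock; without it idx can exceed the svec length (see bindingkey_eq)`. Whether every lookup caller tolerates a spurious miss is not visible in this hunk and should be confirmed against those call sites.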
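Review bot: The comment kept on the early return reads as a diagnosis ("We got a OOB access, probably due to a data race") rather than a statement of what the code now guarantees, and "a OOB" should be "an OOB". Since the switch to `jl_svec_len(data)` makes this line the only bounds check between an unlocked reader and jl_svecref, suggest `return 0; // idx is past the end of data (table read without the lock): report a miss instead of reading out of bounds`. The body of bindingkey_eq continues past the end of the hunk.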