| field | value | timestamp |
|---|---|---|
| author | babenko <[email protected]> | 2026-05-27 10:16:47 +0300 |
| committer | babenko <[email protected]> | 2026-05-27 11:02:03 +0300 |
| commit | 70c071bc7469291f31c8ee9b2d706dabcd22f912 (patch) | |
| tree | ca05dd0317c878ea9dfdb0063846b787f9f5527b /contrib/python/ipython/py3/IPython/utils/_process_cli.py | |
| parent | 7e3ceef4b45703f7d682f6fc15b8a5fcd2e73ac1 (diff) | |
YT-28305: Fix UAF in TAtomicPtr hazard-pointer publish for virtually-derived types
For types that inherit TRefCountedBase virtually the original GetBasePtr implicitly converted T* to TRefCountedBase*, which requires reading the vptr of |*ptr| to find the vbase offset. The hazard protocol calls this with a ptr that another thread may have already retired, so the dereference was a heap-use-after-free.
Fix: TAtomicPtr now stores the typed pointer packed with the vbase offset (TPackedPtr / TTaggedPtr). The offset is computed once at Store time, when the caller still owns a strong reference and the vbase lookup is safe. Readers and the Drop path compute the canonical TRefCountedBase* address as |ptr + offset| without ever dereferencing |*ptr|.
THazardPtr::Acquire's T* overload is constrained to reject types that virtually inherit TRefCountedBase; such types must go through TAtomicPtr.
Adds an ASan regression test that triggered heap-use-after-free reliably on the buggy code with barrier-synchronised reader/writer threads.
commit_hash:0f15888a6224c9fbcf810d9093d82e3265a7210e
Diffstat (limited to 'contrib/python/ipython/py3/IPython/utils/_process_cli.py')
0 files changed, 0 insertions, 0 deletions
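The mechanism the commit message describes, as an added illustration that is not the project's code: `RefCountedBase`, `Derived`, `PackedPtr`, `Pack` and `BaseAddress` are hypothetical stand-ins for TRefCountedBase, a virtually-derived type, TPackedPtr, TAtomicPtr::Store and the reader/Drop path. The example shows why the T* to base conversion must read the vptr for virtual inheritance (the offset differs with the dynamic type), that capturing the offset once while the object is alive lets readers recover the canonical base address by pure arithmetic, and that this arithmetic still works after the object has been freed, where a `static_cast` would be the use-after-free the commit fixes.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

// Hypothetical stand-ins for the real types (not the project's own names).
struct RefCountedBase {
    virtual ~RefCountedBase() = default;
    int refCount = 1;
};

struct Mixin {
    virtual ~Mixin() = default;
    long pad[3] = {};
};

// Virtually inherits the ref-counted base: converting Derived* to
// RefCountedBase* requires reading the vptr to locate the vbase.
struct Derived : Mixin, virtual RefCountedBase {
    int payload = 42;
};

// Adds members so the virtual base lands at a different offset from the
// Derived subobject than it does in a standalone Derived.
struct MoreDerived : Derived {
    long extra[4] = {};
};

// Typed address packed with the vbase offset, captured once at Store time.
template <class T>
struct PackedPtr {
    std::uintptr_t addr;
    std::ptrdiff_t baseOffset;
};

template <class T>
PackedPtr<T> Pack(T* ptr) {
    // The only place the object is dereferenced: static_cast reads the vptr
    // to find the virtual base. Safe here because the caller holds a strong ref.
    auto* base = static_cast<RefCountedBase*>(ptr);
    return {reinterpret_cast<std::uintptr_t>(ptr),
            reinterpret_cast<const char*>(base) - reinterpret_cast<const char*>(ptr)};
}

// Reader / Drop path: integer arithmetic only, never touches *ptr.
template <class T>
std::uintptr_t BaseAddress(const PackedPtr<T>& p) {
    return static_cast<std::uintptr_t>(
        static_cast<std::intptr_t>(p.addr) + p.baseOffset);
}

// 1) On a live object the packed form yields the same base address that the
//    vptr-reading static_cast would.
bool PackedRoundTrip() {
    Derived d;
    auto packed = Pack(&d);
    auto* viaCast = static_cast<RefCountedBase*>(&d);
    return BaseAddress(packed) == reinterpret_cast<std::uintptr_t>(viaCast);
}

// 2) Why the offset cannot be a compile-time constant: the same Derived* is at
//    a different distance from RefCountedBase when the dynamic type is
//    MoreDerived (virtual bases are laid out after the most-derived class's
//    own members in the Itanium and MSVC ABIs).
bool OffsetDependsOnDynamicType() {
    Derived d;
    MoreDerived md;
    Derived* asDerived = &md;
    return Pack(&d).baseOffset != Pack(asDerived).baseOffset;
}

// 3) After the object is retired, the reader still computes the canonical base
//    address from the packed value without reading freed memory. A
//    static_cast<RefCountedBase*>(staleDerived) here would be the UAF.
bool StaleRecoveryIsArithmetic() {
    auto* d = new MoreDerived;
    auto packed = Pack(static_cast<Derived*>(d));
    auto expected = reinterpret_cast<std::uintptr_t>(static_cast<RefCountedBase*>(d));
    delete d;                                 // object gone; *d must not be read
    return BaseAddress(packed) == expected;   // addr + offset, no dereference
}

int main() {
    std::cout << "round trip:        " << PackedRoundTrip() << '\n'
              << "offset varies:     " << OffsetDependsOnDynamicType() << '\n'
              << "stale is safe:     " << StaleRecoveryIsArithmetic() << '\n';
    return 0;
}
```

Build with `-fsanitize=address` to confirm the third check stays silent: the stale path does only integer arithmetic on the packed value, which is exactly what lets the hazard protocol name a possibly-retired object without dereferencing it.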
