| commit | c4e0097c27ee1e5c10072752fec35794a2aa41ce | |
| author | Alexander Kyte <alexmkyte@fastmail.com> | |
| Wed, 17 Jun 2015 00:07:08 +0000 (16 20:07 -0400) | ||
| committer | Alexander Kyte <alexmkyte@fastmail.com> | |
| Wed, 17 Jun 2015 00:07:08 +0000 (16 20:07 -0400) | ||
| tree | ecf379cad59faa11a772fb52f359483666e5fb0d | treesnapshot (tar.gz zip) |
| parent | 823aa3dd4ee4abd745afe6366616d3669bd321de | commitdiff |
[runtime] Fixed use-after-free in context freeing
We had a use-after-free bug in context freeing that creating and freeing AppDomains in parallel exposed.
We called g_hash_table_remove in a callback to g_hash_table_foreach,
which
resulted in freeing the Slot struct that the g_hash_table_foreach was
holding a local reference to.
When it tried to get the chained 'next' element in the table, if
other threads caused enough memory pressure to reuse that memory
between freeing and getting the 'next' pointer, then we try to
dereference a garbage value and get a SIGSEGV.
We had a use-after-free bug in context freeing that creating and freeing AppDomains in parallel exposed.
We called g_hash_table_remove in a callback to g_hash_table_foreach,
which
resulted in freeing the Slot struct that the g_hash_table_foreach was
holding a local reference to.
When it tried to get the chained 'next' element in the table, if
other threads caused enough memory pressure to reuse that memory
between freeing and getting the 'next' pointer, then we try to
dereference a garbage value and get a SIGSEGV.
| mono/metadata/threads.c | diffblobblamehistory |