Fix UAF in InputGate::Waiter #232

harrishancock · 2022-12-20T02:17:19Z

When a critical section completes with leftover waiters, they are reparented such that the waiters are now waiting on the parent scope. Before this commit, this did not correctly update the gate reference in the waiter.

This commit also fixes 2 other reparenting bugs, and adds additional test coverage for reparenting:

Ensures that reparenting works with multiple layers of nested critical sections, by skipping already reparented critical sections in the family hierarchy.
Fixes bug when reparenting waiters for nested critical sections, where they were being removed from the incorrect list.

(@xortive wrote this commit, and the above text.)

When a critical section completes with leftover waiters, they are reparented such that the waiters are now waiting on the parent scope. Before this commit, this did not correctly update the `gate` reference in the waiter. This commit also fixes 2 other reparenting bugs, and adds additional test coverage for reparenting: * Ensures that reparenting works with multiple layers of nested critical sections, by skipping already reparented critical sections in the family hierarchy. * Fixes bug when reparenting waiters for nested critical sections, where they were being removed from the incorrect list.

harrishancock requested review from xortive and kentonv December 20, 2022 02:17

kentonv approved these changes Dec 20, 2022

View reviewed changes

harrishancock merged commit 489bb49 into main Dec 20, 2022

harrishancock deleted the harris/fix-uaf-in-input-gate-waiter branch December 20, 2022 21:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix UAF in InputGate::Waiter #232

Fix UAF in InputGate::Waiter #232

harrishancock commented Dec 20, 2022

Fix UAF in InputGate::Waiter #232

Fix UAF in InputGate::Waiter #232

Conversation

harrishancock commented Dec 20, 2022