From 22fb321d059aba283deade0a81528fd148fda7c3 Mon Sep 17 00:00:00 2001
From: barter-simsum
Date: Tue, 12 Mar 2024 19:16:12 -0400
Subject: [PATCH 1/2] pma: clear pending_flist after completion of _pending_flist_merge

use-after-free was responsible for crash

---
 rust/ares_pma/c-src/btree.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rust/ares_pma/c-src/btree.c b/rust/ares_pma/c-src/btree.c
index a796748..29693cc 100644
--- a/rust/ares_pma/c-src/btree.c
+++ b/rust/ares_pma/c-src/btree.c
@@ -1134,6 +1134,7 @@ _pending_flist_merge(BT_state *state)
 src_head = src_head->next;
 free(prev);
 }
+ state->pending_flist = 0;
 }
 
 

From 45f7f00dc9b53a2ed1e6253524965eb9165d50f1 Mon Sep 17 00:00:00 2001
From: Edward Amsden
Date: Tue, 12 Mar 2024 18:38:06 -0500
Subject: [PATCH 2/2] interpreter: check for copying flag in exit

---
 rust/ares/src/interpreter.rs | 6 ++++++
 rust/ares/src/mem.rs | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/rust/ares/src/interpreter.rs b/rust/ares/src/interpreter.rs
index 12bb229..250aa96 100644
--- a/rust/ares/src/interpreter.rs
+++ b/rust/ares/src/interpreter.rs
@@ -1185,6 +1185,11 @@ fn exit(
 unsafe {
 context.restore(snapshot);
 
+ if context.stack.copying() {
+ assert!(context.stack.get_frame_pointer() != virtual_frame);
+ context.stack.frame_pop();
+ }
+
 let stack = &mut context.stack;
 let mut preserve = match error {
 Error::ScryBlocked(path) => path,
@@ -1192,6 +1197,7 @@ fn exit(
 // Return $tang of traces
 let h = *(stack.local_noun_pointer(0));
 // XX: Small chance of clobbering something important after OOM?
+ // XX: what if we OOM while making a stack trace
 T(stack, &[h, t])
 }
 };
diff --git a/rust/ares/src/mem.rs b/rust/ares/src/mem.rs
index 210e897..6852139 100644
--- a/rust/ares/src/mem.rs
+++ b/rust/ares/src/mem.rs
@@ -137,6 +137,10 @@ impl NockStack {
 };
 }
 
+ pub fn copying(&self) -> bool {
+ self.pc
+ }
+
 /** Current frame pointer of this NockStack */
 pub fn get_frame_pointer(&self) -> *const u64 {
 self.frame_pointer
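Review bot: The cleared list head is written as `0` although the rest of the function treats it as a pointer (`src_head->next`, `free(prev)`); prefer `state->pending_flist = NULL;` so the reset reads as a pointer reset, and keep a why-comment with it, `/* nodes were freed above; drop the dangling head so a later merge cannot walk freed memory */`, so the line is not removed later as redundant. The commit message attributes the crash to a use-after-free, which is consistent with a stale head being walked on a later merge; if BT_state keeps any other bookkeeping for this list (a tail pointer or a node count), it needs resetting here as well — the struct is not visible in the hunk. `_pending_flist_merge` begins outside the hunk.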
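Review bot: The new `assert!` in `exit` panics inside the error-exit path without a message, so if the invariant ever fails the interpreter aborts error recovery with only a source location to go on; give it a message, `assert!(context.stack.get_frame_pointer() != virtual_frame, "exit: stack still copying at the virtual frame");`, and put a short comment above the `if` explaining why a frame must be popped when `copying()` is true after `restore(snapshot)`. Whether `frame_pop` clears the copying flag is not visible in this hunk; if it does not, the `preserve` match and the `T(stack, …)` allocation that follow run with the flag still set, which is worth confirming. `fn exit(` begins and ends outside the hunk, and `virtual_frame` is bound outside it too.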
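Review bot: `copying` is a new public method without a doc comment, while its neighbour `get_frame_pointer` carries one; add `/** Whether this NockStack is currently in its copying phase (the `pc` flag is set) */` above it so callers such as the new check in `exit` know what `true` means. Since the flag now gates an `assert!` and a `frame_pop` in the interpreter, the doc should also name which operations set and clear `pc` — that information is not in this hunk. `impl NockStack` begins and ends outside the hunk.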