ucontext-cp: don't free coroutine stack and context in use#1591
Open
rootvector2 wants to merge 1 commit into
Open
ucontext-cp: don't free coroutine stack and context in use#1591rootvector2 wants to merge 1 commit into
rootvector2 wants to merge 1 commit into
Conversation
ammarfaizi2
suggested changes
Jun 4, 2026
Contributor
ammarfaizi2
left a comment
ammarfaizi2
left a comment
There was a problem hiding this comment.
Please, read the pull request guidelines.
- The commit message must contain a Signed-off-by tag.
- The explanation about the commit should be included in the commit message itself, word-wrapped at 72 chars.
copy_file_wrapper() runs as a makecontext() coroutine on the stack pointed to by pctx->stack_buf. On completion it freed stack_buf and pctx, then called swapcontext(&pctx->ctx_fnew, &pctx->ctx_main). That swap saves into and loads from the just-freed pctx while still running on the freed stack, so the final switch back to main is a use-after-free. Drop the two frees from the coroutine and reclaim stack_buf and pctx in main()'s event loop once the coroutine has finished, detected via the completion counter. A coroutine only completes in the event loop, since the setup loop always yields at the first await_readv. Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>
rootvector2
force-pushed
the
ucontext-cp-coro-uaf
branch
from
0749150 to
d9fe09c
Compare
Contributor
Author
|
done. added the sign-off and moved the explanation into the commit message body, wrapped at 72. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
copy_file_wrapperruns as amakecontextcoroutine onpctx->stack_buf, but on completion it frees that stack andpctxand thenswapcontexts through them, so the final switch back to main runs on freed memory. found it reading the cleanup path. move the frees ofstack_bufandpctxintomain, which reclaims them once the coroutine has finished.