slp / io-uring

Wrapper providing a safe and simple way to access liburing-sys features.
GNU Lesser General Public License v2.1

`prepare_*` or `submit_requests` should be unsafe #1

Open quininer opened 5 years ago

quininer commented 5 years ago

I noticed that io-uring marks both `prepare_*` and `submit_requests` as safe, but this should actually be unsafe.

Here is a PoC that proves it is not safe: https://gist.github.com/quininer/dbdc7c1fde3553a911015395bc886398

slp commented 5 years ago

Thanks for bringing this up. Could you please elaborate a bit on the reasons?

quininer commented 5 years ago

This is actually a use-after-free. You can see that 13L dropped buf, which causes the kernel to write data to the wrong memory (15L).

That is, submit should be unsafe unless we can guarantee that the buffer is valid until the IO operation is complete.
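One way a safe wrapper can provide the guarantee asked for above, as an added example that is not code from this repository or from the linked gist: the ring takes ownership of each buffer at submission and returns it only on completion. `OwnedRing`, `submit_read`, `kernel_completes` and `wait` are hypothetical names, and the kernel is mocked so the block runs without liburing.

```rust
use std::collections::HashMap;

/// Hypothetical ring wrapper: in-flight buffers are owned by the ring,
/// so safe code cannot drop or alias them before completion.
pub struct OwnedRing {
    next_token: u64,
    in_flight: HashMap<u64, Vec<u8>>,
    completed: HashMap<u64, (usize, Vec<u8>)>,
}

impl OwnedRing {
    pub fn new() -> Self {
        OwnedRing { next_token: 0, in_flight: HashMap::new(), completed: HashMap::new() }
    }

    /// Takes `buf` by value: after this call the caller has nothing to drop.
    pub fn submit_read(&mut self, buf: Vec<u8>) -> u64 {
        let token = self.next_token;
        self.next_token += 1;
        self.in_flight.insert(token, buf);
        token
    }

    /// Mocked kernel completion (no real I/O): writes `data` into the kept-alive buffer.
    pub fn kernel_completes(&mut self, token: u64, data: &[u8]) {
        if let Some(mut buf) = self.in_flight.remove(&token) {
            let n = data.len().min(buf.len());
            buf[..n].copy_from_slice(&data[..n]);
            self.completed.insert(token, (n, buf));
        }
    }

    /// Ownership returns to the caller only once the operation is complete.
    pub fn wait(&mut self, token: u64) -> Option<(usize, Vec<u8>)> {
        self.completed.remove(&token)
    }
    pub fn in_flight(&self) -> usize { self.in_flight.len() }
}

fn main() {
    let mut ring = OwnedRing::new();
    let buf = vec![0u8; 8]; // constructed sample buffer
    let token = ring.submit_read(buf);
    // `buf` was moved into the ring; `drop(buf)` here would not compile.
    assert!(ring.wait(token).is_none()); // still in flight, nothing handed back
    ring.kernel_completes(token, b"hello");
    let (n, buf) = ring.wait(token).expect("completed");
    println!("{} bytes: {:?}", n, &buf[..n]);
}
```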

slp commented 5 years ago

You're right, thanks. I'll update the interface ASAP.