Open quininer opened 5 years ago
Thanks for bringing this up. Could you please elaborate a bit on the reasons?
This is actually a use-after-free. You can see that 13L dropped `buf`, which causes the kernel to write data to the wrong memory (15L).
That is, `submit` should be unsafe unless we can guarantee that the buffer is valid until the IO operation is complete.
You're right, thanks. I'll update the interface ASAP.
I noticed that io-uring marks both `prepare_*` and `submit_requests` as safe, but this should actually be unsafe. Here is a PoC that proves it is not safe: https://gist.github.com/quininer/dbdc7c1fde3553a911015395bc886398