Skip to content

Fix Reference Count Overflow (Use-After-Free) in Atom::clone#301

Open
matteoldani wants to merge 1 commit into
servo:mainfrom
matteoldani:fix-refcount-overflow
Open

Fix Reference Count Overflow (Use-After-Free) in Atom::clone#301
matteoldani wants to merge 1 commit into
servo:mainfrom
matteoldani:fix-refcount-overflow

Conversation

@matteoldani

Copy link
Copy Markdown

This PR adds a safeguard against Reference Count Overflow in Atom::clone.

If an Atom's reference count exceeds isize::MAX, it will now deterministically abort the process (std::process::abort()) rather than wrapping around to a negative number and risking a subsequent Use-After-Free vulnerability.

Despite being unlikely to occur in practice, the fix should be easy and without real tradeoffs.

Fixes #299

Previously, cloning a dynamic Atom blindly incremented the atomic
reference count using `fetch_add` without any bounds checking. This
allowed a degenerate program to clone an Atom ~2.1 billion times on
a 32-bit platform, wrapping the reference count to negative and
eventually back to 0. This would cause the entry to be freed while
clones still exist, triggering an exploitable Use-After-Free.

This patch adds an overflow check to abort the process if the
reference count reaches `isize::MAX`, mirroring the safety mechanisms
of `std::sync::Arc`. Local benchmarks show the performance impact is
less than 0.2 nanoseconds per clone, which is statistically indistinguishable
from the baseline noise.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reference count overflow in Atom::clone

1 participant