On Mon Jun 23, 2025 at 2:51 PM CEST, Danilo Krummrich wrote:
> On Mon, Jun 23, 2025 at 12:01:14PM +0000, Alice Ryhl wrote:
>> On Sun, Jun 22, 2025 at 06:40:41PM +0200, Danilo Krummrich wrote:
>> > +pub fn register_release<P>(dev: &Device<Bound>, data: P) -> Result
>> > +where
>> > + P: ForeignOwnable,
>> > + for<'a> P::Borrowed<'a>: Release,
>>
>> I think we need where P: ForeignOwnable + 'static too.
>>
>> otherwise I can pass something with a reference that expires before the
>> device is unbound and access it in the devm callback as a UAF.
>
> I can't really come up with an example for such a case, mind providing one? :)
{
let local = MyLocalData { /* ... */ };
let data = Arc::new(Data { r: &local });
devres::register_release(dev, data)?;
}
// devres still holds onto `data`, but that points at `MyLocalData`
// which is on the stack and freed here...
---
Cheers,
Benno
