From 20f03ddcefffaf5e42d9060144a6cc3aa1313dd4 Mon Sep 17 00:00:00 2001 From: Gabriel Baraldi Date: Tue, 4 Jun 2024 21:06:14 -0300 Subject: [PATCH] Add boundscheck in bindingkey_eq to avoid OOB access due to data race (#54671) The race here is that svec might be replaced and a new binding introduced into the keyset while we hold a reference to the old svec, which led to a OOB access on the svec with the index a binding introduced at the same time. This now introduces a bounds check which will force taking the lock if we fail the lookup i.e we had a data race. Fixes https://github.com/JuliaLang/julia/issues/54285 --------- Co-authored-by: Jameson Nash --- src/module.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/module.c b/src/module.c index 1be2d5c8673d9..9242a65950201 100644 --- a/src/module.c +++ b/src/module.c @@ -710,13 +710,15 @@ JL_DLLEXPORT int jl_binding_resolved_p(jl_module_t *m, jl_sym_t *var) static uint_t bindingkey_hash(size_t idx, jl_value_t *data) { - jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx); + jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx); // This must always happen inside the lock jl_sym_t *var = b->globalref->name; return var->hash; } static int bindingkey_eq(size_t idx, const void *var, jl_value_t *data, uint_t hv) { + if (idx >= jl_svec_len(data)) + return 0; // We got a OOB access, probably due to a data race jl_binding_t *b = (jl_binding_t*)jl_svecref(data, idx); jl_sym_t *name = b->globalref->name; return var == name;
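Review bot: The new early return in bindingkey_eq guards idx against jl_svec_len(data), but its comment describes an event that did not happen ("We got a OOB access") rather than the invariant the check preserves; I would reword it to `// idx is beyond this svec: the keyset was presumably resized by a concurrent insert while we read without the lock; report a mismatch so the caller falls back to the locked lookup`. The companion comment `// This must always happen inside the lock` added to the jl_svecref line in bindingkey_hash states a precondition that nothing in the hunk enforces, so naming the lock it refers to (or adding a debug-build assertion) would make it checkable. One thing to confirm: if the binding svec can ever be longer than its populated prefix, `idx < jl_svec_len(data)` does not by itself guarantee that `b` is non-NULL before the `b->globalref` dereference, so either a `b == NULL` check or a comment stating that slots are always populated up to the svec length seems warranted. bindingkey_eq's closing brace lies outside the hunk.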