On Fri, Jul 7, 2023 at 7:04 AM Andrew Werner <awerner32@xxxxxxxxx> wrote:
>
> When it comes to fixing the problem, I don't quite know where to start.
> Perhaps these iteration callbacks ought to be treated more like global functions
> -- you can't always make assumptions about the state of the data in the context
> pointer. Treating the context pointer as totally opaque seems bad from a usability
> perspective. Maybe there's a way to attempt to verify the function body of the
> function by treating all or part of the context as read-only, and then if that
> fails, go back and assume nothing about that part of the context structure.
> What is the right way to think about plugging this hole?

'treat as global' might be a way to fix it, but it will likely break some setups,
since people pass pointers in a context and current global func verification
doesn't support that.

I think the simplest fix would be to disallow writes into any pointers within a ctx.
Writes to scalars should still be allowed.

A much more complex fix would be to verify callbacks as process_iter_next_call().
See the giant comment next to it.
But since we need a fix for stable I'd try the simple approach first.
Could you try to implement that?
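The distinction the reply draws (callback may write scalar members of the ctx, must not write pointer members) as an added, host-side C illustration; this is not kernel verifier code and not code from either participant. `struct cb_ctx`, `for_each_elem`, `sum_cb`, `rebind_cb` and `ctx_write_allowed` are all assumed names for this example: `for_each_elem` stands in for an iteration helper such as bpf_for_each_map_elem(), and `ctx_write_allowed` models the proposed rule as a check over the ctx layout (a store is accepted only if it does not overlap a slot holding a pointer). The array contents are constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the callback context a BPF program keeps on its stack
 * and hands to an iteration helper. Layout is an assumption for this example. */
struct cb_ctx {
    long  total;     /* scalar slot: the proposed rule still allows writes */
    long *sink;      /* pointer slot: the proposed rule rejects writes */
};

/* Stand-in for the helper's loop (plain C, not a real BPF helper): calls cb
 * for each element, stops early on a non-zero return, returns calls made. */
typedef long (*iter_cb)(uint32_t idx, long *elem, struct cb_ctx *ctx);

static long for_each_elem(long *elems, uint32_t n, iter_cb cb, struct cb_ctx *ctx)
{
    long calls = 0;
    for (uint32_t i = 0; i < n; i++) {
        calls++;
        if (cb(i, &elems[i], ctx))
            break;
    }
    return calls;
}

/* Allowed: the callback only writes a scalar member of ctx. */
static long sum_cb(uint32_t idx, long *elem, struct cb_ctx *ctx)
{
    (void)idx;
    ctx->total += *elem;
    return 0;
}

/* Rejected by the proposed rule: the callback overwrites a pointer member of
 * ctx. After the helper returns, what the caller knew about where ctx->sink
 * points (a variable on its own stack) is stale. */
static long rebind_cb(uint32_t idx, long *elem, struct cb_ctx *ctx)
{
    (void)idx;
    ctx->sink = elem;
    return 1;
}

/* Model of the proposed verifier rule over the layout above: a store of
 * `size` bytes at ctx offset `off` is accepted only if it stays inside the
 * struct and does not overlap the pointer slot. Returns 1 = allow, 0 = reject. */
static int ctx_write_allowed(size_t off, size_t size)
{
    size_t ptr_lo = offsetof(struct cb_ctx, sink);
    size_t ptr_hi = ptr_lo + sizeof(((struct cb_ctx *)0)->sink);
    if (off + size > sizeof(struct cb_ctx))
        return 0;                              /* out of bounds */
    return off + size <= ptr_lo || off >= ptr_hi;
}

/* Sums a constructed array through the allowed callback; the caller's pointer
 * is still valid afterwards, so the post-loop write lands where expected. */
static long run_sum(void)
{
    long elems[] = { 3, 4, 5 };                /* constructed input */
    long result = 0;
    struct cb_ctx ctx = { .total = 0, .sink = &result };
    for_each_elem(elems, 3, sum_cb, &ctx);
    *ctx.sink = ctx.total;                     /* sink still points at result */
    return result;
}

/* Runs the rejected callback; returns 1 if ctx.sink was retargeted away from
 * the caller's variable, which is the state the verifier would have mis-tracked. */
static int run_rebind(void)
{
    long elems[] = { 3, 4, 5 };                /* constructed input */
    long result = 0;
    struct cb_ctx ctx = { .total = 0, .sink = &result };
    for_each_elem(elems, 3, rebind_cb, &ctx);
    return ctx.sink != &result;                /* now points into elems[] */
}

int main(void)
{
    printf("sum via allowed callback: %ld\n", run_sum());
    printf("pointer slot retargeted by rejected callback: %d\n", run_rebind());
    printf("write to total allowed: %d, write to sink allowed: %d\n",
           ctx_write_allowed(offsetof(struct cb_ctx, total), sizeof(long)),
           ctx_write_allowed(offsetof(struct cb_ctx, sink), sizeof(long *)));
    return 0;
}
```

The point of `ctx_write_allowed` is that the check is static and type-driven: the real verifier would decide from the tracked type of the stack slot (spilled pointer vs scalar) rather than from a hard-coded struct, but the accept/reject split is the same one the reply proposes.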