Unix GC Remastered
5 hours ago
- #Linux Kernel
- #Garbage Collection
- #AF_UNIX
- The AF_UNIX garbage collector frees sockets stuck in the kernel due to SCM_RIGHTS file-descriptor passing, addressing a memory inefficiency.
- The collector was rewritten with a graph/SCC model but remains bug-prone; includes a UAF bug discussion.
- GC triggers when there are too many inflight sockets (>16000) or when a socket is closed while any sockets are inflight.
- The new GC uses Tarjan's algorithm to find SCCs; the fast path reuses the previous SCCs if the graph is unchanged, and the slow path rebuilds them.
- The CVE-2025-40214 UAF bug arises from an uninitialized scc_index causing false dead-SCC detection, leading to a premature purge.
- The exploit involves vertex spraying to manipulate scc_index, building cycles, and triggering the fast-path GC to cause the UAF.