fix(nif): validate event-loop fd handles via a registry

The asyncio reader/writer integration handed Python a raw fd_resource
pointer cast to an integer, then cast it back and dereferenced it in
remove/update/clear/release. A stale, duplicate, or fabricated id was a
double-free or arbitrary-pointer deref that crashed the node.

Hand out opaque ids tracked in a validating registry instead: producers
register and return an id; removing consumers take (and release) the
entry so a duplicate id is a no-op; non-removing consumers look up with a
temporary keep. An unknown id is a safe no-op or a clean ValueError.

fd_read/fd_write also moved to ERL_NIF_DIRTY_JOB_IO_BOUND.

Adds py_fd_ops_SUITE:fd_registry_invalid_id_test.

Author: benoitc

CHANGELOG.md

@@ -4,6 +4,11 @@
 
 ### Security
 
+- **Validated event-loop fd handles** - The asyncio reader/writer integration no longer
+  hands Python a raw `fd_resource` pointer as an integer key. Each handle is an opaque id
+  validated against a registry on every use, so a stale, duplicate, or fabricated id is a
+  safe no-op (or clean error) instead of a double-free or arbitrary-pointer dereference
+  that crashed the node. `fd_read`/`fd_write` also moved to dirty IO schedulers.
 - **OWN_GIL worker robustness** (Python 3.14+) - A per-request allocation failure in
   a subinterpreter worker no longer `break`s (and permanently kills) the worker command
   loop; it returns an error and keeps serving. The `owngil_*` dispatch NIFs now run on

c_src/py_event_loop.c

@@ -6516,6 +6516,83 @@ static PyObject *py_get_isolation_mode(PyObject *self, PyObject *args) {
     return PyUnicode_FromString("global");
 }
 
+/* ============================================================================
+ * Validating fd-handle registry
+ *
+ * Python receives an opaque integer id for each fd resource, never a raw
+ * pointer. Every consumer validates the id against this table, so a stale,
+ * duplicate, or fabricated id is a safe no-op instead of a use-after-free or
+ * arbitrary-pointer dereference. The producer's resource reference lives in the
+ * table entry: fd_reg_get hands out a temporary keep, fd_reg_take transfers the
+ * reference to the caller to release.
+ * ============================================================================ */
+typedef struct { uint64_t id; fd_resource_t *res; } fd_reg_entry_t;
+static fd_reg_entry_t *g_fd_reg = NULL;
+static size_t g_fd_reg_len = 0;
+static size_t g_fd_reg_cap = 0;
+static uint64_t g_fd_reg_next_id = 1;
+static pthread_mutex_t g_fd_reg_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/* Store res and return its opaque id (0 on allocation failure). The caller's
+ * existing resource reference becomes owned by the table entry. */
+static uint64_t fd_reg_add(fd_resource_t *res) {
+    pthread_mutex_lock(&g_fd_reg_mutex);
+    if (g_fd_reg_len == g_fd_reg_cap) {
+        size_t ncap = g_fd_reg_cap ? g_fd_reg_cap * 2 : 16;
+        fd_reg_entry_t *n = enif_realloc(g_fd_reg, ncap * sizeof(*n));
+        if (n == NULL) {
+            pthread_mutex_unlock(&g_fd_reg_mutex);
+            return 0;
+        }
+        g_fd_reg = n;
+        g_fd_reg_cap = ncap;
+    }
+    uint64_t id = g_fd_reg_next_id++;
+    if (id == 0) id = g_fd_reg_next_id++;  /* never hand out 0 */
+    g_fd_reg[g_fd_reg_len].id = id;
+    g_fd_reg[g_fd_reg_len].res = res;
+    g_fd_reg_len++;
+    pthread_mutex_unlock(&g_fd_reg_mutex);
+    return id;
+}
+
+/* Look up id; on hit, keep the resource and return it (caller must release).
+ * Returns NULL for an unknown/stale/fabricated id. */
+static fd_resource_t *fd_reg_get(uint64_t id) {
+    fd_resource_t *res = NULL;
+    if (id != 0) {
+        pthread_mutex_lock(&g_fd_reg_mutex);
+        for (size_t i = 0; i < g_fd_reg_len; i++) {
+            if (g_fd_reg[i].id == id) {
+                res = g_fd_reg[i].res;
+                enif_keep_resource(res);
+                break;
+            }
+        }
+        pthread_mutex_unlock(&g_fd_reg_mutex);
+    }
+    return res;
+}
+
+/* Remove id; on hit, return the resource (caller owns the entry's reference and
+ * must release it). Returns NULL for an unknown/stale/duplicate id. */
+static fd_resource_t *fd_reg_take(uint64_t id) {
+    fd_resource_t *res = NULL;
+    if (id != 0) {
+        pthread_mutex_lock(&g_fd_reg_mutex);
+        for (size_t i = 0; i < g_fd_reg_len; i++) {
+            if (g_fd_reg[i].id == id) {
+                res = g_fd_reg[i].res;
+                g_fd_reg[i] = g_fd_reg[g_fd_reg_len - 1];  /* swap with last */
+                g_fd_reg_len--;
+                break;
+            }
+        }
+        pthread_mutex_unlock(&g_fd_reg_mutex);
+    }
+    return res;
+}
+
 /* Python function: _add_reader(fd, callback_id) -> fd_key */
 static PyObject *py_add_reader(PyObject *self, PyObject *args) {
     (void)self;
@@ -6567,8 +6644,17 @@ static PyObject *py_add_reader(PyObject *self, PyObject *args) {
     }
 
     /* Return a key that can be used to remove the reader */
-    unsigned long long key = (unsigned long long)(uintptr_t)fd_res;
-    return PyLong_FromUnsignedLongLong(key);
+    /* Hand Python an opaque, validated id instead of a raw pointer. The
+     * producer's resource reference is taken over by the registry entry. */
+    uint64_t id = fd_reg_add(fd_res);
+    if (id == 0) {
+        enif_select(loop->msg_env, (ErlNifEvent)fd, ERL_NIF_SELECT_STOP,
+                    fd_res, NULL, ATOM_UNDEFINED);
+        enif_release_resource(fd_res);
+        PyErr_SetString(PyExc_MemoryError, "fd registry full");
+        return NULL;
+    }
+    return PyLong_FromUnsignedLongLong((unsigned long long)id);
 }
 
 /* Python function: _remove_reader(fd_key) -> None */
@@ -6581,11 +6667,13 @@ static PyObject *py_remove_reader(PyObject *self, PyObject *args) {
     }
 
     /* Use per-interpreter event loop lookup - but still allow cleanup even if loop is gone */
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
-    if (fd_res != NULL && fd_res->loop != NULL) {
-        enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
-                    ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
-        fd_res->reader_active = false;
+    fd_resource_t *fd_res = fd_reg_take(fd_key);
+    if (fd_res != NULL) {
+        if (fd_res->loop != NULL) {
+            enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
+                        ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
+            fd_res->reader_active = false;
+        }
         enif_release_resource(fd_res);
     }
 
@@ -6643,8 +6731,17 @@ static PyObject *py_add_writer(PyObject *self, PyObject *args) {
     }
 
     /* Return a key that can be used to remove the writer */
-    unsigned long long key = (unsigned long long)(uintptr_t)fd_res;
-    return PyLong_FromUnsignedLongLong(key);
+    /* Hand Python an opaque, validated id instead of a raw pointer. The
+     * producer's resource reference is taken over by the registry entry. */
+    uint64_t id = fd_reg_add(fd_res);
+    if (id == 0) {
+        enif_select(loop->msg_env, (ErlNifEvent)fd, ERL_NIF_SELECT_STOP,
+                    fd_res, NULL, ATOM_UNDEFINED);
+        enif_release_resource(fd_res);
+        PyErr_SetString(PyExc_MemoryError, "fd registry full");
+        return NULL;
+    }
+    return PyLong_FromUnsignedLongLong((unsigned long long)id);
 }
 
 /* Python function: _remove_writer(fd_key) -> None */
@@ -6657,11 +6754,13 @@ static PyObject *py_remove_writer(PyObject *self, PyObject *args) {
     }
 
     /* Use fd_res->loop directly - allows cleanup even if interpreter's loop is gone */
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
-    if (fd_res != NULL && fd_res->loop != NULL) {
-        enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
-                    ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
-        fd_res->writer_active = false;
+    fd_resource_t *fd_res = fd_reg_take(fd_key);
+    if (fd_res != NULL) {
+        if (fd_res->loop != NULL) {
+            enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
+                        ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
+            fd_res->writer_active = false;
+        }
         enif_release_resource(fd_res);
     }
 
@@ -7391,8 +7490,17 @@ static PyObject *py_add_reader_for(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    unsigned long long key = (unsigned long long)(uintptr_t)fd_res;
-    return PyLong_FromUnsignedLongLong(key);
+    /* Hand Python an opaque, validated id instead of a raw pointer. The
+     * producer's resource reference is taken over by the registry entry. */
+    uint64_t id = fd_reg_add(fd_res);
+    if (id == 0) {
+        enif_select(loop->msg_env, (ErlNifEvent)fd, ERL_NIF_SELECT_STOP,
+                    fd_res, NULL, ATOM_UNDEFINED);
+        enif_release_resource(fd_res);
+        PyErr_SetString(PyExc_MemoryError, "fd registry full");
+        return NULL;
+    }
+    return PyLong_FromUnsignedLongLong((unsigned long long)id);
 }
 
 /* Python function: _remove_reader_for(capsule, fd_key) -> None */
@@ -7411,11 +7519,13 @@ static PyObject *py_remove_reader_for(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
-    if (fd_res != NULL && fd_res->loop != NULL) {
-        enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
-                    ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
-        fd_res->reader_active = false;
+    fd_resource_t *fd_res = fd_reg_take(fd_key);
+    if (fd_res != NULL) {
+        if (fd_res->loop != NULL) {
+            enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
+                        ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
+            fd_res->reader_active = false;
+        }
         enif_release_resource(fd_res);
     }
 
@@ -7472,8 +7582,17 @@ static PyObject *py_add_writer_for(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    unsigned long long key = (unsigned long long)(uintptr_t)fd_res;
-    return PyLong_FromUnsignedLongLong(key);
+    /* Hand Python an opaque, validated id instead of a raw pointer. The
+     * producer's resource reference is taken over by the registry entry. */
+    uint64_t id = fd_reg_add(fd_res);
+    if (id == 0) {
+        enif_select(loop->msg_env, (ErlNifEvent)fd, ERL_NIF_SELECT_STOP,
+                    fd_res, NULL, ATOM_UNDEFINED);
+        enif_release_resource(fd_res);
+        PyErr_SetString(PyExc_MemoryError, "fd registry full");
+        return NULL;
+    }
+    return PyLong_FromUnsignedLongLong((unsigned long long)id);
 }
 
 /* Python function: _remove_writer_for(capsule, fd_key) -> None */
@@ -7492,11 +7611,13 @@ static PyObject *py_remove_writer_for(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
-    if (fd_res != NULL && fd_res->loop != NULL) {
-        enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
-                    ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
-        fd_res->writer_active = false;
+    fd_resource_t *fd_res = fd_reg_take(fd_key);
+    if (fd_res != NULL) {
+        if (fd_res->loop != NULL) {
+            enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
+                        ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
+            fd_res->writer_active = false;
+        }
         enif_release_resource(fd_res);
     }
 
@@ -7516,8 +7637,9 @@ static PyObject *py_update_fd_read(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
+    fd_resource_t *fd_res = fd_reg_get(fd_key);
     if (fd_res == NULL || fd_res->loop == NULL) {
+        if (fd_res) enif_release_resource(fd_res);
         PyErr_SetString(PyExc_ValueError, "Invalid fd resource");
         return NULL;
     }
@@ -7531,6 +7653,7 @@ static PyObject *py_update_fd_read(PyObject *self, PyObject *args) {
     enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
                 ERL_NIF_SELECT_READ, fd_res, target_pid, ATOM_UNDEFINED);
 
+    enif_release_resource(fd_res);
     Py_RETURN_NONE;
 }
 
@@ -7547,8 +7670,9 @@ static PyObject *py_update_fd_write(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
+    fd_resource_t *fd_res = fd_reg_get(fd_key);
     if (fd_res == NULL || fd_res->loop == NULL) {
+        if (fd_res) enif_release_resource(fd_res);
         PyErr_SetString(PyExc_ValueError, "Invalid fd resource");
         return NULL;
     }
@@ -7562,6 +7686,7 @@ static PyObject *py_update_fd_write(PyObject *self, PyObject *args) {
     enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
                 ERL_NIF_SELECT_WRITE, fd_res, target_pid, ATOM_UNDEFINED);
 
+    enif_release_resource(fd_res);
     Py_RETURN_NONE;
 }
 
@@ -7577,9 +7702,10 @@ static PyObject *py_clear_fd_read(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
+    fd_resource_t *fd_res = fd_reg_get(fd_key);
     if (fd_res == NULL || fd_res->loop == NULL) {
-        Py_RETURN_NONE;  /* Already cleaned up */
+        if (fd_res) enif_release_resource(fd_res);
+        Py_RETURN_NONE;  /* Already cleaned up / invalid id */
     }
 
     if (fd_res->reader_active) {
@@ -7590,6 +7716,7 @@ static PyObject *py_clear_fd_read(PyObject *self, PyObject *args) {
         fd_res->read_callback_id = 0;
     }
 
+    enif_release_resource(fd_res);
     Py_RETURN_NONE;
 }
 
@@ -7605,9 +7732,10 @@ static PyObject *py_clear_fd_write(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
+    fd_resource_t *fd_res = fd_reg_get(fd_key);
     if (fd_res == NULL || fd_res->loop == NULL) {
-        Py_RETURN_NONE;  /* Already cleaned up */
+        if (fd_res) enif_release_resource(fd_res);
+        Py_RETURN_NONE;  /* Already cleaned up / invalid id */
     }
 
     if (fd_res->writer_active) {
@@ -7618,6 +7746,7 @@ static PyObject *py_clear_fd_write(PyObject *self, PyObject *args) {
         fd_res->write_callback_id = 0;
     }
 
+    enif_release_resource(fd_res);
     Py_RETURN_NONE;
 }
 
@@ -7633,10 +7762,12 @@ static PyObject *py_release_fd_resource(PyObject *self, PyObject *args) {
         return NULL;
     }
 
-    fd_resource_t *fd_res = (fd_resource_t *)(uintptr_t)fd_key;
-    if (fd_res != NULL && fd_res->loop != NULL) {
-        enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
-                    ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
+    fd_resource_t *fd_res = fd_reg_take(fd_key);
+    if (fd_res != NULL) {
+        if (fd_res->loop != NULL) {
+            enif_select(fd_res->loop->msg_env, (ErlNifEvent)fd_res->fd,
+                        ERL_NIF_SELECT_STOP, fd_res, NULL, ATOM_UNDEFINED);
+        }
         enif_release_resource(fd_res);
     }
 

c_src/py_nif.c

@@ -8032,8 +8032,8 @@ static ErlNifFunc nif_funcs[] = {
     {"reactor_close_fd", 2, nif_reactor_close_fd, 0},
 
     /* Direct FD operations */
-    {"fd_read", 2, nif_fd_read, 0},
-    {"fd_write", 2, nif_fd_write, 0},
+    {"fd_read", 2, nif_fd_read, ERL_NIF_DIRTY_JOB_IO_BOUND},
+    {"fd_write", 2, nif_fd_write, ERL_NIF_DIRTY_JOB_IO_BOUND},
     {"fd_select_read", 1, nif_fd_select_read, 0},
     {"fd_select_write", 1, nif_fd_select_write, 0},
     {"fd_close", 1, nif_fd_close, 0},

test/py_fd_ops_SUITE.erl

@@ -28,7 +28,8 @@
     fd_read_write_test/1,
     fd_close_test/1,
     fd_select_test/1,
-    dup_fd_test/1
+    dup_fd_test/1,
+    fd_registry_invalid_id_test/1
 ]).
 
 all() ->
@@ -37,7 +38,8 @@ all() ->
         fd_read_write_test,
         fd_close_test,
         fd_select_test,
-        dup_fd_test
+        dup_fd_test,
+        fd_registry_invalid_id_test
     ].
 
 init_per_suite(Config) ->
@@ -176,3 +178,18 @@ dup_fd_test(_Config) ->
     ok = py_nif:fd_close(DupFd2),
     ok = py_nif:fd_close(Fd1),
     ok.
+
+%% @doc A stale, duplicate, or fabricated fd id must be a safe no-op (or clean
+%% error), not a raw-pointer dereference. Regression for the validating
+%% fd-handle registry: pre-fix the id was cast straight to a pointer and
+%% dereferenced, so a bogus id crashed the node.
+fd_registry_invalid_id_test(_Config) ->
+    {ok, none} = py:eval(<<"__import__('py_event_loop')._remove_reader(999999999)">>),
+    {ok, none} = py:eval(<<"__import__('py_event_loop')._remove_writer(123456789)">>),
+    {ok, none} = py:eval(<<"__import__('py_event_loop')._release_fd_resource(42)">>),
+    {ok, none} = py:eval(<<"__import__('py_event_loop')._clear_fd_read(7)">>),
+    %% _update_fd_* rejects an unknown id with a clean ValueError, not a crash.
+    {error, _} = py:eval(<<"__import__('py_event_loop')._update_fd_read(54321, 1)">>),
+    %% Node still alive and usable.
+    {ok, 2} = py:eval(<<"1+1">>),
+    ok.