Fix GCHandle leak in OSX SafeDeleteSslContext (#128325)

liveans · Copilot · jkotas · web-flow · commit 5d5af623f3ae · 2026-05-25T21:18:03.000Z
> [!NOTE] > This PR was authored with help from GitHub Copilot. The `GCHandle` allocated in `SafeDeleteSslContext.SslSetConnection` was never freed, leaking one GCHandle table slot per SSL context on the legacy macOS SecureTransport path. Freeing it in `SafeDeleteSslContext.Dispose` races with in-flight native `Read`/`Write` callbacks (reliably reproduced as a `Debug.Assert` crash in `SslStreamSniTest.SslStream_ServerCallbackAndLocalCertificateSelectionSet_Throws`). Instead, ownership of the handle is moved into `SafeSslHandle` and freed from its `ReleaseHandle`, which only runs after the ref count hits zero and the native `SSLContext` is released, so no further callbacks can fire. Tested locally on osx-arm64: `System.Net.Security.Unit.Tests` (124) and `System.Net.Security.Tests` functional (4964) all pass. Fixes #128136 --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Jan Kotas <jkotas@microsoft.com> Co-authored-by: Miha Zupan <mihazupan.zupan1@gmail.com>
diff --git a/src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.Ssl.cs b/src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.Ssl.cs
@@ -460,6 +460,13 @@ namespace System.Net
 {
     internal sealed class SafeSslHandle : SafeHandle
     {
+        // Backreference used by AppleCryptoNative_SslSetConnection so native
+        // Read/Write callbacks can resolve the owning SafeDeleteSslContext.
+        // Owned here so the lifetime is tied to ReleaseHandle, which only
+        // runs once all outstanding P/Invokes (and therefore any in-flight
+        // callbacks) have completed.
+        private GCHandle<SafeDeleteSslContext> _connectionGCHandle;
+
         public SafeSslHandle()
             : base(IntPtr.Zero, ownsHandle: true)
         {
@@ -470,10 +477,18 @@ internal SafeSslHandle(IntPtr invalidHandleValue, bool ownsHandle)
         {
         }
 
+        internal void SetConnectionGCHandle(GCHandle<SafeDeleteSslContext> handle)
+        {
+            Debug.Assert(!_connectionGCHandle.IsAllocated, "Connection GCHandle already set");
+            _connectionGCHandle = handle;
+        }
+
         protected override bool ReleaseHandle()
         {
             Interop.CoreFoundation.CFRelease(handle);
             SetHandle(IntPtr.Zero);
+            _connectionGCHandle.Dispose();
+
             return true;
         }
 
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs
@@ -191,9 +191,10 @@ private static SafeSslHandle CreateSslContext(SslAuthenticationOptions sslAuthen
 
         private void SslSetConnection(SafeSslHandle sslContext)
         {
-            GCHandle handle = GCHandle.Alloc(this, GCHandleType.Weak);
+            var handle = new GCHandle<SafeDeleteSslContext>(this);
+            sslContext.SetConnectionGCHandle(handle);
 
-            Interop.AppleCrypto.SslSetConnection(sslContext, GCHandle.ToIntPtr(handle));
+            Interop.AppleCrypto.SslSetConnection(sslContext, GCHandle<SafeDeleteSslContext>.ToIntPtr(handle));
         }
 
         public override bool IsInvalid => _sslContext?.IsInvalid ?? true;
@@ -220,8 +221,7 @@ protected override void Dispose(bool disposing)
         [UnmanagedCallersOnly]
         private static unsafe int WriteToConnection(IntPtr connection, byte* data, void** dataLength)
         {
-            SafeDeleteSslContext? context = (SafeDeleteSslContext?)GCHandle.FromIntPtr(connection).Target;
-            Debug.Assert(context != null);
+            SafeDeleteSslContext context = GCHandle<SafeDeleteSslContext>.FromIntPtr(connection).Target;
 
             // We don't pool these buffers and we can't because there's a race between their us in the native
             // read/write callbacks and being disposed when the SafeHandle is disposed. This race is benign currently,
@@ -255,8 +255,7 @@ private static unsafe int WriteToConnection(IntPtr connection, byte* data, void*
         [UnmanagedCallersOnly]
         private static unsafe int ReadFromConnection(IntPtr connection, byte* data, void** dataLength)
         {
-            SafeDeleteSslContext? context = (SafeDeleteSslContext?)GCHandle.FromIntPtr(connection).Target;
-            Debug.Assert(context != null);
+            SafeDeleteSslContext context = GCHandle<SafeDeleteSslContext>.FromIntPtr(connection).Target;
 
             try
             {

Original file line number	Diff line number	Diff line change
`@@ -460,6 +460,13 @@ namespace System.Net`
`460`	`460`	`{`
`461`	`461`	`internal sealed class SafeSslHandle : SafeHandle`
`462`	`462`	`{`
	`463`	`+ // Backreference used by AppleCryptoNative_SslSetConnection so native`
	`464`	`+ // Read/Write callbacks can resolve the owning SafeDeleteSslContext.`
	`465`	`+ // Owned here so the lifetime is tied to ReleaseHandle, which only`
	`466`	`+ // runs once all outstanding P/Invokes (and therefore any in-flight`
	`467`	`+ // callbacks) have completed.`
	`468`	`+ private GCHandle<SafeDeleteSslContext> _connectionGCHandle;`
	`469`	`+`
`463`	`470`	`public SafeSslHandle()`
`464`	`471`	`: base(IntPtr.Zero, ownsHandle: true)`
`465`	`472`	`{`
`@@ -470,10 +477,18 @@ internal SafeSslHandle(IntPtr invalidHandleValue, bool ownsHandle)`
`470`	`477`	`{`
`471`	`478`	`}`
`472`	`479`
	`480`	`+ internal void SetConnectionGCHandle(GCHandle<SafeDeleteSslContext> handle)`
	`481`	`+ {`
	`482`	`+ Debug.Assert(!_connectionGCHandle.IsAllocated, "Connection GCHandle already set");`
	`483`	`+ _connectionGCHandle = handle;`
	`484`	`+ }`
	`485`	`+`
`473`	`486`	`protected override bool ReleaseHandle()`
`474`	`487`	`{`
`475`	`488`	`Interop.CoreFoundation.CFRelease(handle);`
`476`	`489`	`SetHandle(IntPtr.Zero);`
	`490`	`+ _connectionGCHandle.Dispose();`
	`491`	`+`
`477`	`492`	`return true;`
`478`	`493`	`}`
`479`	`494`
Original file line number	Diff line number	Diff line change
`@@ -191,9 +191,10 @@ private static SafeSslHandle CreateSslContext(SslAuthenticationOptions sslAuthen`
`191`	`191`
`192`	`192`	`private void SslSetConnection(SafeSslHandle sslContext)`
`193`	`193`	`{`
`194`		`- GCHandle handle = GCHandle.Alloc(this, GCHandleType.Weak);`
	`194`	`+ var handle = new GCHandle<SafeDeleteSslContext>(this);`
	`195`	`+ sslContext.SetConnectionGCHandle(handle);`
`195`	`196`
`196`		`- Interop.AppleCrypto.SslSetConnection(sslContext, GCHandle.ToIntPtr(handle));`
	`197`	`+ Interop.AppleCrypto.SslSetConnection(sslContext, GCHandle<SafeDeleteSslContext>.ToIntPtr(handle));`
`197`	`198`	`}`
`198`	`199`
`199`	`200`	`public override bool IsInvalid => _sslContext?.IsInvalid ?? true;`
`@@ -220,8 +221,7 @@ protected override void Dispose(bool disposing)`
`220`	`221`	`[UnmanagedCallersOnly]`
`221`	`222`	`private static unsafe int WriteToConnection(IntPtr connection, byte* data, void** dataLength)`
`222`	`223`	`{`
`223`		`- SafeDeleteSslContext? context = (SafeDeleteSslContext?)GCHandle.FromIntPtr(connection).Target;`
`224`		`- Debug.Assert(context != null);`
	`224`	`+ SafeDeleteSslContext context = GCHandle<SafeDeleteSslContext>.FromIntPtr(connection).Target;`
`225`	`225`
`226`	`226`	`// We don't pool these buffers and we can't because there's a race between their us in the native`
`227`	`227`	`// read/write callbacks and being disposed when the SafeHandle is disposed. This race is benign currently,`
`@@ -255,8 +255,7 @@ private static unsafe int WriteToConnection(IntPtr connection, byte* data, void*`
`255`	`255`	`[UnmanagedCallersOnly]`
`256`	`256`	`private static unsafe int ReadFromConnection(IntPtr connection, byte* data, void** dataLength)`
`257`	`257`	`{`
`258`		`- SafeDeleteSslContext? context = (SafeDeleteSslContext?)GCHandle.FromIntPtr(connection).Target;`
`259`		`- Debug.Assert(context != null);`
	`258`	`+ SafeDeleteSslContext context = GCHandle<SafeDeleteSslContext>.FromIntPtr(connection).Target;`
`260`	`259`
`261`	`260`	`try`
`262`	`261`	`{`