[PATCH] box: fix use-after-free in space_truncate

Vladimir Davydov vdavydov.dev at gmail.com
Sun Apr 7 14:38:14 MSK 2019


On Sun, Apr 07, 2019 at 02:24:30PM +0300, Vladimir Davydov wrote:
> space_truncate allocates a statement on the stack which is grossly
> incorrect as the stack may be purged once the function returns while
> box_process_rw expects the statement to be valid until the end of
> the transaction. By happy accident, it worked fine until commit
> 1f7b0d6577f4 ("Require for single statement not autocommit in case of
> ddl"), which made it possible to run this function from a transaction
> and hence increased the probability of hitting the use-after-free bug.
> The fix is trivial: allocate a truncation statement on the region.
> 
> Fixes commit 353bcdc5d010 ("Rework space truncation").
> 
> Closes #4093
> ---
> https://github.com/tarantool/tarantool/issues/4093
> https://github.com/tarantool/tarantool/commits/dv/fix-use-after-free-in-space-truncate
> 
>  src/box/box.cc | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

This one is pretty obvious. Pushed to master and resurrected the
box/transaction test case that triggered the use-after-free bug.

Since the bug was there for two years and we were just lucky not to step
on it, I also cherry-picked this commit to 2.1 and 1.10.
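As an added illustration of the bug class the quoted commit message describes (not code from Tarantool; `struct txn`, `txn_region_alloc` and `struct stmt` are simplified, constructed stand-ins for the real transaction, region and statement types):

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a transaction statement. */
struct stmt { int space_id; char op[16]; };

/* Constructed stand-in for a transaction with a bump-allocator region
 * whose lifetime is the lifetime of the transaction. */
struct txn {
    char region[64];
    size_t used;
    struct stmt *stmts[8];
    int nstmts;
};

static void txn_init(struct txn *txn) { memset(txn, 0, sizeof(*txn)); }

static void *txn_region_alloc(struct txn *txn, size_t size) {
    if (txn->used + size > sizeof(txn->region)) return NULL;
    void *p = txn->region + txn->used;
    txn->used += size;
    return p;
}

static void txn_add_stmt(struct txn *txn, struct stmt *s) {
    txn->stmts[txn->nstmts++] = s;
}

/* Buggy pattern: the statement lives in this function's stack frame, but the
 * transaction keeps the pointer after the frame is gone (use-after-free once
 * commit reads it). Shown for contrast only; never called here. */
static void truncate_buggy(struct txn *txn, int space_id) {
    struct stmt s = { space_id, "truncate" };
    txn_add_stmt(txn, &s); /* dangling as soon as we return */
}

/* Fixed pattern: the statement is allocated on the transaction's region,
 * so it stays valid until the transaction ends. Returns -1 if out of space. */
static int truncate_fixed(struct txn *txn, int space_id) {
    struct stmt *s = txn_region_alloc(txn, sizeof(*s));
    if (s == NULL) return -1;
    s->space_id = space_id;
    strcpy(s->op, "truncate");
    txn_add_stmt(txn, s);
    return 0;
}

/* Simulates commit: the statement recorded earlier must still be readable. */
static int demo_fixed_roundtrip(void) {
    struct txn txn; txn_init(&txn);
    return truncate_fixed(&txn, 512) == 0 ? txn.stmts[0]->space_id : -1;
}

/* Shows the region bounding the number of statements: 64 bytes / 20-byte stmt. */
static int demo_region_limit(void) {
    struct txn txn; txn_init(&txn); int n = 0;
    while (n < 8 && truncate_fixed(&txn, n) == 0) n++;
    return n;
}
```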
