<HTML><BODY><div>
<div>Overlooked a better solution as @PersDep kindly suggested. Sending the fixed version. </div>


<div>
<div>Subject: [PATCH] Memtx_tuple_delete used heap after free</div>

<div>Struct of type tuple_format is being passed as<br>
an argument to tuple_format_unref where it might<br>
be freed. On such occasion any further references<br>
to format fields should not take place.</div>


<div>Closes #4658<br>
---<br>
Issue:<br>
<a href="https://github.com/tarantool/tarantool/issues/4658">https://github.com/tarantool/tarantool/issues/4658</a><br>
Branch:<br>
<a href="https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free">https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free</a></div>


<div> src/box/memtx_engine.c | 2 +-<br>
 1 file changed, 1 insertion(+), 1 deletion(-)</div>


<div>diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c<br>
index 23ccc4703..4da80824a 100644<br>
--- a/src/box/memtx_engine.c<br>
+++ b/src/box/memtx_engine.c<br>
@@ -1177,7 +1177,6 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)<br>
     struct memtx_engine *memtx = (struct memtx_engine *)format->engine;<br>
     say_debug("%s(%p)", __func__, tuple);<br>
     assert(tuple->refs == 0);<br>
-    tuple_format_unref(format);<br>
     struct memtx_tuple *memtx_tuple =<br>
         container_of(tuple, struct memtx_tuple, base);<br>
     size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);<br>
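Review bot: removing `tuple_format_unref(format)` from this spot is the right move, since that call may free `format` while the free-mode condition further down still reads a format field (`format->is_temporary`, visible in the v1 version of this change quoted below); `memtx` is taken from `format->engine` before the call and does not point into the format itself, so it is unaffected. The commit message says further references "should not take place" but not that the unref is moved to the end of the function rather than dropped; saying so would make the intent of this hunk clear on its own.<br>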
@@ -1187,6 +1186,7 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)<br>
         smfree(&memtx->alloc, memtx_tuple, total);<br>
     else<br>
         smfree_delayed(&memtx->alloc, memtx_tuple, total);<br>
+    tuple_format_unref(format);<br>
 }<br>
 <br>
 void<br>
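Review bot: re-adding the unref after both `smfree` and `smfree_delayed` makes it the last use of `format` in the function, which is what closes the use-after-free, but nothing in the code marks that ordering as load-bearing. A one-line comment above the call, e.g. `/* Must stay last: unref may free format. */`, would stop a later edit from hoisting it back up, and a regression test that deletes a tuple of a temporary format under AddressSanitizer would pin the fix (the commit message lists no test).<br>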
-- <br>
2.20.1 (Apple Git-117)</div>

</div>

<blockquote style="border-left:1px solid #0857A6; margin:10px; padding:0 0 0 10px;">Saturday, 30 November 2019, 0:39 +03:00 from Maria <maria.khaydich@tarantool.org>:<br>
 
<div id="">
<div class="js-helper js-readmsg-msg">
<div>
<div id="style_15750635511898594845_BODY">Struct of type tuple_format is being passed as<br>
an argument to tuple_format_unref where it might<br>
be freed. On such occasion any further references<br>
to format fields should not take place.<br>
<br>
Closes #4658<br>
---<br>
Issue:<br>
<a href="https://github.com/tarantool/tarantool/issues/4658" target="_blank">https://github.com/tarantool/tarantool/issues/4658</a><br>
Branch:<br>
<a href="https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free" target="_blank">https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free</a><br>
<br>
 src/box/memtx_engine.c | 4 ++--<br>
 1 file changed, 2 insertions(+), 2 deletions(-)<br>
<br>
diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c<br>
index 23ccc4703..bdce4ac32 100644<br>
--- a/src/box/memtx_engine.c<br>
+++ b/src/box/memtx_engine.c<br>
@@ -1177,13 +1177,13 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)<br>
  struct memtx_engine *memtx = (struct memtx_engine *)format->engine;<br>
  say_debug("%s(%p)", __func__, tuple);<br>
  assert(tuple->refs == 0);<br>
+ bool is_temp = format->is_temporary;<br>
  tuple_format_unref(format);<br>
  struct memtx_tuple *memtx_tuple =<br>
  container_of(tuple, struct memtx_tuple, base);<br>
  size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);<br>
  if (memtx->alloc.free_mode != SMALL_DELAYED_FREE ||<br>
- memtx_tuple->version == memtx->snapshot_version ||<br>
- format->is_temporary)<br>
+ memtx_tuple->version == memtx->snapshot_version || is_temp)<br>
  smfree(&memtx->alloc, memtx_tuple, total);<br>
  else<br>
  smfree_delayed(&memtx->alloc, memtx_tuple, total);<br>
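Review bot: caching `format->is_temporary` into `is_temp` before `tuple_format_unref` fixes the one read that follows the free, but it leaves `format` in scope after a call that may free it, so any future read of a format field below that line would regress silently; deferring the unref until after the `smfree`/`smfree_delayed` call removes the hazard without an extra local. The replacement also joins `memtx_tuple->version == memtx->snapshot_version || is_temp` onto one line, so the hunk reformats an otherwise unchanged comparison.<br>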
--<br>
2.20.1 (Apple Git-117)<br>
 </div>
</div>
</div>
</div>
</blockquote>
 


<div data-signature-widget="container">
<div data-signature-widget="content">
<div>--<br>
Maria Khaydich</div>
</div>
</div>

</div>
</BODY></HTML>