[Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials

Tarantool development patches archive
 help / color / mirror / Atom feed

* [Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials
@ 2019-10-30 23:57 Vladislav Shpilevoy
  2019-10-31  7:35 ` Kirill Yukhin
  0 siblings, 1 reply; 2+ messages in thread
From: Vladislav Shpilevoy @ 2019-10-30 23:57 UTC (permalink / raw)
  To: tarantool-patches

Func_delete() called credentials_destroy() after
func->vtab->destroy(). But appeared, that vtab->destroy() is
actually delete, and it frees the func object. Now the func's
owner credentials are destroyed before the function is freed.

Closes #4597
Follow up #2763
---
Branch: https://github.com/tarantool/tarantool/tree/gerold103/gh-4597-credentials-follow-up
Issue: https://github.com/tarantool/tarantool/issues/4597

 src/box/func.c     | 3 ++-
 src/box/lua/call.c | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/box/func.c b/src/box/func.c
index c94ca4974..7ac92bc84 100644
--- a/src/box/func.c
+++ b/src/box/func.c
@@ -463,6 +463,7 @@ func_c_destroy(struct func *base)
 	assert(base != NULL && base->def->language == FUNC_LANGUAGE_C);
 	struct func_c *func = (struct func_c *) base;
 	func_c_unload(func);
+	TRASH(base);
 	free(func);
 }
 
@@ -548,8 +549,8 @@ void
 func_delete(struct func *func)
 {
 	struct func_def *def = func->def;
-	func->vtab->destroy(func);
 	credentials_destroy(&func->owner_credentials);
+	func->vtab->destroy(func);
 	free(def);
 }
 
diff --git a/src/box/lua/call.c b/src/box/lua/call.c
index 00322f6c8..f1bbde7f0 100644
--- a/src/box/lua/call.c
+++ b/src/box/lua/call.c
@@ -734,6 +734,7 @@ func_lua_destroy(struct func *func)
 {
 	assert(func != NULL && func->def->language == FUNC_LANGUAGE_LUA);
 	assert(func->vtab == &func_lua_vtab);
+	TRASH(func);
 	free(func);
 }
 
-- 
2.21.0 (Apple Git-122)

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials
  2019-10-30 23:57 [Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials Vladislav Shpilevoy
@ 2019-10-31  7:35 ` Kirill Yukhin
  0 siblings, 0 replies; 2+ messages in thread
From: Kirill Yukhin @ 2019-10-31  7:35 UTC (permalink / raw)
  To: Vladislav Shpilevoy; +Cc: tarantool-patches

Hello,

On 31 окт 00:57, Vladislav Shpilevoy wrote:
> Func_delete() called credentials_destroy() after
> func->vtab->destroy(). But appeared, that vtab->destroy() is
> actually delete, and it frees the func object. Now the func's
> owner credentials are destroyed before the function is freed.
> 
> Closes #4597
> Follow up #2763
> ---
> Branch: https://github.com/tarantool/tarantool/tree/gerold103/gh-4597-credentials-follow-up
> Issue: https://github.com/tarantool/tarantool/issues/4597

I've checked your patch into 1.10, 2.1, 2.2 and master.

--
Regards, Kirill Yukhin

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-10-31  7:35 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-30 23:57 [Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials Vladislav Shpilevoy
2019-10-31  7:35 ` Kirill Yukhin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox