[Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Maria]

Struct of type tuple_format is being passed as
an argument to tuple_format_unref where it might
be freed. On such occasion any further references
to format fields should not take place.

Closes #4658
---
Issue:
https://github.com/tarantool/tarantool/issues/4658
Branch:
https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free

 src/box/memtx_engine.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c
index 23ccc4703..bdce4ac32 100644
--- a/src/box/memtx_engine.c
+++ b/src/box/memtx_engine.c
@@ -1177,13 +1177,13 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
 	struct memtx_engine *memtx = (struct memtx_engine *)format->engine;
 	say_debug("%s(%p)", __func__, tuple);
 	assert(tuple->refs == 0);
+	bool is_temp = format->is_temporary;
 	tuple_format_unref(format);
 	struct memtx_tuple *memtx_tuple =
 		container_of(tuple, struct memtx_tuple, base);
 	size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);
 	if (memtx->alloc.free_mode != SMALL_DELAYED_FREE ||
-	    memtx_tuple->version == memtx->snapshot_version ||
-	    format->is_temporary)
+	    memtx_tuple->version == memtx->snapshot_version || is_temp)
 		smfree(&memtx->alloc, memtx_tuple, total);
 	else
 		smfree_delayed(&memtx->alloc, memtx_tuple, total);
-- 
2.20.1 (Apple Git-117)

Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Maria Khaydich]

[-- Attachment #1: Type: text/plain, Size: 3079 bytes --]


Overlooked a better solution as @PersDep kindly suggested. Sending the fixed version. 
 
Subject: [PATCH] Memtx_tuple_delete used heap after free
Struct of type tuple_format is being passed as
an argument to tuple_format_unref where it might
be freed. On such occasion any further references
to format fields should not take place.
 
Closes #4658
---
Issue:
https://github.com/tarantool/tarantool/issues/4658
Branch:
https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free
 
 src/box/memtx_engine.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 
diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c
index 23ccc4703..4da80824a 100644
--- a/src/box/memtx_engine.c
+++ b/src/box/memtx_engine.c
@@ -1177,7 +1177,6 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
     struct memtx_engine *memtx = (struct memtx_engine *)format->engine;
     say_debug("%s(%p)", __func__, tuple);
     assert(tuple->refs == 0);
-    tuple_format_unref(format);
     struct memtx_tuple *memtx_tuple =
         container_of(tuple, struct memtx_tuple, base);
     size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);
@@ -1187,6 +1186,7 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
         smfree(&memtx->alloc, memtx_tuple, total);
     else
         smfree_delayed(&memtx->alloc, memtx_tuple, total);
+    tuple_format_unref(format);
 }
 
 void
-- 
2.20.1 (Apple Git-117)
  
>Суббота, 30 ноября 2019, 0:39 +03:00 от Maria <maria.khaydich@tarantool.org>:
> 
>Struct of type tuple_format is being passed as
>an argument to tuple_format_unref where it might
>be freed. On such occasion any further references
>to format fields should not take place.
>
>Closes #4658
>---
>Issue:
>https://github.com/tarantool/tarantool/issues/4658
>Branch:
>https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free
>
> src/box/memtx_engine.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c
>index 23ccc4703..bdce4ac32 100644
>--- a/src/box/memtx_engine.c
>+++ b/src/box/memtx_engine.c
>@@ -1177,13 +1177,13 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
>  struct memtx_engine *memtx = (struct memtx_engine *)format->engine;
>  say_debug("%s(%p)", __func__, tuple);
>  assert(tuple->refs == 0);
>+ bool is_temp = format->is_temporary;
>  tuple_format_unref(format);
>  struct memtx_tuple *memtx_tuple =
>  container_of(tuple, struct memtx_tuple, base);
>  size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);
>  if (memtx->alloc.free_mode != SMALL_DELAYED_FREE ||
>- memtx_tuple->version == memtx->snapshot_version ||
>- format->is_temporary)
>+ memtx_tuple->version == memtx->snapshot_version || is_temp)
>  smfree(&memtx->alloc, memtx_tuple, total);
>  else
>  smfree_delayed(&memtx->alloc, memtx_tuple, total);
>--
>2.20.1 (Apple Git-117)
>  
 
 
--
Maria Khaydich
 

[-- Attachment #2: Type: text/html, Size: 4777 bytes --]

Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Cyrill Gorcunov]

On Fri, Dec 06, 2019 at 02:29:25PM +0300, Maria Khaydich wrote:
>    Overlooked a better solution as @PersDep kindly suggested. Sending the
>    fixed version. 
>     
>    Subject: [PATCH] Memtx_tuple_delete used heap after free
>    Struct of type tuple_format is being passed as
>    an argument to tuple_format_unref where it might
>    be freed. On such occasion any further references
>    to format fields should not take place.
>     
>    Closes #4658
>    ---
>    Issue:
>    https://github.com/tarantool/tarantool/issues/4658
>    Branch:
>    https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free
Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>

Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Nikita Pettik]

On 14 Jan 20:30, Cyrill Gorcunov wrote:
> On Fri, Dec 06, 2019 at 02:29:25PM +0300, Maria Khaydich wrote:
> >    Overlooked a better solution as @PersDep kindly suggested. Sending the
> >    fixed version. 
> >     
> >    Subject: [PATCH] Memtx_tuple_delete used heap after free
> >    Struct of type tuple_format is being passed as
> >    an argument to tuple_format_unref where it might
> >    be freed. On such occasion any further references
> >    to format fields should not take place.
> >     
> >    Closes #4658
> >    ---
> >    Issue:
> >    https://github.com/tarantool/tarantool/issues/4658
> >    Branch:
> >    https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free
> Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>

Changed commit message to "Fix use-after-free in memtx_tuple_delete()"
and pushed to master. Thanks.

Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Cyrill Gorcunov]

On Tue, Jan 14, 2020 at 11:24:55PM +0300, Nikita Pettik wrote:
> > >    ---
> > >    Issue:
> > >    https://github.com/tarantool/tarantool/issues/4658
> > >    Branch:
> > >    https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free
> > Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>
> 
> Changed commit message to "Fix use-after-free in memtx_tuple_delete()"
> and pushed to master. Thanks.

Thanks! And don;t forget to prune the branch once it merged/cherry-picked.

Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free

[Alexander Turenko]

On Mon, Jan 13, 2020 at 07:45:48PM +0300, Cyrill Gorcunov wrote:
> On Fri, Dec 06, 2019 at 02:29:25PM +0300, Maria Khaydich wrote:
> >    Overlooked a better solution as @PersDep kindly suggested. Sending the
> >    fixed version. 
> >     
> >    Subject: [PATCH] Memtx_tuple_delete used heap after free
> >    Struct of type tuple_format is being passed as
> >    an argument to tuple_format_unref where it might
> >    be freed. On such occasion any further references
> >    to format fields should not take place.
> >     
> >    Closes #4658
> >    ---
> >    Issue:
> >    https://github.com/tarantool/tarantool/issues/4658
> >    Branch:
> >    https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free
> >     
> >     src/box/memtx_engine.c | 2 +-
> >     1 file changed, 1 insertion(+), 1 deletion(-)
> >     
> >    diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c
> >    index 23ccc4703..4da80824a 100644
> >    --- a/src/box/memtx_engine.c
> >    +++ b/src/box/memtx_engine.c
> >    @@ -1177,7 +1177,6 @@ memtx_tuple_delete(struct tuple_format *format,
> >    struct tuple *tuple)
> >         struct memtx_engine *memtx = (struct memtx_engine *)format->engine;
> >         say_debug("%s(%p)", __func__, tuple);
> >         assert(tuple->refs == 0);
> >    -    tuple_format_unref(format);
> >         struct memtx_tuple *memtx_tuple =
> >             container_of(tuple, struct memtx_tuple, base);
> >         size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple,
> >    base);
> >    @@ -1187,6 +1186,7 @@ memtx_tuple_delete(struct tuple_format *format,
> >    struct tuple *tuple)
> >             smfree(&memtx->alloc, memtx_tuple, total);
> >         else
> >             smfree_delayed(&memtx->alloc, memtx_tuple, total);
> >    +    tuple_format_unref(format);
> >     }
> 
> So we basically defer unref.
> Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>

LGTM too (it was already pushed to the master, but I looked anyway).

> 
> FWIW the use after free introduced by the commit f9299c43d4fcc918a98c45563a5f96bb13863337

Added to the issue just in case.

WBR, Alexander Turenko.