* [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free @ 2019-11-29 21:39 Maria 2019-12-06 11:29 ` Maria Khaydich 0 siblings, 1 reply; 6+ messages in thread From: Maria @ 2019-11-29 21:39 UTC (permalink / raw) To: tarantool-patches, georgy Struct of type tuple_format is being passed as an argument to tuple_format_unref where it might be freed. On such occasion any further references to format fields should not take place. Closes #4658 --- Issue: https://github.com/tarantool/tarantool/issues/4658 Branch: https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free src/box/memtx_engine.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c index 23ccc4703..bdce4ac32 100644 --- a/src/box/memtx_engine.c +++ b/src/box/memtx_engine.c @@ -1177,13 +1177,13 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple) struct memtx_engine *memtx = (struct memtx_engine *)format->engine; say_debug("%s(%p)", __func__, tuple); assert(tuple->refs == 0); + bool is_temp = format->is_temporary; tuple_format_unref(format); struct memtx_tuple *memtx_tuple = container_of(tuple, struct memtx_tuple, base); size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base); if (memtx->alloc.free_mode != SMALL_DELAYED_FREE || - memtx_tuple->version == memtx->snapshot_version || - format->is_temporary) + memtx_tuple->version == memtx->snapshot_version || is_temp) smfree(&memtx->alloc, memtx_tuple, total); else smfree_delayed(&memtx->alloc, memtx_tuple, total); -- 2.20.1 (Apple Git-117) ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free 2019-11-29 21:39 [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free Maria @ 2019-12-06 11:29 ` Maria Khaydich 2020-01-14 17:30 ` Cyrill Gorcunov [not found] ` <20200113164548.GA2451@uranus> 0 siblings, 2 replies; 6+ messages in thread From: Maria Khaydich @ 2019-12-06 11:29 UTC (permalink / raw) To: Maria; +Cc: tarantool-patches [-- Attachment #1: Type: text/plain, Size: 3079 bytes --] Overlooked a better solution as @PersDep kindly suggested. Sending the fixed version. Subject: [PATCH] Memtx_tuple_delete used heap after free Struct of type tuple_format is being passed as an argument to tuple_format_unref where it might be freed. On such occasion any further references to format fields should not take place. Closes #4658 --- Issue: https://github.com/tarantool/tarantool/issues/4658 Branch: https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free src/box/memtx_engine.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c index 23ccc4703..4da80824a 100644 --- a/src/box/memtx_engine.c +++ b/src/box/memtx_engine.c @@ -1177,7 +1177,6 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple) struct memtx_engine *memtx = (struct memtx_engine *)format->engine; say_debug("%s(%p)", __func__, tuple); assert(tuple->refs == 0); - tuple_format_unref(format); struct memtx_tuple *memtx_tuple = container_of(tuple, struct memtx_tuple, base); size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base); @@ -1187,6 +1186,7 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple) smfree(&memtx->alloc, memtx_tuple, total); else smfree_delayed(&memtx->alloc, memtx_tuple, total); + tuple_format_unref(format); } void -- 2.20.1 (Apple Git-117) >Суббота, 30 ноября 2019, 0:39 +03:00 от Maria <maria.khaydich@tarantool.org>: > >Struct of type tuple_format is being passed as >an argument to tuple_format_unref where it might >be freed. On such occasion any further references >to format fields should not take place. > >Closes #4658 >--- >Issue: >https://github.com/tarantool/tarantool/issues/4658 >Branch: >https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free > > src/box/memtx_engine.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c >index 23ccc4703..bdce4ac32 100644 >--- a/src/box/memtx_engine.c >+++ b/src/box/memtx_engine.c >@@ -1177,13 +1177,13 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple) > struct memtx_engine *memtx = (struct memtx_engine *)format->engine; > say_debug("%s(%p)", __func__, tuple); > assert(tuple->refs == 0); >+ bool is_temp = format->is_temporary; > tuple_format_unref(format); > struct memtx_tuple *memtx_tuple = > container_of(tuple, struct memtx_tuple, base); > size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base); > if (memtx->alloc.free_mode != SMALL_DELAYED_FREE || >- memtx_tuple->version == memtx->snapshot_version || >- format->is_temporary) >+ memtx_tuple->version == memtx->snapshot_version || is_temp) > smfree(&memtx->alloc, memtx_tuple, total); > else > smfree_delayed(&memtx->alloc, memtx_tuple, total); >-- >2.20.1 (Apple Git-117) > -- Maria Khaydich [-- Attachment #2: Type: text/html, Size: 4777 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free 2019-12-06 11:29 ` Maria Khaydich @ 2020-01-14 17:30 ` Cyrill Gorcunov 2020-01-14 20:24 ` Nikita Pettik [not found] ` <20200113164548.GA2451@uranus> 1 sibling, 1 reply; 6+ messages in thread From: Cyrill Gorcunov @ 2020-01-14 17:30 UTC (permalink / raw) To: tarantool-patches On Fri, Dec 06, 2019 at 02:29:25PM +0300, Maria Khaydich wrote: > Overlooked a better solution as @PersDep kindly suggested. Sending the > fixed version. > > Subject: [PATCH] Memtx_tuple_delete used heap after free > Struct of type tuple_format is being passed as > an argument to tuple_format_unref where it might > be freed. On such occasion any further references > to format fields should not take place. > > Closes #4658 > --- > Issue: > https://github.com/tarantool/tarantool/issues/4658 > Branch: > https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free Acked-by: Cyrill Gorcunov <gorcunov@gmail.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free 2020-01-14 17:30 ` Cyrill Gorcunov @ 2020-01-14 20:24 ` Nikita Pettik 2020-01-14 21:21 ` Cyrill Gorcunov 0 siblings, 1 reply; 6+ messages in thread From: Nikita Pettik @ 2020-01-14 20:24 UTC (permalink / raw) To: Cyrill Gorcunov; +Cc: tarantool-patches On 14 Jan 20:30, Cyrill Gorcunov wrote: > On Fri, Dec 06, 2019 at 02:29:25PM +0300, Maria Khaydich wrote: > > Overlooked a better solution as @PersDep kindly suggested. Sending the > > fixed version. > > > > Subject: [PATCH] Memtx_tuple_delete used heap after free > > Struct of type tuple_format is being passed as > > an argument to tuple_format_unref where it might > > be freed. On such occasion any further references > > to format fields should not take place. > > > > Closes #4658 > > --- > > Issue: > > https://github.com/tarantool/tarantool/issues/4658 > > Branch: > > https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free > Acked-by: Cyrill Gorcunov <gorcunov@gmail.com> Changed commit message to "Fix use-after-free in memtx_tuple_delete()" and pushed to master. Thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free 2020-01-14 20:24 ` Nikita Pettik @ 2020-01-14 21:21 ` Cyrill Gorcunov 0 siblings, 0 replies; 6+ messages in thread From: Cyrill Gorcunov @ 2020-01-14 21:21 UTC (permalink / raw) To: Nikita Pettik; +Cc: tarantool-patches On Tue, Jan 14, 2020 at 11:24:55PM +0300, Nikita Pettik wrote: > > > --- > > > Issue: > > > https://github.com/tarantool/tarantool/issues/4658 > > > Branch: > > > https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free > > Acked-by: Cyrill Gorcunov <gorcunov@gmail.com> > > Changed commit message to "Fix use-after-free in memtx_tuple_delete()" > and pushed to master. Thanks. Thanks! And don;t forget to prune the branch once it merged/cherry-picked. ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <20200113164548.GA2451@uranus>]
* Re: [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free [not found] ` <20200113164548.GA2451@uranus> @ 2020-01-14 22:14 ` Alexander Turenko 0 siblings, 0 replies; 6+ messages in thread From: Alexander Turenko @ 2020-01-14 22:14 UTC (permalink / raw) To: Cyrill Gorcunov; +Cc: tarantool-patches On Mon, Jan 13, 2020 at 07:45:48PM +0300, Cyrill Gorcunov wrote: > On Fri, Dec 06, 2019 at 02:29:25PM +0300, Maria Khaydich wrote: > > Overlooked a better solution as @PersDep kindly suggested. Sending the > > fixed version. > > > > Subject: [PATCH] Memtx_tuple_delete used heap after free > > Struct of type tuple_format is being passed as > > an argument to tuple_format_unref where it might > > be freed. On such occasion any further references > > to format fields should not take place. > > > > Closes #4658 > > --- > > Issue: > > https://github.com/tarantool/tarantool/issues/4658 > > Branch: > > https://github.com/tarantool/tarantool/compare/eljashm/gh-4658-heap-use-after-free > > > > src/box/memtx_engine.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c > > index 23ccc4703..4da80824a 100644 > > --- a/src/box/memtx_engine.c > > +++ b/src/box/memtx_engine.c > > @@ -1177,7 +1177,6 @@ memtx_tuple_delete(struct tuple_format *format, > > struct tuple *tuple) > > struct memtx_engine *memtx = (struct memtx_engine *)format->engine; > > say_debug("%s(%p)", __func__, tuple); > > assert(tuple->refs == 0); > > - tuple_format_unref(format); > > struct memtx_tuple *memtx_tuple = > > container_of(tuple, struct memtx_tuple, base); > > size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, > > base); > > @@ -1187,6 +1186,7 @@ memtx_tuple_delete(struct tuple_format *format, > > struct tuple *tuple) > > smfree(&memtx->alloc, memtx_tuple, total); > > else > > smfree_delayed(&memtx->alloc, memtx_tuple, total); > > + tuple_format_unref(format); > > } > > So we basically defer unref. > Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com> LGTM too (it was already pushed to the master, but I looked anyway). > > FWIW the use after free introduced by the commit f9299c43d4fcc918a98c45563a5f96bb13863337 Added to the issue just in case. WBR, Alexander Turenko. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-01-14 22:13 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-29 21:39 [Tarantool-patches] [PATCH] Memtx_tuple_delete used heap after free Maria
2019-12-06 11:29 ` Maria Khaydich
2020-01-14 17:30 ` Cyrill Gorcunov
2020-01-14 20:24 ` Nikita Pettik
2020-01-14 21:21 ` Cyrill Gorcunov
[not found] ` <20200113164548.GA2451@uranus>
2020-01-14 22:14 ` Alexander Turenko
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox