From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounces@dev.tarantool.org>
Received: from [87.239.111.99] (localhost [127.0.0.1])
	by dev.tarantool.org (Postfix) with ESMTP id 93D4A6EC5B;
	Wed, 12 May 2021 14:39:20 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 93D4A6EC5B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev;
	t=1620819560; bh=KYMz596pUblI0AmJlX9UKuoPxTNJ6mxdu84xa3Y1axQ=;
	h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:Cc:From;
	b=yt2xqfeFHHPILGNOK9AOUqAcCNeUZf+ZoQZk7wgmUFoaauNuGcuEQ9LRKhnyMpB5d
	 sPkCy5wtC/76kD0isk2FzKDZYCpsF7UQsyX8BEhvPneUoVk4MzmOjPGY889lm8WUsp
	 o1xEyxl0tRHXf8hxjLpB/9JMYb7EaHtOEXX8gmaM=
Received: from smtp32.i.mail.ru (smtp32.i.mail.ru [94.100.177.92])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id D7C766EC5B
 for <tarantool-patches@dev.tarantool.org>;
 Wed, 12 May 2021 14:39:19 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org D7C766EC5B
Received: by smtp32.i.mail.ru with esmtpa (envelope-from
 <sergepetrenko@tarantool.org>)
 id 1lgnCx-0007LD-2o; Wed, 12 May 2021 14:39:19 +0300
To: v.shpilevoy@tarantool.org,
	gorcunov@gmail.com
Date: Wed, 12 May 2021 14:39:07 +0300
Message-Id: <20210512113907.12968-1-sergepetrenko@tarantool.org>
X-Mailer: git-send-email 2.30.1 (Apple Git-130)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-7564579A: 646B95376F6C166E
X-77F55803: 4F1203BC0FB41BD95978C26455E69BE0ABDB394FB841241C41AA4B146174B5D1182A05F5380850406A5A7E2A07A7C64ED787844284E182EB878612B2B2ED6F27892264F5D2FB985D
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7195F30236A8D43B4EA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F790063745476ED688D943148638F802B75D45FF914D58D5BE9E6BC1A93B80C6DEB9DEE97C6FB206A91F05B2054AD9A288EE639C11EBD08704398C301DC1F2ED7A42611AD2E47CDBA5A96583C09775C1D3CA48CF87AC71952E7BCFF3CC7F00164DA146DAFE8445B8C89999729449624AB7ADAF37F6B57BC7E64490611E7FA7ABCAF51C92176DF2183F8FC7C0ADE7667AABD2F12D8941B15DA834481F9449624AB7ADAF372E808ACE2090B5E14AD6D5ED66289B5259CC434672EE63711DD303D21008E298D5E8D9A59859A8B6B372FE9A2E580EFC725E5C173C3A84C361DD96311B40C2D435872C767BF85DA2F004C90652538430E4A6367B16DE6309
X-B7AD71C0: AC4F5C86D027EB782CDD5689AFBDA7A2AD77751E876CB595E8F7B195E1C978319DA1CCF7994F9F8367D7C3C64BB55547
X-C1DE0DAB: C20DE7B7AB408E4181F030C43753B8186998911F362727C4C7A0BC55FA0FE5FC24EF86F98F4ADDDAC28EBF209B72AF9FA8B16E6F6D51B5EEB1881A6453793CE9C32612AADDFBE06152723239A1F374049510FB958DCE06DB6ED91DBE5ABE359A3485EE9140A7D39D1B2EFE7B39F7738393EDB24507CE13387DFF0A840B692CF8
X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D34AB80C45F81B80D636A67C053AEE22D540F0BD6921FA24AF7E93D8550C93ADF1C707527D0F861CB1A1D7E09C32AA3244C195817D98DBB183D235709245DAEA976C3B3ADDA61883BB5927AC6DF5659F194
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojo6y/qPNd2uyJNhjrs3MTbw==
X-Mailru-Sender: 3B9A0136629DC9125D61937A2360A446E8AA2E7CD49B6F665322AD54E5CE8F73C255BFBEEFE9B2B4424AE0EB1F3D1D21E2978F233C3FAE6EE63DB1732555E4A8EE80603BA4A5B0BC112434F685709FCF0DA7A0AF5A3A8387
X-Mras: Ok
Subject: [Tarantool-patches] [PATCH] relay: fix use after free in subscribe_f
X-BeenThere: tarantool-patches@dev.tarantool.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
From: Serge Petrenko via Tarantool-patches
 <tarantool-patches@dev.tarantool.org>
Reply-To: Serge Petrenko <sergepetrenko@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Errors-To: tarantool-patches-bounces@dev.tarantool.org
Sender: "Tarantool-patches" <tarantool-patches-bounces@dev.tarantool.org>

relay_subscribe_f() remembered old recovery pointer, which might be
replaced by relay_restart_recovery() if a raft message is delivered during
cbus_process() loop in relay_send_is_raft_enabled().

Fix the issue by moving variable initialization below
relay_send_is_raft_enabled()

Closes #6031
---
https://github.com/tarantool/tarantool/issues/6031
https://github.com/tarantool/tarantool/tree/sp/gh-6031-use-after-free

 src/box/relay.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/box/relay.cc b/src/box/relay.cc
index ff43c2fc7..32d3a58dd 100644
--- a/src/box/relay.cc
+++ b/src/box/relay.cc
@@ -741,7 +741,6 @@ static int
 relay_subscribe_f(va_list ap)
 {
 	struct relay *relay = va_arg(ap, struct relay *);
-	struct recovery *r = relay->r;
 
 	coio_enable();
 	relay_set_cord_name(relay->io.fd);
@@ -756,6 +755,8 @@ relay_subscribe_f(va_list ap)
 	if (!relay->replica->anon)
 		relay_send_is_raft_enabled(relay, &raft_enabler, true);
 
+	struct recovery *r = relay->r;
+
 	/*
 	 * Setup garbage collection trigger.
 	 * Not needed for anonymous replicas, since they
-- 
2.30.1 (Apple Git-130)