From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id A1A2F6EC5B; Thu, 13 May 2021 13:36:32 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org A1A2F6EC5B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1620902192; bh=qvtRSK+jOZkXOnXLav5sZiM7ng5UZMOOCr+jw4S1TW0=; h=To:Cc:References:Date:In-Reply-To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=hF+MWt0sceKEpRl9dy4Au1gXOkN9LBPqocXs2Gt9oeiG6J/41uebXw/AFCte7yrhf 9b2W72h5SRG/4hapaoUlV0r4cR2AWqy6ZY91H03mSo4QnCZ0dM83ZPODR2svgL0OIk JbRjiB8wbD90kHzXTg4RJUaVPfD5le5Wfr0/Ukn0= Received: from smtp43.i.mail.ru (smtp43.i.mail.ru [94.100.177.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 8121B6EC5B for ; Thu, 13 May 2021 13:36:29 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 8121B6EC5B Received: by smtp43.i.mail.ru with esmtpa (envelope-from ) id 1lh8hg-0003zm-V1; Thu, 13 May 2021 13:36:29 +0300 To: Cyrill Gorcunov Cc: v.shpilevoy@tarantool.org, tarantool-patches@dev.tarantool.org References: <20210512113907.12968-1-sergepetrenko@tarantool.org> Message-ID: <315ea728-412a-e4c9-a10a-662ca9058e15@tarantool.org> Date: Thu, 13 May 2021 13:36:28 +0300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-GB X-7564579A: B8F34718100C35BD X-77F55803: 4F1203BC0FB41BD95978C26455E69BE0BB6090B4F8997C21AA3492AFA30115D5182A05F538085040D600ECABAB613FFF891316FB68FE89575CA4DE6033B1716765A8C6A459EFCA06 X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE74B51810D54EC17F0C2099A533E45F2D0395957E7521B51C2CFCAF695D4D8E9FCEA1F7E6F0F101C6778DA827A17800CE742D9BD90C58D50E0EA1F7E6F0F101C6723150C8DA25C47586E58E00D9D99D84E1BDDB23E98D2D38BD6CF32B5F8F9D4044879F7002377940A3EEEF6E18D8FD267CC7F00164DA146DAFE8445B8C89999728AA50765F7900637A359038F01FFAF82389733CBF5DBD5E9C8A9BA7A39EFB766F5D81C698A659EA7CC7F00164DA146DA9985D098DBDEAEC813BDA61BF53F5E1DF6B57BC7E6449061A352F6E88A58FB86F5D81C698A659EA73AA81AA40904B5D9A18204E546F3947CA6C7FFFE744CA7FBBA3038C0950A5D36C8A9BA7A39EFB766EC990983EF5C0329BA3038C0950A5D36D5E8D9A59859A8B6B4CA5BC574AE29103AA81AA40904B5D9DBF02ECDB25306B2201CA6A4E26CD07C3BBE47FD9DD3FB595F5C1EE8F4F765FC72CEEB2601E22B093A03B725D353964B0B7D0EA88DDEDAC722CA9DD8327EE4930A3850AC1BE2E735F1C9CF18C8EB2269C4224003CC83647689D4C264860C145E X-C1DE0DAB: 0D63561A33F958A5A9CBFB090FC5533FEF67DF8451EFC408B7A6212567CDB206D59269BC5F550898D99A6476B3ADF6B47008B74DF8BB9EF7333BD3B22AA88B938A852937E12ACA75F04B387B5D7535DE410CA545F18667F91A7EA1CDA0B5A7A0 X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D3475FE4AA98865E235C71A7F7C363D4FE4D0CB957796C2B3D5FA3E42D3B0A78448F6082CFA14F261DA1D7E09C32AA3244CF7CF65387398DF06614654624972C97633C9DC155518937FFACE5A9C96DEB163 X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojoybArHp+PQWf+CTQYUzGOg== X-Mailru-Sender: 583F1D7ACE8F49BD95918038521BA2AA4BB7DE5FE86C3994A959F03C2D0C1F60D5B96AA8844F609A424AE0EB1F3D1D21E2978F233C3FAE6EE63DB1732555E4A8EE80603BA4A5B0BC112434F685709FCF0DA7A0AF5A3A8387 X-Mras: Ok Subject: Re: [Tarantool-patches] [PATCH] relay: fix use after free in subscribe_f X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Serge Petrenko via Tarantool-patches Reply-To: Serge Petrenko Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" 12.05.2021 14:48, Cyrill Gorcunov пишет: > On Wed, May 12, 2021 at 02:39:07PM +0300, Serge Petrenko wrote: >> relay_subscribe_f() remembered old recovery pointer, which might be >> replaced by relay_restart_recovery() if a raft message is delivered during >> cbus_process() loop in relay_send_is_raft_enabled(). >> >> Fix the issue by moving variable initialization below >> relay_send_is_raft_enabled() >> >> Closes #6031 >> --- >> https://github.com/tarantool/tarantool/issues/6031 >> https://github.com/tarantool/tarantool/tree/sp/gh-6031-use-after-free >> >> src/box/relay.cc | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/src/box/relay.cc b/src/box/relay.cc >> index ff43c2fc7..32d3a58dd 100644 >> --- a/src/box/relay.cc >> +++ b/src/box/relay.cc >> @@ -741,7 +741,6 @@ static int >> relay_subscribe_f(va_list ap) >> { >> struct relay *relay = va_arg(ap, struct relay *); >> - struct recovery *r = relay->r; >> >> coio_enable(); >> relay_set_cord_name(relay->io.fd); >> @@ -756,6 +755,8 @@ relay_subscribe_f(va_list ap) >> if (!relay->replica->anon) >> relay_send_is_raft_enabled(relay, &raft_enabler, true); >> >> + struct recovery *r = relay->r; > Could you please add a comment why it is important to fetch `relay->r` > at exactly this stage. Something like > > /* > * Fetching relay->r should be done after > * cbus processing since the pointer may > * be updated undeneath. > */ > struct recovery *r = relay->r; > > Or something like this. Because commits messages are good but we > read the code in first place and this very nontrivial moment. Hi! Thanks for the review. Vlad suggested to inline relay->r. It has only 2 usage places after all. I agree this was nontrivial. It's better with the inline, I think. -- Serge Petrenko