From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounces@dev.tarantool.org>
Received: from [87.239.111.99] (localhost [127.0.0.1])
	by dev.tarantool.org (Postfix) with ESMTP id A1A2F6EC5B;
	Thu, 13 May 2021 13:36:32 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org A1A2F6EC5B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev;
	t=1620902192; bh=qvtRSK+jOZkXOnXLav5sZiM7ng5UZMOOCr+jw4S1TW0=;
	h=To:Cc:References:Date:In-Reply-To:Subject:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To:From;
	b=hF+MWt0sceKEpRl9dy4Au1gXOkN9LBPqocXs2Gt9oeiG6J/41uebXw/AFCte7yrhf
	 9b2W72h5SRG/4hapaoUlV0r4cR2AWqy6ZY91H03mSo4QnCZ0dM83ZPODR2svgL0OIk
	 JbRjiB8wbD90kHzXTg4RJUaVPfD5le5Wfr0/Ukn0=
Received: from smtp43.i.mail.ru (smtp43.i.mail.ru [94.100.177.103])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id 8121B6EC5B
 for <tarantool-patches@dev.tarantool.org>;
 Thu, 13 May 2021 13:36:29 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 8121B6EC5B
Received: by smtp43.i.mail.ru with esmtpa (envelope-from
 <sergepetrenko@tarantool.org>)
 id 1lh8hg-0003zm-V1; Thu, 13 May 2021 13:36:29 +0300
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: v.shpilevoy@tarantool.org, tarantool-patches@dev.tarantool.org
References: <20210512113907.12968-1-sergepetrenko@tarantool.org>
 <YJvAlgNUNrXpmese@grain>
Message-ID: <315ea728-412a-e4c9-a10a-662ca9058e15@tarantool.org>
Date: Thu, 13 May 2021 13:36:28 +0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
 Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <YJvAlgNUNrXpmese@grain>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
X-7564579A: B8F34718100C35BD
X-77F55803: 4F1203BC0FB41BD95978C26455E69BE0BB6090B4F8997C21AA3492AFA30115D5182A05F538085040D600ECABAB613FFF891316FB68FE89575CA4DE6033B1716765A8C6A459EFCA06
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE74B51810D54EC17F0C2099A533E45F2D0395957E7521B51C2CFCAF695D4D8E9FCEA1F7E6F0F101C6778DA827A17800CE742D9BD90C58D50E0EA1F7E6F0F101C6723150C8DA25C47586E58E00D9D99D84E1BDDB23E98D2D38BD6CF32B5F8F9D4044879F7002377940A3EEEF6E18D8FD267CC7F00164DA146DAFE8445B8C89999728AA50765F7900637A359038F01FFAF82389733CBF5DBD5E9C8A9BA7A39EFB766F5D81C698A659EA7CC7F00164DA146DA9985D098DBDEAEC813BDA61BF53F5E1DF6B57BC7E6449061A352F6E88A58FB86F5D81C698A659EA73AA81AA40904B5D9A18204E546F3947CA6C7FFFE744CA7FBBA3038C0950A5D36C8A9BA7A39EFB766EC990983EF5C0329BA3038C0950A5D36D5E8D9A59859A8B6B4CA5BC574AE29103AA81AA40904B5D9DBF02ECDB25306B2201CA6A4E26CD07C3BBE47FD9DD3FB595F5C1EE8F4F765FC72CEEB2601E22B093A03B725D353964B0B7D0EA88DDEDAC722CA9DD8327EE4930A3850AC1BE2E735F1C9CF18C8EB2269C4224003CC83647689D4C264860C145E
X-C1DE0DAB: 0D63561A33F958A5A9CBFB090FC5533FEF67DF8451EFC408B7A6212567CDB206D59269BC5F550898D99A6476B3ADF6B47008B74DF8BB9EF7333BD3B22AA88B938A852937E12ACA75F04B387B5D7535DE410CA545F18667F91A7EA1CDA0B5A7A0
X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D3475FE4AA98865E235C71A7F7C363D4FE4D0CB957796C2B3D5FA3E42D3B0A78448F6082CFA14F261DA1D7E09C32AA3244CF7CF65387398DF06614654624972C97633C9DC155518937FFACE5A9C96DEB163
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojoybArHp+PQWf+CTQYUzGOg==
X-Mailru-Sender: 583F1D7ACE8F49BD95918038521BA2AA4BB7DE5FE86C3994A959F03C2D0C1F60D5B96AA8844F609A424AE0EB1F3D1D21E2978F233C3FAE6EE63DB1732555E4A8EE80603BA4A5B0BC112434F685709FCF0DA7A0AF5A3A8387
X-Mras: Ok
Subject: Re: [Tarantool-patches] [PATCH] relay: fix use after free in
 subscribe_f
X-BeenThere: tarantool-patches@dev.tarantool.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
From: Serge Petrenko via Tarantool-patches
 <tarantool-patches@dev.tarantool.org>
Reply-To: Serge Petrenko <sergepetrenko@tarantool.org>
Errors-To: tarantool-patches-bounces@dev.tarantool.org
Sender: "Tarantool-patches" <tarantool-patches-bounces@dev.tarantool.org>



12.05.2021 14:48, Cyrill Gorcunov пишет:
> On Wed, May 12, 2021 at 02:39:07PM +0300, Serge Petrenko wrote:
>> relay_subscribe_f() remembered old recovery pointer, which might be
>> replaced by relay_restart_recovery() if a raft message is delivered during
>> cbus_process() loop in relay_send_is_raft_enabled().
>>
>> Fix the issue by moving variable initialization below
>> relay_send_is_raft_enabled()
>>
>> Closes #6031
>> ---
>> https://github.com/tarantool/tarantool/issues/6031
>> https://github.com/tarantool/tarantool/tree/sp/gh-6031-use-after-free
>>
>>   src/box/relay.cc | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/box/relay.cc b/src/box/relay.cc
>> index ff43c2fc7..32d3a58dd 100644
>> --- a/src/box/relay.cc
>> +++ b/src/box/relay.cc
>> @@ -741,7 +741,6 @@ static int
>>   relay_subscribe_f(va_list ap)
>>   {
>>   	struct relay *relay = va_arg(ap, struct relay *);
>> -	struct recovery *r = relay->r;
>>   
>>   	coio_enable();
>>   	relay_set_cord_name(relay->io.fd);
>> @@ -756,6 +755,8 @@ relay_subscribe_f(va_list ap)
>>   	if (!relay->replica->anon)
>>   		relay_send_is_raft_enabled(relay, &raft_enabler, true);
>>   
>> +	struct recovery *r = relay->r;
> Could you please add a comment why it is important to fetch `relay->r`
> at exactly this stage. Something like
>
> 	/*
> 	 * Fetching relay->r should be done after
> 	 * cbus processing since the pointer may
> 	 * be updated undeneath.
> 	 */
> 	struct recovery *r = relay->r;
>
> Or something like this. Because commits messages are good but we
> read the code in first place and this very nontrivial moment.

Hi! Thanks for the review.
Vlad suggested to inline relay->r. It has only 2 usage places after all.

I agree this was nontrivial. It's better with the inline, I think.

-- 
Serge Petrenko