Date: Wed, 12 May 2021 14:48:38 +0300
From: Cyrill Gorcunov via Tarantool-patches
To: Serge Petrenko
Cc: v.shpilevoy@tarantool.org, tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH] relay: fix use after free in subscribe_f
In-Reply-To: <20210512113907.12968-1-sergepetrenko@tarantool.org>
References: <20210512113907.12968-1-sergepetrenko@tarantool.org>
User-Agent: Mutt/2.0.6 (2021-03-06)

On Wed, May 12, 2021 at 02:39:07PM +0300, Serge Petrenko wrote:
> relay_subscribe_f() remembered the old recovery pointer, which might be
> replaced by relay_restart_recovery() if a raft message is delivered during
> the cbus_process() loop in relay_send_is_raft_enabled().
>
> Fix the issue by moving the variable initialization below
> relay_send_is_raft_enabled().
>
> Closes #6031
> ---
> https://github.com/tarantool/tarantool/issues/6031
> https://github.com/tarantool/tarantool/tree/sp/gh-6031-use-after-free
>
> src/box/relay.cc | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> > diff --git a/src/box/relay.cc b/src/box/relay.cc > index ff43c2fc7..32d3a58dd 100644 > --- a/src/box/relay.cc > +++ b/src/box/relay.cc > @@ -741,7 +741,6 @@ static int > relay_subscribe_f(va_list ap) > { > struct relay *relay = va_arg(ap, struct relay *); > - struct recovery *r = relay->r; > > coio_enable(); > relay_set_cord_name(relay->io.fd); > @@ -756,6 +755,8 @@ relay_subscribe_f(va_list ap) > if (!relay->replica->anon) > relay_send_is_raft_enabled(relay, &raft_enabler, true); > > + struct recovery *r = relay->r;

Could you please add a comment why it is important to fetch `relay->r` at exactly this stage. Something like

	/*
	 * Fetching relay->r should be done after
	 * cbus processing since the pointer may
	 * be updated underneath.
	 */
	struct recovery *r = relay->r;

Or something like this. Because commit messages are good, but we read the code in the first place, and this is a very nontrivial moment.
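Review bot: the moved line `+ struct recovery *r = relay->r;` in the second hunk carries no comment, so the ordering constraint it fixes (the fetch must follow the `relay_send_is_raft_enabled(relay, &raft_enabler, true);` call, whose cbus processing can run `relay_restart_recovery()` and replace `relay->r`) is invisible in the code; a future edit that hoists the declaration back to the top of `relay_subscribe_f()` or inserts another cbus-processing call between the fetch and the uses of `r` would silently reintroduce the use-after-free. Please add a short comment at the new declaration naming that invariant, e.g. `/* Must be read after relay_send_is_raft_enabled(): cbus processing may replace relay->r. */`. Note also that the placement is correct for both branches of `if (!relay->replica->anon)`: for anonymous replicas nothing runs between the old and new positions, so the later fetch is harmless there.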
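The ordering bug in the commit message, reduced to a stand-alone C model so the difference between the two placements of the fetch can be run and checked. This is an added example, not Tarantool code: relay_t, recovery_t, restart_recovery(), process_messages(), enqueue(), subscribe_buggy(), subscribe_fixed() and run_scenario() are hypothetical stand-ins for struct relay, struct recovery, relay_restart_recovery(), the cbus_process() loop inside relay_send_is_raft_enabled(), and relay_subscribe_f() before and after the patch. It also covers the case the commit message implies but does not spell out: when no message arrives during the loop, the buggy order happens to work, which is why the bug is a race rather than a deterministic crash.

```c
/* Added example, not Tarantool code. All names below are hypothetical
 * stand-ins for the relay/recovery objects in src/box/relay.cc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct recovery {
    int generation;            /* which instance this is; illustration only */
} recovery_t;

typedef struct relay relay_t;

/* A queued message, as a cbus-like loop would deliver it to the relay. */
typedef struct msg {
    void (*handler)(relay_t *);
} msg_t;

struct relay {
    recovery_t *r;             /* owned; may be replaced while processing */
    msg_t queue[8];
    int nmsgs;
};

/* Stand-in for relay_restart_recovery(): frees the current recovery
 * object and installs a fresh one. Any pointer cached before this call
 * now dangles. The replacement is allocated before the old block is freed
 * so the two never share an address; otherwise the allocator could hand
 * back the same block and hide the staleness from the address check. */
static void restart_recovery(relay_t *relay)
{
    recovery_t *fresh = calloc(1, sizeof(*fresh));
    if (fresh == NULL)
        abort();
    fresh->generation = relay->r->generation + 1;
    free(relay->r);
    relay->r = fresh;
}

/* Stand-in for the cbus_process() loop: runs every queued handler. */
static void process_messages(relay_t *relay)
{
    for (int i = 0; i < relay->nmsgs; i++)
        relay->queue[i].handler(relay);
    relay->nmsgs = 0;
}

static void enqueue(relay_t *relay, void (*handler)(relay_t *))
{
    relay->queue[relay->nmsgs++] = (msg_t){ handler };
}

/* Pre-patch order: cache relay->r, process messages, then use the cache.
 * Returns 1 if the cached pointer is still the live object, 0 if it
 * dangles. Addresses are compared rather than dereferenced, because
 * reading freed memory is undefined behaviour. */
static int subscribe_buggy(relay_t *relay)
{
    recovery_t *r = relay->r;
    process_messages(relay);
    return r == relay->r;
}

/* Post-patch order: process messages first, then fetch relay->r, so every
 * later use sees the object installed by whatever handler ran. */
static int subscribe_fixed(relay_t *relay)
{
    process_messages(relay);
    /* Must be read after the loop: a handler may have replaced it. */
    recovery_t *r = relay->r;
    return r == relay->r;
}

/* Builds a relay, optionally queues one "raft message" that restarts
 * recovery (the race window from the commit message), runs the chosen
 * subscribe variant and returns its verdict. */
static int run_scenario(int (*subscribe)(relay_t *), int deliver_raft_msg)
{
    relay_t relay;
    memset(&relay, 0, sizeof(relay));
    relay.r = calloc(1, sizeof(*relay.r));
    if (relay.r == NULL)
        abort();
    if (deliver_raft_msg)
        enqueue(&relay, restart_recovery);
    int live = subscribe(&relay);
    free(relay.r);
    return live;
}

int main(void)
{
    printf("buggy, message delivered:    %s\n",
           run_scenario(subscribe_buggy, 1) ? "live" : "DANGLING");
    printf("buggy, no message:           %s\n",
           run_scenario(subscribe_buggy, 0) ? "live" : "DANGLING");
    printf("fixed, message delivered:    %s\n",
           run_scenario(subscribe_fixed, 1) ? "live" : "DANGLING");
    return 0;
}
```

The only scenario that produces a dangling pointer is the pre-patch order with a message delivered during the loop, which matches the commit message: the fix is a pure reordering, and the invariant it relies on is that nothing between the fetch and the uses of `r` can process messages.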