Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)

Avoid calling unwatchAllKeys when running touchAllWatchedKeysInDb (which was unnecessary) This can potentially lead to use-after-free and memory corruption when the next entry pointer held by the watched keys iterator is freed when unwatching all keys of a specific client. found with address sanitizer, added a test which will not always fail (depending on the random dict hashing seed) problem introduced in #9829 (Reids 7.0) Co-authored-by: Oran Agra <oran@redislabs.com>
2023-02-28 12:02:55 +02:00 · 2023-02-28 12:02:55 +02:00 · 18017df7c1
commit 18017df7c1
parent 4972760b67
2 changed files with 11 additions and 3 deletions
--- a/src/multi.c
+++ b/src/multi.c
@ -458,9 +458,9 @@ void touchAllWatchedKeysInDb(redisDb *emptied, redisDb *replaced_with) {
                }
                client *c = wk->client;
                c->flags |= CLIENT_DIRTY_CAS;
-                /* As the client is marked as dirty, there is no point in getting here
-                 * again for others keys (or keep the memory overhead till EXEC). */
-                unwatchAllKeys(c);
+                /* Note - we could potentially call unwatchAllKeys for this specific client in order to reduce
+                 * the total number of iterations. BUT this could also free the current next entry pointer
+                 * held by the iterator and can lead to use-after-free. */
            }
        }
    }
--- a/tests/unit/multi.tcl
+++ b/tests/unit/multi.tcl
@ -894,6 +894,14 @@ start_server {tags {"multi"}} {
        r readraw 1
        set _ $res
    } {*CONFIG SET failed*}
+    
+    test "Flushall while watching several keys by one client" {
+        r flushall
+        r mset a a b b
+        r watch b a
+        r flushall
+        r ping
+     }
 }

 start_server {overrides {appendonly {yes} appendfilename {appendonly.aof} appendfsync always} tags {external:skip}} {