gvsafronov/futriix
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

Fix dict use-after-free problem in kvs->rehashing (#13154)

Browse Source 
In ASAN CI, we find server may crash because of NULL ptr in `kvstoreIncrementallyRehash`.
the reason is that we use two phase unlink in `dbGenericDelete`. After `kvstoreDictTwoPhaseUnlinkFind`,
the dict may be in rehashing and only have one element in ht[0] of `db->keys`.

When we delete the last element in `db->keys` meanwhile `db->keys` is in rehashing, we may free the
dict in `kvstoreDictTwoPhaseUnlinkFree` without deleting the node in `kvs->rehashing`. Then we may
use this freed ptr in `kvstoreIncrementallyRehash` in the `serverCron` and cause the crash.
This is indeed a use-after-free problem.

The fix is to call rehashingCompleted in dictRelease and dictEmpty, so that every call for
rehashingStarted is always matched with a rehashingCompleted.

Adding a test in the unit test to catch it consistently

---------

Co-authored-by: Oran Agra <oran@redislabs.com>
Co-authored-by: debing.sun <debing.sun@redis.com>
This commit is contained in:
Yanqi Lv 2024-03-21 04:44:28 +08:00 committed by GitHub
parent bad33f8738
commit e64d91c371
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/dict.c
View File

@ -706,6 +706,10 @@ int _dictClear(dict *d, int htidx, void(callback)(dict*)) {
/* Clear & Release the hash table */
void dictRelease(dict *d)
{
/* Someone may be monitoring a dict that started rehashing, before
* destroying the dict fake completion. */
if (dictIsRehashing(d) && d->type->rehashingCompleted)
d->type->rehashingCompleted(d);
_dictClear(d,0,NULL);
_dictClear(d,1,NULL);
zfree(d);
@ -1588,6 +1592,10 @@ void *dictFindPositionForInsert(dict *d, const void *key, dictEntry **existing)
}
void dictEmpty(dict *d, void(callback)(dict*)) {
/* Someone may be monitoring a dict that started rehashing, before
* destroying the dict fake completion. */
if (dictIsRehashing(d) && d->type->rehashingCompleted)
d->type->rehashingCompleted(d);
_dictClear(d,0,callback);
_dictClear(d,1,callback);
d->rehashidx = -1;

3
src/kvstore.c
View File

@ -957,6 +957,9 @@ int kvstoreTest(int argc, char **argv, int flags) {
}
kvstoreIteratorRelease(kvs_it);
/* Make sure the dict was removed from the rehashing list. */
while (kvstoreIncrementallyRehash(kvs2, 1000)) {}
dict *d = kvstoreGetDict(kvs2, didx);
assert(d == NULL);
assert(kvstoreDictSize(kvs2, didx) == 0);