libroach: fix concurrent access to same file when using encryption#26377
Merged
craig[bot] merged 1 commit intocockroachdb:masterfrom Jun 4, 2018
Merged
libroach: fix concurrent access to same file when using encryption#26377craig[bot] merged 1 commit intocockroachdb:masterfrom
craig[bot] merged 1 commit intocockroachdb:masterfrom
Conversation
Member
|
This change is |
Contributor
|
Review status: all files reviewed at latest revision, all discussions resolved, some commit checks failed. Comments from Reviewable |
Fixes cockroachdb#26261. The various `Env::***File` objects are used concurrently by rocksdb (eg: in the compaction code). If multiple reads occur on the same encrypted file handle and CryptoPP is using the software AES implementation, some working state in the cipher gets corrupted by the other calls. This results in broken decryption bubbling up as checksum failures on rocksdb. Fix this by passing the key to the `CTRCipherStream` and initializing a new `Cipher` object for each block of data (the `RandomAccessFile::Read` block. This will still use one `Cipher` for multiple AES blocks). Release note (bug fix): fix concurrent access to same file when using encryption
6dfa24f to
6e9ad40
Compare
Contributor
Author
|
TFTR. Rebased and squashed. |
Contributor
Author
|
bors r+ |
Contributor
Build failed (retrying...) |
craig bot
pushed a commit
that referenced
this pull request
Jun 4, 2018
26377: libroach: fix concurrent access to same file when using encryption r=mberhault a=mberhault Fixes #26261. The various `Env::***File` objects are used concurrently by rocksdb (eg: in the compaction code). If multiple reads occur on the same encrypted file handle and CryptoPP is using the software AES implementation, some working state in the cipher gets corrupted by the other calls. This results in broken decryption bubbling up as checksum failures on rocksdb. Fix this by passing the key to the `CTRCipherStream` and initializing a new `Cipher` object for each block of data (the `RandomAccessFile::Read` block. This will still use one `Cipher` for multiple AES blocks). Release note (bug fix): fix concurrent access to same file when using encryption Co-authored-by: marc <marc@cockroachlabs.com>
Contributor
Build succeeded |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #26261.
The various
Env::***Fileobjects are used concurrently by rocksdb (eg: in the compaction code).If multiple reads occur on the same encrypted file handle and CryptoPP is using the software AES implementation, some working state in the cipher gets corrupted by the other calls. This results in broken decryption bubbling up as checksum failures on rocksdb.
Fix this by passing the key to the
CTRCipherStreamand initializing a newCipherobject for each block of data (theRandomAccessFile::Readblock. This will still use oneCipherfor multiple AES blocks).Release note (bug fix): fix concurrent access to same file when using encryption