Skip to content

Fix use after free on blocking RM_Call. #12342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
oranagra merged 4 commits into from
Jun 25, 2023
Merged

Fix use after free on blocking RM_Call. #12342

oranagra merged 4 commits into from
Jun 25, 2023

Conversation

@MeirShpilraien
Copy link

@MeirShpilraien MeirShpilraien commented Jun 25, 2023
edited by oranagra
Loading

blocking RM_Call was introduced on: #11568 (7.2 RC1), which allows a module to perform blocking commands and get the reply asynchronously.If the command gets block, a special promise CallReply is returned that allow to set the unblock handler. The unblock handler will be called when the command invocation finish and it gets, as input, the command real reply.

The issue was that the real CallReply was created using a stack allocated RedisModuleCtx which is no longer available after the unblock handler finishes. So if the module keeps the CallReply after the unblock handler finished, the CallReply holds a pointer to invalid memory and will try to access it when the CallReply will be released.

The solution is to create the CallReply with a NULL context to make it totally detached and can be freed freely when the module wants.

Test was added to cover this case, running the test with valgrind before the fix shows the use after free error. With the fix, there are no valgrind errors.

unrelated: adding a missing $rd close in many tests in that file.

Fix use after free on blocking RM_Call.
132d65f 
blocking RM_Call was introduced on: https://github.com/redis/redis/pull/11568It allows a module to perform blocking commands and get the reply asynchronously.If the command gets block, a special promise CallReply is returned that allow to setthe unblock handler. The unblock hander will be called when the command invocation finishand it gets, as input, the command real reply.

The issue was that the real CallReply was created using a stack allocated RedisModuleCtxwhich is no longer available after the unblock handler finishes. So if the module keepsthe CallReply after the unblock handler finished, the CallReply holds a pointer to invalidmemory and will try to access it when the CallReply will be released.

The solution is to create the CallReply with a NULL context to make it totally detachedand can be freed freely when the module wants.

Test was added to cover this case, running the test with valgrind before the fix shows the use after free error. With the fix, there are not valgrind errors.
@MeirShpilraien MeirShpilraien requested a review from oranagra June 25, 2023 08:25
oranagra
oranagra approved these changes Jun 25, 2023
View reviewed changes
Meir Shpilraien (Spielrein) and others added 3 commits June 25, 2023 11:49
@oranagra oranagra merged commit 153f8f0 into redis:unstable Jun 25, 2023
@oranagra oranagra added the release-notes indication that this issue needs to be mentioned in the release notes label Jun 25, 2023
@oranagra oranagra mentioned this pull request Jul 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oranagra oranagra oranagra approved these changes

Assignees

No one assigned

Labels

release-notes indication that this issue needs to be mentioned in the release notes

Projects

Redis 7.2
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MeirShpilraien @oranagra