Fix use-after-free in VM_RegisterClusterMessageReceiver#3846
Conversation
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. Signed-off-by: Eran Ifrah <eifrah@amazon.com>
📝 WalkthroughWalkthroughFixes the head-unlink bug in VM_RegisterClusterMessageReceiver and adds test module commands plus a Tcl integration test that unregisters and re-registers a type-3 cluster receiver and verifies message reception. ChangesCluster receiver unregistration and tests
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## unstable #3846 +/- ##
============================================
- Coverage 76.69% 76.61% -0.08%
============================================
Files 162 162
Lines 80679 80679
============================================
- Hits 61874 61816 -58
- Misses 18805 18863 +58
🚀 New features to boost your workflow:
|
enjoy-binbin
left a comment
There was a problem hiding this comment.
Okay, so it was wrong from the very beginning.
Test that unregistering the head receiver and re-registering does not crash due to accessing freed memory. Signed-off-by: Eran Ifrah <eifrah@amazon.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/modules/cluster.c`:
- Around line 93-112: Each handler lacks an arity check—add a guard at the top
of test_register_receiver, test_unregister_receiver, and test_send_msg_type3 to
ensure argc == 1; if not, return an argument error (e.g. call
ValkeyModule_ReplyWithError(ctx, "ERR wrong number of arguments") and return)
before using ValkeyModule_RegisterClusterMessageReceiver /
ValkeyModule_SendClusterMessage so the command contract is enforced.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 412db148-e870-4026-beca-b5924d46bb8c
📒 Files selected for processing (2)
tests/modules/cluster.ctests/unit/moduleapi/cluster.tcl
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
# Backport sweep for 9.1 Automated cherry-picks from PRs marked "To be backported". ## Applied | Source PR | Title | Detail | |---|---|---| | #3743 | Fix buffered_reply assert in HFE commands with module keyspace notifications | cherry-picked in a prior sweep | | #3766 | Fix flaky block_keyspace_notification test for HGETDEL notify race | cherry-picked in a prior sweep | | #3800 | Fix heap-use-after-free in ACL LOAD when client free is deferred | cherry-picked in a prior sweep | | #3723 | Fix double-finish and RESP reply violation in cluster slot migration | cherry-picked in a prior sweep | | #3872 | Redacting customer information when hide_user_data_from_log is true in rdb.c, networking.c, debug.c and t_hash | cherry-picked in a prior sweep | | #3846 | Fix use-after-free in VM_RegisterClusterMessageReceiver | cherry-picked in a prior sweep | | #3806 | Add ALL_DBS flag to CLUSTER FLUSHSLOT for database-level ACL | cherry-picked in a prior sweep | | #3847 | Harden SENTINEL commands and config rewrite against control-character injection | | | #3801 | Validate every DB clause in COPY against ACL db= permissions | | | #3851 | Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token | | | #3848 | Fix cluster AUX-field control-character and delimiter injection | | | #3544 | Revert "IO-Threads redesign cleanup work (#3544)" | cherry-picked in a prior sweep | | #3888 | Report exact dbid for COPY in ACL LOG when db= access is denied | conflicts resolved by Claude Code | | #3942 | Fix shard_id format specifier in UPDATE message log | | | #3941 | Avoid random() % 0 undefined behaviour when cluster-node-timeout < 30 | | --- *Generated by valkey-ci-agent using Claude Code.* --------- Signed-off-by: Binbin <binloveplay1314@qq.com> Signed-off-by: Ran Shidlansik <ranshid@amazon.com> Signed-off-by: chx9 <lovelypiska@outlook.com> Signed-off-by: zackcam <zackcam@amazon.com> Signed-off-by: Eran Ifrah <eifrah@amazon.com> Signed-off-by: Jules Lasarte <lasartej@amazon.com> Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com> Signed-off-by: akash kumar <akumdev@amazon.com> Co-authored-by: Binbin <binloveplay1314@qq.com> Co-authored-by: Ran Shidlansik <ranshid@amazon.com> Co-authored-by: lovelypiska <lovelypiska@outlook.com> Co-authored-by: zackcam <zackcam@amazon.com> Co-authored-by: eifrah-aws <eifrah@amazon.com> Co-authored-by: jjuleslasarte <jules.lasarte@gmail.com> Co-authored-by: Jules Lasarte <lasartej@amazon.com> Co-authored-by: Akash Kumar <45854686+akashkgit@users.noreply.github.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
When unregistering a cluster message receiver (callback = NULL) for the head node of the linked list, the code incorrectly updated clusterReceivers[type]->next instead of clusterReceivers[type] itself. This left the array entry pointing to freed memory, causing a use-after-free on any subsequent list traversal.