memtx: fix use after free in functional index iterator
A memtx tree iterator remembers the last tuple returned to the user and its hint so that it can restore iteration if the index is changed. To prevent the tuple from being freed, it references it. The problem is it's not enough for a functional index, because the latter allocates key parts separately from tuples (it stores pointers to them in memtx tree hints). As a result, if a tuple is deleted from the tree, its key parts will be immediately freed, even if the tuple itself is referenced. Since key parts are necessary to restore an iterator, this results in a use after free bug.

To fix the issue, let's store a copy of the current tuple key part in the iterator along with the tuple. If a key part is small, the copy is stored in a preallocated fixed-size buffer, otherwise it's allocated with malloc.

Closes #6786

(cherry picked from commit 51d0a9b2)
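The ownership problem the commit message describes, modelled as an added C example: this is not Tarantool's code, and every struct and function name here (`func_key`, `iterator_set_position`, `index_delete`, `key_survives_delete`, `ITER_KEY_INLINE`) is hypothetical. The key part lives in its own allocation, separate from the tuple, so referencing the tuple alone does not keep it alive; the iterator therefore copies the key part into an inline buffer when it is small and into a malloc'd buffer otherwise, and `key_survives_delete` checks that the copy is still readable after the index has freed the original.

```c
/* Added example, not Tarantool's code: models the iterator fix from the
 * commit message. Functional-index key parts live separately from tuples,
 * so the iterator must own a copy of its current key part. All names
 * here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct tuple { int refs; uint32_t id; };

/* A functional index key part lives in its own allocation, not in the tuple. */
struct func_key { size_t len; char *data; };

/* Keys up to this size are copied into the iterator's inline buffer. */
#define ITER_KEY_INLINE 16

struct iterator {
    struct tuple *cur;              /* referenced: kept alive by the iterator */
    char *key;                      /* owned copy of cur's key part (inline or heap) */
    size_t key_len;
    char key_inline[ITER_KEY_INLINE];
};

static void tuple_ref(struct tuple *t) { t->refs++; }
static void tuple_unref(struct tuple *t) { if (--t->refs == 0) free(t); }

static void iterator_create(struct iterator *it) {
    memset(it, 0, sizeof(*it));
    it->key = it->key_inline;
}

/* Release the heap copy (if any) and the tuple reference. */
static void iterator_destroy(struct iterator *it) {
    if (it->key != it->key_inline) free(it->key);
    if (it->cur) tuple_unref(it->cur);
    it->key = it->key_inline; it->key_len = 0; it->cur = NULL;
}

/* The fix: remember the tuple AND an owned copy of its key part.
 * Returns -1 on allocation failure, leaving the old position intact. */
static int iterator_set_position(struct iterator *it, struct tuple *t,
                                 const struct func_key *k) {
    char *dst = it->key_inline;
    if (k->len > ITER_KEY_INLINE) { dst = malloc(k->len); if (!dst) return -1; }
    memcpy(dst, k->data, k->len);
    /* Only now drop the old state, so a failed malloc changes nothing. */
    if (it->key != it->key_inline) free(it->key);
    if (it->cur) tuple_unref(it->cur);
    it->key = dst; it->key_len = k->len;
    it->cur = t; tuple_ref(t);
    return 0;
}

static int iterator_key_is_inline(const struct iterator *it) {
    return it->key == it->key_inline;
}

/* Simulates deleting the tuple from the index: the index drops its reference
 * and frees the separately allocated key part right away. */
static void index_delete(struct tuple *t, struct func_key *k) {
    free(k->data); k->data = NULL; k->len = 0;
    tuple_unref(t);
}

/* Scenario: position the iterator on a tuple whose key part is key_len bytes
 * of a fixed pattern, delete the tuple from the index, then check that the
 * iterator can still read its key (which would be a use-after-free if it only
 * held a pointer into the freed key part). Returns 1 if the copy is intact,
 * 0 if it is not, -1 on allocation failure. */
static int key_survives_delete(size_t key_len, int *was_inline) {
    struct tuple *t = malloc(sizeof(*t));
    struct func_key k = { key_len, malloc(key_len) };
    if (!t || !k.data) { free(t); free(k.data); return -1; }
    t->refs = 1; t->id = 42;                 /* the index holds one reference */
    for (size_t i = 0; i < key_len; i++) k.data[i] = (char)('a' + i % 26);

    struct iterator it; iterator_create(&it);
    if (iterator_set_position(&it, t, &k) != 0) { index_delete(t, &k); return -1; }
    index_delete(t, &k);                     /* key part freed; tuple still referenced by it */

    int ok = it.key_len == key_len && it.cur->id == 42;
    for (size_t i = 0; ok && i < key_len; i++) ok = it.key[i] == (char)('a' + i % 26);
    if (was_inline) *was_inline = iterator_key_is_inline(&it);
    iterator_destroy(&it);                   /* drops the last reference, frees the tuple */
    return ok;
}
```

The order inside `iterator_set_position` matters: the new copy is made before the old one is released, so an allocation failure mid-step cannot leave the iterator pointing at freed memory, and an 8-byte key takes the inline path while a 64-byte key exercises the malloc path.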
Files changed:
- changelogs/unreleased/gh-6786-func-index-iterator-stable.md (4 additions, 0 deletions)
- src/box/memtx_engine.h (11 additions, 1 deletion)
- src/box/memtx_tree.cc (29 additions, 0 deletions)
- test/box-luatest/gh-6786_func_index_iterator_stable_test.lua (59 additions, 0 deletions)