Commit e1ed31bb authored 1 year ago by Georgiy Lebedev Committed by Aleksandr Lyapunov 1 year ago

memtx: fix heap-use-after-free of tuple stories caused by space alter

When a space is altered, we abort all in-progress transactions and delete
all stories related to that space: the problem is we don't delete the
stories' read gaps, which are also linked to the stories' transactions,
which get cleaned up on transaction destruction — this, in turn, results in
heap-use-after-free. To fix this, clean up stories' read gap in
`memtx_on_space_delete` — we don't do this in `memtx_tx_story_delete` since
it expects the story to not have any read gaps (see
`memtx_tx_story_gc_step`).

Tested this patch manually against Nick Shirokovskiy's experimental
small-ASAN integration branch.

Closes #8781

NO_DOC=bugfix
NO_TEST=<already covered by existing tests, but was not detectable by ASAN>

parent 9041d7ed

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 19 additions and 1 deletion

Дмитрий Кольцов @vifley
mentioned in commit 1d0bc37b
· 1 year ago

mentioned in commit 1d0bc37b

mentioned in commit 1d0bc37b6740cb9c9c4dd3ef2905027c40438805

Toggle commit list
Georgy Moshkin @gmoshkin
mentioned in commit 8103bbcb
· 1 year ago

mentioned in commit 8103bbcb

mentioned in commit 8103bbcb19a5c586d94a611c348c5030e9a8bc20

Toggle commit list
Feodor Alexandrov @f.alexandrov
mentioned in commit 5070f252
· 1 year ago

mentioned in commit 5070f252

mentioned in commit 5070f252e2f826e6290c71b2555258a39fe02638

Toggle commit list

Please register or to comment