Ticket 49238 - AddressSanitizer: heap-use-after-free in libreplication
Bug Description:
The bug is detected in csn pending list component, when
accessing a csn that has already been freed.
The bug is mostly detectable under ASAN because under normal run
the read access to the csn would only crash if the csn was in
an unmapped page (that is quite difficult to achieve).
The bug was observed under the following conditions:
- very slow machine
- all instances running on the same machine
The patch addresses 2 issues
Issue - 1
Under specific circumstances (failure, like "db_deadlock" during changelog update),
the csn was freed but still present in the pending list (fix-1).
Issue - 2
Further investigations showed another corner case where a
replica could be updated by several suppliers in parallel.
In such scenario, an update (on one thread-2) with a higher csn (let csn-2)
may be applied before an update (on another thread-1) with a smaller
csn (let csn-1).
csn-2 is freed when thread-2 completes, but csn-2 will remain
in the pending list until csn-1 is committed,
so follow-up of the pending list may access a csn that was freed.
Fix Description:
Issue - 1
The fix in repl5_plugins.c frees the csn (thread private area)
on the condition that the pending list was rolled up for that csn (ruv update).
Issue - 2
The fix is in two parts:
If a supplier tries to acquire a replica while it is
already owner of it, the replica is granted.
If a supplier owns a replica and is asking again for it,
but this time the replica is not granted, the replica is released and
the supplier disconnected.
https://pagure.io/389-ds-base/issue/49238
Reviewed by: Mark Reynolds, Ludwig Krispenz, William Brown (thanks to you all !!)
Platforms tested: 7.4
Flag Day: no
Doc impact: no
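The ownership rule behind fix-1, modelled as an added example (this is not code from 389-ds-base, and `csn_t`, `pending_list_t`, `pl_add`, `pl_commit` and `scenario_parallel_updates` are hypothetical names): the pending list owns every csn it references and frees a csn only when that csn is rolled up into the RUV, so a thread that finishes early (the issue-2 ordering, csn-2 completing before csn-1) never leaves a dangling pointer in the list. Under ASAN the opposite pattern, the thread freeing its own csn while the list still holds it, is exactly the heap-use-after-free the ticket describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal CSN: a timestamp plus a committed flag. */
typedef struct csn {
    unsigned long ts;
    int committed;
} csn_t;

#define MAX_PENDING 16

/* Pending list ordered by ts. It owns every csn it holds and frees a csn
 * only when that csn is rolled up into ruv_max (the fix-1 condition). */
typedef struct pending_list {
    csn_t *items[MAX_PENDING];
    int count;
    unsigned long ruv_max;   /* highest csn rolled up so far */
} pending_list_t;

void pl_init(pending_list_t *pl) { memset(pl, 0, sizeof *pl); }

csn_t *csn_new(unsigned long ts) {
    csn_t *c = calloc(1, sizeof *c);
    if (c) c->ts = ts;
    return c;
}

/* Insert in ascending ts order; returns 0 on success, -1 if the list is full. */
int pl_add(pending_list_t *pl, csn_t *c) {
    if (pl->count >= MAX_PENDING) return -1;
    int i = pl->count;
    while (i > 0 && pl->items[i - 1]->ts > c->ts) {
        pl->items[i] = pl->items[i - 1];
        i--;
    }
    pl->items[i] = c;
    pl->count++;
    return 0;
}

/* 1 if a csn with this timestamp is still referenced by the list. */
int pl_contains(const pending_list_t *pl, unsigned long ts) {
    for (int i = 0; i < pl->count; i++)
        if (pl->items[i]->ts == ts) return 1;
    return 0;
}

/* Mark c committed, then roll up from the head: every leading committed csn
 * advances ruv_max and is freed here, by the list, never by the caller.
 * Returns the number of csns rolled up. The caller must not touch c after
 * this call, because it may already have been freed by the roll-up. */
int pl_commit(pending_list_t *pl, csn_t *c) {
    c->committed = 1;
    int rolled = 0;
    while (pl->count > 0 && pl->items[0]->committed) {
        pl->ruv_max = pl->items[0]->ts;
        free(pl->items[0]);
        memmove(&pl->items[0], &pl->items[1],
                (size_t)(pl->count - 1) * sizeof pl->items[0]);
        pl->count--;
        rolled++;
    }
    return rolled;
}

/* The issue-2 ordering from the commit message: csn-2 (thread-2) completes
 * before csn-1 (thread-1). Returns ruv_max after both commit (2), or 0 if
 * any intermediate state is not what the ownership rule predicts. */
unsigned long scenario_parallel_updates(void) {
    pending_list_t pl;
    pl_init(&pl);
    csn_t *csn1 = csn_new(1), *csn2 = csn_new(2);
    pl_add(&pl, csn1);
    pl_add(&pl, csn2);

    /* thread-2 finishes first: csn-2 is committed but cannot be rolled up
     * past the uncommitted csn-1, so it stays in the list and stays allocated. */
    if (pl_commit(&pl, csn2) != 0 || !pl_contains(&pl, 2)) return 0;

    /* thread-1 finishes: csn-1 and then csn-2 are rolled up and freed together. */
    if (pl_commit(&pl, csn1) != 2 || pl.count != 0) return 0;
    return pl.ruv_max;
}

int main(void) {
    printf("ruv_max after both commits: %lu\n", scenario_parallel_updates());
    return 0;
}
```

Running the block under `-fsanitize=address` is clean because no thread frees a csn the list still holds; the single free per csn happens inside `pl_commit` at roll-up time.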