-
Notifications
You must be signed in to change notification settings - Fork 10.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use-after-free bug when updates on SSL server handshaker #36693
Comments
Hi @gengliqi, v1.44.x is an old branch. Can you please check if the issue exists with 1.63/1.64? |
It does exist in 1.63/1.64. The code I referenced before comes from the master branch. |
Hi @gengliqi, thanks for reporting the problem. Could provide a test to reproduce the crash? |
We didn't write a small unit test to verify this issue. We modified the code of TiFlash and gRPC core to make the crash occur very quickly in the following way:
|
What version of gRPC and what language are you using?
v1.44.0 c++
The related code is the same as the master branch.
What operating system (Linux, Windows,...) and version?
Doesn't matter
What runtime / compiler are you using (e.g. python version or version of gcc)
Doesn't matter
What did you do?
TiFlash use gRPC
grpc_ssl_server_credentials_create_options_using_config_fetcher
(pingcap/tiflash#6346) to support reloading SSL online.However, we found TiFlash crashed sometimes in gRPC core.(pingcap/tiflash#8535 (comment))
After some investigation, we figured out the root cause is that
server_handshaker_factory
may be used after free.grpc/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
Lines 248 to 256 in b3e061e
Imagine a case:
Thread 1: call
try_fetch_ssl_server_credentials
but nothing has changed.Thread 1: call
tsi_ssl_server_handshaker_factory_create_handshaker
with theserver_handshaker_factory_
.Thread 2: call
try_fetch_ssl_server_credentials
whereserver_handshaker_factory_
has been updated and the originalserver_handshaker_factory_
has been destroyed due to zero ref count.grpc/src/core/tsi/ssl_transport_security.cc
Lines 1933 to 1938 in b3e061e
Thread 1: see code above. Line 1936 shows that the newly-created
tsi_ssl_handshaker
uses the destroyedserver_handshaker_factory_
, leading to a crash eventually.This issue is basically the same as #22489.
Unfortunately, #22647 did not fix this bug thoroughly.
#22531 can fix this bug but it's closed.
What did you expect to see?
No crash.
What did you see instead?
Crashed.
Stack can be seen in pingcap/tiflash#8535 (comment).
Anything else we should know about your project / environment?
The text was updated successfully, but these errors were encountered: