[MDEV-23360] A possible use-after-free bug
Created: 2020-08-01
Updated: 2020-08-01

Status: Open
Project: MariaDB Server
Component/s: Storage Engine - RocksDB
Affects Version/s: 10.5.3
Fix Version/s: 10.5

Type: Bug
Priority: Major
Reporter: Ryan
Assignee: Sergei Petrunia
Resolution: Unresolved
Votes: 0
Labels: None
Environment: Linux

Description

In the file (MariaDB/server/storage/rocksdb/rocksdb/db/db_impl/db_impl_open.cc), there is a possible use-after-free bug in the function RecoverLogFiles. The cfd is freed at line 949 and is used at lines 953 and 956.

cfd->UnrefAndTryDelete();  // 949
auto iter = version_edits.find(cfd->GetID());  // 953
status = WriteLevel0TableForRecovery(job_id, cfd, cfd->mem(), edit);  // 956

The UnrefAndTryDelete function is located at line 606 in MariaDB/server/storage/rocksdb/rocksdb/db/trim_history_scheduler.cc.
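
The ordering described in the report, as an added example that is not part of the original issue and is not RocksDB or MariaDB code: a simplified C++ model in which a hypothetical `Cfd` class stands in for `cfd`. It assumes `UnrefAndTryDelete()` drops one reference and deletes the object only when that was the last one (the page does not show the function body), so unref-then-use is a use-after-free exactly when the caller held the last reference.

```cpp
// Simplified model (added example); Cfd is a hypothetical stand-in, not RocksDB code.
#include <atomic>
#include <cstdint>
#include <cstdio>
static int g_live = 0;  // live Cfd objects, so deletion is observable

class Cfd {
 public:
  explicit Cfd(uint32_t id) : id_(id) { ++g_live; }
  ~Cfd() { --g_live; }
  void Ref() { refs_.fetch_add(1); }
  // Assumed semantics: drop one reference; delete the object on the last one.
  bool UnrefAndTryDelete() {
    if (refs_.fetch_sub(1) == 1) { delete this; return true; }
    return false;
  }
  uint32_t GetID() const { return id_; }
 private:
  uint32_t id_;
  std::atomic<int> refs_{0};
};

struct Result { bool freed; bool id_read; uint32_t id; };

// Order from the report: unref, then use. Guarded here so the demo never reads freed memory.
Result UnrefThenUse(Cfd* cfd) {
  Result r{cfd->UnrefAndTryDelete(), false, 0};
  if (!r.freed) { r.id = cfd->GetID(); r.id_read = true; }  // unguarded, this is the UAF
  return r;
}

// Safe ordering: finish every use of cfd, then drop the reference.
Result UseThenUnref(Cfd* cfd) {
  uint32_t id = cfd->GetID();
  return Result{cfd->UnrefAndTryDelete(), true, id};
}

// extra_refs models references held elsewhere (e.g. by an owning container).
Result Run(bool unref_first, int extra_refs) {
  Cfd* cfd = new Cfd(7);  // constructed sample ID
  for (int i = 0; i < extra_refs + 1; ++i) cfd->Ref();
  Result r = unref_first ? UnrefThenUse(cfd) : UseThenUnref(cfd);
  for (int i = 0; i < extra_refs; ++i) cfd->UnrefAndTryDelete();
  return r;
}

int main() {
  std::printf("sole=%d shared=%d\n", Run(true, 0).freed, Run(true, 1).freed);
}
```

Triage of a report like this comes down to whether another owner still holds a reference at the point of the unref; building with AddressSanitizer and exercising the recovery path is one way to confirm it on the real code.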

