Fixed CORE-6450: Races in cache of opened security databases

AlexPeshkoff · AlexPeshkoff · commit 41a8fc5fd6f1 · 2020-11-19T13:36:07.000+03:00
diff --git a/src/auth/SecDbCache.cpp b/src/auth/SecDbCache.cpp
@@ -51,7 +51,7 @@ void CachedSecurityDatabase::handler()
 }
 
 
-void PluginDatabases::getInstance(IPluginConfig* pluginConfig, RefPtr<CachedSecurityDatabase>& instance)
+void PluginDatabases::getInstance(IPluginConfig* pluginConfig, CachedSecurityDatabase::Instance& instance)
 {
 	// Determine sec.db name based on existing config
 	PathName secDbName;
@@ -78,7 +78,7 @@ void PluginDatabases::getInstance(IPluginConfig* pluginConfig, RefPtr<CachedSecu
 				CachedSecurityDatabase* fromCache = dbArray[i];
 				if (fromCache->secDb->test())
 				{
-					instance = fromCache;
+					instance.set(fromCache);
 					break;
 				}
 				else
@@ -92,7 +92,7 @@ void PluginDatabases::getInstance(IPluginConfig* pluginConfig, RefPtr<CachedSecu
 
 		if (!instance)
 		{
-			instance = FB_NEW CachedSecurityDatabase(this, secDbName);
+			instance.set(FB_NEW CachedSecurityDatabase(this, secDbName));
 			instance->addRef();
 			secDbName.copyTo(instance->secureDbName, sizeof(instance->secureDbName));
 			dbArray.add(instance);
diff --git a/src/auth/SecDbCache.h b/src/auth/SecDbCache.h
@@ -74,6 +74,33 @@ class CachedSecurityDatabase FB_FINAL
 	Firebird::Mutex mutex;
 	Firebird::AutoPtr<VSecDb> secDb;
 	PluginDatabases* list;
+
+public:
+	// Related RAII holder
+	class Instance : public Firebird::RefPtr<CachedSecurityDatabase>
+	{
+	public:
+		Instance()
+		{ }
+
+		void set(CachedSecurityDatabase* db)
+		{
+			fb_assert(!hasData());
+			fb_assert(db);
+
+			assign(db);
+			(*this)->mutex.enter(FB_FUNCTION);
+		}
+
+		~Instance()
+		{
+			if (hasData())
+			{
+				(*this)->mutex.leave();
+				(*this)->close();
+			}
+		}
+	};
 };
 
 class PluginDatabases
@@ -88,7 +115,7 @@ class PluginDatabases
 	Firebird::Mutex arrayMutex;
 
 public:
-	void getInstance(Firebird::IPluginConfig* pluginConfig, Firebird::RefPtr<CachedSecurityDatabase>& instance);
+	void getInstance(Firebird::IPluginConfig* pluginConfig, CachedSecurityDatabase::Instance& instance);
 	int shutdown();
 	void handler(CachedSecurityDatabase* tgt);
 };
diff --git a/src/auth/SecureRemotePassword/server/SrpServer.cpp b/src/auth/SecureRemotePassword/server/SrpServer.cpp
@@ -287,28 +287,19 @@ int SrpServer::authenticate(CheckStatusWrapper* status, IServerBlock* sb, IWrite
 			messages.param->loginNull = 0;
 			messages.data.clear();
 
-			{ // reference & mutex scope scope
+			{ // instance RAII scope
+				CachedSecurityDatabase::Instance instance;
+
 				// Get database block from cache
-				RefPtr<CachedSecurityDatabase> instance;
 				instances->getInstance(iParameter, instance);
+				secDbName = instance->secureDbName;
 
-				try
-				{
-					MutexLockGuard g(instance->mutex, FB_FUNCTION);
-
-					secDbName = instance->secureDbName;
-					if (!instance->secDb)
-						instance->secDb = FB_NEW SecurityDatabase(instance->secureDbName, cryptCallback);
-
-					instance->secDb->lookup(messages.param.getData(), messages.data.getData());
-				}
-				catch(const Exception&)
-				{
-					instance->close();
-					throw;
-				}
+				// Create SecurityDatabase if needed
+				if (!instance->secDb)
+					instance->secDb = FB_NEW SecurityDatabase(instance->secureDbName, cryptCallback);
 
-				instance->close();
+				// Lookup
+				instance->secDb->lookup(messages.param.getData(), messages.data.getData());
 			}
 			HANDSHAKE_DEBUG(fprintf(stderr, "Srv: SRP1: Executed statement\n"));
 
diff --git a/src/auth/SecurityDatabase/LegacyServer.cpp b/src/auth/SecurityDatabase/LegacyServer.cpp
@@ -330,32 +330,20 @@ int SecurityDatabaseServer::authenticate(CheckStatusWrapper* status, IServerBloc
 		bool found = false;
 		char pw1[MAX_LEGACY_PASSWORD_LENGTH + 1];
 		PathName secureDbName;
-		{ // reference & mutex scope scope
+		{ // instance scope
 			// Get database block from cache
-			RefPtr<CachedSecurityDatabase> instance;
+			CachedSecurityDatabase::Instance instance;
 			instances->getInstance(iParameter, instance);
 
-			try
-			{
-				MutexLockGuard g(instance->mutex, FB_FUNCTION);
-
-				secureDbName = instance->secureDbName;
-				if (!instance->secDb)
-					instance->secDb = FB_NEW SecurityDatabase(instance->secureDbName);
-
-				user_name uname;		// user name buffer
-				login.copyTo(uname, sizeof uname);
-				user_record user_block;		// user record
-				found = instance->secDb->lookup(uname, &user_block);
-				fb_utils::copy_terminate(pw1, user_block.password, MAX_LEGACY_PASSWORD_LENGTH + 1);
-			}
-			catch(const Exception&)
-			{
-				instance->close();
-				throw;
-			}
+			secureDbName = instance->secureDbName;
+			if (!instance->secDb)
+				instance->secDb = FB_NEW SecurityDatabase(instance->secureDbName);
 
-			instance->close();
+			user_name uname;		// user name buffer
+			login.copyTo(uname, sizeof uname);
+			user_record user_block;		// user record
+			found = instance->secDb->lookup(uname, &user_block);
+			fb_utils::copy_terminate(pw1, user_block.password, MAX_LEGACY_PASSWORD_LENGTH + 1);
 		}
 		if (!found)
 		{
diff --git a/src/common/classes/RefCounted.h b/src/common/classes/RefCounted.h
@@ -167,14 +167,6 @@ namespace Firebird
 			return ptr;
 		}
 
-		/* NS: you cannot have operator bool here. It creates ambiguity with
-		  operator T* with some of the compilers (at least VS2003)
-
-		operator bool() const
-		{
-			return ptr ? true : false;
-		}*/
-
 		bool hasData() const
 		{
 			return ptr ? true : false;

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ void CachedSecurityDatabase::handler()`
`51`	`51`	`}`
`52`	`52`
`53`	`53`
`54`		`-void PluginDatabases::getInstance(IPluginConfig* pluginConfig, RefPtr<CachedSecurityDatabase>& instance)`
	`54`	`+void PluginDatabases::getInstance(IPluginConfig* pluginConfig, CachedSecurityDatabase::Instance& instance)`
`55`	`55`	`{`
`56`	`56`	`// Determine sec.db name based on existing config`
`57`	`57`	`PathName secDbName;`
`@@ -78,7 +78,7 @@ void PluginDatabases::getInstance(IPluginConfig* pluginConfig, RefPtr<CachedSecu`
`78`	`78`	`CachedSecurityDatabase* fromCache = dbArray[i];`
`79`	`79`	`if (fromCache->secDb->test())`
`80`	`80`	`{`
`81`		`- instance = fromCache;`
	`81`	`+ instance.set(fromCache);`
`82`	`82`	`break;`
`83`	`83`	`}`
`84`	`84`	`else`
`@@ -92,7 +92,7 @@ void PluginDatabases::getInstance(IPluginConfig* pluginConfig, RefPtr<CachedSecu`
`92`	`92`
`93`	`93`	`if (!instance)`
`94`	`94`	`{`
`95`		`- instance = FB_NEW CachedSecurityDatabase(this, secDbName);`
	`95`	`+ instance.set(FB_NEW CachedSecurityDatabase(this, secDbName));`
`96`	`96`	`instance->addRef();`
`97`	`97`	`secDbName.copyTo(instance->secureDbName, sizeof(instance->secureDbName));`
`98`	`98`	`dbArray.add(instance);`
Original file line number	Diff line number	Diff line change
`@@ -167,14 +167,6 @@ namespace Firebird`
`167`	`167`	`return ptr;`
`168`	`168`	`}`
`169`	`169`
`170`		`- /* NS: you cannot have operator bool here. It creates ambiguity with`
`171`		`- operator T* with some of the compilers (at least VS2003)`
`172`		`-`
`173`		`- operator bool() const`
`174`		`- {`
`175`		`- return ptr ? true : false;`
`176`		`- }*/`
`177`		`-`
`178`	`170`	`bool hasData() const`
`179`	`171`	`{`
`180`	`172`	`return ptr ? true : false;`