Skip to content

Fix crash when accessing already cleared memory in the sorting module#7195

Merged
dyemanov merged 2 commits intoFirebirdSQL:masterfrom
red-soft-ru:fix_memory_crash_in_sort
Jun 1, 2022
Merged

Fix crash when accessing already cleared memory in the sorting module#7195
dyemanov merged 2 commits intoFirebirdSQL:masterfrom
red-soft-ru:fix_memory_crash_in_sort

Conversation

@XaBbl4
Copy link
Copy Markdown
Contributor

@XaBbl4 XaBbl4 commented May 30, 2022
edited
Loading

Fix crash when accessing already cleared memory. In the following case:

  • specific record size;
  • the maximum size of the allocated map buffer is greater than MAX_SORT_BUFFER_SIZE;
  • unable to allocate memory in dbb_permament pool, throw BadAlloc exception;
  • buffer of size MAX_SORT_BUFFER_SIZE must be allocated in the owner's pool.

In the Sort::releaseBuffer procedure, the allocated buffer goes into the dbb_sort_buffers cache.
After the request is completed, the owner's pool is cleared and the pointer in dbb_sort_buffers cache will be corrupted. The next request, which will take the buffer from cache, throw with error.

Add reuse buffer flag to Sort
d4b727e 
Fix crash when accessing already cleared memory. In the following case:
- specific record size;
- the maximum size of the allocated map buffer is greater than MAX_SORT_BUFFER_SIZE;
- unable to allocate memory in dbb_permament pool, throw BadAlloc exception;
- buffer of size MAX_SORT_BUFFER_SIZE must be allocated in the owner's pool.
In the Sort::releaseBuffer procedure, the allocated buffer goes into
the dbb_sort_buffers cache.
After the request is completed, the owner's pool is cleared and
the pointer in dbb_sort_buffers cache will be corrupted. The next
request, which will take the buffer from cache, throw with error.
@hvlad
Copy link
Copy Markdown
Member

hvlad commented May 30, 2022

Could you create a ticket with description as above, please ?

Also, am I correct that the bug happens if
record_size * MIN_RECORDS_TO_ALLOC == 2^n * MAX_SORT_BUFFER_SIZE, or
record_size == 2^n * 16KB ?

hvlad
hvlad reviewed May 30, 2022
View reviewed changes
Comment thread src/jrd/sort.cpp
@asfernandes
Copy link
Copy Markdown
Member

asfernandes commented May 30, 2022

Could you create a ticket with description as above, please ?

Pull request is a ticket too, no need to create both. Just put labels on it.

@XaBbl4
Copy link
Copy Markdown
Contributor Author

XaBbl4 commented May 30, 2022

Also, am I correct that the bug happens if
record_size * MIN_RECORDS_TO_ALLOC == 2^n * MAX_SORT_BUFFER_SIZE, or
record_size == 2^n * 16KB ?

Yes that's right, when n > 0

@dyemanov dyemanov changed the title Add reuse buffer flag to Sort Fix crash when accessing already cleared memory in the sorting module Jun 1, 2022
@dyemanov dyemanov merged commit 89d90ae into FirebirdSQL:master Jun 1, 2022
@dyemanov
Copy link
Copy Markdown
Member

dyemanov commented Jun 1, 2022

I will backport to other versions a bit later.

@XaBbl4 XaBbl4 deleted the fix_memory_crash_in_sort branch June 1, 2022 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hvlad hvlad hvlad approved these changes

@dyemanov dyemanov dyemanov approved these changes

Assignees

@XaBbl4 XaBbl4

Labels

affect-version: 3.0.9 affect-version: 4.0.1 affect-version: 5.0 Initial component: engine fix-version: 5.0 Beta 1 qa: cannot be tested type: bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@XaBbl4 @hvlad @asfernandes @dyemanov @pavel-zotov