MDEV-22903 heap-use-after-free while accessing fts cache deleted doc ids

Problem: ======= fts_cache_append_deleted_doc_ids() holds the deleted_lock and tries to access size of deleted_doc_ids. In the meantime, fts_cache_clear() clears the sync_heap before clearing deleted_doc_ids. It leads to invalid access of deleted_doc_ids. Fix: === fts_cache_clear() should free the sync_heap after clearing deleted_doc_ids.
MariaDB · Jul 23, 2020 · adeb736 · adeb736
1 parent 52ccedd
commit adeb736
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/storage/innobase/fts/fts0fts.cc b/storage/innobase/fts/fts0fts.cc
@@ -1127,14 +1127,14 @@ fts_cache_clear(
 		index_cache->doc_stats = NULL;
 	}
 
-	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
-	cache->sync_heap->arg = NULL;
-
 	cache->total_size = 0;
 
 	mutex_enter((ib_mutex_t*) &cache->deleted_lock);
 	cache->deleted_doc_ids = NULL;
 	mutex_exit((ib_mutex_t*) &cache->deleted_lock);
+
+	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
+	cache->sync_heap->arg = NULL;
 }
 
 /*********************************************************************//**

diff --git a/storage/xtradb/fts/fts0fts.cc b/storage/xtradb/fts/fts0fts.cc
@@ -1127,14 +1127,14 @@ fts_cache_clear(
 		index_cache->doc_stats = NULL;
 	}
 
-	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
-	cache->sync_heap->arg = NULL;
-
 	cache->total_size = 0;
 
 	mutex_enter((ib_mutex_t*) &cache->deleted_lock);
 	cache->deleted_doc_ids = NULL;
 	mutex_exit((ib_mutex_t*) &cache->deleted_lock);
+
+	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
+	cache->sync_heap->arg = NULL;
 }
 
 /*********************************************************************//**