Fix use-after-free crash in SQLite extension (#481)

When the server crashed and the process got terminated, the SqDriver
instance was killed first (e.g. by atexit). SqDatabase tries to access
SqDriver in its destructor.
This patch tells SqDatabase to not use anything from SqDriver anymore
after SqDriver got destroyed.

Next to that, the clientprefs extension relied on the IDatabase pointer
being valid to get the driver pointer. Cache the pointer, so the dbi
system still knows the IDBThreadOperation belonged to the now gone
driver, even after the database object is gone.

extensions/clientprefs/query.cpp

@@ -92,7 +92,7 @@ void TQueryOp::RunThreadPart()
 
 IDBDriver *TQueryOp::GetDriver()
 {
-	return m_database->GetDriver();
+	return m_driver;
 }
 
 IdentityToken_t *TQueryOp::GetOwner()
@@ -114,6 +114,7 @@ TQueryOp::TQueryOp(enum querytype type, int serial)
 	m_type = type;
 	m_serial = serial;
 	m_database = NULL;
+	m_driver = NULL;
 	m_insertId = -1;
 	m_pResult = NULL;
 }
@@ -123,6 +124,7 @@ TQueryOp::TQueryOp(enum querytype type, Cookie *cookie)
 	m_type = type;
 	m_pCookie = cookie;
 	m_database = NULL;
+	m_driver = NULL;
 	m_insertId = -1;
 	m_pResult = NULL;
 	m_serial = 0;
@@ -131,6 +133,7 @@ TQueryOp::TQueryOp(enum querytype type, Cookie *cookie)
 void TQueryOp::SetDatabase(IDatabase *db)
 {
 	m_database = db;
+	m_driver = m_database->GetDriver();
 }
 
 bool TQueryOp::BindParamsAndRun()

extensions/clientprefs/query.h

@@ -100,6 +100,7 @@ class TQueryOp : public IDBThreadOperation
 
 private:
 	IDatabase *m_database;
+	IDBDriver *m_driver;
 	IQuery *m_pResult;
 
 	/* Query type */

extensions/sqlite/driver/SqDatabase.h

@@ -64,6 +64,10 @@ class SqDatabase
 	bool SetCharacterSet(const char *characterset);
 public:
 	sqlite3 *GetDb();
+	void PrepareForForcedShutdown()
+	{
+		m_Persistent = false;
+	}
 private:
 	sqlite3 *m_sq3;
 	ke::AutoPtr<ke::Mutex> m_FullLock;

extensions/sqlite/driver/SqDriver.cpp

@@ -67,6 +67,32 @@ SqDriver::SqDriver()
 {
 	m_Handle = BAD_HANDLE;
 	m_bThreadSafe = false;
+	m_bShutdown = false;
+}
+
+// The extension got unloaded. Remove any open database now to avoid a use-after-free
+// of g_SqDriver in SqDatabase's destructor.
+SqDriver::~SqDriver()
+{
+	ke::AutoLock lock(&m_OpenLock);
+
+	List<SqDbInfo>::iterator iter;
+	SqDatabase *sqdb;
+	for (iter = m_Cache.begin(); iter != m_Cache.end(); iter++)
+	{
+		// Don't let SqDatabase try to remove itself from m_Cache
+		// now that we're gone.
+		sqdb = (SqDatabase *)(*iter).db;
+		sqdb->PrepareForForcedShutdown();
+
+		iter = m_Cache.erase(iter);
+	}
+
+	if (!m_bShutdown)
+	{
+		dbi->RemoveDriver(&g_SqDriver);
+		Shutdown();
+	}
 }
 
 void SqDriver::Initialize()
@@ -76,6 +102,7 @@ void SqDriver::Initialize()
 
 void SqDriver::Shutdown()
 {
+	m_bShutdown = true;
 	if (m_bThreadSafe)
 	{
 		sqlite3_enable_shared_cache(0);

extensions/sqlite/driver/SqDriver.h

@@ -56,6 +56,7 @@ class SqDriver : public IDBDriver
 {
 public:
 	SqDriver();
+	~SqDriver();
 	void Initialize();
 	void Shutdown();
 public:
@@ -74,6 +75,7 @@ class SqDriver : public IDBDriver
 	ke::Mutex m_OpenLock;
 	List<SqDbInfo> m_Cache;
 	bool m_bThreadSafe;
+	bool m_bShutdown;
 };
 
 extern SqDriver g_SqDriver;