job-exec: fix potential use-after-free in bulk-exec implementation #5937

Merged: 1 commit, May 3, 2024

@grondo (Contributor) commented May 3, 2024

Problem: The exit_batch_timer is not destroyed in bulk_exec_destroy(), which could result in the timer firing on a bulk_exec structure which has already been destroyed. Testing shows that this is a rare, but reproducible condition when bulk_exec_imp_kill() is used. This is possibly because destruction of the bulk_exec structure is tied to that of the future returned from this function. This allows the caller to destroy the future and the bulk_exec object before the timer watcher is cleared, resulting in use-after-free and memory corruption.

Destroy the exit_batch_timer watcher in bulk_exec_destroy().
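The lifetime bug described in the comment above, reduced to a self-contained C model. This is an added example, not code from the pull request or from flux-core: the toy reactor, `struct exec_obj` and all function names are hypothetical, and only the `exit_batch_timer` field name is taken from the description.

```c
#include <stdlib.h>

/* Toy reactor, constructed for this example (not the flux-core API). */
struct watcher { void (*cb)(void *arg); void *arg; struct watcher *next; };
struct reactor { struct watcher *timers; };  /* a real loop calls w->cb(w->arg) on expiry */

static struct watcher *timer_create(struct reactor *r, void (*cb)(void *), void *arg)
{
    struct watcher *w = malloc(sizeof(*w));
    if (w) {
        *w = (struct watcher){ cb, arg, r->timers };
        r->timers = w;
    }
    return w;
}

/* Unlink the watcher from the reactor, then free it (NULL is a no-op). */
static void timer_destroy(struct reactor *r, struct watcher *w)
{
    for (struct watcher **p = &r->timers; *p; p = &(*p)->next)
        if (*p == w) { *p = w->next; break; }
    free(w);
}

/* Hypothetical owner of the batch timer; the callback writes through arg. */
struct exec_obj { struct reactor *r; struct watcher *exit_batch_timer; int pending; };
static void exit_batch_cb(void *arg) { ((struct exec_obj *)arg)->pending = 0; }

/* destroy_timer = 0 models the pre-fix destructor, 1 the fixed one. */
static void exec_obj_destroy(struct exec_obj *e, int destroy_timer)
{
    if (destroy_timer)
        timer_destroy(e->r, e->exit_batch_timer);
    free(e);
}

/* Count armed watchers that outlive their owner; they are discarded unfired. */
int stale_timers_after_destroy(int destroy_timer)
{
    struct reactor r = { NULL };
    struct exec_obj *e = calloc(1, sizeof(*e));
    int n = 0;
    if (!e) return -1;
    e->r = &r;
    e->exit_batch_timer = timer_create(&r, exit_batch_cb, e);
    exec_obj_destroy(e, destroy_timer);
    for (; r.timers; n++)
        timer_destroy(&r, r.timers);
    return n;
}
```

A nonzero result means the reactor still holds a callback whose argument points at freed memory, which is the state the fixed destructor rules out.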

@garlick (Member) left a comment

Woo hoo! Nice sleuthing.

@grondo (Contributor Author) commented May 3, 2024

Thanks, setting MWP.


codecov bot commented May 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.36%. Comparing base (25d186e) to head (3085dca).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5937      +/-   ##
==========================================
+ Coverage   83.33%   83.36%   +0.03%     
==========================================
  Files         514      514              
  Lines       83104    83105       +1     
==========================================
+ Hits        69257    69283      +26     
+ Misses      13847    13822      -25     
Files Coverage Δ
src/modules/job-exec/bulk-exec.c 77.86% <100.00%> (+0.06%) ⬆️

... and 18 files with indirect coverage changes

@mergify mergify bot merged commit 5f4feb1 into flux-framework:master May 3, 2024
35 checks passed
@grondo grondo deleted the bulk-exec-crash branch May 3, 2024 23:55