
Recent version of c-ares can cause use-after-free in dns.cc #2640

Open
elcallio opened this issue Feb 12, 2025 · 0 comments
Comments

@elcallio (Contributor)

Recent c-ares (the Fedora 41 version) will do checks, including closing broken connections etc., during FD processing,
not only for the fd(s) involved in the processing, unless explicitly disabled.

This can break our dns.cc state machine, as we might process an fd but get a recursive callback which modifies the
collection we are iterating over (_sockets) such that our next iterator entry becomes invalid/points to freed data.

The fix is relatively simple: use the now-encouraged (newish) API, and turn off this background processing until we are out of the iteration loop.

@elcallio elcallio self-assigned this Feb 12, 2025
elcallio pushed a commit to elcallio/seastar that referenced this issue Feb 18, 2025
Fixes scylladb#2640

Recent c-ares (fedora 41 version), will do checks, including
closing broken connections etc during FD processing, not only
for the fd(s) involved in the processing, unless explicitly
disabled.

This can break our dns.cc state machine, as we might process a
fd, but get a recursive callback which will modify the
collection we are iterating over (_sockets) such that our next
iterator entry becomes invalid/points to freed data.

Fix is relatively simple, use the now encouraged (newish) API,
and turn off this background processing until we are out of the
iteration loop.

v2:
* ifdef'ed old impl back for builds on c-ares older than 1.34
elcallio pushed a commit to elcallio/seastar that referenced this issue Feb 18, 2025
Fixes scylladb#2640

Recent c-ares (fedora 41 version), will do checks, including
closing broken connections etc during FD processing, not only
for the fd(s) involved in the processing, unless explicitly
disabled.

This can break our dns.cc state machine, as we might process a
fd, but get a recursive callback which will modify the
collection we are iterating over (_sockets) such that our next
iterator entry becomes invalid/points to freed data.

Fix is relatively simple, use the now encouraged (newish) API,
and turn off this background processing until we are out of the
iteration loop.

v2:
* ifdef'ed old impl back for builds on c-ares older than 1.34

v3:
* Change both implementations to use batch mode processing, bypassing
  the need to maintain iterability of the socket set while processing.
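As an added illustration (not seastar's dns.cc or c-ares code), the following C++ models the hazard the issue body describes and two ways out of it: re-seeking by key after any callback that touched the socket table, and the snapshot/batch approach the v3 commit message describes. The socket table, fd numbers, readable/broken flags and the `process_fd` stand-in are all constructed for the example; the real fix additionally uses the newer c-ares API to stop the library from doing non-fd maintenance during the call (to my recollection that is `ares_process_fds()` with `ARES_PROCESS_FLAG_SKIP_NON_FD` in c-ares 1.34, which the page does not name), and that call is not shown here.

```cpp
#include <cstdio>
#include <map>
#include <vector>

// Added illustration, not seastar or c-ares code: a per-fd callback that
// re-enters the socket table and erases entries while the caller is walking it.
struct socket_state {
    bool readable = false;   // has data pending this round
    bool broken = false;     // the library will reap it during processing
};

struct socket_table {
    std::map<int, socket_state> sockets;   // stand-in for dns.cc's _sockets
    unsigned generation = 0;               // bumped on every structural change
    std::vector<int> closed;               // audit trail of what got erased

    void close(int fd) {
        if (sockets.erase(fd)) {
            ++generation;
            closed.push_back(fd);
        }
    }
};

// Stand-in for the library's per-fd processing. With `background` set it also
// reaps every broken socket in the whole table (the behaviour the issue
// attributes to newer c-ares), i.e. it mutates the table re-entrantly.
static void process_fd(socket_table& t, int fd, bool background,
                       std::vector<int>& processed) {
    processed.push_back(fd);
    if (!background) return;
    std::vector<int> victims;
    for (const auto& kv : t.sockets)
        if (kv.second.broken) victims.push_back(kv.first);
    for (int v : victims) t.close(v);   // may erase `fd` itself
}

// Pattern 1: never trust an iterator across the callback. If the table changed
// underneath us, re-seek by key instead of incrementing an iterator that the
// callback may have invalidated by erasing the current or the next entry.
static std::vector<int> process_by_key(socket_table& t, bool background) {
    std::vector<int> processed;
    auto it = t.sockets.begin();
    while (it != t.sockets.end()) {
        int fd = it->first;
        if (!it->second.readable) { ++it; continue; }
        unsigned before = t.generation;
        process_fd(t, fd, background, processed);
        if (before != t.generation)
            it = t.sockets.upper_bound(fd);   // old `it` is never touched again
        else
            ++it;
    }
    return processed;
}

// Pattern 2, batch mode (the approach the v3 commit message describes): snapshot
// the fds to service first, then process from the snapshot, skipping any fd
// that an earlier callback has already closed.
static std::vector<int> process_batch(socket_table& t, bool background) {
    std::vector<int> batch;
    for (const auto& kv : t.sockets)
        if (kv.second.readable) batch.push_back(kv.first);
    std::vector<int> processed;
    for (int fd : batch) {
        if (t.sockets.find(fd) == t.sockets.end()) continue;  // already reaped
        process_fd(t, fd, background, processed);
    }
    return processed;
}

// Constructed scenario: fd 2 is readable and broken, so servicing it reaps
// itself and fd 4 mid-iteration; 3 and 6 are healthy and readable.
static socket_table make_scenario() {
    socket_table t;
    t.sockets[2] = {true, true};
    t.sockets[3] = {true, false};
    t.sockets[4] = {false, true};
    t.sockets[6] = {true, false};
    return t;
}

int main() {
    socket_table a = make_scenario(), b = make_scenario();
    std::vector<int> pa = process_by_key(a, true), pb = process_batch(b, true);
    std::printf("by-key: processed %zu fds, closed %zu; batch: processed %zu fds, closed %zu\n",
                pa.size(), a.closed.size(), pb.size(), b.closed.size());
    return 0;
}
```

Both patterns service fds 2, 3 and 6 and end with 2 and 4 closed, and neither ever dereferences or increments an iterator after a callback that may have erased it. The batch form is the simpler of the two to review, which is the point the v3 message makes: once the work list is a private snapshot, the library is free to mutate the live set however it likes.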