Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net: fix use-after-free in slab compaction #3019

Merged
merged 4 commits into from Oct 21, 2020
Merged

net: fix use-after-free in slab compaction #3019

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ce52b56
net: fix use-after-free in slab compaction
carllerche Oct 21, 2020
01b2c14
expand debug_assert
carllerche Oct 21, 2020
9a678ea
style
carllerche Oct 21, 2020
c871a0c
try fixing asan ci run
carllerche Oct 21, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Expand Up @@ -112,6 +112,21 @@ jobs:
- name: miri
run: cargo miri test --features rt,rt-multi-thread,sync task
working-directory: tokio
san:
name: san
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
toolchain: ${{ env.nightly }}
override: true
- name: asan
run: cargo +nightly test --all-features --target x86_64-unknown-linux-gnu --lib -- --test-threads 1
working-directory: tokio
env:
RUSTFLAGS: -Z sanitizer=address
ASAN_OPTIONS: detect_leaks=0

cross:
name: cross
Expand Down
43 changes: 42 additions & 1 deletion tokio/src/util/slab.rs
View file
Open in desktop
Expand Up @@ -272,7 +272,9 @@ impl<T> Slab<T> {
pub(crate) fn compact(&mut self) {
// Iterate each page except the very first one. The very first page is
// never freed.
for (idx, page) in (&self.pages[1..]).iter().enumerate() {
carllerche marked this conversation as resolved.
Show resolved Hide resolved
for (n, page) in (&self.pages[1..]).iter().enumerate() {
let idx = n + 1;

if page.used.load(Relaxed) != 0 || !page.allocated.load(Relaxed) {
// If the page has slots in use or the memory has not been
// allocated then it cannot be compacted.
Expand Down Expand Up @@ -302,6 +304,8 @@ impl<T> Slab<T> {
// Drop the lock so we can drop the vector outside the lock below.
drop(slots);

debug_assert!(self.cached[idx].slots.is_null() || self.cached[idx].slots == vec.as_ptr());

// Clear cache
self.cached[idx].slots = ptr::null();
self.cached[idx].init = 0;
Expand Down Expand Up @@ -791,4 +795,41 @@ mod test {
}
}
}

#[test]
fn issue_3014() {
let mut slab = Slab::<Foo>::new();
let alloc = slab.allocator();
let mut entries = vec![];

for _ in 0..5 {
entries.clear();

// Allocate a few pages + 1
for i in 0..(32 + 64 + 128 + 1) {
let (addr, val) = alloc.allocate().unwrap();
val.id.store(i, SeqCst);

entries.push((addr, val, i));
}

for (addr, val, i) in &entries {
assert_eq!(*i, val.id.load(SeqCst));
assert_eq!(*i, slab.get(*addr).unwrap().id.load(SeqCst));
}

// Release the last entry
entries.pop();

// Compact
slab.compact();

// Check all the addresses

for (addr, val, i) in &entries {
assert_eq!(*i, val.id.load(SeqCst));
assert_eq!(*i, slab.get(*addr).unwrap().id.load(SeqCst));
}
}
}
}