[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8954) LMDB double-commit double-free heap crash

To: openldap-its@OpenLDAP.org
Subject: (ITS#8954) LMDB double-commit double-free heap crash
From: robin.rowe@venturehollywood.com
Date: Sat, 05 Jan 2019 23:03:07 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Robin Rowe
Version: --branch OPENLDAP_REL_ENG_2_4
OS: Windows 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (23.242.20.216)


LMDB becomes unstable if we double-commit the same transaction. Caused by
freeing me_txn0 again after 2nd commit had previously free it. 

To experience this bug, add a second commit to sample-mdb.c about line 43,
deliberately cause a double-commit:

	sprintf(sval, "%03x %d foo bar", 32, 3141592);
	rc = mdb_put(txn, dbi, &key, &data, 0);
	rc = mdb_txn_commit(txn);
#ifndef HIDE_DOUBLE_FREE_BUG
	rc = mdb_txn_commit(txn);// 2nd commit destabilizes LMDB env
#endif
	if (rc) {

What's different after a double-commit...
mdb.c:3470 		rc = MDB_BAD_TXN; // Detected double-commit
mdb.c:3471		goto fail; // Jumps away into unsafe code path...

...Much later, at end of program:
	mdb_env_close(env); // Heap crash here, double-free!
	return 0;
}

Double-commit eventually crashes us with double-free in mdb_env_close here:

mdb.c:5076	free(env->me_dirty_list);
mdb.c:5076	free(env->me_txn0); // 2nd commit already freed 
                                    // txn pointed to by me_txn0!

Granted it is a user mistake to commit the same transaction twice. However,
because the crash won't happen until much later, when env is freed, any LMDB
users who make this mistake will be quite perplexed.

Will anyone fix this?

Robin

Prev by Date: Re: (ITS#8953) Windows lmdb warnings and a memory error
Next by Date: Re: (ITS#8954) LMDB double-commit double-free heap crash
Index(es):
- Chronological
- Thread