scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 02:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix data race between updating a route entry's tainted status and incoming requests - OSS (#21640)

Browse Source 
* Fix data race within route entry tainting with requests - OSS

 - There is a data race between a mount being mounted with incoming
   requests and checking the mount's tainted status.

* Add cl
This commit is contained in:
Steven Clark
2023-07-07 09:14:33 -04:00
committed by GitHub
parent 34d1d200ee
commit e83b9e2bde
2 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/21640.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
core: fix race when updating a mount's route entry tainted status and incoming requests
```

12
vault/router.go
View File

@@ -58,7 +58,7 @@ func NewRouter() *Router {
// routeEntry is used to represent a mount point in the router
type routeEntry struct {
tainted bool
tainted atomic.Bool
backend logical.Backend
mountEntry *MountEntry
storageView logical.Storage
@@ -125,7 +125,7 @@ func (entry *routeEntry) Deserialize() map[string]interface{} {
entry.l.RLock()
defer entry.l.RUnlock()
ret := map[string]interface{}{
"tainted": entry.tainted,
"tainted": entry.tainted.Load(),
"storage_prefix": entry.storagePrefix,
}
for k, v := range entry.mountEntry.Deserialize() {
@@ -189,12 +189,12 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount
// Create a mount entry
re := &routeEntry{
tainted: mountEntry.Tainted,
backend: backend,
mountEntry: mountEntry,
storagePrefix: storageView.Prefix(),
storageView: storageView,
}
re.tainted.Store(mountEntry.Tainted)
re.rootPaths.Store(pathsToRadix(paths.Root))
loginPathsEntry, err := parseUnauthenticatedPaths(paths.Unauthenticated)
if err != nil {
@@ -290,7 +290,7 @@ func (r *Router) Taint(ctx context.Context, path string) error {
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = true
raw.(*routeEntry).tainted.Store(true)
}
return nil
}
@@ -307,7 +307,7 @@ func (r *Router) Untaint(ctx context.Context, path string) error {
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = false
raw.(*routeEntry).tainted.Store(false)
}
return nil
}
@@ -605,7 +605,7 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc
// If the path is tainted, we reject any operation except for
// Rollback and Revoke
if re.tainted {
if re.tainted.Load() {
switch req.Operation {
case logical.RevokeOperation, logical.RollbackOperation:
default: