Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix data race between updating a route entry's tainted status and incoming requests - OSS #21640

Merged
merged 2 commits into from
Jul 7, 2023
Merged

Fix data race between updating a route entry's tainted status and incoming requests - OSS #21640

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f9b706e
Fix data race within route entry tainting with requests - OSS
stevendpclark Jul 6, 2023
c4e79a8
Add cl
stevendpclark Jul 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/21640.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
core: fix race when updating a mount's route entry tainted status and incoming requests
```
12 changes: 6 additions & 6 deletions vault/router.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ func NewRouter() *Router {

// routeEntry is used to represent a mount point in the router
type routeEntry struct {
tainted bool
tainted atomic.Bool
backend logical.Backend
mountEntry *MountEntry
storageView logical.Storage
Expand Down Expand Up @@ -125,7 +125,7 @@ func (entry *routeEntry) Deserialize() map[string]interface{} {
entry.l.RLock()
defer entry.l.RUnlock()
ret := map[string]interface{}{
"tainted": entry.tainted,
"tainted": entry.tainted.Load(),
"storage_prefix": entry.storagePrefix,
}
for k, v := range entry.mountEntry.Deserialize() {
Expand Down Expand Up @@ -189,12 +189,12 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount

// Create a mount entry
re := &routeEntry{
tainted: mountEntry.Tainted,
backend: backend,
mountEntry: mountEntry,
storagePrefix: storageView.Prefix(),
storageView: storageView,
}
re.tainted.Store(mountEntry.Tainted)
re.rootPaths.Store(pathsToRadix(paths.Root))
loginPathsEntry, err := parseUnauthenticatedPaths(paths.Unauthenticated)
if err != nil {
Expand Down Expand Up @@ -290,7 +290,7 @@ func (r *Router) Taint(ctx context.Context, path string) error {
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = true
raw.(*routeEntry).tainted.Store(true)
}
return nil
}
Expand All @@ -307,7 +307,7 @@ func (r *Router) Untaint(ctx context.Context, path string) error {
defer r.l.Unlock()
_, raw, ok := r.root.LongestPrefix(path)
if ok {
raw.(*routeEntry).tainted = false
raw.(*routeEntry).tainted.Store(false)
}
return nil
}
Expand Down Expand Up @@ -605,7 +605,7 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc

// If the path is tainted, we reject any operation except for
// Rollback and Revoke
if re.tainted {
if re.tainted.Load() {
switch req.Operation {
case logical.RevokeOperation, logical.RollbackOperation:
default:
Expand Down