From ae0bda77b34a4b9a85afe776a9db024ea332cb1c Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Mon, 13 Sep 2021 11:06:08 -0700
Subject: [PATCH] vault-agent: copy values retrieved from bolt (#12534)

Byte slices returned from Bolt are only valid during a transaction, so this makes a copy.
Co-authored-by: Tom Proctor
---
 changelog/12534.txt | 3 +++
 command/agent/cache/cacheboltdb/bolt.go | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 changelog/12534.txt
diff --git a/changelog/12534.txt b/changelog/12534.txt
new file mode 100644
index 000000000..d7c05f641
--- /dev/null
+++ b/changelog/12534.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Avoid possible `unexpected fault address` panic when using persistent cache.
+```
diff --git a/command/agent/cache/cacheboltdb/bolt.go b/command/agent/cache/cacheboltdb/bolt.go
index 69a438c18..0a39c9cc1 100644
--- a/command/agent/cache/cacheboltdb/bolt.go
+++ b/command/agent/cache/cacheboltdb/bolt.go
@@ -219,7 +219,11 @@ func (b *BoltStorage) GetAutoAuthToken(ctx context.Context) ([]byte, error) {
 if meta == nil {
 return fmt.Errorf("bucket %q not found", metaBucketName)
 }
- encryptedToken = meta.Get([]byte(AutoAuthToken))
+ value := meta.Get([]byte(AutoAuthToken))
+ if value != nil {
+ encryptedToken = make([]byte, len(value))
+ copy(encryptedToken, value)
+ }
 return nil
 })
 if err != nil {
@@ -247,7 +251,11 @@ func (b *BoltStorage) GetRetrievalToken() ([]byte, error) {
 if keyBucket == nil {
 return fmt.Errorf("bucket %q not found", metaBucketName)
 }
- token = keyBucket.Get([]byte(RetrievalTokenMaterial))
+ value := keyBucket.Get([]byte(RetrievalTokenMaterial))
+ if value != nil {
+ token = make([]byte, len(value))
+ copy(token, value)
+ }
 return nil
 })
 if err != nil {
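Review bot: The new copy in GetAutoAuthToken, and the identical one in GetRetrievalToken, carries no comment explaining why it exists, so a later cleanup could fold it back into a direct assignment from `Get` and reintroduce reads of memory that is only valid inside the transaction. I would put `// Bolt values are only valid during the transaction; copy before returning.` above `value := meta.Get([]byte(AutoAuthToken))` and above `value := keyBucket.Get([]byte(RetrievalTokenMaterial))`. Because both hunks repeat the same four lines, a small unexported helper holding that comment would keep the lifetime rule in one place. The diffstat shows no test file changed, so nothing here pins the behaviour. Both function bodies start and end outside the hunks, so whether other readers in bolt.go need the same copy cannot be judged from this patch.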