open-vault/builtin/logical/pki
Alexander Scheel 2b9a8c6c49
Fix race in tidy status with cert counting (#18899)

* Read total cert counts with atomic.LoadUint32(...)

When generating the tidy status, we read the values of two backend
atomics, b.certCount and b.revokedCertCount, without using the atomic
load operation. This resulted in a data race when the status was read
at the same time as an on-going tidy operation:

    WARNING: DATA RACE
    Write at 0x00c00c77680c by goroutine 90522:
      sync/atomic.AddInt32()
          /usr/local/go/src/runtime/race_amd64.s:281 +0xb
      sync/atomic.AddUint32()
          <autogenerated>:1 +0x1a
      github.com/hashicorp/vault/builtin/logical/pki.(*backend).tidyStatusIncRevokedCertCount()
          /home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:1236 +0x107
      github.com/hashicorp/vault/builtin/logical/pki.(*backend).doTidyRevocationStore()
          /home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:525 +0x1404
      github.com/hashicorp/vault/builtin/logical/pki.(*backend).startTidyOperation.func1.1()
          /home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:290 +0x1a4
      github.com/hashicorp/vault/builtin/logical/pki.(*backend).startTidyOperation.func1()
          /home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:342 +0x278

    Previous read at 0x00c00c77680c by goroutine 90528:
      reflect.Value.Uint()
          /usr/local/go/src/reflect/value.go:2584 +0x195
      encoding/json.uintEncoder()
          /usr/local/go/src/encoding/json/encode.go:562 +0x45
      encoding/json.ptrEncoder.encode()
          /usr/local/go/src/encoding/json/encode.go:944 +0x3c2
      encoding/json.ptrEncoder.encode-fm()
          <autogenerated>:1 +0x90
      encoding/json.(*encodeState).reflectValue()
          /usr/local/go/src/encoding/json/encode.go:359 +0x88
      encoding/json.interfaceEncoder()
          /usr/local/go/src/encoding/json/encode.go:715 +0x17b
      encoding/json.mapEncoder.encode()
          /usr/local/go/src/encoding/json/encode.go:813 +0x854
      ... more stack trace pointing into JSON encoding and http
      handler...

In particular, because the tidy status was directly reading the uint
value without resorting to the atomic side, the JSON serialization could
race with a later atomic update.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Also use atomic load in tests

Because no tidy operation is running here, it should be safe to read the
pointed value directly, but use the safer atomic.Load for consistency.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-30 14:13:40 -05:00
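
The race described in the commit message above, as an added Go example that is not code from the Vault repository: a status map that exposes the live counters to the JSON encoder, next to one that snapshots them with `atomic.LoadUint32`. The type, method and JSON key names are hypothetical, and the pointer-in-map shape of `statusRacy` is an assumption drawn from the `ptrEncoder` frame in the trace.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"sync/atomic"
)

// tidyCounters is a hypothetical stand-in for the backend's two counters.
type tidyCounters struct{ certCount, revokedCertCount uint32 }

func (c *tidyCounters) incRevoked() { atomic.AddUint32(&c.revokedCertCount, 1) }

// statusRacy hands the encoder pointers, so Marshal does a plain read later.
func (c *tidyCounters) statusRacy() map[string]interface{} {
	return map[string]interface{}{
		"cert_count":         &c.certCount,
		"revoked_cert_count": &c.revokedCertCount,
	}
}

// statusSafe snapshots both counters with atomic loads first.
func (c *tidyCounters) statusSafe() map[string]interface{} {
	return map[string]interface{}{
		"cert_count":         atomic.LoadUint32(&c.certCount),
		"revoked_cert_count": atomic.LoadUint32(&c.revokedCertCount),
	}
}

// runTidy bumps the counter n times while the caller serializes the status.
func runTidy(c *tidyCounters, n int) string {
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		for i := 0; i < n; i++ {
			c.incRevoked()
		}
	}()
	for i := 0; i < n; i++ {
		_, _ = json.Marshal(c.statusSafe()) // swap in statusRacy to trip -race
	}
	wg.Wait()
	out, _ := json.Marshal(c.statusSafe())
	return string(out)
}

func main() { fmt.Println(runTidy(&tidyCounters{}, 1000)) }
```

Built with `go run -race`, this version is clean; replacing the call inside the loop with `statusRacy` produces a report of the same shape as the one quoted in the commit message.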
cmd/pki Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
backend.go Allow unification of revocations on other clusters (#18873) 2023-01-27 16:34:04 +00:00
backend_test.go Fix race in tidy status with cert counting (#18899) 2023-01-30 14:13:40 -05:00
ca_test.go Add issuer reference info on JSON endpoint (#18482) 2022-12-19 21:39:01 +00:00
ca_util.go Vault 9406 enablement certs need userid handling in role (#18397) 2023-01-25 13:13:54 -05:00
cert_util.go Vault 9406 enablement certs need userid handling in role (#18397) 2023-01-25 13:13:54 -05:00
cert_util_test.go Refactor PKI to use shared storage context (#18266) 2022-12-08 09:27:02 -05:00
chain_test.go Add t.Helper() to various PKI test helper methods (#18881) 2023-01-27 17:29:11 +00:00
chain_util.go PKI - Fix order of chain building writes (#17772) 2022-11-03 11:50:03 -04:00
config_util.go Refactor CRL Building for unified CRLs (#18754) 2023-01-18 15:05:14 -05:00
crl_test.go Refactor CRL Building for unified CRLs (#18754) 2023-01-18 15:05:14 -05:00
crl_util.go Allow unification of revocations on other clusters (#18873) 2023-01-27 16:34:04 +00:00
fields.go Add tidy of cross-cluster revoked storage (#18860) 2023-01-26 13:30:57 -05:00
integration_test.go Respond with data to all writes in PKI engine (#18222) 2022-12-05 10:40:39 -05:00
key_util.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
managed_key_util.go secret/pki: Return correct algorithm type from key fetch API for managed keys (#15468) 2022-05-17 11:36:14 -04:00
ocsp.go Add unified storage support to OCSP handler (#18788) 2023-01-23 15:49:07 +00:00
ocsp_test.go Add t.Helper() to various PKI test helper methods (#18881) 2023-01-27 17:29:11 +00:00
path_config_ca.go Move from %v->%w for errs (#17860) 2022-11-09 15:40:26 -05:00
path_config_cluster.go Add cluster_aia_path templating variable (#18493) 2023-01-10 09:51:37 -05:00
path_config_crl.go Unified revocation migration code (#18866) 2023-01-27 15:49:20 +00:00
path_config_urls.go Add cluster_aia_path templating variable (#18493) 2023-01-10 09:51:37 -05:00
path_fetch.go Add unified crl building (#18792) 2023-01-23 19:17:34 +00:00
path_fetch_issuers.go Add unified crl building (#18792) 2023-01-23 19:17:34 +00:00
path_fetch_keys.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
path_intermediate.go PKI: Add support for signature_bits param to the intermediate/generate api (#17388) 2022-10-03 12:39:54 -04:00
path_issue_sign.go Vault 9406 enablement certs need userid handling in role (#18397) 2023-01-25 13:13:54 -05:00
path_manage_issuers.go Refactor PKI to use shared storage context (#18266) 2022-12-08 09:27:02 -05:00
path_manage_keys.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
path_manage_keys_test.go Move pki docker tests to pkiext (#17928) 2022-11-14 18:26:26 -05:00
path_resign_crls.go New PKI API to generate and sign a CRL based on input data (#18040) 2022-11-22 11:41:04 -05:00
path_resign_crls_test.go Add t.Helper() to various PKI test helper methods (#18881) 2023-01-27 17:29:11 +00:00
path_revoke.go Return a detailed list response for unified-revoked API endpoint (#18862) 2023-01-26 19:12:35 +00:00
path_roles.go Vault 9406 enablement certs need userid handling in role (#18397) 2023-01-25 13:13:54 -05:00
path_roles_test.go Move pki docker tests to pkiext (#17928) 2022-11-14 18:26:26 -05:00
path_root.go Allow tidy to backup legacy CA bundles (#18645) 2023-01-11 12:12:53 -05:00
path_sign_issuers.go Add PSS support to PKI Secrets Engine (#16519) 2022-08-03 12:42:24 -04:00
path_tidy.go Fix race in tidy status with cert counting (#18899) 2023-01-30 14:13:40 -05:00
path_tidy_test.go Add cross-cluster revocation queues for PKI (#18784) 2023-01-23 09:29:27 -05:00
periodic.go Unified revocation migration code (#18866) 2023-01-27 15:49:20 +00:00
secret_certs.go Add support for revoke by serial number to update the unified CRL (#18786) 2023-01-23 10:22:10 -05:00
storage.go Unified revocation migration code (#18866) 2023-01-27 15:49:20 +00:00
storage_migrations.go PKI - Fix order of chain building writes (#17772) 2022-11-03 11:50:03 -04:00
storage_migrations_test.go Add t.Helper() to various PKI test helper methods (#18881) 2023-01-27 17:29:11 +00:00
storage_test.go Move pki docker tests to pkiext (#17928) 2022-11-14 18:26:26 -05:00
storage_unified.go Return a detailed list response for unified-revoked API endpoint (#18862) 2023-01-26 19:12:35 +00:00
test_helpers.go Add t.Helper() to various PKI test helper methods (#18881) 2023-01-27 17:29:11 +00:00
util.go Unified revocation migration code (#18866) 2023-01-27 15:49:20 +00:00