You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by wz...@apache.org on 2023/12/22 21:56:54 UTC
(impala) 01/02: IMPALA-12661: Fix ASAN heap-use-after-free in IcebergMetadataScanNode
This is an automated email from the ASF dual-hosted git repository.
wzhou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 9fd1c81845e7d84ed6b9a903aa6ebe37a8abd254
Author: Tamas Mate <tm...@apache.org>
AuthorDate: Thu Dec 21 19:07:09 2023 +0100
IMPALA-12661: Fix ASAN heap-use-after-free in IcebergMetadataScanNode
The ASAN builds detected that the IcebergMetadataScanNode uses heap
allocated memory after it has been freed.
In CreateFieldAccessors() method, during tree traversal, the
current_type variable is reassigned to its children which is part of
of the object. However, by the end of the assignment the rhs object will
be destroyed. To fix this issue, the variable was replaced with a pointer.
Testing:
- Ran tests on ASAN build
Change-Id: I6df9c9cb6914a0c6c93b61aa0dd02acfdba68851
Reviewed-on: http://gerrit.cloudera.org:8080/20829
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc b/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc
index f7f5c9a6d..d779992fb 100644
--- a/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc
+++ b/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc
@@ -104,12 +104,12 @@ Status IcebergMetadataScanNode::CreateFieldAccessors() {
// STRUCT node that stores the primitive type. Because, that struct node has the
// field id list of its childs.
int root_type_index = slot_desc->col_path()[0];
- ColumnType current_type =
- tuple_desc_->table_desc()->col_descs()[root_type_index].type();
+ ColumnType* current_type = &const_cast<ColumnType&>(
+ tuple_desc_->table_desc()->col_descs()[root_type_index].type());
for (int i = 1; i < slot_desc->col_path().size() - 1; ++i) {
- current_type = current_type.children[slot_desc->col_path()[i]];
+ current_type = ¤t_type->children[slot_desc->col_path()[i]];
}
- int field_id = current_type.field_ids[slot_desc->col_path().back()];
+ int field_id = current_type->field_ids[slot_desc->col_path().back()];
RETURN_IF_ERROR(AddAccessorForFieldId(env, field_id, slot_desc->id()));
} else {
// For primitives in the top level tuple, use the ColumnDescriptor