common/ceph_timer: Pass reference to waited time on stack

std::condition_variable::wait_until takes a const reference to a
time_point. It may access this reference after relinquishing the
mutex, creating a potential use-after-free error if the first event is
shut down.

So, just copy the time onto the stack, so we have a reference that
won't disappear.

https://tracker.ceph.com/issues/44373

Signed-off-by: Adam C. Emerson <aemerson@redhat.com>

diff --git a/src/common/ceph_timer.h b/src/common/ceph_timer.h
index d5c0d60f37e5dd0e040624da3870e3289f685862..d12cc19933ae92167f770f530916027c9c474990 100644 (file)
--- a/src/common/ceph_timer.h
+++ b/src/common/ceph_timer.h
@@ -130,10 +130,15 @@ class timer {
 
       if (suspended)
        break;
-      if (schedule.empty())
+      if (schedule.empty()) {
        cond.wait(l);
-      else
-       cond.wait_until(l, schedule.begin()->t);
+      } else {
+       // Since wait_until takes its parameter by reference, passing
+       // the time /in the event/ is unsafe, as it might be canceled
+       // while we wait.
+       const auto t = schedule.begin()->t;
+       cond.wait_until(l, t);
+      }
     }
   }