From 1ab0a8cb726cb730954294423acec887b92fa5b0 Mon Sep 17 00:00:00 2001
From: Kefu Chai <k.chai@proxmox.com>
Date: Tue, 13 Jan 2026 09:19:17 +0800
Subject: [PATCH] common/options: fix heap-use-after-free by using
 never-destroyed static

The config schema map was using string_view keys that pointed to the
name field of Option objects stored in the global ceph_options vector.
When the vector is destroyed during program exit, the Option objects
are freed, but background threads (like BlueStore::MempoolThread) may
still be accessing config options, causing use-after-free.

ASan reported:
  READ of size 19 at 0x503000047c80 thread T411
    #12 md_config_t::find_option(std::string_view) const config.cc:261
    #17 BlueStore::MempoolThread::entry() BlueStore.cc:5591

  0x503000047c80 is located 0 bytes inside of 20-byte region
  freed by thread T0 here:
    #7 Option::~Option() options.h:15
    #13 std::vector<Option>::~vector() stl_vector.h:730
    #14 __run_exit_handlers stdlib/exit.c:113

  previously allocated by thread T0 here:
    #7 Option::Option(Option const&) options.h:15
    #18 build_options() build_options.cc:44

Fix by converting ceph_options from a global variable to a function
get_ceph_options() that returns a reference to a static pointer that
is never destroyed. This ensures the Option objects remain valid for
the lifetime of the program, even during exit when background threads
may still be accessing them.

This preserves the memory efficiency of using string_view keys in the
schema map while fixing the lifetime issue.

Signed-off-by: Kefu Chai <k.chai@proxmox.com>
---
 src/common/ceph_context.cc        | 2 +-
 src/common/config.cc              | 2 +-
 src/common/options.cc             | 7 ++++++-
 src/common/options.h              | 2 +-
 src/crimson/admin/admin_socket.cc | 2 +-
 src/mon/ConfigMonitor.cc          | 2 +-
 6 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/common/ceph_context.cc b/src/common/ceph_context.cc
index afd22f865437e..5bb0b4678b763 100644
--- a/src/common/ceph_context.cc
+++ b/src/common/ceph_context.cc
@@ -658,7 +658,7 @@ int CephContext::_do_command(
       } else {
         // Output all
         f->open_array_section("options");
-        for (const auto &option : ceph_options) {
+        for (const auto &option : get_ceph_options()) {
           f->dump_object("option", option);
         }
         f->close_section();
diff --git a/src/common/config.cc b/src/common/config.cc
index f320fbd1cbccb..52071dbbe1902 100644
--- a/src/common/config.cc
+++ b/src/common/config.cc
@@ -137,7 +137,7 @@ md_config_t::md_config_t(ConfigValues& values,
 {
   // Load the compile-time list of Option into
   // a map so that we can resolve keys quickly.
-  for (const auto &i : ceph_options) {
+  for (const auto &i : get_ceph_options()) {
     if (schema.count(i.name)) {
       // We may be instantiated pre-logging so send 
       std::cerr << "Duplicate config key in schema: '" << i.name << "'"
diff --git a/src/common/options.cc b/src/common/options.cc
index bbac26e261cd8..28e4941af4ed8 100644
--- a/src/common/options.cc
+++ b/src/common/options.cc
@@ -338,4 +338,9 @@ void Option::print(ostream *out) const
   }
 }
 
-const std::vector<Option> ceph_options = build_options();
+const std::vector<Option>& get_ceph_options() {
+  // Use a static pointer that's never destroyed to avoid use-after-free
+  // when background threads access options during program exit
+  static const std::vector<Option>* options = new std::vector<Option>(build_options());
+  return *options;
+}
diff --git a/src/common/options.h b/src/common/options.h
index f99433464bcdb..c29d2e029fb4a 100644
--- a/src/common/options.h
+++ b/src/common/options.h
@@ -434,4 +434,4 @@ constexpr unsigned long long operator""_T (unsigned long long n) {
   return n << 40;
 }
 
-extern const std::vector<Option> ceph_options;
+const std::vector<Option>& get_ceph_options();
diff --git a/src/crimson/admin/admin_socket.cc b/src/crimson/admin/admin_socket.cc
index 5a676d9214c10..9db62af2bdf4d 100644
--- a/src/crimson/admin/admin_socket.cc
+++ b/src/crimson/admin/admin_socket.cc
@@ -574,7 +574,7 @@ public:
     unique_ptr<Formatter> f{Formatter::create(format, "json-pretty", "json-pretty")};
     // Output all
     f->open_array_section("options");
-    for (const auto &option : ceph_options) {
+    for (const auto &option : get_ceph_options()) {
       f->dump_object("option", option);
     }
     f->close_section();
diff --git a/src/mon/ConfigMonitor.cc b/src/mon/ConfigMonitor.cc
index 7abd0c6818e9a..9b1f6a8aab5af 100644
--- a/src/mon/ConfigMonitor.cc
+++ b/src/mon/ConfigMonitor.cc
@@ -219,7 +219,7 @@ bool ConfigMonitor::preprocess_command(MonOpRequestRef op)
     if (f) {
       f->open_array_section("options");
     }
-    for (auto& i : ceph_options) {
+    for (auto& i : get_ceph_options()) {
       if (f) {
 	f->dump_string("option", i.name);
       } else {
-- 
2.47.3