fix: opensrv Use After Free update (#4732)

* chore: version skew * fix: even more version skew * feat: use `ring` instead of `aws-lc` for remove nasm assembler on windows * feat: use `ring` for pgwire * feat: change to use `aws-lc-sys` on windows instead * feat: change back to use `ring` * chore: provide CryptoProvider * feat: use upstream repo * feat: install ring crypto lib in main * chore: use same fn to install in tests * feat: make pgwire use `ring`
GreptimeTeam · Sep 19, 2024 · d1e0602 · d1e0602
1 parent befb6d8
commit d1e0602
Show file tree

Hide file tree

Showing 9 changed files with 122 additions and 38 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -99,7 +99,7 @@ base64 = "0.21"
 bigdecimal = "0.4.2"
 bitflags = "2.4.1"
 bytemuck = "1.12"
-bytes = { version = "1.5", features = ["serde"] }
+bytes = { version = "1.7", features = ["serde"] }
 chrono = { version = "0.4", features = ["serde"] }
 clap = { version = "4.4", features = ["derive"] }
 config = "0.13.0"

diff --git a/src/cmd/src/bin/greptime.rs b/src/cmd/src/bin/greptime.rs
@@ -15,10 +15,11 @@
 #![doc = include_str!("../../../../README.md")]
 
 use clap::{Parser, Subcommand};
-use cmd::error::Result;
+use cmd::error::{InitTlsProviderSnafu, Result};
 use cmd::options::GlobalOptions;
 use cmd::{cli, datanode, flownode, frontend, metasrv, standalone, App};
 use common_version::version;
+use servers::install_ring_crypto_provider;
 
 #[derive(Parser)]
 #[command(name = "greptime", author, version, long_version = version(), about)]
@@ -94,6 +95,7 @@ async fn main() -> Result<()> {
 
 async fn main_body() -> Result<()> {
     setup_human_panic();
+    install_ring_crypto_provider().map_err(|msg| InitTlsProviderSnafu { msg }.build())?;
     start(Command::parse()).await
 }
 

diff --git a/src/cmd/src/error.rs b/src/cmd/src/error.rs
@@ -24,6 +24,12 @@ use snafu::{Location, Snafu};
 #[snafu(visibility(pub))]
 #[stack_trace_debug]
 pub enum Error {
+    #[snafu(display("Failed to install ring crypto provider: {}", msg))]
+    InitTlsProvider {
+        #[snafu(implicit)]
+        location: Location,
+        msg: String,
+    },
     #[snafu(display("Failed to create default catalog and schema"))]
     InitMetadata {
         #[snafu(implicit)]
@@ -369,9 +375,10 @@ impl ErrorExt for Error {
             }
             Error::SubstraitEncodeLogicalPlan { source, .. } => source.status_code(),
 
-            Error::SerdeJson { .. } | Error::FileIo { .. } | Error::SpawnThread { .. } => {
-                StatusCode::Unexpected
-            }
+            Error::SerdeJson { .. }
+            | Error::FileIo { .. }
+            | Error::SpawnThread { .. }
+            | Error::InitTlsProvider { .. } => StatusCode::Unexpected,
 
             Error::Other { source, .. } => source.status_code(),
 

diff --git a/src/servers/Cargo.toml b/src/servers/Cargo.toml
@@ -65,10 +65,12 @@ notify.workspace = true
 object-pool = "0.5"
 once_cell.workspace = true
 openmetrics-parser = "0.4"
-opensrv-mysql = "0.7.0"
+# use crates.io version after current revision is merged in next release
+# opensrv-mysql = "0.7.0"
+opensrv-mysql = { git = "https://github.com/datafuselabs/opensrv", rev = "6bbc3b65e6b19212c4f7fc4f40c20daf6f452deb" }
 opentelemetry-proto.workspace = true
 parking_lot = "0.12"
-pgwire = "0.20"
+pgwire = { version = "0.22", default-features = false, features = ["server-api-ring"] }
 pin-project = "1.0"
 pipeline.workspace = true
 postgres-types = { version = "0.2", features = ["with-chrono-0_4", "with-serde_json-1"] }
@@ -85,7 +87,7 @@ rand.workspace = true
 regex.workspace = true
 reqwest.workspace = true
 rust-embed = { version = "6.6", features = ["debug-embed"] }
-rustls = "0.22"
+rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
 rustls-pemfile = "2.0"
 rustls-pki-types = "1.0"
 schemars.workspace = true
@@ -98,7 +100,7 @@ sql.workspace = true
 strum.workspace = true
 table.workspace = true
 tokio.workspace = true
-tokio-rustls = "0.25"
+tokio-rustls = "0.26"
 tokio-stream = { workspace = true, features = ["net"] }
 tokio-util.workspace = true
 tonic.workspace = true
@@ -130,12 +132,17 @@ session = { workspace = true, features = ["testing"] }
 table.workspace = true
 tempfile = "3.0.0"
 tokio-postgres = "0.7"
-tokio-postgres-rustls = "0.11"
+tokio-postgres-rustls = "0.12"
 tokio-test = "0.4"
 
 [target.'cfg(not(windows))'.dev-dependencies]
 pprof = { version = "0.13", features = ["criterion", "flamegraph"] }
 
+[target.'cfg(windows)'.dependencies]
+aws-lc-sys = { version = "0.21.0", features = [
+    "prebuilt-nasm",
+] } # use prebuilt nasm on windows per https://github.com/aws/aws-lc-rs/blob/main/aws-lc-sys/README.md#use-of-prebuilt-nasm-objects
+
 [build-dependencies]
 common-version.workspace = true