From c7c92db43b63be0599a076590f012ed35d279a47 Mon Sep 17 00:00:00 2001 From: Ran Shidlansik Date: Wed, 6 May 2026 01:47:16 +0300 Subject: [PATCH] Delay full sync during yielding Lua scripts to prevent use-after-free (CVE-2026-23631) (#3625) During a full sync, the functions/scripting engine is freed right before loading the RDB from the primary. If a Lua script is still running and yielding via the long-command mechanism at that moment, the freed engine can be accessed when the script resumes, causing a use-after-free. Add a guard at the top of replicaReceiveRDBFromPrimaryToMemory() to check isInsideYieldingLongCommand() and return early, deferring the sync processing until the script completes. No validating test was added because the vulnerability is a race condition between a yielding Lua script and a replication event handler, which cannot be reliably triggered in a deterministic Tcl test. Signed-off-by: ikolomi Co-authored-by: ikolomi --- src/replication.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/replication.c b/src/replication.c index 9c8c56d44..23cc04372 100644 --- a/src/replication.c +++ b/src/replication.c @@ -2615,6 +2615,11 @@ int replicaLoadPrimaryRDBFromDisk(rdbSaveInfo *rsi) { /* Asynchronously read the SYNC payload we receive from a primary, parse it, * and load it directly to memory without going through the disk */ void replicaReceiveRDBFromPrimaryToMemory(connection *conn) { + /* During full sync, the functions engine is freed right before loading + * the RDB. To avoid this happening while a function is still running, + * delay full sync processing until it finishes. */ + if (isInsideYieldingLongCommand()) return; + char buf[PROTO_IOBUF_LEN]; int ret; rdbSaveInfo rsi = RDB_SAVE_INFO_INIT;
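Review bot: the guard at the top of replicaReceiveRDBFromPrimaryToMemory() returns without consuming any of the pending payload, so the fix relies on the connection's read handler staying installed and being re-invoked by the event loop once the yielding script has finished; the in-code comment should say so explicitly ("return and let the read handler fire again after the script completes"), because a reader seeing a bare `if (isInsideYieldingLongCommand()) return;` cannot tell whether the sync is deferred or silently dropped. Two follow-ups are worth stating in the comment or commit message as well: first, the context line immediately above the hunk shows replicaLoadPrimaryRDBFromDisk(), and since the commit message says the engine is freed "right before loading the RDB from the primary" without restricting that to the in-memory path, either that disk-based path needs the same check or the message should explain why it does not; second, a script that yields for longer than the replication timeout will now cause the primary to see an unresponsive replica and drop the link, which is the intended trade-off (a restarted full sync instead of a use-after-free) but should be written down. Minor wording: the comment says "functions engine" while the commit message describes the "functions/scripting engine" and a Lua script; using one term in both places avoids suggesting only FUNCTION calls are affected.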