Skip to content

Fix search app buffer use-after-free (#143134)#143297

Merged
ebarlas merged 1 commit intoelastic:9.2from
ebarlas:backport/9.2/pr-143134
Mar 2, 2026
Merged

Fix search app buffer use-after-free (#143134)#143297
ebarlas merged 1 commit intoelastic:9.2from
ebarlas:backport/9.2/pr-143134

Conversation

@ebarlas
Copy link
Copy Markdown
Contributor

@ebarlas ebarlas commented Feb 27, 2026

This is a backport of the following commits from main to 9.2: 755e020

@ebarlas
Fix search app buffer use-after-free (elastic#143134)
a00c527 
updateSearchApplication released a ReleasableBytesStreamOutput in
a try-with-resources block while an async client.index() call
still held a BytesReference view of its pages.

The bug was latent until elastic#142451 switched the default buffer size
to PAGE_SIZE_IN_BYTES, causing BigArrays to recycle pages instead
of plain byte arrays. Freed pages were immediately reused,
corrupting the IndexRequest source on replica nodes.

Bind buffer release to the async listener via ActionListener.run
and flush instead of close, matching AsyncTaskIndexService.
@elasticsearchmachine elasticsearchmachine added v9.2.7 needs:triage Requires assignment of a team area label labels Feb 27, 2026
@ebarlas ebarlas added :Security/Security Security issues without another label backport Team:Security Meta label for security team and removed needs:triage Requires assignment of a team area label labels Feb 27, 2026
@ebarlas ebarlas self-assigned this Feb 28, 2026
@ebarlas ebarlas requested a review from DaveCTurner February 28, 2026 00:57
DaveCTurner
DaveCTurner approved these changes Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@DaveCTurner DaveCTurner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ebarlas ebarlas merged commit 4cb7af5 into elastic:9.2 Mar 2, 2026
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DaveCTurner DaveCTurner DaveCTurner approved these changes

Assignees

@ebarlas ebarlas

Labels

backport :Security/Security Security issues without another label Team:Security Meta label for security team v9.2.7

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ebarlas @DaveCTurner @elasticsearchmachine