Fix a use-after-free in client reset when the original RealmCoordinator is gone

CHANGELOG.md

@@ -8,6 +8,7 @@
 ### Fixed
 * <How do the end-user experience this issue? what was the impact?> ([#????](https://github.com/realm/realm-core/issues/????), since v?.?.?)
 * CompensatingWriteErrorInfo reported string primary keys as boolean values instead ([PR #5938](https://github.com/realm/realm-core/pull/5938), since the introduction of CompensatingWriteErrorInfo in 12.1.0).
+* Fix a use-after-free if the last external reference to an encrypted Realm was closed between when a client reset error was received and when the download of the new Realm began. ([PR #5949](https://github.com/realm/realm-core/pull/5949), since 12.4.0).
 
 ### Breaking changes
 * Rename RealmConfig::automatic_handle_backlicks_in_migrations to RealmConfig::automatically_handle_backlinks_in_migrations ([PR #5897](https://github.com/realm/realm-core/pull/5897)).

src/realm/db.cpp

@@ -904,7 +904,7 @@ void DB::open(const std::string& path, bool no_create_file, const DBOptions opti
             // close previously, but wasn't (perhaps due to the process crashing)
             cfg.clear_file = (options.durability == Durability::MemOnly && begin_new_session);
 
-            cfg.encryption_key = m_key;
+            cfg.encryption_key = options.encryption_key;
             ref_type top_ref;
             try {
                 top_ref = alloc.attach_file(path, cfg); // Throws
@@ -1048,7 +1048,7 @@ void DB::open(const std::string& path, bool no_create_file, const DBOptions opti
                                                     path);
                 }
 
-                if (m_key) {
+                if (options.encryption_key) {
 #ifdef _WIN32
                     uint64_t pid = GetCurrentProcessId();
 #else
@@ -1099,7 +1099,7 @@ void DB::open(const std::string& path, bool no_create_file, const DBOptions opti
                 uint64_t pid = getpid();
 #endif
 
-                if (m_key && info->session_initiator_pid != pid) {
+                if (options.encryption_key && info->session_initiator_pid != pid) {
                     std::stringstream ss;
                     ss << path << ": Encrypted interprocess sharing is currently unsupported."
                        << "DB has been opened by pid: " << info->session_initiator_pid << ". Current pid is " << pid
@@ -1280,7 +1280,7 @@ bool DB::compact(bool bump_version_number, util::Optional<const char*> output_en
     }
     SharedInfo* info = m_file_map.get_addr();
     Durability dura = Durability(info->durability);
-    const char* write_key = bool(output_encryption_key) ? *output_encryption_key : m_key;
+    const char* write_key = bool(output_encryption_key) ? *output_encryption_key : get_encryption_key();
     {
         std::unique_lock<InterprocessMutex> lock(m_controlmutex); // Throws
 
@@ -2500,8 +2500,7 @@ void DB::async_request_write_mutex(TransactionRef& tr, util::UniqueFunction<void
 }
 
 inline DB::DB(const DBOptions& options)
-    : m_key(options.encryption_key)
-    , m_upgrade_callback(std::move(options.upgrade_callback))
+    : m_upgrade_callback(std::move(options.upgrade_callback))
 {
     if (options.enable_async_writes) {
         m_commit_helper = std::make_unique<AsyncCommitHelper>(this);

src/realm/db.hpp

@@ -172,7 +172,7 @@ class DB : public std::enable_shared_from_this<DB> {
 
     const char* get_encryption_key() const noexcept
     {
-        return m_key;
+        return m_alloc.m_file.get_encryption_key();
     }
 
 #ifdef REALM_DEBUG
@@ -461,7 +461,6 @@ class DB : public std::enable_shared_from_this<DB> {
     std::string m_lockfile_prefix;
     std::string m_db_path;
     std::string m_coordination_dir;
-    const char* m_key;
     int m_file_format_version = 0;
     util::InterprocessMutex m_writemutex;
     std::unique_ptr<ReadLockInfo> m_fake_read_lock_if_immutable;

src/realm/object-store/sync/sync_session.cpp

@@ -335,10 +335,18 @@ void SyncSession::download_fresh_realm(sync::ProtocolErrorInfo::Action server_re
                 server_requests_action);
         }
     }
+
+    std::vector<char> encryption_key;
+    {
+        util::CheckedLockGuard lock(m_config_mutex);
+        encryption_key = m_config.encryption_key;
+    }
+
     DBOptions options;
-    options.encryption_key = m_db->get_encryption_key();
     options.allow_file_format_upgrade = false;
     options.enable_async_writes = false;
+    if (!encryption_key.empty())
+        options.encryption_key = encryption_key.data();
 
     std::shared_ptr<DB> db;
     auto fresh_path = ClientResetOperation::get_fresh_path_for(m_db->get_path());