emsmdb: fix use-after-free in ~LOGON_ITEM

LOGON_ITEM::root is going away first, and with it, any information on
node order. Then, as phash.~unordered_map runs, it processes
object_nodes in arbitrary order, freeing a logon_object before a
message_object, but note how ~message_object still wants to use the
logon object.

```
==579226==ERROR: AddressSanitizer: heap-use-after-free on address
0x7d3fa4210ad4 at pc 0x7fcfa5b1a037 bp 0x7ffdf9f81600 sp 0x7ffdf9f815f8
READ of size 1 at 0x7d3fa4210ad4 thread T0
    f0 0x7fcfa5b1a036 in gromox::exmdb_client_is_local(char const*, long*) lib/exmdb_client.cpp:438
    f1 0x7fcfa8cf86ad in exmdb_client_local::unload_instance(char const*, unsigned int) exch/exmdb/rpc.cpp:991
    f2 0x7fcfaabd0c57 in message_object::~message_object() exch/emsmdb/message_object.cpp:183
    f3 0x7fcfaae2a22a in object_node::clear() exch/emsmdb/rop_processor.cpp:89
    f4 0x7fcfaac05e6e in object_node::~object_node() exch/emsmdb/rop_processor.hpp:35
    …
    f20 0x7fcfaaae8b06 in LOGON_ITEM::~LOGON_ITEM() exch/emsmdb/rop_processor.hpp:20
    f21 0x7fcfaaae8b54 in std::default_delete<LOGON_ITEM>::operator()(LOGON_ITEM*) const /usr/include/c++/15/bits/unique_ptr.h:93
    f22 0x7fcfaaae703d in std::unique_ptr<LOGON_ITEM>::~unique_ptr() /usr/include/c++/15/bits/unique_ptr.h:399
    f23 0x7fcfaaae5b78 in LOGMAP::~LOGMAP() exch/emsmdb/rop_processor.hpp:25
    f24 0x7fcfaaae6287 in emsmdb_info::~emsmdb_info() exch/emsmdb/emsmdb_interface.hpp:17
    f25 0x7fcfaaab19c0 in ~HANDLE_DATA exch/emsmdb/emsmdb_interface.cpp:306
    …
    f32 0x7fcfaaac64af in clear /usr/include/c++/15/bits/unordered_map.h:862
    f33 0x7fcfaaab47b7 in emsmdb_interface_stop() exch/emsmdb/emsmdb_interface.cpp:461

0x7d3fa4210ad4 is located 340 bytes inside of 760-byte region [0x7d3fa4210980,0x7d3fa4210c78)
freed by thread T0 here:
    f0 operator delete(void*, unsigned long) (/lib64/libasan.so.8+0x12382b)
    f1 object_node::clear() exch/emsmdb/rop_processor.cpp:82
    f2 object_node::~object_node() exch/emsmdb/rop_processor.hpp:35
    …
    f26 std::unordered_map<unsigned int, std::shared_ptr<object_node>, std::hash<unsigned int>, std::equal_to<unsigned int>, std::allocator<std::pair<unsigned int const, std::shared_ptr<object_node> > > >::~unordered_map() /usr/include/c++/15/bits/unordered_map.h:112
    f27 LOGON_ITEM::~LOGON_ITEM() exch/emsmdb/rop_processor.hpp:20
    f28 std::default_delete<LOGON_ITEM>::operator()(LOGON_ITEM*) const /usr/include/c++/15/bits/unique_ptr.h:93
    f29 std::unique_ptr<LOGON_ITEM, std::default_delete<LOGON_ITEM> >::~unique_ptr() /usr/include/c++/15/bits/unique_ptr.h:399
    f30 LOGMAP::~LOGMAP() exch/emsmdb/rop_processor.hpp:25
    f31 emsmdb_info::~emsmdb_info() exch/emsmdb/emsmdb_interface.hpp:17
    f32 ~HANDLE_DATA exch/emsmdb/emsmdb_interface.cpp:306
```

We could reorder LOGON_ITEM members, but if `root` is the last holder
of shared_ptr references, there may be a deep call chain for cleanup,
which is probably why phash was first. Add back an explicit
pre-destructor.

Fixes: gromox-1.28-104-g2917d2657

Author: jengelh

exch/emsmdb/message_object.cpp

@@ -179,9 +179,11 @@ message_object::~message_object()
 {
 	auto pmessage = this;
 
-	if (pmessage->instance_id != 0)
+	if (pmessage->instance_id != 0) {
+		fprintf(stderr, "MO %p references logon %p\n", this, plogon);
 		exmdb_client->unload_instance(pmessage->plogon->get_dir(),
 			pmessage->instance_id);
+	}
 	if (pmessage->precipient_columns != nullptr)
 		proptag_array_free(pmessage->precipient_columns);
 	if (pmessage->pchanged_proptags != nullptr)

exch/emsmdb/message_object.hpp

@@ -14,6 +14,11 @@ struct ics_state;
 struct logon_object;
 struct stream_object;
 
+/**
+ * @plogon: the logon ought to be pinned because object_node<message_object>
+ *          has a shared ptr to the parent (which in turn does, ... so
+ *          the root is held)
+ */
 struct message_object {
 	protected:
 	message_object() = default;

exch/emsmdb/rop_processor.cpp

@@ -79,13 +79,16 @@ void object_node::clear() noexcept
 			if (ref != g_logon_hash.end() && --ref->second == 0)
 				g_logon_hash.erase(ref);
 		}
+		fprintf(stderr, "~object_node(%p, parent=%p) deleting inner logon %p\n", this, parent.get(), logon);
 		delete logon;
 		break;
 	}
 	case ems_objtype::folder:
+		fprintf(stderr, "~object_node(%p, parent=%p) deleting inner folder %p\n", this, parent.get(), pobject);
 		delete static_cast<folder_object *>(pobject);
 		break;
 	case ems_objtype::message:
+		fprintf(stderr, "~object_node(%p, parent=%p) deleting inner message %p\n", this, parent.get(), pobject);
 		delete static_cast<message_object *>(pobject);
 		break;
 	case ems_objtype::attach:
@@ -239,6 +242,8 @@ int32_t rop_processor_add_object_handle(LOGMAP *plogmap, uint8_t logon_id,
 		plogitem->root = pobjnode;
 	else if (g_emsmdb_full_parenting || object_dep(parent->type, pobjnode->type))
 		pobjnode->parent = std::move(parent);
+	fprintf(stderr, "AOH(inner=%p objnode=%p parentnode=%p)\n",
+		pobjnode->pobject, pobjnode.get(), pobjnode->parent.get());
 	if (pobjnode->type == ems_objtype::icsupctx) {
 		auto pemsmdb_info = emsmdb_interface_get_emsmdb_info();
 		pemsmdb_info->upctx_ref ++;

exch/emsmdb/rop_processor.hpp

@@ -38,8 +38,8 @@ struct object_node {
 
 	uint32_t handle = 0;
 	ems_objtype type = ems_objtype::none;
-	void *pobject = nullptr;
 	std::shared_ptr<object_node> parent;
+	void *pobject = nullptr;
 };
 
 extern void rop_processor_init(int scan_interval);