From 551414a257ea13d11325003fe83ac6ddd1c42b16 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 10 Sep 2021 17:38:11 -0700
Subject: [PATCH 1/4] vault-agent: copy values retrieved from bolt

Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.
---
 command/agent/cache/cacheboltdb/bolt.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/command/agent/cache/cacheboltdb/bolt.go b/command/agent/cache/cacheboltdb/bolt.go
index 69a438c1808ed..0a39c9cc15c61 100644
--- a/command/agent/cache/cacheboltdb/bolt.go
+++ b/command/agent/cache/cacheboltdb/bolt.go
@@ -219,7 +219,11 @@ func (b *BoltStorage) GetAutoAuthToken(ctx context.Context) ([]byte, error) {
 		if meta == nil {
 			return fmt.Errorf("bucket %q not found", metaBucketName)
 		}
-		encryptedToken = meta.Get([]byte(AutoAuthToken))
+		value := meta.Get([]byte(AutoAuthToken))
+		if value != nil {
+			encryptedToken = make([]byte, len(value))
+			copy(encryptedToken, value)
+		}
 		return nil
 	})
 	if err != nil {
@@ -247,7 +251,11 @@ func (b *BoltStorage) GetRetrievalToken() ([]byte, error) {
 		if keyBucket == nil {
 			return fmt.Errorf("bucket %q not found", metaBucketName)
 		}
-		token = keyBucket.Get([]byte(RetrievalTokenMaterial))
+		value := keyBucket.Get([]byte(RetrievalTokenMaterial))
+		if value != nil {
+			token = make([]byte, len(value))
+			copy(token, value)
+		}
 		return nil
 	})
 	if err != nil {

From 9978fcf3ca8fa5e93eb2f9fcbab6b59643e707fd Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 10 Sep 2021 18:19:58 -0700
Subject: [PATCH 2/4] changelog

---
 changelog/12534.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/12534.txt

diff --git a/changelog/12534.txt b/changelog/12534.txt
new file mode 100644
index 0000000000000..23ae59bdd6f58
--- /dev/null
+++ b/changelog/12534.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Avoid possible `unexpected fault address` panic caused by using byte slices returned from Bolt outside their transactions; make a copy first.
+```

From a238a87f39d13d0a4c417ddf52caaa271efd5f3a Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Fri, 10 Sep 2021 18:24:52 -0700
Subject: [PATCH 3/4] changelog

---
 changelog/12534.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/12534.txt b/changelog/12534.txt
index 23ae59bdd6f58..9caec8c9df398 100644
--- a/changelog/12534.txt
+++ b/changelog/12534.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-agent: Avoid possible `unexpected fault address` panic caused by using byte slices returned from Bolt outside their transactions; make a copy first.
+agent: Avoid possible `unexpected fault address` panic caused by using byte slices returned from Bolt outside their transactions; make a copy first in the persistent cache restore functions.
 ```

From 4bc0bc0d4e2cc679902667eef94b5fd27bb2ab22 Mon Sep 17 00:00:00 2001
From: Theron Voran <tvoran@users.noreply.github.com>
Date: Mon, 13 Sep 2021 10:49:28 -0700
Subject: [PATCH 4/4] simpler changelog

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
---
 changelog/12534.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/12534.txt b/changelog/12534.txt
index 9caec8c9df398..d7c05f641502b 100644
--- a/changelog/12534.txt
+++ b/changelog/12534.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-agent: Avoid possible `unexpected fault address` panic caused by using byte slices returned from Bolt outside their transactions; make a copy first in the persistent cache restore functions.
+agent: Avoid possible `unexpected fault address` panic when using persistent cache.
 ```