[MDEV-14945] possible buffer overflow in stack resolver - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.1.48, 10.2.35, 10.3.26, 10.4.16, 10.5.7
Component/s: Server
Labels:
None

Description

Can be seen in stack traces like in ~~MDEV-14710~~. To quote here

*** buffer overflow detected ***: /usr/sbin/mysqld terminated

======= Backtrace: =========

/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f3e6272abcb]

/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f3e627b3227]

/lib/x86_64-linux-gnu/libc.so.6(+0xf7360)[0x7f3e627b1360]

/lib/x86_64-linux-gnu/libc.so.6(+0xf919a)[0x7f3e627b319a]

/usr/sbin/mysqld(my_addr_resolve+0x4c)[0x5612759e2cfc]

/usr/sbin/mysqld(my_print_stacktrace+0x1bb)[0x5612759cc4fb]

/usr/sbin/mysqld(handle_fatal_signal+0x3bd)[0x561275511a4d]

...

Attachments

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik added a comment - 2018-01-14 15:19 - edited

technically, it could've happen that the memory was corrupted before, and only detected in my_addr_resolve().

Sergei Golubchik added a comment - 2018-01-14 15:19 - edited technically, it could've happen that the memory was corrupted before, and only detected in my_addr_resolve() .

Sergei Golubchik added a comment - 2020-09-17 17:12

This seems to be it: https://stackoverflow.com/questions/22827510/how-to-avoid-bad-fd-set-buffer-overflow-crash

Sergei Golubchik added a comment - 2020-09-17 17:12 This seems to be it: https://stackoverflow.com/questions/22827510/how-to-avoid-bad-fd-set-buffer-overflow-crash

Sergei Golubchik added a comment - 2020-09-17 17:19

supposedly rewriting select to poll should fix it.

alternatively, a hack like for (f=10; f < 30; f++) close(f); could, perhaps, alleviate the issue. but only if no cleaner solution would help

Sergei Golubchik added a comment - 2020-09-17 17:19 supposedly rewriting select to poll should fix it. alternatively, a hack like for (f=10; f < 30; f++) close(f); could, perhaps, alleviate the issue. but only if no cleaner solution would help

Vicențiu Ciorbaru added a comment - 2020-10-26 19:05

A tentative fix for this was done by moving stack variables out to global space (code is run single threaded anyway) and switching select to poll. poll can also error out with ENOMEM, which represents Kernel data structures were not allocated due to out-of-memory. There's no way to realistically fix that though.

Let's see if this fix is any good as I can't quite reproduce it locally.

Vicențiu Ciorbaru added a comment - 2020-10-26 19:05 A tentative fix for this was done by moving stack variables out to global space (code is run single threaded anyway) and switching select to poll. poll can also error out with ENOMEM, which represents Kernel data structures were not allocated due to out-of-memory. There's no way to realistically fix that though. Let's see if this fix is any good as I can't quite reproduce it locally.

People

Assignee:: Vicențiu Ciorbaru

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2018-01-14 15:16

Updated:: 2020-10-26 19:05

Resolved:: 2020-10-26 19:05

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server