[MDEV-15772] Potential list overrun during XA recovery - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL)
Fix Version/s: 10.2.24, 5.5.64, 10.1.39, 10.3.15, 10.4.5
Component/s: XA
Labels:
None

Description

In ha_recover() array of XA transactions is allocated as following:

#define MAX_XID_LIST_SIZE  (1024*128)

#define MIN_XID_LIST_SIZE  128

  for (info.len= MAX_XID_LIST_SIZE ;

       info.list==0 && info.len > MIN_XID_LIST_SIZE; info.len/=2)

    info.list=(XID *)my_malloc(info.len*sizeof(XID), MYF(0));

  if (!info.list)

    sql_print_error(ER(ER_OUTOFMEMORY),

                    static_cast<int>(info.len*sizeof(XID)));

    DBUG_RETURN(1);

Then each storage engine fills this array. However at least InnoDB (trx_recover_for_mysql()) doesn't check for boundaries and may overrun this array.

Attachments

Issue Links

relates to

MDEV-19408 Assertion `trx->state == TRX_STATE_ACTIVE || trx->state == TRX_STATE_PREPARED' failed in ReadView::copy_trx_ids, innodb.xa_debug, innodb.innodb fail in buildbot

Closed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Sergey Vojtovich

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2018-04-04 08:48

Updated:: 2019-05-08 04:01

Resolved:: 2019-04-24 09:20

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.