Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20309

InnoDB encryption accesses memory outside of allocated block

    Details

      Description

      mtr --valgrind encryption.innodb_encryption

      This is log is from MariaDB 10.5 compiled with
      ./BUILD/compile-pentium64-valgrind-max
      We get similar errors (and more) in 10.4)

      encryption.innodb_encryption 'innodb,undo0' [ fail ] Found warnings/errors in server log file!
      Test ended at 2019-08-10 16:21:55
      line
      ==12768== Invalid read of size 2
      ==12768== at 0x4C356A7: memmove (vg_replace_strmem.c:1271)
      ==12768== by 0x15763C7: wolfSSL_EVP_CipherUpdate (evp.c:361)
      ==12768== by 0x1437725: MyCTX::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*) (my_crypt.cc:85)
      ==12768== by 0x143796B: MyCTX_nopad::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*) (my_crypt.cc:143)
      ==12768== by 0x14372ED: my_aes_crypt_update (my_crypt.cc:310)
      ==12768== by 0xF2CFDF1: ctx_update(void*, unsigned char const*, unsigned int, unsigned char*, unsigned int*) (example_key_management_plugin.cc:126)
      ==12768== by 0xADF5FA: encryption_crypt (service_encryption.h:119)
      ==12768== by 0xADFF2F: do_crypt(unsigned char const*, unsigned int, unsigned char*, unsigned int*, st_encryption_scheme*, unsigned int, unsigned int, unsigned int, unsigned long long, int) (encryption.cc:223)
      ==12768== by 0xADFFD1: encryption_scheme_decrypt (encryption.cc:244)
      ==12768== by 0x12CDC06: fil_space_decrypt_full_crc32(unsigned long, fil_space_crypt_t*, unsigned char*, unsigned char*, dberr_t*) (fil0crypt.cc:842)
      ==12768== by 0x12CE1A7: fil_space_decrypt(unsigned long, fil_space_crypt_t*, unsigned char*, unsigned long, unsigned long, unsigned char*, dberr_t*) (fil0crypt.cc:976)
      ==12768== by 0x12CE30D: fil_space_decrypt(fil_space_t const*, unsigned char*, unsigned char*, bool*) (fil0crypt.cc:1011)
      ==12768== by 0x122565E: buf_page_decrypt_after_read(buf_page_t*, fil_space_t*) (buf0buf.cc:555)
      ==12768== by 0x1236C14: buf_page_io_complete(buf_page_t*, bool, bool) (buf0buf.cc:6019)
      ==12768== by 0x1261339: buf_read_page_low(dberr_t*, bool, unsigned long, unsigned long, page_id_t, unsigned long, bool, bool) (buf0rea.cc:203)
      ==12768== by 0x1261AE3: buf_read_page(page_id_t, unsigned long) (buf0rea.cc:411)
      ==12768== Address 0x10324000 is 0 bytes after a block of size 16,384 alloc'd
      ==12768== at 0x4C30833: memalign (vg_replace_malloc.c:908)
      ==12768== by 0x4C30936: posix_memalign (vg_replace_malloc.c:1072)
      ==12768== by 0x123B9B2: aligned_malloc(unsigned long, unsigned long) (buf0buf.cc:130)
      ==12768== by 0x12250BD: buf_tmp_reserve_crypt_buf(buf_tmp_buffer_t*) (buf0buf.cc:441)
      ==12768== by 0x1225622: buf_page_decrypt_after_read(buf_page_t*, fil_space_t*) (buf0buf.cc:550)
      ==12768== by 0x1236C14: buf_page_io_complete(buf_page_t*, bool, bool) (buf0buf.cc:6019)
      ==12768== by 0x1261339: buf_read_page_low(dberr_t*, bool, unsigned long, unsigned long, page_id_t, unsigned long, bool, bool) (buf0rea.cc:203)
      ==12768== by 0x1261AE3: buf_read_page(page_id_t, unsigned long) (buf0rea.cc:411)
      ==12768== by 0x1231BA4: buf_page_get_gen(page_id_t, unsigned long, unsigned long, buf_block_t*, unsigned long, char const*, unsigned int, mtr_t*, dberr_t*) (buf0buf.cc:4380)
      ==12768== by 0x126825F: dict_hdr_get(mtr_t*) (dict0boot.cc:49)
      ==12768== by 0x1268936: dict_boot() (dict0boot.cc:276)
      ==12768== by 0x116D1E6: srv_start(bool) (srv0start.cc:1881)
      ==12768== by 0xF83B68: innodb_init(void*) (ha_innodb.cc:4127)
      ==12768== by 0xBA2FC4: ha_initialize_handlerton(st_plugin_int*) (handler.cc:550)
      ==12768== by 0x8A3030: plugin_initialize(st_mem_root*, st_plugin_int*, int*, char**, bool) (sql_plugin.cc:1437)
      ==12768== by 0x8A3C2C: plugin_init(int*, char**, int) (sql_plugin.cc:1719)
      ==12768== Invalid read of size 2
      ==12768== at 0x4C35698: memmove (vg_replace_strmem.c:1271)
      ==12768== by 0x15763C7: wolfSSL_EVP_CipherUpdate (evp.c:361)
      ==12768== by 0x1437725: MyCTX::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*) (my_crypt.cc:85)
      ==12768== by 0x143796B: MyCTX_nopad::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*) (my_crypt.cc:143)
      ==12768== by 0x14372ED: my_aes_crypt_update (my_crypt.cc:310)
      ==12768== by 0xF2CFDF1: ctx_update(void*, unsigned char const*, unsigned int, unsigned char*, unsigned int*) (example_key_management_plugin.cc:126)
      ==12768== by 0xADF5FA: encryption_crypt (service_encryption.h:119)
      ==12768== by 0xADFF2F: do_crypt(unsigned char const*, unsigned int, unsigned char*, unsigned int*, st_encryption_scheme*, unsigned int, unsigned int, unsigned int, unsigned long long, int) (encryption.cc:223)
      ==12768== by 0xADFFD1: encryption_scheme_decrypt (encryption.cc:244)
      ==12768== by 0x12CDC06: fil_space_decrypt_full_crc32(unsigned long, fil_space_crypt_t*, unsigned char*, unsigned char*, dberr_t*) (fil0crypt.cc:842)
      ==12768== by 0x12CE1A7: fil_space_decrypt(unsigned long, fil_space_crypt_t*, unsigned char*, unsigned long, unsigned long, unsigned char*, dberr_t*) (fil0crypt.cc:976)
      ==12768== by 0x12CE30D: fil_space_decrypt(fil_space_t const*, unsigned char*, unsigned char*, bool*) (fil0crypt.cc:1011)
      ==12768== by 0x122565E: buf_page_decrypt_after_read(buf_page_t*, fil_space_t*) (buf0buf.cc:555)
      ==12768== by 0x1236C14: buf_page_io_complete(buf_page_t*, bool, bool) (buf0buf.cc:6019)
      ==12768== by 0x1261339: buf_read_page_low(dberr_t*, bool, unsigned long, unsigned long, page_id_t, unsigned long, bool, bool) (buf0rea.cc:203)
      ==12768== by 0x1261AE3: buf_read_page(page_id_t, unsigned long) (buf0rea.cc:411)
      ==12768== Address 0x10324004 is 4 bytes after a block of size 16,384 alloc'd
      ==12768== at 0x4C30833: memalign (vg_replace_malloc.c:908)
      ==12768== by 0x4C30936: posix_memalign (vg_replace_malloc.c:1072)
      ==12768== by 0x123B9B2: aligned_malloc(unsigned long, unsigned long) (buf0buf.cc:130)
      ==12768== by 0x12250BD: buf_tmp_reserve_crypt_buf(buf_tmp_buffer_t*) (buf0buf.cc:441)
      ==12768== by 0x1225622: buf_page_decrypt_after_read(buf_page_t*, fil_space_t*) (buf0buf.cc:550)
      ==12768== by 0x1236C14: buf_page_io_complete(buf_page_t*, bool, bool) (buf0buf.cc:6019)
      ==12768== by 0x1261339: buf_read_page_low(dberr_t*, bool, unsigned long, unsigned long, page_id_t, unsigned long, bool, bool) (buf0rea.cc:203)
      ==12768== by 0x1261AE3: buf_read_page(page_id_t, unsigned long) (buf0rea.cc:411)
      ==12768== by 0x1231BA4: buf_page_get_gen(page_id_t, unsigned long, unsigned long, buf_block_t*, unsigned long, char const*, unsigned int, mtr_t*, dberr_t*) (buf0buf.cc:4380)
      ==12768== by 0x126825F: dict_hdr_get(mtr_t*) (dict0boot.cc:49)
      ==12768== by 0x1268936: dict_boot() (dict0boot.cc:276)
      ==12768== by 0x116D1E6: srv_start(bool) (srv0start.cc:1881)
      ==12768== by 0xF83B68: innodb_init(void*) (ha_innodb.cc:4127)
      ==12768== by 0xBA2FC4: ha_initialize_handlerton(st_plugin_int*) (handler.cc:550)
      ==12768== by 0x8A3030: plugin_initialize(st_mem_root*, st_plugin_int*, int*, char**, bool) (sql_plugin.cc:1437)
      ==12768== by 0x8A3C2C: plugin_init(int*, char**, int) (sql_plugin.cc:1719)

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                wlad Vladislav Vaintroub
                Reporter:
                monty Michael Widenius
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: