[MDEV-22824] Buffer overflow in dict_table_t::parse_name() - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5.1
Fix Version/s: 10.5.4
Component/s: Storage Engine - InnoDB
Labels:
- ASAN
- corruption

Description

The test parts.longname that I extended for ~~MDEV-22817~~ revealed another error that was introduced in ~~MDEV-16678~~:

10.5 0e69f601aaafb920a9305c4ab5d380de2b43e917
==113772==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8718ff4b21 at pc 0x7f872870157d bp 0x7f8718ff47f0 sp 0x7f8718ff3f98
WRITE of size 394 at 0x7f8718ff4b21 thread T15
#0 0x7f872870157c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x558391fc45d0 in bool dict_table_t::parse_name<true>(char (&) [193], char (&) [193], unsigned long, unsigned long) const /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:751
#2 0x558391fc49c2 in dict_table_t* dict_acquire_mdl_shared<false>(dict_table_t, THD, MDL_ticket**, dict_table_op_t) /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:819
#3 0x558391faff5a in dict_table_open_on_id(unsigned long, bool, dict_table_op_t, THD, MDL_ticket*) /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:955

The problem is that we are copying the entire table name (with partition and subpartition names) to the buffer, and only then stripping the partition and subpartition components.

Attachments

Issue Links

is caused by

MDEV-16678 Use MDL for innodb background threads instead of dict_operation_lock

Closed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Marko Mäkelä

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2020-06-07 15:54

Updated:: 2020-06-07 15:58

Resolved:: 2020-06-07 15:58

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.