MariaDB Server: MDEV-24807

A possibility for double free in dtor of Event_queue_element_for_exec in the case of OOM


    Details

      Description

      It seems that the handling of the OOM case in `Event_queue_element_for_exec::init` leaves the possibility for double free of memory (https://github.com/MariaDB/server/blob/786bc312b85e58857cb26a24ab6e997ba0fdfc32/sql/event_data_objects.cc#L187-L200):

      bool
      Event_queue_element_for_exec::init(const LEX_CSTRING &db, const LEX_CSTRING &n)
      {
        if (!(dbname.str= my_strndup(key_memory_Event_queue_element_for_exec_names,
                                     db.str, dbname.length= db.length, MYF(MY_WME))))
          return TRUE;
        if (!(name.str= my_strndup(key_memory_Event_queue_element_for_exec_names,
                                   n.str, name.length= n.length, MYF(MY_WME))))
        {
          my_free(const_cast<char*>(dbname.str)); // (1) dbname.str is not NULL here
          return TRUE;
        }
        return FALSE;
      }
      

      If the second call to `my_strndup` returns NULL, then the memory allocated for `dbname.str` will be freed (at point (1)), but `dbname.str` won't be NULL and will keep its value.

      Then that value will be passed to `my_free` in the destructor of `Event_queue_element_for_exec` (https://github.com/MariaDB/server/blob/786bc312b85e58857cb26a24ab6e997ba0fdfc32/sql/event_data_objects.cc#L210-L214):

      Event_queue_element_for_exec::~Event_queue_element_for_exec()
      {
        my_free(const_cast<char*>(dbname.str)); // (2)
        my_free(const_cast<char*>(name.str));
      }
      

      and because at point (2) the value of `dbname.str` is not NULL, the call to `my_free` can lead to a double free.
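      The following is an added illustration, not code from the MariaDB tree: a cut-down model of the reported `init()`/destructor pair (with `fake_strndup`/`fake_free` as constructed, hypothetical stand-ins for `my_strndup`/`my_free`). The tracking allocator flags a second free of the same block instead of letting the C runtime abort, so the OOM path can be exercised deterministically. `FixedElement` shows one standard hardening, nulling the pointer together with the free, so the destructor's unconditional `my_free` becomes a harmless free of NULL; it is not a claim about how the issue was actually fixed.

```cpp
// Added example (not MariaDB code): model of the reported double free and
// one hardened variant, driven by a tracking allocator that detects the
// second free instead of crashing.
#include <cstddef>
#include <cstdlib>
#include <cstring>

namespace {
// Constructed test doubles standing in for my_strndup / my_free.
const int kMaxLive = 16;
char* g_live[kMaxLive];      // blocks currently allocated
int g_live_n = 0;
int g_alloc_calls = 0;       // fake_strndup calls so far
int g_fail_on_call = 0;      // make the N-th call return NULL (0 = never)
int g_double_frees = 0;      // frees of a block that was not live

char* fake_strndup(const char* s, size_t len) {
    if (++g_alloc_calls == g_fail_on_call) return nullptr;   // simulated OOM
    if (g_live_n == kMaxLive) return nullptr;
    char* p = static_cast<char*>(std::malloc(len + 1));
    if (!p) return nullptr;
    std::memcpy(p, s, len);
    p[len] = '\0';
    g_live[g_live_n++] = p;
    return p;
}

void fake_free(char* p) {
    if (!p) return;                           // like free(NULL): a no-op
    for (int i = 0; i < g_live_n; ++i) {
        if (g_live[i] == p) {
            g_live[i] = g_live[--g_live_n];   // unordered remove
            std::free(p);
            return;
        }
    }
    ++g_double_frees;   // p was already released: this is the double free
}

void reset_allocator(int fail_on_call) {
    for (int i = 0; i < g_live_n; ++i) std::free(g_live[i]);
    g_live_n = 0;
    g_alloc_calls = 0;
    g_fail_on_call = fail_on_call;
    g_double_frees = 0;
}
}  // namespace

// Mirrors the structure of the reported init(): on the second OOM it frees
// dbname but leaves the pointer value in place, so the destructor frees it again.
struct BuggyElement {
    char* dbname = nullptr;
    char* name = nullptr;
    bool init(const char* db, const char* n) {
        if (!(dbname = fake_strndup(db, std::strlen(db)))) return true;
        if (!(name = fake_strndup(n, std::strlen(n)))) {
            fake_free(dbname);   // (1) dbname still points at freed memory
            return true;
        }
        return false;
    }
    ~BuggyElement() { fake_free(dbname); fake_free(name); }   // (2) frees (1) again
};

// One hardening option: release and null the pointer together, so the
// destructor's unconditional free becomes a harmless free(NULL).
struct FixedElement {
    char* dbname = nullptr;
    char* name = nullptr;
    bool init(const char* db, const char* n) {
        if (!(dbname = fake_strndup(db, std::strlen(db)))) return true;
        if (!(name = fake_strndup(n, std::strlen(n)))) {
            fake_free(dbname);
            dbname = nullptr;    // ownership is gone; say so
            return true;
        }
        return false;
    }
    ~FixedElement() { fake_free(dbname); fake_free(name); }
};

// Runs init() and the destructor with the N-th allocation failing; returns the
// number of double frees the tracking allocator observed.
template <class Element>
int double_frees_with_oom(int fail_on_call) {
    reset_allocator(fail_on_call);
    {
        Element e;
        (void)e.init("test_db", "nightly_purge");   // constructed sample names
    }   // destructor runs here
    return g_double_frees;
}

int main() {
    // Second allocation fails: the buggy layout frees dbname twice, the fixed one does not.
    bool ok = double_frees_with_oom<BuggyElement>(2) == 1 &&
              double_frees_with_oom<FixedElement>(2) == 0;
    return ok ? 0 : 1;
}
```

      Making the second `fake_strndup` call fail reproduces the report exactly: `BuggyElement` triggers one extra free of the `dbname` block, while with no OOM, or with the first allocation failing (where `dbname` is still NULL), neither variant double frees.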

        People

        Assignee: cvicentiu Vicențiu Ciorbaru
        Reporter: eao197 Yauheni Akhotnikau