MariaDB Server: MDEV-29555

ASAN heap-buffer-overflow in mariabackup.huge_lsn,strict_full_crc32


Details

    Description

      nayuta-yanagisawa reported that the test mariabackup.huge_lsn,strict_full_crc32 would occasionally trigger AddressSanitizer heap-buffer-overflow on his system.

      The following patch fixes it:

      diff --git a/storage/innobase/log/log0recv.cc b/storage/innobase/log/log0recv.cc
      index 0b6ddce30ce..37a4e722767 100644
      --- a/storage/innobase/log/log0recv.cc
      +++ b/storage/innobase/log/log0recv.cc
      @@ -3713,7 +3713,7 @@ static bool recv_scan_log(bool last_phase)
       
             for (;;)
             {
      -        const byte b{log_sys.buf[recv_sys.offset]};
      +        const byte& b{log_sys.buf[recv_sys.offset]};
               r= recv_sys.parse_pmem(store);
               if (r == recv_sys_t::OK)
               {
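Review bot: the change is correct only under a contract that is not visible at the declaration: `const byte& b{log_sys.buf[recv_sys.offset]}` computes the address at declaration time (the pre-parse offset, possibly one past the end of the buffer) but defers the actual load until `b` is used, so it is safe only as long as `b` is read nowhere outside the `if (r == recv_sys_t::OK)` branch. A one-line comment at the declaration (for example `/* may refer one past the end; read only if r == OK */`) would keep a later cleanup from turning the reference back into a copy or using `b` before `parse_pmem()` returns. The same comment should note that `parse_pmem()` must not reallocate `log_sys.buf`, since the reference would then dangle rather than merely point past the end.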
      

      In this test, some Perl code always generates the same log file, which wraps around at the end of the file. recv_sys.offset will then be equal to recv_sys.len, that is, b refers to the byte just past the end of log_sys.buf. We are actually only interested in the value of that byte (the first byte of the parsed record) if r == recv_sys_t::OK, which indicates that the entire mini-transaction was present in the buffer.

      I do not think that this bug has much practical impact outside AddressSanitizer.
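The following is an added example that models the loop above; it is not MariaDB code. LogBuf, parse(), at() and the toy record format are constructed stand-ins for log_sys / recv_sys and parse_pmem(). Instead of letting the out-of-range read be undefined behaviour, at() counts it, so the eager copy (the removed line) and the deferred read (the added reference, modelled here as capturing the index and loading it only after a complete record was parsed) can be compared on the same wrap-around input: the buffer ends exactly on a record boundary, so the last iteration runs with offset == len.

```cpp
// Added example (not MariaDB's code): why an eager copy of
// log_sys.buf[recv_sys.offset] reads one past the end at offset == len,
// and why deferring the read until r == OK avoids it.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for log_sys / recv_sys; all names are assumptions.
struct LogBuf {
    enum Status { OK, PREMATURE_EOF };
    std::vector<uint8_t> buf;       // log bytes, valid in [0, len)
    size_t offset = 0;              // next byte to parse
    size_t len = 0;                 // number of valid bytes in buf
    size_t out_of_range_reads = 0;  // counted instead of faulting (ASAN would abort)

    // Bounds-checked stand-in for log_sys.buf[i].
    uint8_t at(size_t i) {
        if (i >= len) { ++out_of_range_reads; return 0; }
        return buf[i];
    }

    // Toy record format: [payload length][payload...]; stand-in for parse_pmem().
    // Reports OK only if the whole record is present in the buffer.
    Status parse(size_t &consumed) {
        if (offset >= len) return PREMATURE_EOF;
        const size_t n = 1 + buf[offset];
        if (offset + n > len) return PREMATURE_EOF;
        consumed = n;
        return OK;
    }
};

struct ScanResult {
    size_t records;             // complete records parsed
    size_t first_bytes_sum;     // sum of each record's first byte (the "b" value)
    size_t out_of_range_reads;  // reads at or beyond len
};

// Eager variant, like "const byte b{log_sys.buf[recv_sys.offset]}":
// the byte is loaded before we know a complete record is there.
ScanResult scan_eager(LogBuf log) {
    size_t records = 0, sum = 0;
    for (;;) {
        const uint8_t b = log.at(log.offset);  // load happens here, even at offset == len
        size_t consumed = 0;
        if (log.parse(consumed) != LogBuf::OK) break;
        sum += b;
        ++records;
        log.offset += consumed;
    }
    return {records, sum, log.out_of_range_reads};
}

// Deferred variant, like "const byte& b{log_sys.buf[recv_sys.offset]}":
// the location is fixed now, the load is performed only once r == OK.
ScanResult scan_deferred(LogBuf log) {
    size_t records = 0, sum = 0;
    for (;;) {
        const size_t pos = log.offset;  // address captured, nothing read yet
        size_t consumed = 0;
        if (log.parse(consumed) != LogBuf::OK) break;
        sum += log.at(pos);  // read only after the record was confirmed complete
        ++records;
        log.offset += consumed;
    }
    return {records, sum, log.out_of_range_reads};
}

// Constructed input: two records that fill the buffer exactly, so the loop
// ends with offset == len, the wrap-around situation from the test.
LogBuf make_sample() {
    LogBuf log;
    log.buf = {2, 'a', 'b', 1, 'x'};
    log.len = log.buf.size();
    return log;
}

int main() {
    const ScanResult e = scan_eager(make_sample());
    const ScanResult d = scan_deferred(make_sample());
    std::printf("eager:    records=%zu out_of_range_reads=%zu\n", e.records, e.out_of_range_reads);
    std::printf("deferred: records=%zu out_of_range_reads=%zu\n", d.records, d.out_of_range_reads);
    return 0;
}
```

Both variants parse the same two records and use the same first-byte values; only the eager one touches index len on its final iteration, which is exactly the one-byte overflow AddressSanitizer reports for the real scanner.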

      People

        marko Marko Mäkelä