Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Version/s: 10.8.1, 10.9.0, 10.10.0
Description
nayuta-yanagisawa reported that the test mariabackup.huge_lsn,strict_full_crc32 would occasionally trigger an AddressSanitizer heap-buffer-overflow on his system.
The following patch fixes it:
diff --git a/storage/innobase/log/log0recv.cc b/storage/innobase/log/log0recv.cc
index 0b6ddce30ce..37a4e722767 100644
--- a/storage/innobase/log/log0recv.cc
+++ b/storage/innobase/log/log0recv.cc
@@ -3713,7 +3713,7 @@ static bool recv_scan_log(bool last_phase)
for (;;)
{
- const byte b{log_sys.buf[recv_sys.offset]};
+ const byte& b{log_sys.buf[recv_sys.offset]};
r= recv_sys.parse_pmem(store);
if (r == recv_sys_t::OK)
{ |
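Review bot: the change to `const byte& b{log_sys.buf[recv_sys.offset]};` only defers the load of the byte until `b` is actually used, which stops the heap-buffer-overflow read when `recv_sys.offset == recv_sys.len`, but the expression still forms a reference to an element one past the end of `log_sys.buf`, which is not well-defined C++ even though AddressSanitizer no longer sees a read. Consider saving the offset instead (e.g. `const size_t start= recv_sys.offset;`) and reading `log_sys.buf[start]` only inside the `if (r == recv_sys_t::OK)` branch, or at least put a comment on the declaration saying why `b` must be a reference and not a copy, since nothing in this hunk stops a later cleanup from turning it back into a value.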
In this test, some Perl code always generates the same log file, one that wraps around at the end of the file. The recv_sys.offset will be equal to recv_sys.len, that is, b points just past the end of log_sys.buf. We are actually only interested in the value of the byte (the first byte of the parsed record) at that offset if r == recv_sys_t::OK, which indicates that the entire mini-transaction was present in the buffer.
I do not think that this bug has much practical impact outside AddressSanitizer.
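As an added illustration (not MariaDB's code), the same read-before-check pattern in C++ over a toy record format: the first byte of a record is read only after the parser reports the record complete, and the record's start offset is saved because parsing advances the offset, rather than binding a reference as the patch does. The names Scanner, parse and scan_first_bytes are assumptions for this example.

```cpp
// Added example, not MariaDB code. Models the recv_scan_log loop with a toy
// format: each record is one length byte followed by that many payload bytes.
#include <cstddef>
#include <cstdint>
#include <vector>

using byte = std::uint8_t;
enum class Result { OK, PREMATURE_EOF };

struct Scanner {
  std::vector<byte> buf;   // stands in for log_sys.buf
  std::size_t offset = 0;  // stands in for recv_sys.offset
  std::size_t len() const { return buf.size(); }

  // Parses one record at offset. Advances offset only when the whole record
  // is present; at offset == len() it returns without touching buf at all.
  Result parse() {
    if (offset >= len()) return Result::PREMATURE_EOF;
    const std::size_t rec_len = 1 + buf[offset];
    if (offset + rec_len > len()) return Result::PREMATURE_EOF;
    offset += rec_len;
    return Result::OK;
  }
};

// Collects the first byte of every complete record. The byte is read only
// after parse() returned OK, so when the loop reaches the exact end of the
// buffer (start == len()) no out-of-bounds access is ever made.
std::vector<byte> scan_first_bytes(Scanner &s) {
  std::vector<byte> first;
  for (;;) {
    const std::size_t start = s.offset;  // remember where this record begins
    const Result r = s.parse();
    if (r != Result::OK) break;          // incomplete or at end: do not read
    first.push_back(s.buf[start]);       // safe: [start, offset) was fully present
  }
  return first;
}
```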
Issue Links
- is caused by MDEV-14425 Change the InnoDB redo log format to reduce write amplification (Closed)
Activity

Field | Original Value | New Value
---|---|---
Link | | This issue is caused by MDEV-14425
issue.field.resolutiondate | 2022-09-16 11:28:51.0 | 2022-09-16 11:28:51.762
Fix Version/s | 10.8.6 [ 28443 ] |
Fix Version/s | 10.9.4 [ 28444 ] |
Fix Version/s | 10.10.2 [ 28410 ] |
Fix Version/s | 10.8 [ 26121 ] |
Fix Version/s | 10.9 [ 26905 ] |
Fix Version/s | 10.10 [ 27530 ] |
Resolution | Fixed [ 1 ] |
Status | Open [ 1 ] | Closed [ 6 ]