MariaDB Server - MDEV-5013

sql/sql_plugin.cc:update_func_str() for PLUGIN_VAR_MEMALLOC may cause double free


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.4
    • Fix Version/s: 10.0.5
    • Component/s: None
    • Labels: None
    • Environment:
      My platform is Debian GNU/Linux sid x86_64, but it affects all platforms.

      Description

      If there is the following variable definition, it may cause double free:

      static MYSQL_SYSVAR_STR(variable_name,
                              variable,
                              PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC, // PLUGIN_VAR_MEMALLOC is important!
                              "description",
                              NULL,
                              NULL, // using the default update function is important!
                              NULL);

      The points are PLUGIN_VAR_MEMALLOC and the default update function.

      If this pattern is used, the following SQL causes double free:

      SET GLOBAL variable = "value";
      SET GLOBAL variable = NULL;

      If a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code is used in sql/sql_plugin.cc:

      static void update_func_str(THD *thd, struct st_mysql_sys_var *var,
                                   void *tgt, const void *save)
      {
        char *value= *(char**) save;
        if (var->flags & PLUGIN_VAR_MEMALLOC)
        { // This clause is used!
          char *old= *(char**) tgt;
          if (value)
            *(char**) tgt= my_strdup(value, MYF(0));
          my_free(old);
        }
        else
          *(char**) tgt= value;
      }

      If value is NULL, tgt still refers to freed memory. It is freed in sql/sql_plugin.cc:plugin_vars_free_values(), which causes a double free.

      This pattern isn't used in any of the bundled storage engines. It is used in the mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
      (I'm a mroonga storage engine developer.)

      I will attach a patch to fix the problem.
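The following is an added example, not code from the report, from MariaDB or from mroonga. It models the two functions the report names (update_func_str() and the shutdown cleanup in plugin_vars_free_values()) with constructed stand-ins: my_strdup()/my_free() are replaced by a small tracking allocator so that a second free of the same pointer is counted instead of corrupting the heap, and st_mysql_sys_var is reduced to its flags field. The value of PLUGIN_VAR_MEMALLOC is assumed; only the bit's identity matters. run_buggy() replays SET GLOBAL variable = "value"; SET GLOBAL variable = NULL; followed by cleanup against the function as quoted above, and run_fixed() replays it against a version that always assigns the target, so a NULL value clears the dangling pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed flag value and reduced sys_var struct (constructed stand-ins). */
#define PLUGIN_VAR_MEMALLOC 0x8000
struct sys_var { unsigned int flags; };

/* Tracking allocator standing in for my_strdup()/my_free(): a free of a
 * pointer that is not live is counted as a double free and not performed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count = 0;

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();                       /* table full: not expected here */
}

static void tracked_free(void *p) {
    if (!p) return;                /* like my_free(), NULL is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;           /* not live any more: a double free */
}

/* The function as quoted in the report: when value is NULL the target keeps
 * pointing at 'old' after it has been freed. */
static void update_func_str_buggy(struct sys_var *var, void *tgt, const void *save) {
    char *value = *(char **) save;
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        char *old = *(char **) tgt;
        if (value)
            *(char **) tgt = tracked_strdup(value);
        tracked_free(old);
    } else
        *(char **) tgt = value;
}

/* Corrected form: the target is always assigned, so NULL clears it. */
static void update_func_str_fixed(struct sys_var *var, void *tgt, const void *save) {
    char *value = *(char **) save;
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        char *old = *(char **) tgt;
        *(char **) tgt = value ? tracked_strdup(value) : NULL;
        tracked_free(old);
    } else
        *(char **) tgt = value;
}

/* Stand-in for plugin_vars_free_values(): frees the MEMALLOC string at shutdown. */
static void free_value(struct sys_var *var, char **tgt) {
    if (var->flags & PLUGIN_VAR_MEMALLOC) { tracked_free(*tgt); *tgt = NULL; }
}

typedef void (*update_fn)(struct sys_var *, void *, const void *);

/* SET GLOBAL variable = "value"; SET GLOBAL variable = NULL; then cleanup.
 * Returns the number of double frees the tracking allocator observed. */
static int run_scenario(update_fn update) {
    struct sys_var var = { PLUGIN_VAR_MEMALLOC };
    char *variable = NULL;         /* the plugin's MEMALLOC string variable */
    const char *save;
    double_free_count = 0;
    memset(live, 0, sizeof live);

    save = "value";
    update(&var, &variable, &save);
    save = NULL;
    update(&var, &variable, &save);
    free_value(&var, &variable);
    return double_free_count;
}

int run_buggy(void) { return run_scenario(update_func_str_buggy); }
int run_fixed(void) { return run_scenario(update_func_str_fixed); }

int main(void) {
    printf("buggy: %d double free(s)\n", run_buggy());   /* 1 */
    printf("fixed: %d double free(s)\n", run_fixed());   /* 0 */
    return 0;
}
```

In a real build the same defect is easiest to catch with AddressSanitizer, which reports the second my_free() as a double-free at the plugin_vars_free_values() call site; the tracking allocator here only makes the outcome observable without undefined behaviour.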

      People

      • Assignee: Sergei Golubchik (serg)
      • Reporter: Kouhei Sutou (kou)