MariaDB Server / MDEV-5013

sql/sql_plugin.cc:update_func_str() for PLUGIN_VAR_MEMALLOC may cause double free

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version: 10.0.4
    • Fix Version: 10.0.5
    • Component: None
    • Labels: None
    • Environment: My platform is Debian GNU/Linux sid x86_64, but it affects all platforms.

    Description

      If a plugin has the following variable definition, it may cause a double free:

      static MYSQL_SYSVAR_STR(variable_name,
                              variable,
                              PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC, // PLUGIN_VAR_MEMALLOC is important!
                              "description",
                              NULL,
                              NULL, // using the default update function is important!
                              NULL);

      The key points are the PLUGIN_VAR_MEMALLOC flag and the default update function (NULL).

      If this pattern is used, the following SQL causes a double free:

      SET GLOBAL variable = "value";
      SET GLOBAL variable = NULL;

      If a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code is used in sql/sql_plugin.cc:

      static void update_func_str(THD *thd, struct st_mysql_sys_var *var,
                                   void *tgt, const void *save)
      {
        char *value= *(char**) save;
        if (var->flags & PLUGIN_VAR_MEMALLOC)
        { // This clause is used!
          char *old= *(char**) tgt;
          if (value)
            *(char**) tgt= my_strdup(value, MYF(0));
          my_free(old); // when value is NULL, *tgt is left pointing at old
        }
        else
          *(char**) tgt= value;
      }

      If value is NULL, tgt still refers to the freed memory. It is freed again in sql/sql_plugin.cc:plugin_vars_free_values(), which causes a double free.

      This pattern isn't used by any of the bundled storage engines. It is used in the mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
      (I'm a mroonga storage engine developer.)

      I will attach a patch to fix the problem.

          Activity

            serg Sergei Golubchik added a comment -

            Yes, thanks!
            We've just done the same fix in 5.5, and soon I'll merge it into 10.0. This should be fixed in 5.5.33 and in 10.0.5.

            kou Kouhei Sutou added a comment -

            Thanks for confirming it! I'll wait for the next release!

            (Thanks for fixing the markup of the description.)

            People

              Assignee: serg Sergei Golubchik
              Reporter: kou Kouhei Sutou