[MDEV-18902] Uninitialized variable in recv_parse_log_recs() comparison type==MLOG_CHECKPOINT Created: 2019-03-12  Updated: 2019-03-12  Resolved: 2019-03-12

Status: Closed
Project: MariaDB Server
Component/s: mariabackup, Storage Engine - InnoDB
Affects Version/s: 10.2.2, 10.3.0, 10.4.0
Fix Version/s: 10.2.23, 10.3.14, 10.4.4

Type: Bug Priority: Major
Reporter: Marko Mäkelä Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: upstream


Description

The following comparison may compare an uninitialized type when the redo log parsing buffer runs out (ptr==end_ptr), potentially causing an incorrect claim that the redo log is corrupted:

    len = recv_parse_log_rec(
        &type, ptr, end_ptr, &space, &page_no,
        false, &body);

    if (recv_sys->found_corrupt_log
        || type == MLOG_CHECKPOINT
        || (ptr != end_ptr
            && (*ptr & MLOG_SINGLE_REC_FLAG))) {

This was found by Valgrind:

10.2 69abd43703fcf68c4cf1056bf5bd56c690de5b4e

innodb.log_data_file_size '4k,innodb'    w7 [ fail ]  Found warnings/errors in server log file!
        Test ended at 2019-03-12 13:45:57
line
==372== Conditional jump or move depends on uninitialised value(s)
==372==    at 0xC03A1E: recv_parse_log_recs(unsigned long, store_t, bool) (log0recv.cc:2701)
==372==    by 0xC048CF: recv_scan_log_recs(unsigned long, store_t*, unsigned char const*, unsigned long, unsigned long, unsigned long, unsigned long*, unsigned long*) (log0recv.cc:3102)
==372==    by 0xC04DCC: recv_group_scan_log_recs(log_group_t*, unsigned long, unsigned long*, bool) (log0recv.cc:3197)
==372==    by 0xC060DD: recv_recovery_from_checkpoint_start(unsigned long) (log0recv.cc:3520)
==372==    by 0xD21754: innobase_start_or_create_for_mysql() (srv0start.cc:2192)
==372==    by 0xB5CB1B: innobase_init(void*) (ha_innodb.cc:4393)
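As an added illustration, not code from the MariaDB tree, here is a minimal C model of the call shape above: a parser that, like the early return described in this report, leaves the output type unassigned when the buffer is exhausted; a caller with the same buggy shape; and a hardened caller that gates on the returned length. The enum values, function names and the fix pattern are constructed for this example and are not InnoDB's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed placeholders standing in for InnoDB's mlog_id_t codes; the
 * numeric values are made up for this model and are not the real ones. */
enum model_mlog {
    MODEL_MLOG_1BYTE = 1,
    MODEL_MLOG_CHECKPOINT = 9,
    MODEL_MLOG_SINGLE_REC_FLAG = 0x80
};

/* Simplified model of recv_parse_log_rec(): returns bytes consumed, or 0 when
 * the parse buffer is exhausted. Like the early return the report describes,
 * it leaves *type untouched on that path. */
static size_t model_parse_log_rec(enum model_mlog *type,
                                  const uint8_t *ptr, const uint8_t *end_ptr)
{
    if (ptr == end_ptr) {
        return 0;            /* buffer ran out: *type is NOT assigned */
    }
    *type = (enum model_mlog)(*ptr & ~MODEL_MLOG_SINGLE_REC_FLAG);
    return 1;
}

/* Buggy shape of the caller. `stale_type` stands in for whatever garbage the
 * uninitialized stack slot happened to hold, so the hazard is reproducible
 * here without actually invoking undefined behaviour. */
bool buggy_saw_checkpoint(enum model_mlog stale_type,
                          const uint8_t *ptr, const uint8_t *end_ptr)
{
    enum model_mlog type = stale_type;    /* in the real code: uninitialized */
    (void)model_parse_log_rec(&type, ptr, end_ptr);
    return type == MODEL_MLOG_CHECKPOINT; /* read even when nothing was parsed */
}

/* Hardened caller: treat a zero-length parse as "no record" and never consult
 * `type` unless the parser actually produced one. */
bool fixed_saw_checkpoint(const uint8_t *ptr, const uint8_t *end_ptr)
{
    enum model_mlog type = MODEL_MLOG_1BYTE;  /* defined on every path */
    size_t len = model_parse_log_rec(&type, ptr, end_ptr);
    if (len == 0) {
        return false;        /* out of data: neither checkpoint nor corruption */
    }
    return type == MODEL_MLOG_CHECKPOINT;
}
```

The buggy caller reports a checkpoint on an empty buffer whenever the stale stack value happens to equal the checkpoint code, which is exactly the false corruption claim the report warns about; the hardened caller never reads `type` on that path.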