[MDEV-29555] ASAN heap-buffer-overflow in mariabackup.huge_lsn,strict_full_crc32 Created: 2022-09-16  Updated: 2022-09-16  Resolved: 2022-09-16

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.8.1, 10.9.0, 10.10.0
Fix Version/s: 10.8.6, 10.9.4, 10.10.2

Type: Bug Priority: Major
Reporter: Marko Mäkelä Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: ASAN

Issue Links:
Problem/Incident
is caused by MDEV-14425 Change the InnoDB redo log format to ... Closed

Description

nayuta-yanagisawa reported that the test mariabackup.huge_lsn,strict_full_crc32 would occasionally trigger AddressSanitizer heap-buffer-overflow on his system.

The following patch fixes it:

diff --git a/storage/innobase/log/log0recv.cc b/storage/innobase/log/log0recv.cc
index 0b6ddce30ce..37a4e722767 100644
--- a/storage/innobase/log/log0recv.cc
+++ b/storage/innobase/log/log0recv.cc
@@ -3713,7 +3713,7 @@ static bool recv_scan_log(bool last_phase)
 
       for (;;)
       {
-        const byte b{log_sys.buf[recv_sys.offset]};
+        const byte& b{log_sys.buf[recv_sys.offset]};
         r= recv_sys.parse_pmem(store);
         if (r == recv_sys_t::OK)
         {
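Review bot: switching `const byte b{...}` to `const byte& b{...}` is correct only because nothing in the loop reads `b` before `r == recv_sys_t::OK` has been checked; when recv_sys.offset equals recv_sys.len the reference is formed but never dereferenced, so no out-of-bounds load happens. That invariant is invisible at the declaration site, and a later cleanup could "simplify" the reference back to a by-value copy and reintroduce the overflow. A one-line comment on the `const byte& b{log_sys.buf[recv_sys.offset]};` line stating why a reference is used, or alternatively saving the offset before `recv_sys.parse_pmem(store)` and loading the byte only inside the `if (r == recv_sys_t::OK)` branch, would make the intent explicit.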

In this test, some Perl code always generates the same log file, which wraps around at the end of the file. The recv_sys.offset will then be equal to recv_sys.len, that is, b points just past the end of log_sys.buf. We are actually only interested in the value of the byte (the first byte of the parsed record) at that offset if r == recv_sys_t::OK, which indicates that the entire mini-transaction was present in the buffer.
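The following is an added, self-contained model of the pattern the fix relies on; it is not MariaDB code and its record format, names (`log_buffer`, `parse_record`, `scan_complete_records`) and sample bytes are constructed for illustration. It shows the scan loop forming a pointer to the first byte of the next record before parsing, which is well defined even when the position is one past the valid data, and loading that byte only after the parser has confirmed the record was complete. The wrap-around case from the report (offset already equal to len) is exercised explicitly.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model of the fixed recv_scan_log() loop; not MariaDB code.
using byte = unsigned char;

enum class parse_result { OK, PREMATURE_EOF };

// Stand-ins for log_sys.buf / recv_sys.len / recv_sys.offset.
struct log_buffer {
  const byte* buf;  // start of the parse buffer
  size_t len;       // number of valid bytes in buf
  size_t offset;    // current parse position; may legitimately reach len
};

// Toy record layout (constructed): [type byte][payload length][payload].
// Advances offset and returns OK only if the whole record is in the buffer.
parse_result parse_record(log_buffer& lb) {
  if (lb.len - lb.offset < 2) return parse_result::PREMATURE_EOF;
  const size_t payload = lb.buf[lb.offset + 1];
  if (lb.len - lb.offset < 2 + payload) return parse_result::PREMATURE_EOF;
  lb.offset += 2 + payload;
  return parse_result::OK;
}

// Returns the type byte of every complete record in the buffer.
// Like the `const byte&` in the fix, the pointer to the first byte is formed
// before parsing (a one-past-the-end pointer is valid), but the byte itself
// is loaded only after the parser confirms the record was fully present.
std::vector<byte> scan_complete_records(log_buffer lb) {
  std::vector<byte> types;
  for (;;) {
    const byte* first = lb.buf + lb.offset;  // no memory load happens here
    const parse_result r = parse_record(lb);
    if (r != parse_result::OK) break;        // offset == len ends up here
    types.push_back(*first);                 // safe: record was complete
  }
  return types;
}

// Sample buffer (constructed): two complete records, then a truncated one.
static const byte kSample[] = {
  0x01, 0x02, 0xAA, 0xBB,  // type 1, 2-byte payload
  0x02, 0x00,              // type 2, empty payload
  0x03, 0x05, 0xCC         // type 3 claims 5 payload bytes, only 1 present
};

// Scans the sample from the start; the truncated record is not reported.
std::vector<byte> scan_sample() {
  return scan_complete_records({kSample, sizeof kSample, 0});
}

// The case from the report: the parse position already equals the length.
// No byte may be read; the scan must simply report no records.
bool scan_at_end_is_safe() {
  log_buffer lb{kSample, 6, 6};
  return scan_complete_records(lb).empty();
}

int main() {
  std::printf("complete records in sample: %zu\n", scan_sample().size());
  std::printf("scan at end safe: %s\n", scan_at_end_is_safe() ? "yes" : "no");
  return 0;
}
```

Using a pointer rather than a reference in the model keeps the example strictly within defined behaviour (a pointer one past the end of an array is valid as long as it is not dereferenced), while preserving the property that matters in the fix: the byte at the scan position is only loaded once the parser has reported OK.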

I do not think that this bug has much practical impact outside AddressSanitizer.


Generated at Thu Feb 08 10:09:30 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.