[MDEV-31928] Assertion `xid->gtrid_length + xid->bqual_length < 128' failed in void trx_undo_write_xid(trx_ulogf_t*, const XID*, mtr_t*)
Created: 2023-08-16  Updated: 2023-08-17  Resolved: 2023-08-17

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.4
Fix Version/s: 10.4.32

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: debug, not-10.5+

Issue Links:
Relates
relates to MDEV-21766 Forbid XID with empty 'gtrid' Closed

Description

CREATE TABLE t (s BINARY,KEY(s)) ENGINE=INNODB;
XA START 'gtrid_6789012345678901234567890123456789012345678901234567890123','bqual_6789012345678901234567890123456789012345678901234567890123',1234567890;
INSERT INTO t VALUES();
XA END 'gtrid_6789012345678901234567890123456789012345678901234567890123','bqual_6789012345678901234567890123456789012345678901234567890123',1234567890;
XA PREPARE 'gtrid_6789012345678901234567890123456789012345678901234567890123','bqual_6789012345678901234567890123456789012345678901234567890123',1234567890;

Leads to:

10.4.31 161ce045a71e306768d4609bdc35788fa5ea2a71 (Debug)

mariadbd: /test/10.4_dbg/storage/innobase/trx/trx0undo.cc:668: void trx_undo_write_xid(trx_ulogf_t*, const XID*, mtr_t*): Assertion `xid->gtrid_length + xid->bqual_length < 128' failed.

10.4.31 161ce045a71e306768d4609bdc35788fa5ea2a71 (Debug)

Core was generated by `/test/MD090823-mariadb-10.4.31-linux-x86_64-dbg/bin/mariadbd --no-defaults --co'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14d8bc0d3700 (LWP 1293712))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014d8beb48859 in __GI_abort () at abort.c:79
#2  0x000014d8beb48729 in __assert_fail_base (fmt=0x14d8becde588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x56347c194f80 "xid->gtrid_length + xid->bqual_length < 128", file=0x56347c197970 "/test/10.4_dbg/storage/innobase/trx/trx0undo.cc", line=668, function=<optimized out>) at assert.c:92
#3  0x000014d8beb59fd6 in __GI___assert_fail (assertion=assertion@entry=0x56347c194f80 "xid->gtrid_length + xid->bqual_length < 128", file=file@entry=0x56347c197970 "/test/10.4_dbg/storage/innobase/trx/trx0undo.cc", line=line@entry=668, function=function@entry=0x56347c197c10 "void trx_undo_write_xid(trx_ulogf_t*, const XID*, mtr_t*)") at assert.c:101
#4  0x000056347bb756ae in trx_undo_write_xid (mtr=0x14d8bc0d0490, xid=0x56347e65bdc8, log_hdr=0x14d8a9bf41db "") at /test/10.4_dbg/storage/innobase/trx/trx0undo.cc:668
#5  trx_undo_set_state_at_prepare (trx=trx@entry=0x14d8bca78110, undo=undo@entry=0x56347e65bdb0, rollback=rollback@entry=false, mtr=mtr@entry=0x14d8bc0d0490) at /test/10.4_dbg/storage/innobase/trx/trx0undo.cc:1612
#6  0x000056347bb67cef in trx_prepare_low (trx=trx@entry=0x14d8bca78110) at /test/10.4_dbg/storage/innobase/trx/trx0trx.cc:1971
#7  0x000056347bb67f50 in trx_prepare (trx=0x14d8bca78110) at /test/10.4_dbg/storage/innobase/trx/trx0trx.cc:1992
#8  trx_prepare_for_mysql (trx=trx@entry=0x14d8bca78110) at /test/10.4_dbg/storage/innobase/trx/trx0trx.cc:2030
#9  0x000056347b8e5ac4 in innobase_xa_prepare (hton=0x56347dcd2de8, thd=0x14d84c000d28, prepare_trx=<optimized out>) at /test/10.4_dbg/storage/innobase/handler/ha_innodb.cc:17027
#10 0x000056347b5d17e0 in prepare_or_error (ht=0x56347dcd2de8, thd=thd@entry=0x14d84c000d28, all=all@entry=true) at /test/10.4_dbg/sql/handler.cc:1287
#11 0x000056347b5d42b3 in ha_prepare (thd=thd@entry=0x14d84c000d28) at /test/10.4_dbg/sql/handler.cc:1325
#12 0x000056347b536618 in trans_xa_prepare (thd=thd@entry=0x14d84c000d28) at /test/10.4_dbg/sql/xa.cc:507
#13 0x000056347b35b8a5 in mysql_execute_command (thd=thd@entry=0x14d84c000d28) at /test/10.4_dbg/sql/sql_parse.cc:6075
#14 0x000056347b35e122 in mysql_parse (thd=thd@entry=0x14d84c000d28, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d8bc0d23b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:8010
#15 0x000056347b360c3d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d84c000d28, packet=packet@entry=0x14d84c019509 "XA PREPARE 'gtrid_6789012345678901234567890123456789012345678901234567890123','bqual_6789012345678901234567890123456789012345678901234567890123',1234567890", packet_length=packet_length@entry=155, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_class.h:1231
#16 0x000056347b363468 in do_command (thd=0x14d84c000d28) at /test/10.4_dbg/sql/sql_parse.cc:1378
#17 0x000056347b4801ef in do_handle_one_connection (connect=<optimized out>) at /test/10.4_dbg/sql/sql_connect.cc:1420
#18 0x000056347b4802ab in handle_one_connection (arg=<optimized out>) at /test/10.4_dbg/sql/sql_connect.cc:1324
#19 0x000014d8bf059609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x000014d8bec45133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.31 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt), 10.6.15 (opt), 10.6.15 (dbg), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt), 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt)



Comments
Comment by Marko Mäkelä [ 2023-08-16 ]

This looks like a potential buffer overflow, but actually it is an off-by-one error in the debug assertion. The maximum total length of the two string identifiers (MYSQL_XIDDATASIZE) is 128 bytes.

Curiously, an attempt to specify an ID longer than 64 bytes would result in ER_PARSE_ERROR instead of a descriptive error message.

Comment by Marko Mäkelä [ 2023-08-17 ]

In MDEV-21766 (MariaDB Server 10.5.2), this debug assertion was replaced with individual assertions on gtrid_length and bqual_length that do not suffer from the off-by-one problem.
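As an added illustration (not part of the ticket and not MariaDB source code), the C sketch below contrasts the off-by-one total-length assertion with per-identifier bounds of the kind the second comment describes. The struct layout and the 64-byte per-identifier caps are taken from the X/Open XA specification; the 128-byte area models the undo log header's XID field, and the filler bytes and the write_xid_into_header() helper are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Added illustration, not InnoDB code: the XID shape from the X/Open XA spec
 * and the fixed 128-byte XID area that trx_undo_write_xid() fills. */
#define MYSQL_XIDDATASIZE 128 /* gtrid + bqual capacity, as stated in the ticket */
#define MAXGTRIDSIZE 64       /* per-identifier caps from the XA spec */
#define MAXBQUALSIZE 64

struct xid_t {
  long formatID;
  long gtrid_length;
  long bqual_length;
  char data[MYSQL_XIDDATASIZE]; /* gtrid bytes, immediately followed by bqual */
};

/* The 10.4 debug assertion: '<' where '<=' was meant rejects the legal
 * exact-fit case 64 + 64 == 128 although nothing overflows, and it cannot
 * catch an oversized gtrid as long as the total stays under 128. */
static bool xid_check_buggy(long gtrid_length, long bqual_length) {
  return gtrid_length + bqual_length < MYSQL_XIDDATASIZE;
}

/* Per-field bounds in the spirit of the MDEV-21766 fix: each identifier is
 * checked on its own (and an empty gtrid is forbidden), so 64 + 64 always
 * fits the area and a 65-byte gtrid is rejected regardless of the total. */
static bool xid_check_fixed(long gtrid_length, long bqual_length) {
  return gtrid_length >= 1 && gtrid_length <= MAXGTRIDSIZE &&
         bqual_length >= 0 && bqual_length <= MAXBQUALSIZE;
}

/* Builds a constructed XID with the given lengths (filler bytes 'g'/'b') and
 * copies its payload into a 128-byte header area the way the undo log header
 * stores it. Returns the bytes written, or -1 if the XID is out of bounds. */
static int write_xid_into_header(long gtrid_length, long bqual_length) {
  struct xid_t xid;
  char header_xid_area[MYSQL_XIDDATASIZE];
  size_t total;
  if (!xid_check_fixed(gtrid_length, bqual_length)) return -1;
  memset(&xid, 0, sizeof xid);
  xid.formatID = 1234567890; /* the formatID used in the report */
  xid.gtrid_length = gtrid_length;
  xid.bqual_length = bqual_length;
  memset(xid.data, 'g', (size_t)gtrid_length);
  memset(xid.data + gtrid_length, 'b', (size_t)bqual_length);
  total = (size_t)gtrid_length + (size_t)bqual_length; /* at most 128 here */
  memcpy(header_xid_area, xid.data, total); /* cannot overrun the fixed area */
  return (int)total;
}
```

The report's XID (two 64-byte identifiers) trips xid_check_buggy() but passes xid_check_fixed() and is written as exactly 128 bytes; a 65-byte gtrid with a 62-byte bqual slips past the total-only check yet is rejected by the per-field one.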
