[MDEV-3766] LP:956079 - Potential NULL pointer dereference in pagecache_fwrite Created: 2012-03-15  Updated: 2012-10-04  Resolved: 2012-10-04

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Vladislav Vaintroub Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: Launchpad

Attachments: XML File LPexportBug956079.xml    

 Description   

Inside pagecache_fwrite() , in ma_pagecache.c, if my_pwrite() fails, the error handling callback function is called via function pointer.

the code in question is

if (my_pwrite(filedesc->file, buffer, pagecache->block_size,
((my_off_t) pageno << pagecache->shift), flags))

{ (*filedesc->write_fail)(filedesc->callback_data); DBUG_RETURN(1); }

the problem is that *filedesc->write_fail can be NULL, which means failing my_pwrite() will cause a crash by dereferencing NULL pointer.

To reproduce,

1. add line
DBUG_ASSERT(*filedesc->write_fail);
prior to code in question.

2. Compile with DBUG, run
perl mysql-test-run.pl --suite=maria

3. Observe a crash . Here is for example what I get in 5.1

0028B9C3 mysqld.exe!my_sigabrt_handler()[mysqld.cc:2188]
00258DA9 mysqld.exe!raise()[winsig.c:586]
0025D4D6 mysqld.exe!abort()[abort.c:74]
008586A7 mysqld.exe!_wassert()[assert.c:336]
006351E1 mysqld.exe!pagecache_fwrite()[ma_pagecache.c:666]
0063B93D mysqld.exe!flush_cached_blocks()[ma_pagecache.c:4370]
0063B1E1 mysqld.exe!flush_pagecache_blocks_int()[ma_pagecache.c:4660]
0063AAC7 mysqld.exe!flush_pagecache_blocks_with_filter()[ma_pagecache.c:4780]

0063CC23 mysqld.exe!_ma_once_end_block_record()[ma_blockrec.c:451]
005F9133 mysqld.exe!maria_close()[ma_close.c:81]
005D1A89 mysqld.exe!ha_maria::close()[ha_maria.cc:1018]
0040847A mysqld.exe!closefrm()[table.cc:2013]
00369C11 mysqld.exe!intern_close_table()[sql_base.cc:793]

 Comments   
Comment by Vladislav Vaintroub [ 2012-03-15 ]

Re: Potential NULL pointer dereference in pagecache_fwrite
My modification of source code :
=== modified file 'storage/maria/ma_pagecache.c'
— storage/maria/ma_pagecache.c 2011-02-10 18:33:51 +0000
+++ storage/maria/ma_pagecache.c 2012-03-15 14:37:08 +0000
@@ -663,6 +663,7 @@
DBUG_PRINT("error", ("write callback problem"));
DBUG_RETURN(1);
}
+ DBUG_ASSERT(*filedesc->write_fail);
if (my_pwrite(filedesc->file, buffer, pagecache->block_size,
((my_off_t) pageno << pagecache->shift), flags))
{

Comment by Rasmus Johansson (Inactive) [ 2012-05-03 ]

Launchpad bug id: 956079

Generated at Thu Feb 08 06:51:03 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.