[MDEV-5013] sql/sql_plugin.cc:update_func_str() for PLUGIN_VAR_MEMALLOC may cause double free Created: 2013-09-13  Updated: 2013-09-21  Resolved: 2013-09-21

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.0.4
Fix Version/s: 10.0.5

Type: Bug Priority: Major
Reporter: Kouhei Sutou Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None
Environment:

My platform is Debian GNU/Linux sid x86_64, but it occurs on all platforms.


Attachments: File fix-plugin-variable-double-free.patch    
Issue Links:
PartOf
is part of MDEV-4907 merge 5.5 → 10.0-base → 10.0 Closed

Description

If there is the following variable definition, it may cause double free:

static MYSQL_SYSVAR_STR(variable_name,
                        variable,
                        PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC, // PLUGIN_VAR_MEMALLOC is important!
                        "description",
                        NULL,
                        NULL, // using the default update function is important!
                        NULL);

The points are PLUGIN_VAR_MEMALLOC and the default update function.

If this pattern is used, the following SQL causes double free:

SET GLOBAL variable = "value";
SET GLOBAL variable = NULL;

If a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code is used in sql/sql_plugin.cc:

static void update_func_str(THD *thd, struct st_mysql_sys_var *var,
                             void *tgt, const void *save)
{
  char *value= *(char**) save;
  if (var->flags & PLUGIN_VAR_MEMALLOC)
  { // This clause is used!
    char *old= *(char**) tgt;
    if (value)
      *(char**) tgt= my_strdup(value, MYF(0));
    my_free(old);
  }
  else
    *(char**) tgt= value;
}

If value is NULL, tgt still refers to freed memory. It is freed again in sql/sql_plugin.cc:plugin_vars_free_values(). This causes a double free.

This pattern isn't used by any of the bundled storage engines. It is used in the mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
(I'm a mroonga storage engine developer.)

I will attach a patch to fix the problem.
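
To make the lifetime problem concrete, here is an added stand-alone C model (not MariaDB code and not the attached patch) that replays the two SET statements against the quoted update function and then the plugin cleanup. PLUGIN_VAR_MEMALLOC, struct sys_var and the tracking allocator are constructed stand-ins, and the fixed == 1 branch is one way to close the hole, not necessarily what the attached patch does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PLUGIN_VAR_MEMALLOC 0x8000   /* constructed stand-in for the real flag */
struct sys_var { int flags; };
/* Tracking allocator: blocks are only marked dead, never really freed, so a
 * second free of the same block is reported instead of corrupting the heap. */
#define MAX_BLOCKS 16
static void *blocks[MAX_BLOCKS];
static int live[MAX_BLOCKS];
static char *tracked_strdup(const char *s)
{
  for (int i = 0; i < MAX_BLOCKS; i++)
    if (!blocks[i]) { blocks[i] = malloc(strlen(s) + 1); strcpy(blocks[i], s); live[i] = 1; return blocks[i]; }
  abort();
}
/* Returns 1 on a valid free (NULL is a no-op), 0 on a double free. */
static int tracked_free(void *p)
{
  if (!p) return 1;
  for (int i = 0; i < MAX_BLOCKS; i++)
    if (blocks[i] == p) { if (!live[i]) return 0; live[i] = 0; return 1; }
  return 0;
}
/* update_func_str() for a PLUGIN_VAR_MEMALLOC variable: fixed == 0 is the code
 * quoted in the report, fixed == 1 adds the missing store of NULL. */
static void update_func_str(struct sys_var *var, void *tgt, const void *save, int fixed)
{
  char *value = *(char **) save;
  if (var->flags & PLUGIN_VAR_MEMALLOC) {
    char *old = *(char **) tgt;
    if (value)
      *(char **) tgt = tracked_strdup(value);
    else if (fixed)
      *(char **) tgt = NULL;   /* otherwise tgt keeps pointing at old, freed below */
    tracked_free(old);
  } else
    *(char **) tgt = value;
}
/* Replays SET GLOBAL variable = "value"; SET GLOBAL variable = NULL; then the
 * plugin_vars_free_values() cleanup. Returns 1 if the cleanup double-freed. */
static int replay(int fixed)
{
  struct sys_var var = { PLUGIN_VAR_MEMALLOC };
  char *variable = NULL, *v1 = "value", *v2 = NULL;  /* plugin storage + inputs */
  update_func_str(&var, &variable, &v1, fixed);
  update_func_str(&var, &variable, &v2, fixed);
  return tracked_free(variable) ? 0 : 1;
}
int main(void) { printf("buggy: %d  fixed: %d\n", replay(0), replay(1)); return 0; }
```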



Comments
Comment by Sergei Golubchik [ 2013-09-13 ]

Yes, thanks!
We've just done the same fix in 5.5, and soon I'll merge it into 10.0. This should be fixed in 5.5.33 and in 10.0.5.

Comment by Kouhei Sutou [ 2013-09-14 ]

Thanks for confirming it! I'll wait for the next release!

(Thanks for fixing the markup of the description.)

Generated at Thu Feb 08 07:00:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.