Bug #40778 thd_security_context has bad architecture; allocates on unprotected memroot
Submitted: 17 Nov 2008 10:46 Modified: 9 Jan 18:27
Reporter: Kristofer Pettersson
Status: Closed
Category: Server: SE API    Severity: S3 (Non-critical)
Version: 5.0    OS: Any
Assigned to: Kristofer Pettersson    Target Version: 5.0+
Triage: Triaged: D1 (Critical)

[17 Nov 2008 10:46] Kristofer Pettersson
Description:
The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
message length becomes longer than requested and the initial buffer memory needs to be
reallocated.

1. Writing more bytes than requested seems wrong even if we grow the buffer dynamically.
2. If the MEM_ROOT is invalidated this will lead to a crash.

How to repeat:
A crash because of using memory on an invalid MEM_ROOT has not yet been discovered. But it
is clear that the design is not what you expect from this function.

Other crashes have been discovered related to this function, see Bug#38883.
[17 Nov 2008 14:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58950

2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot

      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.

      This patch fixes the design error by copying parts of the reallocated buffer
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
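The pattern the report and the commit message describe, as an added illustration that is not code from MySQL or from this bug's patch: a caller hands in a buffer of a stated length, the message may outgrow it, and a scratch allocator stands in for the MEM_ROOT. The "before" variant returns memory from that allocator when the message does not fit; the "after" variant builds the full message in storage it owns only for the duration of the call, copies a bounded prefix into the caller's buffer, and always returns that buffer. Every name here (arena, sec_ctx, format_ctx, context_message_unsafe, context_message_safe) and the sample context values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy bump allocator standing in for the "unprotected MEM_ROOT" of the
 * report: arena_reset() makes every pointer it handed out stale. */
typedef struct { char *mem; size_t used, cap; } arena;

static void arena_init(arena *a, size_t cap) {
    a->mem = malloc(cap);
    a->used = 0;
    a->cap = a->mem ? cap : 0;
}
static char *arena_alloc(arena *a, size_t n) {
    if (a->used + n > a->cap) return NULL;
    char *p = a->mem + a->used;
    a->used += n;
    return p;
}
static void arena_reset(arena *a) { a->used = 0; }
static void arena_free(arena *a) { free(a->mem); a->mem = NULL; a->cap = 0; }

/* Hypothetical stand-in for the thread fields the real function prints. */
typedef struct { const char *user, *host, *db, *query; } sec_ctx;

/* snprintf semantics: returns the full length even when cap is too small. */
static int format_ctx(char *dst, size_t cap, const sec_ctx *c) {
    return snprintf(dst, cap, "%s@%s db=%s query=%s",
                    c->user, c->host, c->db, c->query);
}

/* BEFORE (the reported design): when the message outgrows the caller's
 * buffer, grow a new one on the arena and return THAT pointer, whose
 * lifetime is tied to the arena rather than to the caller. */
static char *context_message_unsafe(const sec_ctx *c, arena *root,
                                    char *buffer, size_t length) {
    int need = format_ctx(NULL, 0, c);
    if (need < 0) return NULL;
    if ((size_t)need < length) {
        format_ctx(buffer, length, c);
        return buffer;
    }
    char *grown = arena_alloc(root, (size_t)need + 1);
    if (grown == NULL) return NULL;
    format_ctx(grown, (size_t)need + 1, c);
    return grown;
}

/* AFTER (the fix as described): build the full message in memory this
 * function owns only for the duration of the call, copy at most length-1
 * bytes into the caller's buffer, release the temporary, return buffer. */
static char *context_message_safe(const sec_ctx *c, char *buffer, size_t length) {
    if (length == 0) return NULL;
    int need = format_ctx(NULL, 0, c);
    if (need < 0) return NULL;
    char *tmp = malloc((size_t)need + 1);   /* plays the String's own storage */
    if (tmp == NULL) return NULL;
    format_ctx(tmp, (size_t)need + 1, c);
    size_t n = (size_t)need < length - 1 ? (size_t)need : length - 1;
    memcpy(buffer, tmp, n);
    buffer[n] = '\0';
    free(tmp);                              /* reclaimed before returning, like the String */
    return buffer;
}

/* Constructed sample context; the values are not taken from the report. */
static const sec_ctx SAMPLE = { "app", "10.0.0.5", "orders", "SELECT * FROM orders" };

/* Returns 1 when the unsafe variant hands back memory outside the caller's
 * buffer and that memory changes once the arena is reused for other work. */
int unsafe_result_goes_stale(void) {
    char buffer[16];
    char saved[128];
    arena root;
    arena_init(&root, 256);

    char *p = context_message_unsafe(&SAMPLE, &root, buffer, sizeof buffer);
    if (p == NULL) { arena_free(&root); return 0; }
    int outside = (p != buffer);
    snprintf(saved, sizeof saved, "%s", p);

    arena_reset(&root);                     /* root recycled; p still points into it */
    char *other = arena_alloc(&root, 64);
    if (other != NULL) { memset(other, 'X', 63); other[63] = '\0'; }

    int clobbered = (strcmp(saved, p) != 0);
    arena_free(&root);
    return outside && clobbered;
}

/* Returns 1 when the safe variant returns the caller's buffer, fills at
 * most length-1 bytes, and leaves a NUL-terminated prefix of the message. */
int safe_result_stays_bounded(void) {
    char buffer[16];
    char *p = context_message_safe(&SAMPLE, buffer, sizeof buffer);
    return p == buffer
        && strlen(buffer) == sizeof buffer - 1
        && strcmp(buffer, "app@10.0.0.5 db") == 0;
}

int main(void) {
    printf("unsafe result went stale: %d\n", unsafe_result_goes_stale());
    printf("safe result stayed bounded: %d\n", safe_result_stays_bounded());
    return 0;
}
```

The two demo functions return flags rather than printing so the behaviour can be checked rather than read. The point of the second one is the contract the report asks for: the callee's result is defined purely in terms of the caller's buffer and length, and nothing allocated during the call outlives it.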
[17 Nov 2008 15:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58955

2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot

      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.

      This patch fixes the design error by copying parts of the reallocated buffer
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
[17 Nov 2008 15:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58956

2688 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot

      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.

      This patch fixes the design error by copying parts of the reallocated buffer
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.

-- 
MySQL Code Commits Mailing List
For list archives: http://lists.mysql.com/commits
To unsubscribe:    http://lists.mysql.com/commits?unsub=commits@bugs.mysql.com
[17 Nov 2008 15:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58957

2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot

      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.

      This patch fixes the design error by copying parts of the reallocated buffer
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
[8 Dec 2008 11:20] Bugs System
Pushed into 5.1.31  (revid:kristofer.pettersson@sun.com-20081117141721-x8jrq5vhnhwotxtu)
(version source revid:patrick.crews@sun.com-20081126180318-v685u61mpgoc176x) (pib:5)
[8 Dec 2008 12:31] Bugs System
Pushed into 6.0.9-alpha 
(revid:kristofer.pettersson@sun.com-20081117141721-x8jrq5vhnhwotxtu) (version source
revid:ingo.struewing@sun.com-20081121151447-dtf2ofz2ys0zqed1) (pib:5)
[9 Jan 18:27] MC Brown
Internal only. No documentation needed.
[19 Jan 12:32] Bugs System
Pushed into 5.1.31-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090119095303-uwwvxiibtr38djii)
(version source revid:tomas.ulin@sun.com-20090108105244-8opp3i85jw0uj5ib) (merge vers:
5.1.31-ndb-6.2.17) (pib:6)
[19 Jan 14:09] Bugs System
Pushed into 5.1.31-ndb-6.3.21 (revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl)
(version source revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (merge vers:
5.1.31-ndb-6.3.21) (pib:6)
[19 Jan 17:14] Bugs System
Pushed into 5.1.31-ndb-6.4.1 (revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5)
(version source revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (merge vers:
5.1.31-ndb-6.4.1) (pib:6)