Bug #108502 Return value of my_thread_get_THR_PFS() not get checked
Submitted: 15 Sep 2022 23:16 Modified: 6 Sep 2023 8:01
Reporter: Li Zhong Email Updates:
Status: Closed Impact on me: None
Category:MySQL Server: Performance Schema Severity:S2 (Serious)
Version:8.0.21 OS:Any
Assigned to: Marc ALFF CPU Architecture:Any

[15 Sep 2022 23:16] Li Zhong
Description:
Hi, I'm a researcher on static analysis and we found a potential null pointer dereference bug in the MySQL-server-8.0.21 code:

In https://github.com/mysql/mysql-server/blob/f8cdce86448a211511e8a039c62580ae16cb96f5/storag..., my_thread_get_THR_PFS(PFS_table_share*) could return nullptr. So when it is used in DBUG_ASSERT((uint)user_len <= sizeof(pfs->m_username)), it is possible to cause a null pointer dereference.

How to repeat:
We found this with our static analysis tool. The analysis result was checked manually.

Suggested fix:
Move the check at line 3106

if (unlikely(pfs == nullptr)) {
  return;
}

to right after the function call my_thread_get_THR_PFS().
[16 Sep 2022 4:53] MySQL Verification Team
Hello Li Zhong,

Thank you for the report.

regards,
Umesh
[6 Sep 2023 7:41] Marc ALFF
This was indeed a problem in 8.0.21, thanks for the report.

The issue was fixed indirectly in 8.0.29 by:

commit b2e8da10f48c102f3bd3e08a423d63205152380a
Author: Marc Alff <marc.alff@oracle.com>
Date:   Fri Nov 5 09:56:44 2021 +0100

    BUG#30881109 PERFSCHEMA TABLES ARE NOT COLLATION AWARE

which refactored the affected code.
[6 Sep 2023 8:01] Marc ALFF
Fixed in 8.0.29