Bug #38469 | invalid memory read and/or crash with utf8 text field, stored procedure, uservar | ||
---|---|---|---|
Submitted: | 30 Jul 2008 18:21 | Modified: | 20 Oct 2008 15:31 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Stored Routines | Severity: | S1 (Critical) |
Version: | 5.0.66a, mysql-5.1.26-rc-linux-i686-glibc23, 5.1.28 | OS: | Any |
Assigned to: | Kristofer Pettersson | CPU Architecture: | Any |
[30 Jul 2008 18:21]
Shane Bester
[30 Jul 2008 18:23]
MySQL Verification Team
full stack1
Attachment: bug38469_full_stack_5.0.66a.txt (text/plain), 3.56 KiB.
[30 Jul 2008 20:52]
MySQL Verification Team
memory overruns are sensitive to compilers, and platform differences. at least on windows 5.0.66a, the following testcase shows a problem: --------- delimiter $ drop procedure if exists `p2` $ create procedure `p2`(in `a` text) begin declare `pos` int default 1; declare `str` text; set `str` := `a`; select substr(`str`, `pos`+ 1 )into `str`; end $ delimiter ; call `p2`('s s s s , ,'); show warnings; --------- notice the output of 'show warnings' is pointing to uninitialized or freed memory: mysql> call `p2`('s s s s , ,'); Query OK, 0 rows affected, 1 warning (0.00 sec) mysql> show warnings; +---------+------+------------------------------------------------------- | Level | Code | Message +---------+------+------------------------------------------------------- | Warning | 1366 | Incorrect string value: '\xA5\xA5\xA5\xA5\xA5\xA5...' ' +---------+------+------------------------------------------------------- 1 row in set (0.00 sec)
[31 Jul 2008 8:00]
MySQL Verification Team
under valgrind on 5.0.66a on linux there are errors. they are interrmittent though
Attachment: bug38469_valgrind_errors_and_testcase.txt (text/plain), 8.08 KiB.
[31 Jul 2008 8:10]
MySQL Verification Team
setting to verified on 5.0.66a with the following testcase. crash on linux is very hard to archieve with a simple testcase, but valgrind errors show the problem. start mysqld-debug with clean datadir under valgrind with these options: valgrind --tool=memcheck --leak-check=yes -v --show-reachable=yes ./bin/mysqld-debug --skip-grant-tables --skip-name-resolve --basedir=. --datadir=./data --default-character-set=utf8 now run: mysql -uroot use test delimiter $ drop procedure if exists `p2` $ create procedure `p2`(in `a` text) begin declare `pos` int default 1; declare `str` text; set `str` := `a`; select substr(`str`, `pos`+ 1 )into `str`; end $ delimiter ; call `p2`('s s s s , ,'); show warnings; See the above attached file for the output of valgrind.
[8 Aug 2008 20:50]
MySQL Verification Team
bug #38674 is likely the same as this.
[15 Sep 2008 8:07]
MySQL Verification Team
valgrind output from 5.1.28
Attachment: bug38469.txt (text/plain), 7.50 KiB.
[15 Sep 2008 21:23]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/54163 2677 Kristofer Pettersson 2008-09-15 Bug#38469 invalid memory read and/or crash with utf8 text field, stored procedure, uservar A stored procedure involving substrings could crash the server on certain platforms because of invalid memory reads. This patch fixes this issue.
[19 Sep 2008 13:25]
Kristofer Pettersson
Observations made while debugging this: * Where does the String object originate from? ie. where is the '*from' pointer pointing to? - `a` Item_splocal item: * Which Item is used? The 'field' will be Field_blob; what is the corresponding Item ? const Item * Item_splocal::this_item() const { DBUG_ASSERT(m_sp == m_thd->spcont->sp); return m_thd->spcont->get_item(m_var_idx); /* get value from value store */ } - Item_string is used to represent the current value of `Str` and is wrapped by Item_splocal. * The variable value is either copied or referenced by `Str`-Item_splocal variable. rcontext::set_variable(): int sp_rcontext::set_variable(THD *thd, Field *field, Item **value) { if (!value) { field->set_null(); return 0; } return sp_eval_expr(thd, field, value); } Setting will be rcontext::set_variable -> ... -> Item_string::save_in_field -> Item_string::save_str_value_in_field -> Field_blob::store * The Item_func_substr(..) is referencing the Item_splocal `Str`; a new temporary string is created which references Item_splocal `Str` using address to cached value in associated Field member, Field_blob. Is the String conversion happening at the right place? I think it should happen inside the String class or inside a String-help class attached to the String object, but we won't make this change today.
[20 Sep 2008 8:45]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/54404 2677 Kristofer Pettersson 2008-09-20 Bug#38469 invalid memory read and/or crash with utf8 text field, stored procedure, uservar A stored procedure involving substrings could crash the server on certain platforms because of invalid memory reads. During storing the new blob-field value, the cached value's address range overlapped that of the new field value. This caused problems when the cached value storage was reallocated to provide access for a new characater set representation. The patch checks the address ranges, and if they overlap, the new field value is copied to a new storage before it is converted to the new character set.
[20 Sep 2008 12:47]
Alexander Barkov
The patch looks fine. Thanks for the comments added!
[7 Oct 2008 19:21]
Paul DuBois
Noted in 5.1.29 changelog. Stored procedures involving substrings could crash the server on certain platforms due to invalid memory reads. Leaving report status unchanged; this is early documentation of an upcoming push into 5.1.29.
[9 Oct 2008 18:09]
Bugs System
Pushed into 5.1.30 (revid:kpettersson@mysql.com-20080920085103-z6pem6ae29r0fuir) (version source revid:kpettersson@mysql.com-20080920145234-bxwpkhohzmar9njy) (pib:4)
[9 Oct 2008 18:39]
Paul DuBois
Setting report to NDI pending push into 5.0.x, 6.0.x.
[17 Oct 2008 16:45]
Bugs System
Pushed into 6.0.8-alpha (revid:kpettersson@mysql.com-20080920085103-z6pem6ae29r0fuir) (version source revid:kpettersson@mysql.com-20080925114617-i25jmvw6nwwwcl0z) (pib:5)
[17 Oct 2008 17:50]
Paul DuBois
Noted in 6.0.8 changelog. Setting report to NDI pending push into 5.0.x.
[20 Oct 2008 15:31]
Paul DuBois
Noted in 5.0.72 changelog.
[28 Oct 2008 21:05]
Bugs System
Pushed into 5.1.29-ndb-6.2.17 (revid:kpettersson@mysql.com-20080920085103-z6pem6ae29r0fuir) (version source revid:tomas.ulin@sun.com-20081028140209-u4emkk1xphi5tkfb) (pib:5)
[28 Oct 2008 22:23]
Bugs System
Pushed into 5.1.29-ndb-6.3.19 (revid:kpettersson@mysql.com-20080920085103-z6pem6ae29r0fuir) (version source revid:tomas.ulin@sun.com-20081028194045-0353yg8cvd2c7dd1) (pib:5)
[1 Nov 2008 9:49]
Bugs System
Pushed into 5.1.29-ndb-6.4.0 (revid:kpettersson@mysql.com-20080920085103-z6pem6ae29r0fuir) (version source revid:jonas@mysql.com-20081101082305-qx5a1bj0z7i8ueys) (pib:5)
[7 Nov 2008 16:18]
Susanne Ebrecht
Bug #31107 is set as duplicate of this bug here.