Bug #59242 INS/UPD followed by DEL on same row in same trans can lead to buffer-overflow
Submitted: 31 Dec 2010 9:47 Modified: 6 Jan 2011 7:26
Reporter: Jonas Oreland
Status: Closed
Category: MySQL Cluster: Cluster (NDB) storage engine Severity: S3 (Non-critical)
Version: OS: Any
Assigned to: Jonas Oreland CPU Architecture: Any

[31 Dec 2010 9:47] Jonas Oreland
Description:
When an INS/UPD/DEL is performed on a row, the before-image
is kept (to allow rollback). This before-image is kept in a
special undo-buffer. However, the DEL copied 4 to 8 bytes too much
and therefore over-writes the buffer allocated to it.

This is however only a problem if the end of the allocated buffer
was at the end of a page boundary. Then the over-writing could
write onto a page that is used for something else.

This could lead to a bus error, or weird ndbrequire's.

This bug was introduced by the fix for bug#35208 (April '08),
but the fix for bug#56524 (6.3.38, 7.0.19, 7.1.8) made it more likely,
since an additional 4 bytes would be over-written.

How to repeat:
.

Suggested fix:
.
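The first patch listed below traps this kind of overrun by bracketing each undo allocation with a header and footer word. The following is an added, constructed illustration of that idea (not NDB's own Undo_buffer code): a page-sized arena hands out guarded slots for before-images, and a copy that writes one or two words past its allocation, as the DEL did, is caught by the footer check. `Undo_buffer`, `GUARD_HEAD`, `GUARD_FOOT` and `demo` are names assumed here.

```c
#include <stdint.h>
#include <string.h>

/* Constructed arena: one page of 32-bit words, allocations bracketed by
   guard words so an overrun of even one word is detectable. */
#define PAGE_WORDS 64
#define GUARD_HEAD 0xDEADBEEFu
#define GUARD_FOOT 0xFEEDFACEu

typedef struct {
    uint32_t page[PAGE_WORDS];
    uint32_t used;            /* words handed out so far */
} Undo_buffer;

/* Reserve `len` words for a before-image, with a guard word on each side.
   Returns the payload pointer, or NULL if the page is full. */
static uint32_t *undo_alloc(Undo_buffer *ub, uint32_t len)
{
    if (ub->used + len + 2 > PAGE_WORDS) return NULL;
    uint32_t *p = ub->page + ub->used;
    p[0] = GUARD_HEAD;
    p[len + 1] = GUARD_FOOT;
    ub->used += len + 2;
    return p + 1;
}

/* Copy a before-image of `len` words plus `extra` words of over-copy
   (0 for correct code; the report describes copying 1 or 2 words too many). */
static void save_before_image(uint32_t *dst, const uint32_t *row, uint32_t len, uint32_t extra)
{
    memcpy(dst, row, (len + extra) * sizeof(uint32_t));
}

/* The check the patch adds: 1 if both guards are intact, 0 if overrun. */
static int undo_guards_ok(const uint32_t *payload, uint32_t len)
{
    return payload[-1] == GUARD_HEAD && payload[len] == GUARD_FOOT;
}

/* Returns 1 if an over-copy of `extra` words was caught, 0 if clean, -1 on alloc failure. */
int demo(uint32_t len, uint32_t extra)
{
    static uint32_t row[PAGE_WORDS];  /* constructed sample row, every byte 0x11 */
    memset(row, 0x11, sizeof row);
    Undo_buffer ub = {{0}, 0};
    uint32_t *img = undo_alloc(&ub, len);
    if (!img) return -1;
    save_before_image(img, row, len, extra);
    return !undo_guards_ok(img, len);
}
```

With `extra` set to 1 or 2 (4 or 8 bytes), the footer word is overwritten and the check fails, which is the condition the VM_TRACE/ERROR_INSERT build of the patch turns into a trap.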
[31 Dec 2010 9:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/127728

3371 jonas oreland	2010-12-31
      ndb - bug#59242 - Add header/footer to Undo_buffer to trap overflow (#ifdef VM_TRACE/ERROR_INSERT)
[31 Dec 2010 10:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/127730

3372 jonas oreland	2010-12-31
      ndb - bug#59242 - fix Undo_buffer overflow for multi-op DEL
[31 Dec 2010 10:02] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.40 (revid:jonas@mysql.com-20101231100803-131nhvxb3k03n05f) (version source revid:jonas@mysql.com-20101231100803-131nhvxb3k03n05f) (merge vers: 5.1.51-ndb-6.3.40) (pib:24)
[31 Dec 2010 12:10] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.21 (revid:jonas@mysql.com-20101231121543-ucea44l43wrpllwe) (version source revid:jonas@mysql.com-20101231121543-ucea44l43wrpllwe) (merge vers: 5.1.51-ndb-7.0.21) (pib:24)
[31 Dec 2010 22:40] Jonas Oreland
pushed to 6.3.40, 7.0.21 and 7.1.10
[6 Jan 2011 7:26] Jon Stephens
Documented bugfix in the NDB-6.3.40, 7.0.21, 7.1.10 changelogs as follows:

        A row insert or update followed by a delete operation on the
        same row within the same transaction could in some cases lead to
        a buffer overflow.

Closed.