Bug #63901 Potentially invalid write to a MYISAM_SHARE share object
Submitted: 2 Jan 2012 19:08 Modified: 2 Jan 2012 19:42
Reporter: Davi Arnaut (OCA)
Status: Verified
Category:MySQL Server: MyISAM storage engine Severity:S3 (Non-critical)
Version:5.1, 5.5+ OS:Any
Assigned to: CPU Architecture:Any

[2 Jan 2012 19:08] Davi Arnaut
Description:
Allocating a MYISAM_SHARE object in the heap when opening a MyISAM table might lead to an invalid write to a MYISAM_SHARE object allocated in the stack.

mi_open.c:

272     if (!my_multi_malloc(MY_WME,
273                          &share,sizeof(*share),
274                          &share->state.rec_per_key_part,sizeof(long)*key_parts,
...
289                          &share->key_root_lock, sizeof(mysql_rwlock_t)*keys,
290                          &share->mmap_lock, sizeof(mysql_rwlock_t),
291                          NullS))

myisamdef.h:

216   uint     nonmmaped_inserts;           /* counter of writing in non-mmaped
217                                            area */
218   mysql_rwlock_t mmap_lock;
219 } MYISAM_SHARE;

The mmap_lock field is not a pointer, so it does not need to be explicitly allocated. Also, if the size of the mysql_rwlock_t type is less than the size of a pointer, the stack might be corrupted, but it is highly unlikely.

How to repeat:
Code inspection.

Suggested fix:
@@ -287,7 +287,6 @@ MI_INFO *mi_open(const char *name, int mode, uint open_flags)
                         &share->state.key_del,
                         (share->state.header.max_block_size_index*sizeof(my_off_t)),
                          &share->key_root_lock, sizeof(mysql_rwlock_t)*keys,
-                         &share->mmap_lock, sizeof(mysql_rwlock_t),
                         NullS))
       goto err;
     errpos=4;
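Review bot: dropping the `&share->mmap_lock, sizeof(mysql_rwlock_t)` pair is the right change, because my_multi_malloc stores a pointer into every address it is handed and mmap_lock is an embedded mysql_rwlock_t (myisamdef.h line 218), not a pointer, so that store was landing on the lock's own bytes and, where sizeof(mysql_rwlock_t) is smaller than a pointer, past them. The remaining slots in the hunk are still spelled `&share->...` even though `share` is also the variable the call reassigns; those addresses are evaluated before the call and therefore point into the stack share_buff, which is easy to misread, so the reporter's follow-up of writing them as `&share_buff.` belongs in the same patch rather than a later one.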

Also, suggest replacing the use of "share->" with "share_buff.".
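To make the mechanism concrete, here is an added, stand-alone C example that is not MySQL code: `multi_malloc` is a constructed stand-in for my_multi_malloc that stores a pointer into every slot it is given, and `struct share` is a constructed stand-in for MYISAM_SHARE with a 4-byte embedded lock followed by a canary. `open_share(1)` hands in `&share->mmap_lock` as the report describes, so on a 64-bit build the pointer-sized store spills into the neighbouring field; `open_share(0)` is the fixed call.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)
#define CANARY    0xDEADBEEFu

struct piece { void *slot; size_t len; };   /* where to store the ptr, bytes */
/* Constructed stand-in for my_multi_malloc (not MySQL's code): one malloc,
 * then a pointer to each sub-region is stored at piece.slot. The store is
 * sizeof(void *) bytes wide, so every slot must be a pointer variable. */
static void *multi_malloc(const struct piece *pc, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += ALIGN8(pc[i].len);
    char *base = malloc(total), *p = base;
    if (!base) return NULL;
    for (size_t i = 0; i < n; i++) {
        memcpy(pc[i].slot, &p, sizeof p);   /* memcpy: no aliasing UB in the demo */
        p += ALIGN8(pc[i].len);
    }
    return base;
}

/* Constructed stand-in for MYISAM_SHARE: a real pointer member, a 4-byte
 * embedded lock object (not a pointer) and a canary right behind it. */
struct share { long *rec_per_key_part; uint32_t mmap_lock; uint32_t canary; };

/* bad != 0 reproduces the report by handing in &share->mmap_lock as a slot.
 * Returns 1 if the heap object is set up and the canary survived, else 0. */
int open_share(int bad)
{
    struct share share_buff, *share = &share_buff;
    memset(&share_buff, 0, sizeof share_buff);
    share_buff.canary = CANARY;
    /* as in mi_open, &share->... is taken while share still points at share_buff */
    struct piece pc[3] = {
        { &share, sizeof *share },
        { &share->rec_per_key_part, 3 * sizeof(long) },
        { &share->mmap_lock, sizeof(uint32_t) },          /* the offending pair */
    };
    void *block = multi_malloc(pc, bad ? 3 : 2);
    if (!block) return 0;
    *share = share_buff;   /* publish the sub-pointers into the heap object */
    int ok = (void *)share == block && share->canary == CANARY &&
             (char *)share->rec_per_key_part == (char *)block + ALIGN8(sizeof *share);
    free(block);
    return ok;
}
```

On a 32-bit target the pointer store is exactly 4 bytes, so `open_share(1)` overwrites only mmap_lock and the canary survives, which is why the report calls the stack corruption unlikely.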
[2 Jan 2012 19:42] Marc Alff
Hi Davi

Verified as described.

Thanks,
-- Marc