Bug #73310 AddressSanitizer bug in DataBuffer2<sz,Pool>::import (Dbdict::alterTable_parse)
Submitted: 17 Jul 2014 10:19  Modified: 7 Aug 2014 11:50
Reporter: Mauritz Sundell
Status: Closed
Category: MySQL Cluster: Cluster (NDB) storage engine  Severity: S3 (Non-critical)
Version: 7.1  OS: Any
Assigned to:  CPU Architecture: Any

[17 Jul 2014 10:19] Mauritz Sundell
Description:
DataBuffer2 is a linked list of fixed-size buffers. When calling import(), it tries to fill the first buffer with data from the source, even if the source data is shorter than the buffer space left. This results in a read beyond the source buffer.

==7830== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f923e4fe7fb at pc 0x801556 bp 0x7f923e4fe220 sp 0x7f923e4fe218
READ of size 1 at 0x7f923e4fe7fb thread T15
    #0 0x801555 in memcpy /usr/include/bits/string3.h:51
    #1 0x810697 in Dbdict::alterTable_parse(Signal*, bool, Ptr<Dbdict::SchemaOp>, SectionHandle&, Dbdict::ErrorInfo&) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/blocks/dbdict/Dbdict.cpp:8757
    #2 0x77eec7 in Dbdict::handleClientReq(Signal*, Ptr<Dbdict::SchemaOp>, SectionHandle&) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/blocks/dbdict/Dbdict.cpp:27987 (discriminator 3)
    #3 0x785152 in Dbdict::execALTER_TABLE_REQ(Signal*) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/blocks/dbdict/Dbdict.cpp:8506
    #4 0x12fdb3e in SimulatedBlock::executeFunction(unsigned short, Signal*, void (SimulatedBlock::*)(Signal*)) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/SimulatedBlock.hpp:1150
    #5 0x12fde5e in run_job_buffers /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/mt.cpp:3775
    #6 0x130700f in mt_job_thread_main /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/mt.cpp:4501
    #7 0x120c2ab in ndb_thread_wrapper /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/common/portlib/NdbThread.c:202
    #8 0x7f9254c9f557 in ?? ??:0
    #9 0x7f9254a71d62 in ?? ??:0
    #10 0x7f9253d8f2ec in ?? ??:0
Address 0x7f923e4fe7fb is located at offset 539 in frame <alterTable_parse> of T15's stack:
  This frame has 13 object(s):
    [32, 40) 'attrData'
    [96, 112) 'trans_ptr'
    [160, 176) 'alterTabPtr'
    [224, 240) 'tablePtr'
    [288, 304) 'newTablePtr'
    [352, 368) 'tabInfoPtr'
    [416, 432) 'obj'
    [480, 512) 'r1'
    [544, 576) 'te'
    [608, 648) 'parseRecord'
    [704, 760) 'w'
    [800, 928) 'name'
    [960, 1160) 'buf'

How to repeat:
Compile with ASAN and run, for example, ./mtr ndb.ndb_alter_table

Suggested fix:
--- storage/ndb/src/kernel/vm/DataBuffer2.hpp
+++ storage/ndb/src/kernel/vm/DataBuffer2.hpp
@@ -245,9 +245,13 @@ DataBuffer2<sz, Pool>::import(const Data
 
   if (left)
   {
-    memcpy(p->data+ind, src, 4 * left);
     if (len <= left)
+    {
+      memcpy(p->data+ind, src, 4 * len);
       return true;
+    }
+
+    memcpy(p->data+ind, src, 4 * left);
 
     src += left;
     len -= left;
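Review bot: Add a short comment above the new `if (len <= left)` block saying that the source may hold fewer than `left` words, because the reason the single `memcpy(p->data+ind, src, 4 * left);` had to be split into a `4 * len` copy for the short case and a `4 * left` copy for the fall-through is not obvious from the code alone. The logic itself looks right: the short-source branch copies exactly `len` words and returns, and the fall-through still copies `left` words before `src += left; len -= left;`, so `src` is never read past `len` words. Since the over-read is silent without a sanitizer, it would be worth stating in the commit that the `./mtr ndb.ndb_alter_table` run under ASAN from the report is the regression check.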
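The mechanism described in the report, as an added example that is not NDB's DataBuffer2 code: a minimal linked list of fixed-size word chunks (`WordChunks`, its `import()` and `contents()`, and the `demo_contents()` scenario are all constructed here) whose import() bounds the first copy by the source length, so a source shorter than the free space in the tail chunk is never over-read.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal stand-in for a DataBuffer2-style list of fixed-size word buffers (example only, not NDB code).
template <size_t SZ>
struct WordChunks {
  struct Chunk { uint32_t data[SZ]; Chunk* next = nullptr; };
  Chunk *head = nullptr, *tail = nullptr;
  size_t used = 0;  // total words stored
  ~WordChunks() { while (head) { Chunk* n = head->next; delete head; head = n; } }
  // Append `len` words from `src`, reading exactly `len` words and no more.
  bool import(const uint32_t* src, size_t len) {
    size_t ind = used % SZ;            // first free slot in the tail chunk
    size_t left = ind ? SZ - ind : 0;  // free words in the tail chunk
    if (left) {
      // Report's bug: copying `left` words regardless of `len` over-reads `src` when len < left.
      size_t n = std::min(len, left);
      std::copy(src, src + n, tail->data + ind);
      used += n; src += n; len -= n;
      if (len == 0) return true;
    }
    while (len) {  // the remainder goes into freshly allocated whole chunks
      Chunk* c = new Chunk();
      if (tail) tail->next = c; else head = c;
      tail = c;
      size_t n = std::min(len, SZ);
      std::copy(src, src + n, c->data);
      used += n; src += n; len -= n;
    }
    return true;
  }
  std::vector<uint32_t> contents() const {  // flatten in insertion order
    std::vector<uint32_t> v;
    for (Chunk* c = head; c; c = c->next)
      v.insert(v.end(), c->data, c->data + std::min(SZ, used - v.size()));
    return v;
  }
};

// Constructed scenario: 11 words leave the 8-word tail chunk with 5 free slots,
// then a 3-word source arrives, the len < left case that over-read before the fix.
std::vector<uint32_t> demo_contents() {
  WordChunks<8> b;
  uint32_t first[11]; for (uint32_t i = 0; i < 11; ++i) first[i] = i;
  b.import(first, 11);                          // tail chunk: 3 used, 5 free
  const uint32_t second[3] = {100, 101, 102};
  b.import(second, 3);                          // len 3 < left 5: bounded copy
  return b.contents();
}
```

With the unbounded `left`-sized copy in place of `std::min(len, left)`, the 3-word second import in demo_contents() would read 2 words past `second`, which is the stack-buffer-overflow ASAN reports above.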
[7 Aug 2014 11:50] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

Fixed in 7.3.7. No user-facing changes to document. Closed.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html