Bug #78180 potentially reading freed memory while querying i_s table
Submitted: 24 Aug 2015 6:46
Modified: 27 Aug 2015 16:51
Reporter: zhai weixiang (OCA)
Status: Closed
Category: MySQL Server: InnoDB storage engine
Severity: S3 (Non-critical)
Version: 5.7.8
OS: Any
CPU Architecture: Any

[24 Aug 2015 6:46] zhai weixiang
Description:
Quoted code from function i_s_dict_fill_sys_tablespaces in MySQL 5.7.8:

        if (filename != NULL) {

                file = os_file_get_size(filename);

                /* Get the file system (or Volume) block size. */
                dberr_t err = os_file_get_status(filename, &stat, false, false);

                ut_free(filename);

                switch(err) {
                case DB_FAIL:
                        ib::warn()
                                << "File '" << filename << "', failed to get "
                                << "stats";
                        break;

                case DB_SUCCESS:
                case DB_NOT_FOUND:
                        break;

                default:
                        ib::error()
                                << "File '" << filename << "' "
                                << ut_strerr(err);
                        break;
                }
        }

filename is freed first but may be used later to print out the error message.

How to repeat:
read the code

Suggested fix:
free the memory after switch..case
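The ordering the suggested fix asks for, as an added example that is not the MySQL source or the actual patch: a small C program that mirrors the quoted block with the free moved after the switch, so the diagnostic never touches released memory. The dberr_t values, the fake_get_status() stub standing in for os_file_get_status(), and the function names report_tablespace_status(), status_of() and diagnostic_names_path() are constructed for this example; the message is written into a caller buffer instead of ib::warn()/ib::error() so it can be checked. Building the original ordering with -fsanitize=address would report a heap-use-after-free on the first DB_FAIL path; this version is clean.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for InnoDB's dberr_t; names and values are assumptions. */
typedef enum { DB_SUCCESS = 0, DB_NOT_FOUND, DB_FAIL, DB_IO_ERROR } dberr_t;

/* Constructed stub for os_file_get_status(): the path decides the outcome so
 * the example runs offline with no real tablespace files. */
static dberr_t fake_get_status(const char *filename) {
    if (strcmp(filename, "missing.ibd") == 0) return DB_NOT_FOUND;
    if (strcmp(filename, "unreadable.ibd") == 0) return DB_FAIL;
    if (strcmp(filename, "broken.ibd") == 0) return DB_IO_ERROR;
    return DB_SUCCESS;
}

/* Corrected ordering of the quoted block: every use of filename, including
 * the diagnostic text, happens before it is freed. msg (size msglen) receives
 * the diagnostic and is left empty when there is nothing to report. */
dberr_t report_tablespace_status(const char *path, char *msg, size_t msglen) {
    msg[0] = '\0';

    /* Owned heap copy, playing the role of the ut_malloc'd name. */
    char *filename = malloc(strlen(path) + 1);
    if (filename == NULL) {
        return DB_IO_ERROR;
    }
    strcpy(filename, path);

    dberr_t err = fake_get_status(filename);

    switch (err) {
    case DB_FAIL:
        snprintf(msg, msglen, "File '%s', failed to get stats", filename);
        break;
    case DB_SUCCESS:
    case DB_NOT_FOUND:
        break;
    default:
        snprintf(msg, msglen, "File '%s' error %d", filename, (int) err);
        break;
    }

    free(filename);   /* moved after the switch: the last use is above */
    return err;
}

/* Convenience wrapper returning only the status code. */
dberr_t status_of(const char *path) {
    char msg[128];
    return report_tablespace_status(path, msg, sizeof msg);
}

/* Returns 1 when the diagnostic, if any, names the path intact, which is the
 * property the original ordering could not guarantee; returns 1 with an empty
 * message for the silent cases (DB_SUCCESS, DB_NOT_FOUND). */
int diagnostic_names_path(const char *path) {
    char msg[128];
    dberr_t err = report_tablespace_status(path, msg, sizeof msg);
    if (err == DB_SUCCESS || err == DB_NOT_FOUND) {
        return msg[0] == '\0';
    }
    return strstr(msg, path) != NULL;
}

int main(void) {
    char msg[128];
    const char *paths[] = { "ok.ibd", "missing.ibd", "unreadable.ibd", "broken.ibd" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        dberr_t err = report_tablespace_status(paths[i], msg, sizeof msg);
        printf("%-15s err=%d msg=\"%s\"\n", paths[i], (int) err, msg);
    }
    return 0;
}
```

The same rule applies wherever a buffer is released inside a function that still has to report on it: either keep the free at the very end of the scope, or copy what the diagnostic needs before releasing.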
[24 Aug 2015 7:30] MySQL Verification Team
Thanks for the report. The same issue exists on current mysql-trunk.
[27 Aug 2015 16:51] Daniel Price
Posted by developer:
Fixed as of the upcoming 5.7.9, 5.8.0 releases, and here's the changelog entry:

The i_s_dict_fill_sys_tablespaces() function could free memory associated
with a file name before printing an error message.