Bug #88914 Potential null pointer dereference at pointer node->undo_recs (row0purge.cc)
Submitted: 14 Dec 2017 9:29 Modified: 26 Nov 2018 13:03
Reporter: milly Zhu Email Updates:
Status: Can't repeat Impact on me:
None 
Category:MySQL Server: InnoDB storage engine Severity:S3 (Non-critical)
Version:mysql-5.7.20 OS:Ubuntu (Ubuntu-14.04)
Assigned to: CPU Architecture:Any
Tags: null pointer dereference

[14 Dec 2017 9:29] milly Zhu 
Description:
Hi~!

We developed a dynamic tool based on Pintool to detect vulnerabilities. And our tool reported a potential null pointer derefrence at storage/innobase/row/row0purge.cc.

Detailed trace:

-----------------   NPD @ 0xb8c0364-----------------
thread-1(null):
_ZL13row_purge_endP9que_thr_t+0xa1 at ~/mysql-5.7.20/install/bin/mysqld+0x95a2bc1 (~/mysql-5.7.20/storage/innobase/row/row0purge.cc:1080) 
_Z14row_purge_stepP9que_thr_t+0x1af at ~/mysql-5.7.20/install/bin/mysqld+0x95a2dc3 (~/mysql-5.7.20/storage/innobase/row/row0purge.cc:1133) 
_ZL12que_thr_stepP9que_thr_t+0x354 at ~/mysql-5.7.20/install/bin/mysqld+0x952584a (~/mysql-5.7.20/storage/innobase/que/que0que.cc:1056) 
_ZL19que_run_threads_lowP9que_thr_t+0xe5 at ~/mysql-5.7.20/install/bin/mysqld+0x9525a51 (~/mysql-5.7.20/storage/innobase/que/que0que.cc:1118) 
_Z15que_run_threadsP9que_thr_t+0xa2 at ~/mysql-5.7.20/install/bin/mysqld+0x9525c23 (~/mysql-5.7.20/storage/innobase/que/que0que.cc:1158) 
_Z9trx_purgemmb+0x2d3 at ~/mysql-5.7.20/install/bin/mysqld+0x962a31b (~/mysql-5.7.20/storage/innobase/trx/trx0purge.cc:1877) 
_ZL12srv_do_purgemPm+0x22e at ~/mysql-5.7.20/install/bin/mysqld+0x95f4e58 (~/mysql-5.7.20/storage/innobase/srv/srv0srv.cc:2631) 
srv_purge_coordinator_thread+0x24c at ~/mysql-5.7.20/install/bin/mysqld+0x95f552c (~/mysql-5.7.20/storage/innobase/srv/srv0srv.cc:2803) 
start_thread+0xd2 at /lib/i386-linux-gnu/libpthread.so.0+0x6f72 
__clone+0x5e at /lib/i386-linux-gnu/libc.so.6+0xee3ee 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
thread-2(access):
_Z14row_purge_stepP9que_thr_t+0x178 at ~/mysql-5.7.20/install/bin/mysqld+0x95a2d8c (~/mysql-5.7.20/storage/innobase/row/row0purge.cc:1127) 
_ZL12que_thr_stepP9que_thr_t+0x354 at ~/mysql-5.7.20/install/bin/mysqld+0x952584a (~/mysql-5.7.20/storage/innobase/que/que0que.cc:1056) 
_ZL19que_run_threads_lowP9que_thr_t+0xe5 at ~/mysql-5.7.20/install/bin/mysqld+0x9525a51 (~/mysql-5.7.20/storage/innobase/que/que0que.cc:1118) 
_Z15que_run_threadsP9que_thr_t+0xa2 at ~/mysql-5.7.20/install/bin/mysqld+0x9525c23 (~/mysql-5.7.20/storage/innobase/que/que0que.cc:1158) 
_ZL16srv_task_executev+0x14c at ~/mysql-5.7.20/install/bin/mysqld+0x95f4924 (~/mysql-5.7.20/storage/innobase/srv/srv0srv.cc:2472) 
srv_worker_thread+0x1ab at ~/mysql-5.7.20/install/bin/mysqld+0x95f4aee (~/mysql-5.7.20/storage/innobase/srv/srv0srv.cc:2522) 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Race happens at the pointer node->undo_recs. It is a potential null pointer dereference. It may not lead to a crash or a core dump but may be expoitable.

Thanks.

Submitted by
================
Yan Cai and Biyun Zhu

How to repeat:
mysql-test-run --nocheck-testcase [testcase]

It happens in the phase of installing system database.
[24 Oct 2018 11:37] MySQL Verification Team 
HI,

We can not verify a bug based on the tool that is not widely used.

You should provide a full test case to repeat null pointer dereference, or a detailed analysis of the source code demonstrating how this race can occur in the production binary.
[24 Oct 2018 11:59] MySQL Verification Team 
I have also run mysql-test-run test with the option described and no problems were encountered.
[25 Nov 2018 1:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".