
Suspicious UAF at storage/innobase/row/row0merge.cc
Posted by: alex chen
Date: July 26, 2017 03:57AM

Hi all,

Our code scanner has pointed out a suspicious UAF at storage/innobase/row/row0merge.cc


At https://github.com/mysql/mysql-server/blob/5.7/storage/innobase/row/row0merge.cc#L1946
// ===============================================
        /* Move to the successor of the
        original record. */
        if (!btr_pcur_move_to_next_user_rec(
                    &pcur, &mtr)) {
end_of_index:
            row = NULL;
            mtr_commit(&mtr);
            mem_heap_free(row_heap);
            ut_free(nonnull);
            goto write_buffers; // Step 1: clean nonnull & row_heap, then start write_buffers
        }
// ============================================


https://github.com/mysql/mysql-server/blob/5.7/storage/innobase/row/row0merge.cc#L2445
// ============================================
        if (row_merge_file_create_if_needed(
                    file, tmpfd,
                    buf->n_tuples, path) < 0) {
            err = DB_OUT_OF_MEMORY;
            trx->error_key_num = i;
            goto func_exit; // Step 2: GOTO func_exit here
        }
// ==============================================


https://github.com/mysql/mysql-server/blob/5.7/storage/innobase/row/row0merge.cc#L2515
// ===============================================
func_exit:
    /* row_merge_spatial_rows may have committed
    the mtr before an error occurs. */
    if (mtr.is_active()) {
        mtr_commit(&mtr);
    }
    mem_heap_free(row_heap);
    ut_free(nonnull); // Step 3: free nonnull & row_heap again.
// ==================================================

There is a bunch of code here that I cannot understand in full. Are Step 1 and Step 2 mutually exclusive? Or is there any chance that a `goto func_exit` will run after Step 1 has happened?

If there is a path that starts from Step 1 and reaches `goto func_exit`, then I believe it would be a UAF bug; otherwise it would be a false alarm.

Regards,

SourceBrella Inc. Alex
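The following C program is an added illustration of the control-flow shape the scanner flagged; it is not code from this thread or from MySQL, and it says nothing about whether the real function can actually reach func_exit after end_of_index. It models the three sites from the post (an early cleanup that jumps to write_buffers, a write failure that jumps to func_exit, and the frees at func_exit) with a small release wrapper that counts how often each buffer is released. The row loop, the `write_fails` switch and the `all_done` label that the success path uses to skip func_exit are all assumed for the model; the real function's labels and helper names are only partly visible in the excerpts.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the pattern in the report (not MySQL code):
 * a scan loop owns two scratch buffers, an early end_of_index block
 * releases them before jumping to write_buffers, and a function-wide
 * func_exit label releases them again.  The wrapper below records every
 * release so a caller can see whether a buffer was released twice. */

typedef struct {
    void *ptr;      /* the buffer, or NULL once released (safe variant) */
    int   releases; /* how many times release() was called on it */
} tracked_buf;

static tracked_buf tb_alloc(size_t n) {
    tracked_buf b = { malloc(n), 0 };
    return b;
}

/* Unsafe release: mirrors a plain free of whatever pointer is stored.
 * Only the first call really frees, so the demo itself stays defined;
 * the second call is exactly the double free / UAF a real free would be. */
static void release_raw(tracked_buf *b) {
    b->releases++;
    if (b->releases == 1)
        free(b->ptr);
    /* ptr is deliberately left dangling */
}

/* Hardened release: idempotent, because the pointer is cleared after
 * free() and a NULL pointer is treated as "already released". */
static void release_nulling(tracked_buf *b) {
    if (b->ptr == NULL)
        return;
    free(b->ptr);
    b->ptr = NULL;
    b->releases++;
}

/* Walk n_rows rows.  write_fails != 0 stands in for the flush helper
 * returning an error, i.e. the `goto func_exit` of step 2.
 * Returns the total number of release calls made on the two buffers:
 * 2 means each buffer was released exactly once, 4 means both were
 * released twice (step 1 followed by step 3). */
static int scan_model(int n_rows, int write_fails, void (*release)(tracked_buf *)) {
    tracked_buf row_heap = tb_alloc(64);
    tracked_buf nonnull  = tb_alloc(16);
    int row = 0;
    int err = 0;

    for (;;) {
        if (row >= n_rows) {
            /* end_of_index: release scratch buffers, then flush (step 1). */
            release(&row_heap);
            release(&nonnull);
            goto write_buffers;
        }
        row++;
        continue;               /* next row; write_buffers runs only via goto */

    write_buffers:
        if (write_fails) {
            err = -1;
            goto func_exit;     /* step 2: taken after step 1 already released */
        }
        goto all_done;          /* assumed success path that skips func_exit */
    }

func_exit:
    release(&row_heap);         /* step 3: second release of the same buffers */
    release(&nonnull);
all_done:
    (void)err;
    return row_heap.releases + nonnull.releases;
}

int main(void) {
    printf("raw release, write fails:     %d releases\n", scan_model(3, 1, release_raw));
    printf("raw release, write succeeds:  %d releases\n", scan_model(3, 0, release_raw));
    printf("nulling release, write fails: %d releases\n", scan_model(3, 1, release_nulling));
    return 0;
}
```

Run as-is, the raw variant reports four releases when the write fails after the early cleanup, and two otherwise; the nulling variant never exceeds two regardless of which path is taken. That is the property a reviewer would check in the real function: whether the end_of_index block clears `row_heap` and `nonnull` after freeing them and whether func_exit tolerates NULL, because if it does, the question of whether the two paths can coincide no longer decides between a UAF and a false alarm.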
