Channel: MySQL Forums - InnoDB

Suspicious UAF at storage/innobase/row/row0merge.cc (no replies)

Hi all,

Our code scanner has pointed out a suspicious UAF at storage/innobase/row/row0merge.cc
At https://github.com/mysql/mysql-server/blob/5.7/storage/innobase/row/row0merge.cc#L1946
// ===============================================
        /* Move to the successor of the
        original record. */
        if (!btr_pcur_move_to_next_user_rec(
                &pcur, &mtr)) {
end_of_index:
            row = NULL;
            mtr_commit(&mtr);
            mem_heap_free(row_heap);
            ut_free(nonnull);
            goto write_buffers; // Step 1: clean nonnull & row_heap, then start write_buffers
        }
// ============================================

https://github.com/mysql/mysql-server/blob/5.7/storage/innobase/row/row0merge.cc#L2445
// ============================================
    if (row_merge_file_create_if_needed(
            file, tmpfd,
            buf->n_tuples, path) < 0) {
        err = DB_OUT_OF_MEMORY;
        trx->error_key_num = i;
        goto func_exit; // Step 2: GOTO func_exit here
    }
// ==============================================

https://github.com/mysql/mysql-server/blob/5.7/storage/innobase/row/row0merge.cc#L2515
// ===============================================
func_exit:
    /* row_merge_spatial_rows may have committed
    the mtr before an error occurs. */
    if (mtr.is_active()) {
        mtr_commit(&mtr);
    }
    mem_heap_free(row_heap);
    ut_free(nonnull); // Step 3: free nonnull & row_heap again.
// ==================================================

There is a bunch of code here that I cannot understand all of. Do Step 1 and Step 2 exclude each other? Or is there any chance that a `goto func_exit` will run after Step 1 has happened?

If there is one path that starts from Step 1 and reaches `goto func_exit`, then I believe it would be a UAF bug; otherwise it would be a false alarm.

Regards,

SourceBrella Inc. Alex
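An added model of the control-flow question in the post, written for this page and not taken from InnoDB or the poster: if Step 1 and Step 2 can both occur in one pass, the releases in Step 3 repeat. The names scan_pass, acquire, release and the null_guard switch are hypothetical; releases are tracked with a flag so a repeated release is counted rather than executed, and null_guard models a func_exit that skips a pointer already cleared in Step 1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Model (not InnoDB code) of the quoted cleanup paths. A resource stands
 * in for row_heap or nonnull; the `freed` bit lets a second release be
 * counted instead of performed as a real double free. */
typedef struct { void *ptr; bool freed; } resource;

static resource acquire(size_t n) {
    resource r = { malloc(n), false };
    return r;
}

/* Stand-in for mem_heap_free()/ut_free(): returns 1 if this call would
 * have been a double free, 0 otherwise. Clears the pointer after free. */
static int release(resource *r) {
    if (r->freed) return 1;
    free(r->ptr);
    r->ptr = NULL;
    r->freed = true;
    return 0;
}

/* One pass over the quoted control flow. Step 1: end_of_index frees and
 * jumps to write_buffers. Step 2: file creation fails, goto func_exit.
 * Step 3: func_exit frees again. null_guard models a hardened func_exit
 * that skips a resource whose pointer was cleared by an earlier release.
 * Returns the number of double frees the pass would have performed. */
static int scan_pass(bool hit_end_of_index, bool file_create_fails,
                     bool null_guard) {
    resource row_heap = acquire(64), nonnull = acquire(16);
    int double_frees = 0;

    if (hit_end_of_index) {                      /* Step 1 */
        double_frees += release(&row_heap);
        double_frees += release(&nonnull);
        goto write_buffers;
    }
write_buffers:
    if (file_create_fails) goto func_exit;       /* Step 2 */
    if (hit_end_of_index) return double_frees;   /* scan done, already cleaned */
    /* the real loop would fetch the next record; end this pass cleanly */
func_exit:                                       /* Step 3 */
    if (!null_guard || row_heap.ptr != NULL) double_frees += release(&row_heap);
    if (!null_guard || nonnull.ptr != NULL)  double_frees += release(&nonnull);
    return double_frees;
}
```

The only input pair that yields a repeated release is end-of-index followed by a file-creation failure, which is exactly the path the post asks about; clearing the pointers in Step 1 and guarding func_exit makes that pass clean.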
