
maria-developers team mailing list archive

Re: MDEV-18734 ASAN heap-use-after-free in my_strnxfrm_simple_internal upon update on versioned partitioned table


Hi Sergei!

It turned out that only vcol blobs are affected. They are allocated
by update_virtual_fields(), so it was enough to just refresh their value by
doing update_virtual_fields() again after the record is restored from the
queue. Please review the fix:


On Tue, Mar 12, 2019 at 1:42 PM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:

> Hi, Aleksey!
> On Mar 11, Aleksey Midenkov wrote:
> > Hi, Sergei!
> >
> > ha_partition::handle_ordered_index_scan() stores records in
> > m_ordered_rec_buffer. Then TABLE::update_virtual_fields() updates blob
> > buffer and frees the old one. Then ha_partition::return_top_record()
> > returns the record from m_ordered_rec_buffer with a stale blob pointer. What
> > should we do with this? I propose to duplicate blob buffer when record
> > gets into m_ordered_rec_buffer.
> You can make Field_blob forget that it owns the buffer.
> And when reading back from the queue, Field_blob will need to take
> over the buffer again.
> Those are the String::release() and String::reset() methods.
> The tricky part here is that Field_blob doesn't always own the buffer,
> sometimes the storage engine does. So, when reading from the queue and
> restoring the ownership you'll need to take care to do it only for
> values that Field_blob used to own before, not for all blobs.
> Regards,
> Sergei
> Chief Architect MariaDB
> and security@xxxxxxxxxxx

All the best,

Aleksey Midenkov
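A toy C++ model of the ownership problem discussed above, added here as an illustration and not MariaDB code: the ordered scan computes a virtual blob per row (reallocating the blob buffer each time) and queues a copy of the record image holding a raw pointer into that buffer, so every queued record except the last refers to freed storage. The `generation` counter is an assumption added only so the stale pointer can be detected without dereferencing freed memory; the `refresh_after_restore` flag applies the fix from the mail (recompute the vcols after the record comes back out of the queue).

```cpp
#include <cctype>
#include <memory>
#include <queue>
#include <string>
#include <vector>

// Model of a Field_blob that owns its buffer; each recomputation replaces it.
struct FieldBlob {
    std::unique_ptr<std::string> buf;  // owned storage; nullptr = none yet
    unsigned generation = 0;           // bumped on every reallocation (assumption)
};

// Record image: base column plus the vcol blob as a raw pointer, like the
// real record buffer; vcol_gen is the extra bookkeeping for safe detection.
struct Record {
    std::string name;                        // base column
    const std::string *vcol_ptr = nullptr;   // virtual blob column
    unsigned vcol_gen = 0;
};

// update_virtual_fields(): allocate a fresh buffer for upper(name), free the old one.
void update_virtual_fields(FieldBlob &blob, Record &rec) {
    std::string upper = rec.name;
    for (char &c : upper) c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    blob.buf = std::make_unique<std::string>(upper);  // previous buffer is freed here
    ++blob.generation;
    rec.vcol_ptr = blob.buf.get();
    rec.vcol_gen = blob.generation;
}

// Ordered scan: compute vcols for each row, push a copy of the record into the
// priority queue, then return rows in key order (handle_ordered_index_scan /
// return_top_record in miniature).
std::vector<std::string> ordered_scan(const std::vector<std::string> &rows,
                                      FieldBlob &blob, bool refresh_after_restore) {
    auto cmp = [](const Record &a, const Record &b) { return a.name > b.name; };
    std::priority_queue<Record, std::vector<Record>, decltype(cmp)> q(cmp);
    for (const auto &row : rows) {
        Record r; r.name = row;
        update_virtual_fields(blob, r);  // reallocates: earlier queued pointers go stale
        q.push(r);
    }
    std::vector<std::string> out;
    while (!q.empty()) {
        Record top = q.top(); q.pop();
        if (refresh_after_restore) update_virtual_fields(blob, top);  // the fix
        if (top.vcol_gen != blob.generation) { out.push_back("<stale>"); continue; }
        out.push_back(*top.vcol_ptr);  // only dereferenced when the buffer is live
    }
    return out;
}
```

Without the refresh, every record but the one queued last reports `<stale>`; with it, each popped record gets a freshly computed blob.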
