← Back to team overview

maria-developers team mailing list archive

Re: 489a7fba324: MDEV-29322 ASAN heap-use-after-free in Query_log_event::do_apply_event


Hi, Andrei,

On Sep 01, Andrei wrote:
> revision-id: 489a7fba324 (mariadb-10.5.17-10-g489a7fba324)
> parent(s): 0324bde8469
> author: Andrei
> committer: Andrei
> timestamp: 2022-09-01 14:15:11 +0300
> message:
> MDEV-29322 ASAN heap-use-after-free in Query_log_event::do_apply_event
> The ASAN report was reported in the parallel slave execution of a Query
> event and implicitly involved (so also parallelly run) Format-Description
> event.
> The Query actually had dependency on a preceding "old" FD whose
> instance got destructed, so to cause the ASAN error.
> The case is fixed with copying of the value of
> `options_written_to_bin_log` the sensitive member
> of FD event into worker's stable placeholders, so FD change
> won't affect Queries dependent on "old" instances.
> The method observes the following properties:
> 0. each worker gets its private copy;
> 1. the copied value gets a part of the execution context for any
>    Queries that follow the FD in binlog;
> 2. any new FD forces a new copy which does not any affect on
>    the past (in binlog order) Queries which might be still in
>    execution.

Sorry, but this doesn't make any sense. The value of
options_written_to_bin_log depends on the version of the server that has
written that binlog file. Query_log_event cannot just randomly use some
options_written_to_bin_log, it must use options_written_to_bin_log from
the Format_description_log_event that came from the binlog file where
the Query_log_event was read from.

If rli->relay_log.description_event_for_exec is not that
Format_description_log_event, and assuming that the correct
Format_description_log_event is not stored anywhere, the Query_log_event
has to remember options_written_to_bin_log itself, there's not much we
can do about it.

Or it can apply the mask in the constructor and store not flags2 but
the new value of thd->variables.option_bits.

Or it can extend flags2 to cover all OPTIONS_WRITTEN_TO_BINLOG.

VP of MariaDB Server Engineering
and security@xxxxxxxxxxx