2012-05-03 06:18:04.116302+00:00
https://api.launchpad.net/1.0/bugs/956079
https://api.launchpad.net/1.0/~wlad-montyprogram
https://api.launchpad.net/1.0/bugs/956079/linked_branches
https://api.launchpad.net/1.0/bugs/956079/activity
https://bugs.launchpad.net/bugs/956079
Vladislav Vaintroub
Oleksandr "Sanja" Byelkin
Potential NULL pointer dereference in pagecache_fwrite
Fix Released
High
2012-03-15 14:58:39.785207+00:00
file, buffer, pagecache->block_size,
((my_off_t) pageno << pagecache->shift), flags))
{
(*filedesc->write_fail)(filedesc->callback_data);
DBUG_RETURN(1);
}
the problem is that *filedesc->write_fail can be NULL, which means failing my_pwrite() will cause a crash by dereferencing NULL pointer.
To reproduce,
1. add line
DBUG_ASSERT(*filedesc->write_fail);
prior to code in question.
2. Compile with DBUG, run
perl mysql-test-run.pl --suite=maria
3. Observe a crash . Here is for example what I get in 5.1
0028B9C3 mysqld.exe!my_sigabrt_handler()[mysqld.cc:2188]
00258DA9 mysqld.exe!raise()[winsig.c:586]
0025D4D6 mysqld.exe!abort()[abort.c:74]
008586A7 mysqld.exe!_wassert()[assert.c:336]
006351E1 mysqld.exe!pagecache_fwrite()[ma_pagecache.c:666]
0063B93D mysqld.exe!flush_cached_blocks()[ma_pagecache.c:4370]
0063B1E1 mysqld.exe!flush_pagecache_blocks_int()[ma_pagecache.c:4660]
0063AAC7 mysqld.exe!flush_pagecache_blocks_with_filter()[ma_pagecache.c:4780]
0063CC23 mysqld.exe!_ma_once_end_block_record()[ma_blockrec.c:451]
005F9133 mysqld.exe!maria_close()[ma_close.c:81]
005D1A89 mysqld.exe!ha_maria::close()[ha_maria.cc:1018]
0040847A mysqld.exe!closefrm()[table.cc:2013]
00369C11 mysqld.exe!intern_close_table()[sql_base.cc:793]]]>
bug
Vladislav Vaintroub
added bug
maria: importance
Oleksandr "Sanja" Byelkin
maria: assignee
Oleksandr "Sanja" Byelkin
maria: status
Oleksandr "Sanja" Byelkin
maria: status
Oleksandr "Sanja" Byelkin
maria: status
Oleksandr "Sanja" Byelkin
Vladislav Vaintroub
file, buffer, pagecache->block_size,
((my_off_t) pageno << pagecache->shift), flags))
{
(*filedesc->write_fail)(filedesc->callback_data);
DBUG_RETURN(1);
}
the problem is that *filedesc->write_fail can be NULL, which means failing my_pwrite() will cause a crash by dereferencing NULL pointer.
To reproduce,
1. add line
DBUG_ASSERT(*filedesc->write_fail);
prior to code in question.
2. Compile with DBUG, run
perl mysql-test-run.pl --suite=maria
3. Observe a crash . Here is for example what I get in 5.1
0028B9C3 mysqld.exe!my_sigabrt_handler()[mysqld.cc:2188]
00258DA9 mysqld.exe!raise()[winsig.c:586]
0025D4D6 mysqld.exe!abort()[abort.c:74]
008586A7 mysqld.exe!_wassert()[assert.c:336]
006351E1 mysqld.exe!pagecache_fwrite()[ma_pagecache.c:666]
0063B93D mysqld.exe!flush_cached_blocks()[ma_pagecache.c:4370]
0063B1E1 mysqld.exe!flush_pagecache_blocks_int()[ma_pagecache.c:4660]
0063AAC7 mysqld.exe!flush_pagecache_blocks_with_filter()[ma_pagecache.c:4780]
0063CC23 mysqld.exe!_ma_once_end_block_record()[ma_blockrec.c:451]
005F9133 mysqld.exe!maria_close()[ma_close.c:81]
005D1A89 mysqld.exe!ha_maria::close()[ha_maria.cc:1018]
0040847A mysqld.exe!closefrm()[table.cc:2013]
00369C11 mysqld.exe!intern_close_table()[sql_base.cc:793]]]>
Vladislav Vaintroub
write_fail);
if (my_pwrite(filedesc->file, buffer, pagecache->block_size,
((my_off_t) pageno << pagecache->shift), flags))
{]]>