Commit 98ed58ca authored by Tor Didriksen's avatar Tor Didriksen

Bug#16945503 ADDRESSSANITIZER BUG IN SYS_VARS

Sys_var_keycache inherits from some variant of Sys_var_integer

Instances of Sys_var_keycache are initialized using the KEYCACHE_VAR macro,
which takes an offset within st_key_cache.
However, the Sys_var_integer CTOR treats the offset as if it was within
global_system_variables (hidden within some layers of macros and function
pointers)

The result is that we write arbitrary data to arbitrary locations in memory.
This all happens during static initialization of global objects,
i.e. before we have even entered the main() function.


Bug#12325449 TYPO IN CMAKE/DTRACE.CMAKE
Fix typo in dtrace.cmake
parent 09d03ff3
# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -158,7 +158,7 @@ IF(CMAKE_SYSTEM_NAME MATCHES "SunOS" AND ENABLE_DTRACE) ...@@ -158,7 +158,7 @@ IF(CMAKE_SYSTEM_NAME MATCHES "SunOS" AND ENABLE_DTRACE)
FOREACH(lib ${libs}) FOREACH(lib ${libs})
GET_TARGET_PROPERTY(libtype ${lib} TYPE) GET_TARGET_PROPERTY(libtype ${lib} TYPE)
IF(libtype MATCHES STATIC_LIBRARY) IF(libtype MATCHES STATIC_LIBRARY)
SET(static_libs ${static_lics} ${lib}) SET(static_libs ${static_libs} ${lib})
ENDIF() ENDIF()
ENDFOREACH() ENDFOREACH()
......
/* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. /* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -122,7 +122,11 @@ public: ...@@ -122,7 +122,11 @@ public:
option.u_max_value= (uchar**)max_var_ptr(); option.u_max_value= (uchar**)max_var_ptr();
if (max_var_ptr()) if (max_var_ptr())
*max_var_ptr()= max_val; *max_var_ptr()= max_val;
global_var(T)= def_val;
// Do not set global_var for Sys_var_keycache objects
if (offset >= 0)
global_var(T)= def_val;
DBUG_ASSERT(size == sizeof(T)); DBUG_ASSERT(size == sizeof(T));
DBUG_ASSERT(min_val < max_val); DBUG_ASSERT(min_val < max_val);
DBUG_ASSERT(min_val <= def_val); DBUG_ASSERT(min_val <= def_val);
...@@ -659,12 +663,15 @@ public: ...@@ -659,12 +663,15 @@ public:
on_check_function on_check_func, on_check_function on_check_func,
keycache_update_function on_update_func, keycache_update_function on_update_func,
const char *substitute=0) const char *substitute=0)
: Sys_var_ulonglong(name_arg, comment, flag_args, off, size, : Sys_var_ulonglong(name_arg, comment, flag_args,
getopt, min_val, max_val, def_val, -1, /* offset, see base class CTOR */
block_size, lock, binlog_status_arg, on_check_func, 0, size,
substitute), getopt, min_val, max_val, def_val,
block_size, lock, binlog_status_arg, on_check_func, 0,
substitute),
keycache_update(on_update_func) keycache_update(on_update_func)
{ {
offset= off; /* Remember offset in KEY_CACHE */
option.var_type|= GET_ASK_ADDR; option.var_type|= GET_ASK_ADDR;
option.value= (uchar**)1; // crash me, please option.value= (uchar**)1; // crash me, please
keycache_var(dflt_key_cache, off)= def_val; keycache_var(dflt_key_cache, off)= def_val;
......
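Review bot: In the first hunk the new `if (offset >= 0)` guard makes -1 an undocumented sentinel, and the comment above it names a derived class (Sys_var_keycache) instead of stating the base-class contract; a later subclass that reuses the trick has no invariant to read. Suggest replacing it with `// A negative offset means the variable does not live in global_system_variables; the derived CTOR sets offset itself, so no global_var() write here.` and, since the guard exists to stop an out-of-bounds write during static initialization, pairing it with a debug assertion that a negative offset is never used for any address computation. Note that `option.u_max_value= (uchar**)max_var_ptr();` and the `*max_var_ptr()= max_val;` store on the preceding lines run before the guard; if max_var_ptr() also derives its address from offset (not visible in this hunk), it would still compute from -1, so that path is worth checking. The constructor bodies in both hunks start before and continue past the visible lines.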