Commit c9b49a4b authored by Vlad Lesin's avatar Vlad Lesin

MDEV-18207: ASAN heap-use-after-free in _ma_get_status upon concurrent operations with sequence

The issue is that two MARIA_HA instances shares the same MARIA_STATUS_INFO
object during UNION execution, so the second MARIA_HA instance state pointer
MARIA_HA::state points to the MARIA_HA::state_save of the first MARIA instance.

This happens in
thr_multi_lock(...) {
...
	for (first_lock=data, pos= data+1 ; pos < end ; pos++)
	{
...
		if (pos[0]->lock == pos[-1]->lock && pos[0]->lock->copy_status)
			(pos[0]->lock->copy_status)((*pos)->status_param,
																	(*first_lock)->status_param);
...
	}
...
}

Usually the state is restored from ha_maria::external_lock(...):

\#0  _ma_update_status (param=0x6290000e6270) at ./storage/maria/ma_state.c:309
\#1  0x00005555577ccb15 in _ma_update_status_with_lock (info=0x6290000e6270) at ./storage/maria/ma_state.c:361
\#2  0x00005555577c7dcc in maria_lock_database (info=0x6290000e6270, lock_type=2) at ./storage/maria/ma_locking.c:66
\#3  0x0000555557802ccd in ha_maria::external_lock (this=0x61d0001b1308, thd=0x62a000048270, lock_type=2) at ./storage/maria/ha_maria.cc:2727

But _ma_update_status() does not take into account the case when
MARIA_HA::status points to the MARIA_HA::state_save of the other MARIA_HA
instance.

The fix is to restore MARIA_HA::state in ha_maria::external_lock() after
maria_lock_database() call for transactional tables.
parent 9d142a89
...@@ -2798,9 +2798,12 @@ int ha_maria::external_lock(THD *thd, int lock_type) ...@@ -2798,9 +2798,12 @@ int ha_maria::external_lock(THD *thd, int lock_type)
} }
} }
} /* if transactional table */ } /* if transactional table */
DBUG_RETURN(maria_lock_database(file, !table->s->tmp_table ? int result = maria_lock_database(file, !table->s->tmp_table ?
lock_type : ((lock_type == F_UNLCK) ? lock_type : ((lock_type == F_UNLCK) ?
F_UNLCK : F_EXTRA_LCK))); F_UNLCK : F_EXTRA_LCK));
if (!file->s->base.born_transactional)
file->state= &file->s->state.state; // Restore state if clone
DBUG_RETURN(result);
} }
int ha_maria::start_stmt(THD *thd, thr_lock_type lock_type) int ha_maria::start_stmt(THD *thd, thr_lock_type lock_type)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment