MDEV-22070 MSAN use-of-uninitialized-value in encryption.innodb-redo-badkey

On a checksum failure of a ROW_FORMAT=COMPRESSED page, buf_LRU_free_one_page() would invoke buf_LRU_block_remove_hashed() which will read the uncompressed page frame, although it would not be initialized. With bad enough luck, fil_page_get_type(page) could return an unrecognized value and cause the server to abort. buf_page_io_complete(): On the corruption of a ROW_FORMAT=COMPRESSED page, zerofill the uncompressed page frame.

MDEV-22070 MSAN use-of-uninitialized-value in encryption.innodb-redo-badkey
On a checksum failure of a ROW_FORMAT=COMPRESSED page, buf_LRU_free_one_page() would invoke buf_LRU_block_remove_hashed() which will read the uncompressed page frame, although it would not be initialized. With bad enough luck, fil_page_get_type(page) could return an unrecognized value and cause the server to abort. buf_page_io_complete(): On the corruption of a ROW_FORMAT=COMPRESSED page, zerofill the uncompressed page frame.
ee5152fc · Marko Mäkelä · 31f34b20 · ee5152fc · ee5152fc
Commit ee5152fc authored May 14, 2020 by Marko Mäkelä
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 6 deletions

storage/innobase/buf/buf0buf.cc storage/innobase/buf/buf0buf.cc +7 -3

storage/xtradb/buf/buf0buf.cc storage/xtradb/buf/buf0buf.cc +7 -3

No files found.
--- a/storage/innobase/buf/buf0buf.cc
+++ b/storage/innobase/buf/buf0buf.cc
@@ -2,7 +2,7 @@

 Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved.
 Copyright (c) 2008, Google Inc.
-Copyright (c) 2013, 2019, MariaDB Corporation.
+Copyright (c) 2013, 2020, MariaDB Corporation.

 Portions of this file contain modifications contributed and copyrighted by
 Google, Inc. Those modifications are gratefully acknowledged and are described
@@ -4931,9 +4931,8 @@ buf_page_io_complete(buf_page_t* bpage, bool evict)

 		err = buf_page_check_corrupt(bpage, space);

-database_corrupted:
-
 		if (err != DB_SUCCESS) {
+database_corrupted:
 			/* Not a real corruption if it was triggered by
 			error injection */
 			DBUG_EXECUTE_IF("buf_page_import_corrupt_failure",
@@ -4948,6 +4947,11 @@ buf_page_io_complete(buf_page_t* bpage, bool evict)
 				goto page_not_corrupt;
 			);

+			if (uncompressed && bpage->zip.data) {
+				memset(reinterpret_cast<buf_block_t*>(bpage)
+				       ->frame, 0, srv_page_size);
+			}
+
 			if (err == DB_PAGE_CORRUPTED) {
 				ib_logf(IB_LOG_LEVEL_ERROR,
 					"Database page corruption on disk"

--- a/storage/xtradb/buf/buf0buf.cc
+++ b/storage/xtradb/buf/buf0buf.cc
@@ -2,7 +2,7 @@

 Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved.
 Copyright (c) 2008, Google Inc.
-Copyright (c) 2013, 2019, MariaDB Corporation.
+Copyright (c) 2013, 2020, MariaDB Corporation.

 Portions of this file contain modifications contributed and copyrighted by
 Google, Inc. Those modifications are gratefully acknowledged and are described
@@ -4936,9 +4936,8 @@ buf_page_io_complete(buf_page_t* bpage)
 			err = buf_page_check_corrupt(bpage, space);
 		}

-database_corrupted:
-
 		if (err != DB_SUCCESS) {
+database_corrupted:
 			/* Not a real corruption if it was triggered by
 			error injection */
 			DBUG_EXECUTE_IF("buf_page_import_corrupt_failure",
@@ -4953,6 +4952,11 @@ buf_page_io_complete(buf_page_t* bpage)
 				goto page_not_corrupt;
 			);

+			if (uncompressed && bpage->zip.data) {
+				memset(reinterpret_cast<buf_block_t*>(bpage)
+				       ->frame, 0, srv_page_size);
+			}
+
 			if (err == DB_PAGE_CORRUPTED) {
 				ib_logf(IB_LOG_LEVEL_ERROR,
 					"Database page corruption on disk"