author | Marko Mäkelä <marko.makela@mariadb.com> | 2020-05-14 17:41:37 +0300 |
---|---|---|
committer | Marko Mäkelä <marko.makela@mariadb.com> | 2020-05-14 17:41:37 +0300 |
commit | ee5152fc4bc0f164d546ce87c1d36d1a5f78591b (patch) | |
tree | 4230c6277679e30233152298885acfaa58a3365e | |
parent | 31f34b20f3295db7e99877dcfe61b5798a6cfe95 (diff) | |
download | mariadb-git-ee5152fc4bc0f164d546ce87c1d36d1a5f78591b.tar.gz |
MDEV-22070 MSAN use-of-uninitialized-value in encryption.innodb-redo-badkey

On a checksum failure of a ROW_FORMAT=COMPRESSED page,
buf_LRU_free_one_page() would invoke buf_LRU_block_remove_hashed()
which will read the uncompressed page frame, although it would not
be initialized. With bad enough luck, fil_page_get_type(page)
could return an unrecognized value and cause the server to abort.

buf_page_io_complete(): On the corruption of a ROW_FORMAT=COMPRESSED
page, zerofill the uncompressed page frame.
-rw-r--r-- | storage/innobase/buf/buf0buf.cc | 10 | ||||
-rw-r--r-- | storage/xtradb/buf/buf0buf.cc | 10 |
2 files changed, 14 insertions, 6 deletions
diff --git a/storage/innobase/buf/buf0buf.cc b/storage/innobase/buf/buf0buf.cc index 136d46b7027..0fa569e0254 100644 --- a/storage/innobase/buf/buf0buf.cc +++ b/storage/innobase/buf/buf0buf.cc @@ -2,7 +2,7 @@ Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, Google Inc. -Copyright (c) 2013, 2019, MariaDB Corporation. +Copyright (c) 2013, 2020, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -4931,9 +4931,8 @@ buf_page_io_complete(buf_page_t* bpage, bool evict) err = buf_page_check_corrupt(bpage, space); -database_corrupted: - if (err != DB_SUCCESS) { +database_corrupted: /* Not a real corruption if it was triggered by error injection */ DBUG_EXECUTE_IF("buf_page_import_corrupt_failure", @@ -4948,6 +4947,11 @@ database_corrupted: goto page_not_corrupt; ); + if (uncompressed && bpage->zip.data) { + memset(reinterpret_cast<buf_block_t*>(bpage) + ->frame, 0, srv_page_size); + } + if (err == DB_PAGE_CORRUPTED) { ib_logf(IB_LOG_LEVEL_ERROR, "Database page corruption on disk" diff --git a/storage/xtradb/buf/buf0buf.cc b/storage/xtradb/buf/buf0buf.cc index 398e1e84994..5e92c101110 100644 --- a/storage/xtradb/buf/buf0buf.cc +++ b/storage/xtradb/buf/buf0buf.cc @@ -2,7 +2,7 @@ Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, Google Inc. -Copyright (c) 2013, 2019, MariaDB Corporation. +Copyright (c) 2013, 2020, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described 
@@ -4936,9 +4936,8 @@ buf_page_io_complete(buf_page_t* bpage) err = buf_page_check_corrupt(bpage, space); } -database_corrupted: - if (err != DB_SUCCESS) { +database_corrupted: /* Not a real corruption if it was triggered by error injection */ DBUG_EXECUTE_IF("buf_page_import_corrupt_failure", @@ -4953,6 +4952,11 @@ database_corrupted: goto page_not_corrupt; ); + if (uncompressed && bpage->zip.data) { + memset(reinterpret_cast<buf_block_t*>(bpage) + ->frame, 0, srv_page_size); + } + if (err == DB_PAGE_CORRUPTED) { ib_logf(IB_LOG_LEVEL_ERROR, "Database page corruption on disk" |
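Review bot: In the buf_page_io_complete() hunks at @@ -4931 (innobase) and @@ -4936 (xtradb), moving the database_corrupted: label inside the if (err != DB_SUCCESS) block means every goto database_corrupted now enters the error path without that check being evaluated. The jump sites are not part of this diff, so please confirm that each one assigns a failure code to err before jumping, and consider a debug assertion that err != DB_SUCCESS directly after the label so a later jump with err == DB_SUCCESS is caught. The commit message does not mention this move; one sentence on why it is needed would help.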
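Review bot: The added memset in the @@ -4948 (innobase) and @@ -4953 (xtradb) hunks carries no comment, so the reason the frame must be zeroed (buf_LRU_block_remove_hashed() reads it afterwards, per the commit message) is not visible to anyone reading buf0buf.cc. Please add a short comment above the if (uncompressed && bpage->zip.data) line, and say there that the reinterpret_cast<buf_block_t*>(bpage) depends on uncompressed being checked first. The zerofill also sits after the DBUG_EXECUTE_IF block, so the goto page_not_corrupt injection path skips it; if that is intended, the comment should say so.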