diff options
author | Sergei Golubchik <serg@mariadb.org> | 2019-11-04 18:30:48 +0100 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2019-11-04 23:14:27 +0100 |
commit | cd156e2c3e8576ee42ff470235d3af005daee274 (patch) | |
tree | af485bb26e2a74b047f6d72d15f3bef6bb9c7b77 | |
parent | 9277b6ec1ce8bc195a10b5deb11d65843adf8972 (diff) | |
download | mariadb-git-cd156e2c3e8576ee42ff470235d3af005daee274.tar.gz |
MDEV-20971 ASAN heap-use-after-free in list_delete / heap_close
Don't save/restore HP_INFO as it could be changed by a concurrent thread.
different parts of HP_INFO are protected by different mutexes and
the mutex that protect most of the HP_INFO does not protect its open_list
data.
As a bonus, make heap_check_heap() to take const HP_INFO* and not
make any changes there whatsoever.
-rw-r--r-- | include/heap.h | 2 | ||||
-rw-r--r-- | storage/heap/_check.c | 27 |
2 files changed, 14 insertions, 15 deletions
diff --git a/include/heap.h b/include/heap.h index 63d961b577a..014ec042671 100644 --- a/include/heap.h +++ b/include/heap.h @@ -245,7 +245,7 @@ int hp_panic(enum ha_panic_function flag); int heap_rkey(HP_INFO *info, uchar *record, int inx, const uchar *key, key_part_map keypart_map, enum ha_rkey_function find_flag); extern uchar * heap_find(HP_INFO *info,int inx,const uchar *key); -extern int heap_check_heap(HP_INFO *info, my_bool print_status); +extern int heap_check_heap(const HP_INFO *info, my_bool print_status); extern uchar *heap_position(HP_INFO *info); /* The following is for programs that uses the old HEAP interface where diff --git a/storage/heap/_check.c b/storage/heap/_check.c index 33aa532bd6b..fc5716782e5 100644 --- a/storage/heap/_check.c +++ b/storage/heap/_check.c @@ -18,10 +18,8 @@ #include "heapdef.h" -static int check_one_key(HP_KEYDEF *keydef, uint keynr, ulong records, - ulong blength, my_bool print_status); -static int check_one_rb_key(HP_INFO *info, uint keynr, ulong records, - my_bool print_status); +static int check_one_key(HP_KEYDEF *, uint, ulong, ulong, my_bool); +static int check_one_rb_key(const HP_INFO *, uint, ulong, my_bool); /* @@ -40,13 +38,13 @@ static int check_one_rb_key(HP_INFO *info, uint keynr, ulong records, 1 error */ -int heap_check_heap(HP_INFO *info, my_bool print_status) +int heap_check_heap(const HP_INFO *info, my_bool print_status) { int error; uint key; ulong records=0, deleted=0, pos, next_block; HP_SHARE *share=info->s; - HP_INFO save_info= *info; /* Needed because scan_init */ + uchar *current_ptr= info->current_ptr; DBUG_ENTER("heap_check_heap"); for (error=key= 0 ; key < share->keys ; key++) @@ -65,7 +63,7 @@ int heap_check_heap(HP_INFO *info, my_bool print_status) { if (pos < next_block) { - info->current_ptr+= share->block.recbuffer; + current_ptr+= share->block.recbuffer; } else { @@ -77,9 +75,9 @@ int heap_check_heap(HP_INFO *info, my_bool print_status) break; /* End of file */ } } - hp_find_record(info,pos); + current_ptr= hp_find_block(&share->block, pos); - if (!info->current_ptr[share->visible]) + if (!current_ptr[share->visible]) deleted++; else records++; @@ -92,7 +90,6 @@ int heap_check_heap(HP_INFO *info, my_bool print_status) deleted, (ulong) share->deleted)); error= 1; } - *info= save_info; DBUG_RETURN(error); } @@ -165,7 +162,7 @@ static int check_one_key(HP_KEYDEF *keydef, uint keynr, ulong records, return error; } -static int check_one_rb_key(HP_INFO *info, uint keynr, ulong records, +static int check_one_rb_key(const HP_INFO *info, uint keynr, ulong records, my_bool print_status) { HP_KEYDEF *keydef= info->s->keydef + keynr; @@ -174,9 +171,11 @@ static int check_one_rb_key(HP_INFO *info, uint keynr, ulong records, uchar *key, *recpos; uint key_length; uint not_used[2]; + TREE_ELEMENT **last_pos; + TREE_ELEMENT *parents[MAX_TREE_HEIGHT+1]; - if ((key= tree_search_edge(&keydef->rb_tree, info->parents, - &info->last_pos, offsetof(TREE_ELEMENT, left)))) + if ((key= tree_search_edge(&keydef->rb_tree, parents, + &last_pos, offsetof(TREE_ELEMENT, left)))) { do { @@ -191,7 +190,7 @@ static int check_one_rb_key(HP_INFO *info, uint keynr, ulong records, } else found++; - key= tree_search_next(&keydef->rb_tree, &info->last_pos, + key= tree_search_next(&keydef->rb_tree, &last_pos, offsetof(TREE_ELEMENT, left), offsetof(TREE_ELEMENT, right)); } while (key); |