authorJan Lindström <jan.lindstrom@mariadb.com>2019-08-20 10:32:04 +0300
committerJan Lindström <jan.lindstrom@mariadb.com>2019-08-20 10:32:04 +0300
commit7b4de10477a7bdb51656d827ad2d914d29a4be4c (patch)
treebf1bade9ffc78d908539de4832c2800369375f85 /sql
parentc5bc0cedea01cabfcd3a8d0d1410e427e2edc08e (diff)
MDEV-20378: Galera uses uninitialized memory
The problem was that the wsrep thread argument was deleted in the wrong place. Furthermore, the scan method incorrectly used the unsafe c_ptr(). Finally, fix wsrep thread initialization to correctly set up thread_id and pass the correct argument to functions, and fix a signedness problem causing compiler errors.
Diffstat (limited to 'sql')
-rw-r--r--sql/wsrep_mysqld.cc5
-rw-r--r--sql/wsrep_mysqld.h15
-rw-r--r--sql/wsrep_schema.cc4
-rw-r--r--sql/wsrep_sst.cc6
-rw-r--r--sql/wsrep_thd.cc26
5 files changed, 30 insertions, 26 deletions
diff --git a/sql/wsrep_mysqld.cc b/sql/wsrep_mysqld.cc
index 74a28c4724f..0a9adc5fa2c 100644
--- a/sql/wsrep_mysqld.cc
+++ b/sql/wsrep_mysqld.cc
@@ -2696,7 +2696,7 @@ void* start_wsrep_THD(void *arg)
WSREP_DEBUG("wsrep system thread %llu, %p starting",
thd->thread_id, thd);
- thd_args->fun()(thd, thd_args->args());
+ thd_args->fun()(thd, static_cast<void *>(thd_args));
WSREP_DEBUG("wsrep system thread: %llu, %p closing",
thd->thread_id, thd);
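Review bot: The processor callback now receives the `Wsrep_thd_args` object itself as an untyped `void*`, and nothing at the call says how long that pointer stays valid. The same object is freed by `delete thd_args;` in the third hunk of this file, after the callback has returned, so a processor that kept the pointer would be left with a dangling reference. A comment above the call such as `/* thd_args stays owned by start_wsrep_THD() and is freed below; processors must not keep the pointer */` would make that contract explicit. The `static_cast<void *>` is also redundant, since an object pointer converts to `void*` implicitly. start_wsrep_THD's body starts and ends outside the hunk.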
@@ -2707,8 +2707,6 @@ void* start_wsrep_THD(void *arg)
close_connection(thd, 0);
- delete thd_args;
-
mysql_mutex_lock(&LOCK_wsrep_slave_threads);
DBUG_ASSERT(wsrep_running_threads > 0);
wsrep_running_threads--;
@@ -2727,6 +2725,7 @@ void* start_wsrep_THD(void *arg)
break;
}
+ delete thd_args;
WSREP_DEBUG("wsrep running threads now: %lu", wsrep_running_threads);
mysql_cond_broadcast(&COND_wsrep_slave_threads);
mysql_mutex_unlock(&LOCK_wsrep_slave_threads);
diff --git a/sql/wsrep_mysqld.h b/sql/wsrep_mysqld.h
index 8714753ba76..d71d4afea11 100644
--- a/sql/wsrep_mysqld.h
+++ b/sql/wsrep_mysqld.h
@@ -411,18 +411,17 @@ typedef void (*wsrep_thd_processor_fun)(THD*, void *);
class Wsrep_thd_args
{
public:
- Wsrep_thd_args(wsrep_thd_processor_fun fun, void* args,
- wsrep_thread_type thread_type)
+ Wsrep_thd_args(wsrep_thd_processor_fun fun,
+ wsrep_thread_type thread_type,
+ pthread_t thread_id)
:
fun_ (fun),
- args_ (args),
- thread_type_ (thread_type)
+ thread_type_ (thread_type),
+ thread_id_ (thread_id)
{ }
wsrep_thd_processor_fun fun() { return fun_; }
-
- void* args() { return args_; }
-
+ pthread_t* thread_id() {return &thread_id_; }
enum wsrep_thread_type thread_type() {return thread_type_;}
private:
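Review bot: `thread_id()` hands out a writable pointer to the private `thread_id_` member, with no comment on who is expected to write through it or when the value becomes meaningful. The only use visible in this commit is `mysql_thread_create(key, args->thread_id(), ...)` in sql/wsrep_thd.cc, and every constructor call passes `pthread_self()`, so until thread creation succeeds the field holds the creating thread's id rather than the worker's. I would document that on the accessor, e.g. `/* Out-parameter for mysql_thread_create(); holds the creator's id until the thread has been created */`. The class body continues in the next hunk.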
@@ -431,8 +430,8 @@ class Wsrep_thd_args
Wsrep_thd_args& operator=(const Wsrep_thd_args&);
wsrep_thd_processor_fun fun_;
- void* args_;
enum wsrep_thread_type thread_type_;
+ pthread_t thread_id_;
};
void* start_wsrep_THD(void*);
diff --git a/sql/wsrep_schema.cc b/sql/wsrep_schema.cc
index c1b955e4483..064b6cf9f46 100644
--- a/sql/wsrep_schema.cc
+++ b/sql/wsrep_schema.cc
@@ -474,7 +474,9 @@ static int scan(TABLE* table, uint field, char* strbuf, uint strbuf_len)
{
String str;
(void)table->field[field]->val_str(&str);
- strncpy(strbuf, str.c_ptr(), std::min(str.length(), strbuf_len));
+ LEX_CSTRING tmp= str.lex_cstring();
+ uint len = tmp.length;
+ strncpy(strbuf, tmp.str, std::min(len, strbuf_len));
strbuf[strbuf_len - 1]= '\0';
return 0;
}
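Review bot: The terminator is still written only at `strbuf[strbuf_len - 1]`, so when the value is shorter than the buffer the bytes between the copied data and the last byte are never set. `tmp.str` is presumably not guaranteed to be NUL-terminated, and `strncpy` with a count of `len` then copies exactly `len` bytes and adds no terminator, so the caller reads whatever was in `strbuf` before unless it zeroed the buffer itself. Terminating at the copied length closes that gap: `uint n= std::min(len, strbuf_len - 1); memcpy(strbuf, tmp.str, n); strbuf[n]= '\0';`. A `strbuf_len` of 0 makes both the old and the new code write before the start of the buffer, so an early return for that case belongs in front of the copy. The result of `val_str()` is also discarded, which is worth confirming as safe for the field types scanned here.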
diff --git a/sql/wsrep_sst.cc b/sql/wsrep_sst.cc
index 89e637ae075..5602b13f4fd 100644
--- a/sql/wsrep_sst.cc
+++ b/sql/wsrep_sst.cc
@@ -640,7 +640,7 @@ static ssize_t sst_prepare_other (const char* method,
const char** addr_out)
{
bool extra_args;
- size_t const cmd_len= estimate_cmd_len(&extra_args);
+ ssize_t const cmd_len= estimate_cmd_len(&extra_args);
wsp::string cmd_str(cmd_len);
if (!cmd_str())
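Review bot: `cmd_len` is now signed but still goes straight into `wsp::string cmd_str(cmd_len)` with no range check, and the same pattern repeats in the sst_donate_mysqldump and sst_donate_other hunks. The return type of estimate_cmd_len() is not visible here: if it returns `size_t`, the change only moves the signed/unsigned conversion to this line, and if the `wsp::string` constructor takes an unsigned size, a negative value would become a very large allocation request. I would either keep the length unsigned and cast at the comparison that produced the compiler error, or state the invariant with `DBUG_ASSERT(cmd_len > 0);` before `cmd_str` is constructed. All three functions start and end outside their hunks.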
@@ -953,7 +953,7 @@ static int sst_donate_mysqldump (const char* addr,
memcpy(host, address.get_address(), address.get_address_len());
int port= address.get_port();
bool extra_args;
- size_t const cmd_len= estimate_cmd_len(&extra_args);
+ ssize_t const cmd_len= estimate_cmd_len(&extra_args);
wsp::string cmd_str(cmd_len);
if (!cmd_str())
@@ -1350,7 +1350,7 @@ static int sst_donate_other (const char* method,
char** env) // carries auth info
{
bool extra_args;
- size_t const cmd_len= estimate_cmd_len(&extra_args);
+ ssize_t const cmd_len= estimate_cmd_len(&extra_args);
wsp::string cmd_str(cmd_len);
if (!cmd_str())
diff --git a/sql/wsrep_thd.cc b/sql/wsrep_thd.cc
index 5907d495ee9..659bb8545b2 100644
--- a/sql/wsrep_thd.cc
+++ b/sql/wsrep_thd.cc
@@ -86,7 +86,7 @@ static void wsrep_replication_process(THD *thd,
static bool create_wsrep_THD(Wsrep_thd_args* args)
{
ulong old_wsrep_running_threads= wsrep_running_threads;
- pthread_t unused;
+
#ifdef HAVE_PSI_THREAD_INTERFACE
PSI_thread_key key;
@@ -103,7 +103,7 @@ static bool create_wsrep_THD(Wsrep_thd_args* args)
break;
}
#endif
- bool res= mysql_thread_create(key, &unused, &connection_attrib,
+ bool res= mysql_thread_create(key, args->thread_id(), &connection_attrib,
start_wsrep_THD, (void*)args);
/*
if starting a thread on server startup, wait until the this thread's THD
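Review bot: `mysql_thread_create` now stores the new thread's id into memory owned by `args`, but ownership of `args` passes to the started thread, which frees it with `delete thd_args` in start_wsrep_THD (sql/wsrep_mysqld.cc in this commit). POSIX does not say when the id is stored relative to the new thread running, so if the worker can finish first the creator writes into freed memory; that is unlikely for a long-running applier, but nothing visible here excludes it. Keeping a local `pthread_t` for the call and letting the worker record its own id with `pthread_self()` inside start_wsrep_THD would remove the dependency on that ordering. No reader of `thread_id_` appears in this diff, so it is also worth stating what the stored id is for. create_wsrep_THD's body continues outside the hunk.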
@@ -123,9 +123,9 @@ void wsrep_create_appliers(long threads)
/* Dont' start slave threads if wsrep-provider or wsrep-cluster-address
is not set.
*/
- if (!WSREP_PROVIDER_EXISTS)
+ if (!WSREP_PROVIDER_EXISTS)
{
- return;
+ return;
}
if (!wsrep_cluster_address || wsrep_cluster_address[0]== 0)
@@ -135,11 +135,12 @@ void wsrep_create_appliers(long threads)
}
long wsrep_threads=0;
-
+
while (wsrep_threads++ < threads)
{
- Wsrep_thd_args* args(new Wsrep_thd_args(wsrep_replication_process, 0,
- WSREP_APPLIER_THREAD));
+ Wsrep_thd_args* args(new Wsrep_thd_args(wsrep_replication_process,
+ WSREP_APPLIER_THREAD,
+ pthread_self()));
if (create_wsrep_THD(args))
{
WSREP_WARN("Can't create thread to manage wsrep replication");
@@ -328,16 +329,19 @@ void wsrep_create_rollbacker()
{
if (wsrep_cluster_address && wsrep_cluster_address[0] != 0)
{
- Wsrep_thd_args* args= new Wsrep_thd_args(wsrep_rollback_process, 0,
- WSREP_ROLLBACKER_THREAD);
+ Wsrep_thd_args* args(new Wsrep_thd_args(wsrep_rollback_process,
+ WSREP_ROLLBACKER_THREAD,
+ pthread_self()));
/* create rollbacker */
if (create_wsrep_THD(args))
WSREP_WARN("Can't create thread to manage wsrep rollback");
/* create post_rollbacker */
- args= new Wsrep_thd_args(wsrep_post_rollback_process, 0,
- WSREP_ROLLBACKER_THREAD);
+ args= new Wsrep_thd_args(wsrep_post_rollback_process,
+ WSREP_ROLLBACKER_THREAD,
+ pthread_self());
+
if (create_wsrep_THD(args))
WSREP_WARN("Can't create thread to manage wsrep post rollback");
}
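Review bot: When the first `create_wsrep_THD(args)` fails, only a warning is logged and `args` is then overwritten by the second `new Wsrep_thd_args(...)`, so the first object is leaked unless create_wsrep_THD frees it on failure, which the visible part of that function does not show. The second allocation has the same problem at the end of the block. Because the started thread is what deletes the object, the failure branch should free it, e.g. `if (create_wsrep_THD(args)) { WSREP_WARN("Can't create thread to manage wsrep rollback"); delete args; }`, provided a true return always means the thread was never started. The applier loop in the previous hunk follows the same pattern, but its failure branch continues outside that hunk.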