Fixed access to undefined memory found by valgrind and MSAN

montywi · montywi · commit c4bf4b7aefcd · 2020-05-23T12:29:10.000+03:00
When my_vsnprintf() is patched, the code protected disabled with
'WAITING_FOR_BUGFIX_TO_VSPRINTF' should be enabled again. Also all %b
formats in this patch should be revert to %s again
diff --git a/extra/replace.c b/extra/replace.c
@@ -64,7 +64,7 @@ typedef struct st_pointer_array {		/* when using array-strings */
 #define LAST_CHAR_CODE	259
 
 typedef struct st_replace {
-  my_bool   found;
+  uint8 found;
   struct st_replace *next[256];
 } REPLACE;
 
@@ -654,7 +654,13 @@ static REPLACE *init_replace(char * *from, char * *to,uint count,
     for (i=1 ; i <= found_sets ; i++)
     {
       pos=from[found_set[i-1].table_offset];
-      rep_str[i].found= (my_bool) (!memcmp(pos,"\\^",3) ? 2 : 1);
+      /*
+        Test if we are matching start of string (\^)
+        We can't use bcmp() here as pos may be only 1 character and
+        that would confuse MSAN.
+      */
+      rep_str[i].found= (uint8) ((pos[0] == '\\' && pos[1] == '^' &&
+                                  pos[2] == 0) ? 2 : 1);
       rep_str[i].replace_string=to_array[found_set[i-1].table_offset];
       rep_str[i].to_offset=found_set[i-1].found_offset-start_at_word(pos);
       rep_str[i].from_offset=found_set[i-1].found_offset-replace_len(pos)+
diff --git a/include/my_dbug.h b/include/my_dbug.h
@@ -52,7 +52,10 @@ extern void _db_enter_(const char *_func_, const char *_file_, uint _line_,
 extern  void _db_return_(struct _db_stack_frame_ *_stack_frame_);
 extern  int _db_pargs_(uint _line_,const char *keyword);
 extern  void _db_doprnt_(const char *format,...)
-  ATTRIBUTE_FORMAT(printf, 1, 2);
+#ifdef WAITING_FOR_BUGFIX_TO_VSPRINTF
+  ATTRIBUTE_FORMAT(printf, 1, 2)
+#endif
+  ;
 extern  void _db_dump_(uint _line_,const char *keyword,
                        const unsigned char *memory, size_t length);
 extern  void _db_end_(void);
diff --git a/mysql-test/main/sum_distinct-big.test b/mysql-test/main/sum_distinct-big.test
@@ -3,6 +3,8 @@
 #
 
 --source include/big_test.inc
+# Test will take more than one hour with valgrind
+--source include/not_valgrind.inc
 --source include/have_innodb.inc
 --source include/have_sequence.inc
 
diff --git a/mysql-test/valgrind.supp b/mysql-test/valgrind.supp
@@ -750,45 +750,6 @@
 # Note the wildcard in the (mangled) function signatures of
 # write_keys() and find_all_keys().
 # They both return ha_rows, which is platform dependent.
-#
-# The '...' wildcards are for 'fun:inline_mysql_file_write' and
-# 'fun:find_all_keys' which *may* be inlined.
-{
-   Bug#12856915 VALGRIND FAILURE IN FILESORT/CREATE_SORT_INDEX / one
-   Memcheck:Param
-   write(buf)
-   obj:*/libpthread*.so
-   fun:my_write
-   ...
-   fun:my_b_flush_io_cache
-   fun:_my_b_write
-   fun:_Z*10write_keysP13st_sort_paramPPhjP11st_io_cacheS4_
-   ...
-   fun:_Z8filesortP3THDP5TABLEP13st_sort_fieldjP10SQL_SELECTybPy
-}
-
-{
-   Bug#12856915 VALGRIND FAILURE IN FILESORT/CREATE_SORT_INDEX / two
-   Memcheck:Param
-   write(buf)
-   obj:*/libpthread*.so
-   fun:my_write
-   ...
-   fun:my_b_flush_io_cache
-   fun:_Z15merge_many_buffP13st_sort_paramPhP10st_buffpekPjP11st_io_cache
-   fun:_Z8filesortP3THDP5TABLEP13st_sort_fieldjP10SQL_SELECTybPy
-}
-
-{
-   Bug#12856915 VALGRIND FAILURE IN FILESORT/CREATE_SORT_INDEX / three
-   Memcheck:Param
-   write(buf)
-   obj:*/libpthread*.so
-   fun:my_write
-   ...
-   fun:my_b_flush_io_cache
-   fun:_Z8filesortP3THDP5TABLEP13st_sort_fieldjP10SQL_SELECTybPy
-}
 
 {
    OpenSSL still reachable.
diff --git a/plugin/type_inet/sql_type_inet.cc b/plugin/type_inet/sql_type_inet.cc
@@ -1411,7 +1411,7 @@ void Type_handler_inet6::sort_length(THD *thd,
                                      const Type_std_attributes *item,
                                      SORT_FIELD_ATTR *attr) const
 {
-  attr->length= Inet6::binary_length();
+  attr->original_length= attr->length= Inet6::binary_length();
   attr->suffix_length= 0;
 }
 
diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc
@@ -728,8 +728,8 @@ bool Item_subselect::exec()
         QT_WITHOUT_INTRODUCERS));
 
     push_warning_printf(thd, Sql_condition::WARN_LEVEL_NOTE,
-       ER_UNKNOWN_ERROR, "DBUG: Item_subselect::exec %.*s",
-       print.length(),print.c_ptr());
+                        ER_UNKNOWN_ERROR, "DBUG: Item_subselect::exec %.*b",
+                        print.length(),print.ptr());
   );
   /*
     Do not execute subselect in case of a fatal error
diff --git a/sql/protocol.cc b/sql/protocol.cc
@@ -1218,7 +1218,7 @@ bool Protocol_text::store(const char *from, size_t length,
 {
   CHARSET_INFO *tocs= this->thd->variables.character_set_results;
 #ifndef DBUG_OFF
-  DBUG_PRINT("info", ("Protocol_text::store field %u (%u): %.*s", field_pos,
+  DBUG_PRINT("info", ("Protocol_text::store field %u (%u): %.*b", field_pos,
                       field_count, (int) length, (length == 0 ? "" : from)));
   DBUG_ASSERT(field_handlers == 0 || field_pos < field_count);
   DBUG_ASSERT(valid_handler(field_pos, PROTOCOL_SEND_STRING));
diff --git a/sql/signal_handler.cc b/sql/signal_handler.cc
@@ -52,8 +52,9 @@ static inline void output_core_info()
   char buff[PATH_MAX];
   ssize_t len;
   int fd;
-  if ((len= readlink("/proc/self/cwd", buff, sizeof(buff))) >= 0)
+  if ((len= readlink("/proc/self/cwd", buff, sizeof(buff)-1)) >= 0)
   {
+    buff[len]= 0;
     my_safe_printf_stderr("Writing a core file...\nWorking directory at %.*s\n",
                           (int) len, buff);
   }
diff --git a/sql/tztime.cc b/sql/tztime.cc
@@ -1900,7 +1900,7 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
       Most probably user has mistyped time zone name, so no need to bark here
       unless we need it for debugging.
     */
-     sql_print_error("Can't find description of time zone '%.*s'", 
+     sql_print_error("Can't find description of time zone '%.*b'",
                      tz_name->length(), tz_name->ptr());
 #endif
     goto end;
diff --git a/storage/maria/ma_bitmap.c b/storage/maria/ma_bitmap.c
@@ -519,9 +519,10 @@ my_bool _ma_bitmap_flush_all(MARIA_SHARE *share)
 #ifdef EXTRA_DEBUG_BITMAP
     {
       char tmp[MAX_BITMAP_INFO_LENGTH];      
-      _ma_get_bitmap_description(bitmap, bitmap->map, bitmap->page, tmp);
+      size_t len;
+      len= _ma_get_bitmap_description(bitmap, bitmap->map, bitmap->page, tmp);
       (void) translog_log_debug_info(0, LOGREC_DEBUG_INFO_QUERY,
-                                     (uchar*) tmp, strlen(tmp));
+                                     (uchar*) tmp, len);
     }
 #endif
 
@@ -957,13 +958,13 @@ void _ma_print_bitmap(MARIA_FILE_BITMAP *bitmap, uchar *data,
   Return content of bitmap as a printable string
 */
 
-void _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
-                                uchar *bitmap_data,
-                                pgcache_page_no_t page,
-                                char *out)
+size_t _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
+                                  uchar *bitmap_data,
+                                  pgcache_page_no_t page,
+                                  char *out)
 {
   uchar *pos, *end;
-  uint count=0, dot_printed= 0, len;
+  size_t count=0, dot_printed= 0, len;
   char buff[80], last[80];
 
   page++;
@@ -1000,6 +1001,7 @@ void _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
   memcpy(out+len, buff, count);
   out[len + count]= '\n';
   out[len + count + 1]= 0;
+  return len + count + 1;
 }
 
 
diff --git a/storage/maria/ma_blockrec.h b/storage/maria/ma_blockrec.h
@@ -245,10 +245,10 @@ void _ma_bitmap_set_pagecache_callbacks(PAGECACHE_FILE *file,
 void _ma_print_bitmap(MARIA_FILE_BITMAP *bitmap, uchar *data,
                       pgcache_page_no_t page);
 #endif
-void _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
-                                uchar *bitmap_data,
-                                pgcache_page_no_t page,
-                                char *out);
+size_t _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
+                                  uchar *bitmap_data,
+                                  pgcache_page_no_t page,
+                                  char *out);
 
 uint _ma_apply_redo_insert_row_head_or_tail(MARIA_HA *info, LSN lsn,
                                             uint page_type,
diff --git a/storage/maria/ma_recovery.c b/storage/maria/ma_recovery.c
@@ -2238,7 +2238,7 @@ prototype_redo_exec_hook(CLR_END)
 
 prototype_redo_exec_hook(DEBUG_INFO)
 {
-  uchar *data;
+  char *data;
   enum translog_debug_info_type debug_info;
 
   enlarge_buffer(rec);
@@ -2251,11 +2251,10 @@ prototype_redo_exec_hook(DEBUG_INFO)
     return 1;
   }
   debug_info= (enum translog_debug_info_type) log_record_buffer.str[0];
-  data= log_record_buffer.str + 1;
+  data= (char*) log_record_buffer.str + 1;
   switch (debug_info) {
   case LOGREC_DEBUG_INFO_QUERY:
-    tprint(tracef, "Query: %.*s\n", rec->record_length - 1,
-           (char*) data);
+    tprint(tracef, "Query: %.*b\n", (int) rec->record_length - 1, data);
     break;
   default:
     DBUG_ASSERT(0);
diff --git a/storage/maria/ma_recovery_util.h b/storage/maria/ma_recovery_util.h
@@ -31,7 +31,12 @@ extern FILE *tracef;
 my_bool _ma_redo_not_needed_for_page(uint16 shortid, LSN lsn,
                                      pgcache_page_no_t page,
                                      my_bool index);
+#ifdef WAITING_FOR_BUGFIX_TO_VSPRINTF
 void tprint(FILE *trace_file, const char *format, ...)
   ATTRIBUTE_FORMAT(printf, 2, 3);
 void eprint(FILE *trace_file, const char *format, ...)
   ATTRIBUTE_FORMAT(printf, 2, 3);
+#else
+void tprint(FILE *trace_file, const char *format, ...);
+void eprint(FILE *trace_file, const char *format, ...);
+#endif

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,8 @@`
`3`	`3`	`#`
`4`	`4`
`5`	`5`	`--source include/big_test.inc`
	`6`	`+# Test will take more than one hour with valgrind`
	`7`	`+--source include/not_valgrind.inc`
`6`	`8`	`--source include/have_innodb.inc`
`7`	`9`	`--source include/have_sequence.inc`
`8`	`10`
Original file line number	Diff line number	Diff line change
`@@ -1411,7 +1411,7 @@ void Type_handler_inet6::sort_length(THD *thd,`
`1411`	`1411`	`const Type_std_attributes *item,`
`1412`	`1412`	`SORT_FIELD_ATTR *attr) const`
`1413`	`1413`	`{`
`1414`		`- attr->length= Inet6::binary_length();`
	`1414`	`+ attr->original_length= attr->length= Inet6::binary_length();`
`1415`	`1415`	`attr->suffix_length= 0;`
`1416`	`1416`	`}`
`1417`	`1417`
Original file line number	Diff line number	Diff line change
`@@ -1218,7 +1218,7 @@ bool Protocol_text::store(const char *from, size_t length,`
`1218`	`1218`	`{`
`1219`	`1219`	`CHARSET_INFO *tocs= this->thd->variables.character_set_results;`
`1220`	`1220`	`#ifndef DBUG_OFF`
`1221`		`- DBUG_PRINT("info", ("Protocol_text::store field %u (%u): %.*s", field_pos,`
	`1221`	`+ DBUG_PRINT("info", ("Protocol_text::store field %u (%u): %.*b", field_pos,`
`1222`	`1222`	`field_count, (int) length, (length == 0 ? "" : from)));`
`1223`	`1223`	`DBUG_ASSERT(field_handlers == 0 \|\| field_pos < field_count);`
`1224`	`1224`	`DBUG_ASSERT(valid_handler(field_pos, PROTOCOL_SEND_STRING));`
Original file line number	Diff line number	Diff line change
`@@ -52,8 +52,9 @@ static inline void output_core_info()`
`52`	`52`	`char buff[PATH_MAX];`
`53`	`53`	`ssize_t len;`
`54`	`54`	`int fd;`
`55`		`- if ((len= readlink("/proc/self/cwd", buff, sizeof(buff))) >= 0)`
	`55`	`+ if ((len= readlink("/proc/self/cwd", buff, sizeof(buff)-1)) >= 0)`
`56`	`56`	`{`
	`57`	`+ buff[len]= 0;`
`57`	`58`	`my_safe_printf_stderr("Writing a core file...\nWorking directory at %.*s\n",`
`58`	`59`	`(int) len, buff);`
`59`	`60`	`}`