MDEV-22070 MSAN use-of-uninitialized-value in encryption.innodb-redo-badkey

On a checksum failure of a ROW_FORMAT=COMPRESSED page,
buf_LRU_free_one_page() would invoke buf_LRU_block_remove_hashed()
which will read the uncompressed page frame, although it would not
be initialized. With bad enough luck, fil_page_get_type(page)
could return an unrecognized value and cause the server to abort.

buf_page_io_complete(): On the corruption of a ROW_FORMAT=COMPRESSED
page, zerofill the uncompressed page frame.
dr-m committed May 14, 2020
1 parent 31f34b2 commit ee5152f
Showing 2 changed files with 14 additions and 6 deletions.
10 changes: 7 additions & 3 deletions storage/innobase/buf/buf0buf.cc
Expand Up @@ -2,7 +2,7 @@
Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved.
Copyright (c) 2008, Google Inc.
Copyright (c) 2013, 2019, MariaDB Corporation.
Copyright (c) 2013, 2020, MariaDB Corporation.
Portions of this file contain modifications contributed and copyrighted by
Google, Inc. Those modifications are gratefully acknowledged and are described
Expand Down Expand Up @@ -4931,9 +4931,8 @@ buf_page_io_complete(buf_page_t* bpage, bool evict)

err = buf_page_check_corrupt(bpage, space);

database_corrupted:

if (err != DB_SUCCESS) {
database_corrupted:
/* Not a real corruption if it was triggered by
error injection */
DBUG_EXECUTE_IF("buf_page_import_corrupt_failure",
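Review bot: moving the `database_corrupted:` label from before the `if (err != DB_SUCCESS)` test to just inside its block changes the contract of every `goto database_corrupted` in this function: the jump now bypasses the `err != DB_SUCCESS` check, so each jump site (none are visible in this hunk) must itself have set `err` to a failure code before jumping, otherwise the code below will zero-fill and log a page that `err` still reports as successfully read. A one-line comment at the label stating that invariant, or a `ut_ad(err != DB_SUCCESS);` immediately after it, would make the assumption explicit for the next reader.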
Expand All @@ -4948,6 +4947,11 @@ buf_page_io_complete(buf_page_t* bpage, bool evict)
goto page_not_corrupt;
);

if (uncompressed && bpage->zip.data) {
memset(reinterpret_cast<buf_block_t*>(bpage)
->frame, 0, srv_page_size);
}

if (err == DB_PAGE_CORRUPTED) {
ib_logf(IB_LOG_LEVEL_ERROR,
"Database page corruption on disk"
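Review bot: the `memset(..., 0, srv_page_size)` of the uncompressed frame is the actual fix for the uninitialized read described in the commit message, but the guard `uncompressed && bpage->zip.data` deserves an inline comment: it selects the case where a ROW_FORMAT=COMPRESSED page owns a `buf_block_t` frame that was never populated because decompression did not take place, and without the zero-fill a later `fil_page_get_type()` in `buf_LRU_block_remove_hashed()` would read whatever happened to be in that frame. Two further points: the zero-fill sits after the `DBUG_EXECUTE_IF("buf_page_import_corrupt_failure", ... goto page_not_corrupt;)` block, so on the error-injection path the frame is still left uninitialized, which is worth confirming is intended; and the `reinterpret_cast<buf_block_t*>(bpage)` is only sound because `uncompressed` implies the descriptor is a full block rather than a bare `buf_page_t`, which the same comment could state. Note also that the block runs for any `err != DB_SUCCESS`, not only `DB_PAGE_CORRUPTED`, so the frame is zeroed for every failure code `buf_page_check_corrupt()` can return.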
10 changes: 7 additions & 3 deletions storage/xtradb/buf/buf0buf.cc
Expand Up @@ -2,7 +2,7 @@
Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved.
Copyright (c) 2008, Google Inc.
Copyright (c) 2013, 2019, MariaDB Corporation.
Copyright (c) 2013, 2020, MariaDB Corporation.
Portions of this file contain modifications contributed and copyrighted by
Google, Inc. Those modifications are gratefully acknowledged and are described
Expand Down Expand Up @@ -4936,9 +4936,8 @@ buf_page_io_complete(buf_page_t* bpage)
err = buf_page_check_corrupt(bpage, space);
}

database_corrupted:

if (err != DB_SUCCESS) {
database_corrupted:
/* Not a real corruption if it was triggered by
error injection */
DBUG_EXECUTE_IF("buf_page_import_corrupt_failure",
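Review bot: this is the same label move as in storage/innobase/buf/buf0buf.cc and carries the same implicit contract, namely that every `goto database_corrupted` has already set `err` to a non-`DB_SUCCESS` value before jumping past the `if (err != DB_SUCCESS)` test. Whatever comment or `ut_ad(err != DB_SUCCESS);` is added there should be added here too, so the two copies of this function stay in sync.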
Expand All @@ -4953,6 +4952,11 @@ buf_page_io_complete(buf_page_t* bpage)
goto page_not_corrupt;
);

if (uncompressed && bpage->zip.data) {
memset(reinterpret_cast<buf_block_t*>(bpage)
->frame, 0, srv_page_size);
}

if (err == DB_PAGE_CORRUPTED) {
ib_logf(IB_LOG_LEVEL_ERROR,
"Database page corruption on disk"
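Review bot: this hunk is a verbatim copy of the innobase change (only the line offsets differ, `-4953,6 +4952,11` versus `-4948,6 +4947,11`), so the same observations apply: the `uncompressed && bpage->zip.data` guard and the `reinterpret_cast<buf_block_t*>(bpage)` would benefit from a comment explaining that the frame was never filled by decompression and that `uncompressed` guarantees a full block, and the error-injection `goto page_not_corrupt` path above still skips the zero-fill. Since the fix has to be maintained in both storage/innobase and storage/xtradb, keeping the comment identical in both files will make future diffs between the two engines easier to review.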

0 comments on commit ee5152f