Commit ee5152f

MDEV-22070 MSAN use-of-uninitialized-value in encryption.innodb-redo-badkey
On a checksum failure of a ROW_FORMAT=COMPRESSED page, buf_LRU_free_one_page() would invoke buf_LRU_block_remove_hashed() which will read the uncompressed page frame, although it would not be initialized. With bad enough luck, fil_page_get_type(page) could return an unrecognized value and cause the server to abort.

buf_page_io_complete(): On the corruption of a ROW_FORMAT=COMPRESSED page, zerofill the uncompressed page frame.
1 parent 31f34b2 commit ee5152f

2 files changed

+14
-6
lines changed

storage/innobase/buf/buf0buf.cc

Lines changed: 7 additions & 3 deletions
@@ -2,7 +2,7 @@
22
33
Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved.
44
Copyright (c) 2008, Google Inc.
5-
Copyright (c) 2013, 2019, MariaDB Corporation.
5+
Copyright (c) 2013, 2020, MariaDB Corporation.
66
77
Portions of this file contain modifications contributed and copyrighted by
88
Google, Inc. Those modifications are gratefully acknowledged and are described
@@ -4931,9 +4931,8 @@ buf_page_io_complete(buf_page_t* bpage, bool evict)
49314931

49324932
err = buf_page_check_corrupt(bpage, space);
49334933

4934-
database_corrupted:
4935-
49364934
if (err != DB_SUCCESS) {
4935+
database_corrupted:
49374936
/* Not a real corruption if it was triggered by
49384937
error injection */
49394938
DBUG_EXECUTE_IF("buf_page_import_corrupt_failure",
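Review bot: with `database_corrupted:` now placed inside the `if (err != DB_SUCCESS)` block, any `goto database_corrupted` enters the error path without the `err` test that used to follow the label. The `if (err == DB_PAGE_CORRUPTED)` branch further down this block still depends on the value of `err`, so please confirm that every goto site assigns a failure code first, and either say so in a comment next to the label or assert `err != DB_SUCCESS` right after it.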
@@ -4948,6 +4947,11 @@ buf_page_io_complete(buf_page_t* bpage, bool evict)
49484947
goto page_not_corrupt;
49494948
);
49504949

4950+
if (uncompressed && bpage->zip.data) {
4951+
memset(reinterpret_cast<buf_block_t*>(bpage)
4952+
->frame, 0, srv_page_size);
4953+
}
4954+
49514955
if (err == DB_PAGE_CORRUPTED) {
49524956
ib_logf(IB_LOG_LEVEL_ERROR,
49534957
"Database page corruption on disk"

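Review bot: the new block at `if (uncompressed && bpage->zip.data)` has no comment saying why the frame is zero-filled; the reason (the eviction path reads the uncompressed frame of a corrupted ROW_FORMAT=COMPRESSED page that was never initialized) lives only in the commit message. A short comment above the `memset` would keep it from being removed later as redundant. The `reinterpret_cast<buf_block_t*>(bpage)` is only valid when `bpage` is the head of a `buf_block_t`; that is presumably what `uncompressed` guarantees, but its definition is outside the visible context, so it is worth stating in the same comment. The zero-fill also sits after the `DBUG_EXECUTE_IF` that does `goto page_not_corrupt;`, so the injected-failure path skips it, which looks intended.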
storage/xtradb/buf/buf0buf.cc

Lines changed: 7 additions & 3 deletions
@@ -2,7 +2,7 @@
22
33
Copyright (c) 1995, 2016, Oracle and/or its affiliates. All Rights Reserved.
44
Copyright (c) 2008, Google Inc.
5-
Copyright (c) 2013, 2019, MariaDB Corporation.
5+
Copyright (c) 2013, 2020, MariaDB Corporation.
66
77
Portions of this file contain modifications contributed and copyrighted by
88
Google, Inc. Those modifications are gratefully acknowledged and are described
@@ -4936,9 +4936,8 @@ buf_page_io_complete(buf_page_t* bpage)
49364936
err = buf_page_check_corrupt(bpage, space);
49374937
}
49384938

4939-
database_corrupted:
4940-
49414939
if (err != DB_SUCCESS) {
4940+
database_corrupted:
49424941
/* Not a real corruption if it was triggered by
49434942
error injection */
49444943
DBUG_EXECUTE_IF("buf_page_import_corrupt_failure",
@@ -4953,6 +4952,11 @@ buf_page_io_complete(buf_page_t* bpage)
49534952
goto page_not_corrupt;
49544953
);
49554954

4955+
if (uncompressed && bpage->zip.data) {
4956+
memset(reinterpret_cast<buf_block_t*>(bpage)
4957+
->frame, 0, srv_page_size);
4958+
}
4959+
49564960
if (err == DB_PAGE_CORRUPTED) {
49574961
ib_logf(IB_LOG_LEVEL_ERROR,
49584962
"Database page corruption on disk"

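Review bot: this `memset` block is a verbatim copy of the one in storage/innobase/buf/buf0buf.cc, while the enclosing function here is `buf_page_io_complete(buf_page_t* bpage)` without the `evict` parameter. `uncompressed` is not defined in the visible lines of either file, so please confirm it is derived the same way in this tree before relying on it to guard the `reinterpret_cast<buf_block_t*>(bpage)`.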