authorvkumbhar <vkumbhar@mvista.com>2023-03-27 18:20:03 +0530
committerArmin Kuster <akuster808@gmail.com>2023-04-06 07:32:11 -0400
commitf1d4acc09de9bd8e5e18f45f1e7efadece527195 (patch)
tree456a57f2c9f456c63d59da112bf4150d9ee12c9b
parent98e6e3168818fb37a06d21df11b38729c18b3c3d (diff)
downloadmeta-openembedded-f1d4acc09de9bd8e5e18f45f1e7efadece527195.tar.gz
mariadb: fix CVE-2022-47015 NULL pointer dereference in spider_db_mbase::print_warnings()
The function spider_db_mbase::print_warnings() can potentially result in a null pointer dereference. Remove the null pointer dereference by cleaning up the function. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb.inc1
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch269
2 files changed, 270 insertions, 0 deletions
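--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -16,6 +16,7 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz
  file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
  file://0001-disable-ucontext-on-musl.patch \
  file://fix-arm-atomic.patch \
+ file://CVE-2022-47015.patch \
 "
 
 SRC_URI[sha256sum] = "ff963c4e11bc06b775f66f2b1ddef184996208fb4b23cfdb50d95fb02eaa7ef8"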
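--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch
@@ -0,0 +1,269 @@
+From be0a46b3d52b58956fd0d47d040b9f4514406954 Mon Sep 17 00:00:00 2001
+From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com>
+Date: Tue, 27 Sep 2022 15:22:57 +0900
+Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in
+ spider_db_mbase::print_warnings()
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954]
+CVE: CVE-2022-47015
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ .../spider/bugfix/r/mdev_29644.result | 44 ++++++++++
+ .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 +
+ .../spider/bugfix/t/mdev_29644.test | 58 ++++++++++++
+ storage/spider/spd_db_mysql.cc | 88 ++++++++-----------
+ storage/spider/spd_db_mysql.h | 4 +-
+ 5 files changed, 141 insertions(+), 56 deletions(-)
+ create mode 100644 spider/mysql-test/spider/bugfix/r/mdev_29644.result
+ create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+ create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.test
+
+diff --git a/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+new file mode 100644
+index 00000000..eb725602
+--- /dev/null
++++ b/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+@@ -0,0 +1,44 @@
++#
++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++#
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
++connection child2_1;
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++CREATE TABLE tbl_a (
++a CHAR(5)
++) ENGINE=InnoDB DEFAULT CHARSET=utf8;
++set @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++connection master_1;
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++CREATE TABLE tbl_a (
++a CHAR(255)
++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
++SET @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++INSERT INTO tbl_a VALUES ("this will be truncated");
++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++SET @orig_log_result_errors=@@global.spider_log_result_errors;
++SET GLOBAL spider_log_result_errors=4;
++INSERT INTO tbl_a VALUES ("this will be truncated");
++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++connection master_1;
++SET GLOBAL spider_log_result_errors=@orig_log_result_errors;
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_local;
++connection child2_1;
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_remote;
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
+diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+new file mode 100644
+index 00000000..05dfd8a0
+--- /dev/null
++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+@@ -0,0 +1,3 @@
++!include include/default_mysqld.cnf
++!include ../my_1_1.cnf
++!include ../my_2_1.cnf
+diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+new file mode 100644
+index 00000000..4ebdf317
+--- /dev/null
++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+@@ -0,0 +1,58 @@
++--echo #
++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++--echo #
++
++# The test case below does not cause the potential null pointer dereference.
++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works.
++
++--disable_query_log
++--disable_result_log
++--source ../../t/test_init.inc
++--enable_result_log
++--enable_query_log
++
++--connection child2_1
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++eval CREATE TABLE tbl_a (
++ a CHAR(5)
++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
++set @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++
++--connection master_1
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++eval CREATE TABLE tbl_a (
++ a CHAR(255)
++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
++
++SET @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++
++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err;
++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should not find
++
++SET @orig_log_result_errors=@@global.spider_log_result_errors;
++SET GLOBAL spider_log_result_errors=4;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should find
++
++--connection master_1
++SET GLOBAL spider_log_result_errors=@orig_log_result_errors;
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_local;
++
++--connection child2_1
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_remote;
++
++--disable_query_log
++--disable_result_log
++--source ../t/test_deinit.inc
++--enable_query_log
++--enable_result_log
+diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc
+index 85f910aa..7d6bd599 100644
+--- a/storage/spider/spd_db_mysql.cc
++++ b/storage/spider/spd_db_mysql.cc
+@@ -2197,7 +2197,7 @@ int spider_db_mbase::exec_query(
+ db_conn->affected_rows, db_conn->insert_id,
+ db_conn->server_status, db_conn->warning_count);
+ if (spider_param_log_result_errors() >= 3)
+- print_warnings(l_time);
++ fetch_and_print_warnings(l_time);
+ } else if (log_result_errors >= 4)
+ {
+ time_t cur_time = (time_t) time((time_t*) 0);
+@@ -2279,61 +2279,43 @@ bool spider_db_mbase::is_xa_nota_error(
+ DBUG_RETURN(xa_nota);
+ }
+
+-void spider_db_mbase::print_warnings(
+- struct tm *l_time
+-) {
+- DBUG_ENTER("spider_db_mbase::print_warnings");
+- DBUG_PRINT("info",("spider this=%p", this));
+- if (db_conn->status == MYSQL_STATUS_READY)
++void spider_db_mbase::fetch_and_print_warnings(struct tm *l_time)
++{
++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings");
++
++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY ||
++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS)
++ DBUG_VOID_RETURN;
++
++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
++ SPIDER_SQL_SHOW_WARNINGS_LEN))
++ DBUG_VOID_RETURN;
++
++ MYSQL_RES *res= mysql_store_result(db_conn);
++ if (!res)
++ DBUG_VOID_RETURN;
++
++ uint num_fields= mysql_num_fields(res);
++ if (num_fields != 3)
+ {
+-#if MYSQL_VERSION_ID < 50500
+- if (!(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS))
+-#else
+- if (!(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS))
+-#endif
+- {
+- if (
+- spider_param_dry_access() ||
+- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
+- SPIDER_SQL_SHOW_WARNINGS_LEN)
+- ) {
+- MYSQL_RES *res = NULL;
+- MYSQL_ROW row = NULL;
+- uint num_fields;
+- if (
+- spider_param_dry_access() ||
+- !(res = mysql_store_result(db_conn)) ||
+- !(row = mysql_fetch_row(res))
+- ) {
+- if (mysql_errno(db_conn))
+- {
+- if (res)
+- mysql_free_result(res);
+- DBUG_VOID_RETURN;
+- }
+- /* no record is ok */
+- }
+- num_fields = mysql_num_fields(res);
+- if (num_fields != 3)
+- {
+- mysql_free_result(res);
+- DBUG_VOID_RETURN;
+- }
+- while (row)
+- {
+- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] "
+- "from [%s] %ld to %ld: %s %s %s\n",
++ mysql_free_result(res);
++ DBUG_VOID_RETURN;
++ }
++
++ MYSQL_ROW row= mysql_fetch_row(res);
++ while (row)
++ {
++ fprintf(stderr,
++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld "
++ "to %ld: %s %s %s\n",
+ l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday,
+- l_time->tm_hour, l_time->tm_min, l_time->tm_sec,
+- conn->tgt_host, (ulong) db_conn->thread_id,
+- (ulong) current_thd->thread_id, row[0], row[1], row[2]);
+- row = mysql_fetch_row(res);
+- }
+- if (res)
+- mysql_free_result(res);
+- }
+- }
++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host,
++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0],
++ row[1], row[2]);
++ row= mysql_fetch_row(res);
+ }
++ mysql_free_result(res);
++
+ DBUG_VOID_RETURN;
+ }
+
+diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h
+index 626bb4d5..82c7c0ec 100644
+--- a/storage/spider/spd_db_mysql.h
++++ b/storage/spider/spd_db_mysql.h
+@@ -439,9 +439,7 @@ class spider_db_mbase: public spider_db_conn
+ bool is_xa_nota_error(
+ int error_num
+ );
+- void print_warnings(
+- struct tm *l_time
+- );
++ void fetch_and_print_warnings(struct tm *l_time);
+ spider_db_result *store_result(
+ spider_db_result_buffer **spider_res_buf,
+ st_spider_db_request_key *request_key,
+--
+2.25.1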
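Review bot: In the backported fetch_and_print_warnings() in storage/spider/spd_db_mysql.cc, the loop passes row[0], row[1] and row[2] straight to `%s` with no NULL check, so a SHOW WARNINGS row with a NULL column would be undefined behaviour in fprintf; that is not expected for Level/Code/Message, but a guard such as `if (!row[0] || !row[1] || !row[2]) break;` before the fprintf would make the function self-protecting, which is the whole purpose of this fix. The three strings also originate on the remote data node and are written to the error log verbatim, so a message containing newlines can appear as extra log lines; a comment like `/* row[] text is remote-supplied and logged unescaped */` would make that visible to the next reader. The new early returns drop the old mysql_errno() distinction, silently ignoring a failed mysql_real_query or mysql_store_result; that is reasonable for a best-effort logging path but deserves a one-line comment saying it is intentional. The num_fields != 3 branch correctly frees res before returning, so no leak is introduced there.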