author | vkumbhar <vkumbhar@mvista.com> | 2023-03-27 18:20:03 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-04-06 07:32:11 -0400 |
commit | f1d4acc09de9bd8e5e18f45f1e7efadece527195 (patch) | |
tree | 456a57f2c9f456c63d59da112bf4150d9ee12c9b | |
parent | 98e6e3168818fb37a06d21df11b38729c18b3c3d (diff) | |
mariadb: fix CVE-2022-47015 NULL pointer dereference in spider_db_mbase::print_warnings()
The function spider_db_mbase::print_warnings() can potentially result
in a null pointer dereference.
Remove the null pointer dereference by cleaning up the function.
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb.inc | 1 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch | 269 |
2 files changed, 270 insertions, 0 deletions
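--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -16,6 +16,7 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz
 file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
 file://0001-disable-ucontext-on-musl.patch \
 file://fix-arm-atomic.patch \
+file://CVE-2022-47015.patch \
 "
 
 SRC_URI[sha256sum] = "ff963c4e11bc06b775f66f2b1ddef184996208fb4b23cfdb50d95fb02eaa7ef8"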
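--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch
@@ -0,0 +1,269 @@
+From be0a46b3d52b58956fd0d47d040b9f4514406954 Mon Sep 17 00:00:00 2001
+From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com>
+Date: Tue, 27 Sep 2022 15:22:57 +0900
+Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in
+spider_db_mbase::print_warnings()
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954]
+CVE: CVE-2022-47015
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+.../spider/bugfix/r/mdev_29644.result | 44 ++++++++++
+.../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 +
+.../spider/bugfix/t/mdev_29644.test | 58 ++++++++++++
+storage/spider/spd_db_mysql.cc | 88 ++++++++-----------
+storage/spider/spd_db_mysql.h | 4 +-
+5 files changed, 141 insertions(+), 56 deletions(-)
+create mode 100644 spider/mysql-test/spider/bugfix/r/mdev_29644.result
+create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.test
+
+diff --git a/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+new file mode 100644
+index 00000000..eb725602
+--- /dev/null
++++ b/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+@@ -0,0 +1,44 @@
++#
++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++#
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
++connection child2_1;
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++CREATE TABLE tbl_a (
++a CHAR(5)
++) ENGINE=InnoDB DEFAULT CHARSET=utf8;
++set @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++connection master_1;
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++CREATE TABLE tbl_a (
++a CHAR(255)
++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
++SET @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++INSERT INTO tbl_a VALUES ("this will be truncated");
++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++SET @orig_log_result_errors=@@global.spider_log_result_errors;
++SET GLOBAL spider_log_result_errors=4;
++INSERT INTO tbl_a VALUES ("this will be truncated");
++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++connection master_1;
++SET GLOBAL spider_log_result_errors=@orig_log_result_errors;
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_local;
++connection child2_1;
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_remote;
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
+diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+new file mode 100644
+index 00000000..05dfd8a0
+--- /dev/null
++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+@@ -0,0 +1,3 @@
++!include include/default_mysqld.cnf
++!include ../my_1_1.cnf
++!include ../my_2_1.cnf
+diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+new file mode 100644
+index 00000000..4ebdf317
+--- /dev/null
++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+@@ -0,0 +1,58 @@
++--echo #
++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++--echo #
++
++# The test case below does not cause the potential null pointer dereference.
++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works.
++
++--disable_query_log
++--disable_result_log
++--source ../../t/test_init.inc
++--enable_result_log
++--enable_query_log
++
++--connection child2_1
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++eval CREATE TABLE tbl_a (
++ a CHAR(5)
++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
++set @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++
++--connection master_1
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++eval CREATE TABLE tbl_a (
++ a CHAR(255)
++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
++
++SET @orig_sql_mode=@@global.sql_mode;
++SET GLOBAL sql_mode='';
++
++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err;
++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should not find
++
++SET @orig_log_result_errors=@@global.spider_log_result_errors;
++SET GLOBAL spider_log_result_errors=4;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should find
++
++--connection master_1
++SET GLOBAL spider_log_result_errors=@orig_log_result_errors;
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_local;
++
++--connection child2_1
++SET GLOBAL sql_mode=@orig_sql_mode;
++DROP DATABASE IF EXISTS auto_test_remote;
++
++--disable_query_log
++--disable_result_log
++--source ../t/test_deinit.inc
++--enable_query_log
++--enable_result_log
+diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc
+index 85f910aa..7d6bd599 100644
+--- a/storage/spider/spd_db_mysql.cc
++++ b/storage/spider/spd_db_mysql.cc
+@@ -2197,7 +2197,7 @@ int spider_db_mbase::exec_query(
+db_conn->affected_rows, db_conn->insert_id,
+db_conn->server_status, db_conn->warning_count);
+if (spider_param_log_result_errors() >= 3)
+- print_warnings(l_time);
++ fetch_and_print_warnings(l_time);
+} else if (log_result_errors >= 4)
+{
+time_t cur_time = (time_t) time((time_t*) 0);
+@@ -2279,61 +2279,43 @@ bool spider_db_mbase::is_xa_nota_error(
+DBUG_RETURN(xa_nota);
+}
+
+-void spider_db_mbase::print_warnings(
+- struct tm *l_time
+-) {
+- DBUG_ENTER("spider_db_mbase::print_warnings");
+- DBUG_PRINT("info",("spider this=%p", this));
+- if (db_conn->status == MYSQL_STATUS_READY)
++void spider_db_mbase::fetch_and_print_warnings(struct tm *l_time)
++{
++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings");
++
++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY ||
++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS)
++ DBUG_VOID_RETURN;
++
++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
++ SPIDER_SQL_SHOW_WARNINGS_LEN))
++ DBUG_VOID_RETURN;
++
++ MYSQL_RES *res= mysql_store_result(db_conn);
++ if (!res)
++ DBUG_VOID_RETURN;
++
++ uint num_fields= mysql_num_fields(res);
++ if (num_fields != 3)
+{
+-#if MYSQL_VERSION_ID < 50500
+- if (!(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS))
+-#else
+- if (!(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS))
+-#endif
+- {
+- if (
+- spider_param_dry_access() ||
+- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
+- SPIDER_SQL_SHOW_WARNINGS_LEN)
+- ) {
+- MYSQL_RES *res = NULL;
+- MYSQL_ROW row = NULL;
+- uint num_fields;
+- if (
+- spider_param_dry_access() ||
+- !(res = mysql_store_result(db_conn)) ||
+- !(row = mysql_fetch_row(res))
+- ) {
+- if (mysql_errno(db_conn))
+- {
+- if (res)
+- mysql_free_result(res);
+- DBUG_VOID_RETURN;
+- }
+- /* no record is ok */
+- }
+- num_fields = mysql_num_fields(res);
+- if (num_fields != 3)
+- {
+- mysql_free_result(res);
+- DBUG_VOID_RETURN;
+- }
+- while (row)
+- {
+- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] "
+- "from [%s] %ld to %ld: %s %s %s\n",
++ mysql_free_result(res);
++ DBUG_VOID_RETURN;
++ }
++
++ MYSQL_ROW row= mysql_fetch_row(res);
++ while (row)
++ {
++ fprintf(stderr,
++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld "
++ "to %ld: %s %s %s\n",
+l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday,
+- l_time->tm_hour, l_time->tm_min, l_time->tm_sec,
+- conn->tgt_host, (ulong) db_conn->thread_id,
+- (ulong) current_thd->thread_id, row[0], row[1], row[2]);
+- row = mysql_fetch_row(res);
+- }
+- if (res)
+- mysql_free_result(res);
+- }
+- }
++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host,
++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0],
++ row[1], row[2]);
++ row= mysql_fetch_row(res);
+}
++ mysql_free_result(res);
++
+DBUG_VOID_RETURN;
+}
+
+diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h
+index 626bb4d5..82c7c0ec 100644
+--- a/storage/spider/spd_db_mysql.h
++++ b/storage/spider/spd_db_mysql.h
+@@ -439,9 +439,7 @@ class spider_db_mbase: public spider_db_conn
+bool is_xa_nota_error(
+int error_num
+);
+- void print_warnings(
+- struct tm *l_time
+- );
++ void fetch_and_print_warnings(struct tm *l_time);
+spider_db_result *store_result(
+spider_db_result_buffer **spider_res_buf,
+st_spider_db_request_key *request_key,
+--
+2.25.1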
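Review bot: In the new `fetch_and_print_warnings()` in storage/spider/spd_db_mysql.cc, `row[0]`, `row[1]` and `row[2]` go straight to `%s` after only the column count is checked, so a NULL column value in the result set would pass a null pointer to `fprintf`, which is undefined behaviour. SHOW WARNINGS columns are normally non-NULL, but the rows are produced by the remote data node, so I would guard each argument, e.g. `row[0] ? row[0] : "NULL"`. The two thread ids are cast to `ulong` but formatted with `%ld`; `%lu` matches the casts. Separately, the three mdev_29644 test files in this backport are created under `spider/mysql-test/...` while the code it patches lives under `storage/spider/...`, so they presumably land outside the Spider test suite; worth comparing with the paths in the upstream commit.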