From: Marc Alff
Date: March 5 2010 1:36am
Subject: bzr commit into mysql-next-mr-bugfixing branch (marc.alff:3122) Bug#51738
List-Archive: http://lists.mysql.com/commits/102386
X-Bug: 51738
Message-Id: <20100305013658.2C23B45E80@linux-su11.site>

#At file:///home/malff/BZR_TREE/mysql-next-mr-bugfixing-51738/ based on revid:alik@stripped

3122 Marc Alff 2010-03-04
Bug#51738 Unit test pfs_instr-t crashes

The unit test pfs_instr-t:
- generates a very long (10,000 bytes) file name
- calls find_or_create_file.

This leads to a buffer overflow in mysys in my_realpath(), because my_realpath and mysys file APIs in general do not test for input parameters: mysys assumes every file name is less than FN_REFLEN in length.

Calling find_or_create_file with a very long file name is likely to happen when instrumenting third party code that does not use mysys, so this test is legitimate.

The fix is to make find_or_create_file in the performance schema more robust in this case.

modified:
  storage/perfschema/pfs_instr.cc
=== modified file 'storage/perfschema/pfs_instr.cc'
--- a/storage/perfschema/pfs_instr.cc 2010-03-02 00:10:01 +0000
+++ b/storage/perfschema/pfs_instr.cc 2010-03-05 01:36:54 +0000
@@ -746,6 +746,26 @@ find_or_create_file(PFS_thread *thread, } } + char safe_buffer[FN_REFLEN]; + const char *safe_filename; + + if (len >= FN_REFLEN) + { + /* + The instrumented code uses file names that exceeds FN_REFLEN. + This could be legal for instrumentation on non mysys APIs, + so we support it. + Truncate the file name so that: + - it fits into pfs->m_filename + - it is safe to use mysys apis to normalize the file name. + */ + memcpy(safe_buffer, filename, FN_REFLEN - 2); + safe_buffer[FN_REFLEN - 1]= 0; + safe_filename= safe_buffer; + } + else + safe_filename= filename; + /* Normalize the file name to avoid duplicates when using aliases: - absolute or relative paths 
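Review bot: the truncated copy leaves one byte uninitialised. `memcpy(safe_buffer, filename, FN_REFLEN - 2);` fills indices 0 .. FN_REFLEN-3 and `safe_buffer[FN_REFLEN - 1]= 0;` terminates at index FN_REFLEN-1, so safe_buffer[FN_REFLEN - 2] is never written; whatever stack byte happens to be there becomes the last character of the name that my_realpath normalises and that ends up in pfs->m_filename. Either copy FN_REFLEN - 1 bytes and keep the terminator at FN_REFLEN - 1, or keep the FN_REFLEN - 2 copy and terminate at FN_REFLEN - 2. Two smaller points: the comment says names that "exceeds FN_REFLEN" (should read "exceed"; the `len >= FN_REFLEN` test is right because the terminator needs one byte, so say so); and because two distinct over-long names that share the same prefix now truncate to the same safe_buffer contents, they will be treated as the same file by the duplicate-avoidance logic that follows, which is worth one sentence in the comment since that block exists precisely to avoid aliases.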
@@ -759,7 +779,7 @@ find_or_create_file(PFS_thread *thread, Ignore errors, the file may not exist. my_realpath always provide a best effort result in buffer. */ - (void) my_realpath(buffer, filename, MYF(0)); + (void) my_realpath(buffer, safe_filename, MYF(0)); normalized_filename= buffer; normalized_length= strlen(normalized_filename);

# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: marc.alff@stripped
# target_branch: file:///home/malff/BZR_TREE/mysql-next-mr-bugfixing-51738/
# testament_sha1: 67751e0ea8ce10ca8c38a597da90ac9b19deac48
# timestamp: 2010-03-04 18:36:58 -0700
# base_revision_id: alik@stripped
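Review bot: feeding `safe_filename` (up to FN_REFLEN - 1 characters) to my_realpath is only safe if `buffer` is itself at least FN_REFLEN bytes; `buffer` is declared outside this hunk, so please confirm its size is FN_REFLEN and not a smaller local constant, otherwise the overflow just moves from my_realpath's input to its output. For a truncated name the "best effort result" the retained comment mentions will normally be the truncated prefix itself, since the prefix is not the path that was opened, so the `(void)` discard of the return value is fine but a one-line remark that truncated names are stored as the prefix would save the next reader a trip through my_realpath. While touching the comment: "my_realpath always provide" should read "provides".

The hazard described in the commit message and the bound the patch puts on it, as an added example in C. This is not MySQL or mysys code: FN_REFLEN is set to an assumed value, `mysys_like_normalize` is a stand-in for an API that assumes a short input and refuses instead of overflowing so the contract violation is observable, the 10,000-byte name is constructed to mirror the unit test, and `patch_copy_leaves_gap` reproduces the FN_REFLEN - 2 copy from the first hunk to show the unwritten byte. `truncated_names_collide` shows the aliasing cost of truncation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for this example only; mysys defines the real FN_REFLEN. */
#define FN_REFLEN 512

/*
 * Bound an instrumented file name to what a fixed-size-buffer API accepts.
 * Returns either the caller's own string (it already fits) or a truncated
 * copy in safe_buffer. Every byte of the returned string is initialised,
 * which is the property the patch's FN_REFLEN - 2 copy does not give.
 */
static const char *bound_filename(const char *filename, size_t len,
                                  char safe_buffer[FN_REFLEN])
{
  if (len < FN_REFLEN)
    return filename;                          /* fits, no copy needed */
  memcpy(safe_buffer, filename, FN_REFLEN - 1);
  safe_buffer[FN_REFLEN - 1] = '\0';
  return safe_buffer;
}

/* Stand-in for a mysys-style call that assumes strlen(name) < FN_REFLEN.
 * It refuses (returns 0) instead of overflowing so a broken contract is
 * reported rather than corrupting memory. Returns 1 on success. */
static int mysys_like_normalize(char out[FN_REFLEN], const char *name)
{
  size_t n = strlen(name);
  if (n >= FN_REFLEN)
    return 0;
  memcpy(out, name, n + 1);
  return 1;
}

/* Constructed input: a name of n 'a' bytes (the unit test used 10,000).
 * Runs it through bound_filename() and the stand-in normaliser and returns
 * the length that reached the normaliser, or -1 if the bound did not hold. */
static long instrument_name_of_length(size_t n)
{
  char *name = malloc(n + 1);
  char safe[FN_REFLEN], out[FN_REFLEN];
  const char *use;
  long result;
  if (!name)
    return -1;
  memset(name, 'a', n);
  name[n] = '\0';
  use = bound_filename(name, n, safe);
  result = mysys_like_normalize(out, use) ? (long) strlen(out) : -1;
  free(name);
  return result;
}

/* Reproduces the copy in the patch (FN_REFLEN - 2 bytes, terminator at
 * FN_REFLEN - 1) on a buffer pre-filled with 'X'. Returns 1 if the byte at
 * index FN_REFLEN - 2 was never written, i.e. it is whatever was there. */
static int patch_copy_leaves_gap(void)
{
  char name[FN_REFLEN + 8];
  char buf[FN_REFLEN];
  memset(name, 'a', sizeof name - 1);
  name[sizeof name - 1] = '\0';
  memset(buf, 'X', sizeof buf);
  memcpy(buf, name, FN_REFLEN - 2);
  buf[FN_REFLEN - 1] = '\0';
  return buf[FN_REFLEN - 2] == 'X';
}

/* Two distinct over-long names that agree on their first FN_REFLEN - 1
 * bytes bound to the same key: truncation can alias entries in the
 * instrumented-file table. Returns 1 if they collide. */
static int truncated_names_collide(void)
{
  char a[FN_REFLEN + 16], b[FN_REFLEN + 16];
  char sa[FN_REFLEN], sb[FN_REFLEN];
  memset(a, 'p', sizeof a - 1);
  a[sizeof a - 1] = '\0';
  memcpy(b, a, sizeof a);
  b[FN_REFLEN + 2] = 'q';                    /* differs only past the bound */
  return strcmp(bound_filename(a, strlen(a), sa),
                bound_filename(b, strlen(b), sb)) == 0;
}

int main(void)
{
  printf("10000-byte name reaches normaliser as %ld bytes\n",
         instrument_name_of_length(10000));
  printf("patch copy leaves unwritten byte: %d\n", patch_copy_leaves_gap());
  printf("distinct long names collide after truncation: %d\n",
         truncated_names_collide());
  return 0;
}
```

The decision point is the `len < FN_REFLEN` test: a name of exactly FN_REFLEN bytes must also be truncated because the terminator needs one more byte, and the copy length and terminator index must be adjacent so no byte between them is left to chance.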