From:Kristofer Pettersson Date:November 3 2008 2:20pm
Subject:bzr commit into mysql-5.1 branch (kristofer.pettersson:2686) Bug#38883
#At file:///home/thek/Development/cpp/mysqlbzr/mysql-5.1-bug38883/

 2686 Kristofer Pettersson	2008-11-03
      Bug#38883 thd_security_context is not thread safe, crashes?
      
      Innodb monitor could cause a server crash because of invalid access to a
      shared variable in a concurrent environment.
      
      This patch adds a guard to protect against crashes but not against
      inconsistent values, for performance reasons.
modified:
  sql/sql_class.cc

per-file messages:
  sql/sql_class.cc
    * The innodb monitor reads unprotected memory when it accesses proc_info belonging to another thread's thread handler. This will cause a crash if the proc_info pointer assumes a NULL value when it is passed to the string object. This is avoided by attempting a snapshot of the pointer value and checking that for NULL.
=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc	2008-10-24 13:58:48 +0000
+++ b/sql/sql_class.cc	2008-11-03 14:28:28 +0000
@@ -328,6 +328,18 @@ char *thd_security_context(THD *thd, cha
   const Security_context *sctx= &thd->main_security_ctx;
   char header[64];
   int len;
+  /*
+    The pointers thd->query and thd->proc_info might change since they are
+    being modified concurrently. This is acceptable since these values doesn't
+    have to very accurate, but we need to attempt a snapshot on the pointer
+    values to avoid using NULL values.
+  */
+  if (max_query_len < 1)
+    len= thd->query_length;
+  else
+    len= min(thd->query_length, max_query_len);
+  const char *query= thd->query;
+  const char *proc_info= thd->proc_info;
 
   len= my_snprintf(header, sizeof(header),
                    "MySQL thread id %lu, query id %lu",
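Review bot: the query length computed in the new block (`len= thd->query_length;` / `len= min(thd->query_length, max_query_len);`) is dead: two lines later the unchanged `len= my_snprintf(header, ...)` overwrites `len` with the header length, so a later `str.append(query, len)` appends header-length bytes of the query rather than the query itself. Keep the length computation next to the append that uses it, and take it from the same snapshot as the pointer: here `thd->query_length` is read in a separate statement from `thd->query`, so a concurrent change between the two reads leaves `len` describing a different buffer than `query` points to; if the two cannot be read together, they need the same lock the writer holds. Note also that snapshotting a pointer only guards against the NULL case the bug report describes, not against the memory behind it being released or reused after the snapshot, so the comment should state for which of `proc_info` and `query` that assumption is actually safe. Minor: the comment reads "doesn't have to very accurate"; should be "don't have to be very accurate".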
@@ -353,20 +365,17 @@ char *thd_security_context(THD *thd, cha
     str.append(sctx->user);
   }
 
-  if (thd->proc_info)
+  if (proc_info)
   {
     str.append(' ');
-    str.append(thd->proc_info);
+    str.append(proc_info);
   }
 
-  if (thd->query)
+  if (query)
   {
     if (max_query_len < 1)
-      len= thd->query_length;
-    else
-      len= min(thd->query_length, max_query_len);
     str.append('\n');
-    str.append(thd->query, len);
+    str.append(query, len);
   }
   if (str.c_ptr_safe() == buffer)
     return buffer;
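Review bot: the unchanged `if (max_query_len < 1)` line at the top of this block lost its body when the two `len=` assignments and the `else` were removed, so it now guards the following `str.append('\n');` instead: with a positive max_query_len no newline is emitted before the query, and `str.append(query, len)` runs unconditionally with whatever `len` happens to hold at that point. Either remove the now-empty `if` as well, or (preferable, since `len` is reassigned by `my_snprintf` in the earlier hunk) restore the three removed lines here and compute `len` from the snapshotted length immediately before the append. Braces around the multi-statement bodies in this function would have made the slip visible in the diff.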
