From a30e9dda786e4583b567348d52405f283d201167 Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Wed, 24 Nov 2010 23:03:16 +0300 Subject: [PATCH 1/3] backport of bug #54461 from 5.1-security to 5.0-security > revision-id: gshchepa@mysql.com-20100801181236-uyuq6ewaq43rw780 > parent: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l > committer: Gleb Shchepa > branch nick: mysql-5.1-security > timestamp: Sun 2010-08-01 22:12:36 +0400 > Bug #54461: crash with longblob and union or update with subquery > > Queries may crash, if > 1) the GREATEST or the LEAST function has a mixed list of > numeric and LONGBLOB arguments and > 2) the result of such a function goes through an intermediate > temporary table. > > An Item that references a LONGBLOB field has max_length of > UINT_MAX32 == (2^32 - 1). > > The current implementation of GREATEST/LEAST returns REAL > result for a mixed list of numeric and string arguments (that > contradicts with the current documentation, this contradiction > was discussed and it was decided to update the documentation). > > The max_length of such a function call was calculated as a > maximum of argument max_length values (i.e. UINT_MAX32). > > That max_length value of UINT_MAX32 was used as a length for > the intermediate temporary table Field_double to hold > GREATEST/LEAST function result. > > The Field_double::val_str() method call on that field > allocates a String value. > > Since an allocation of String reserves an additional byte > for a zero-termination, the size of String buffer was > set to (UINT_MAX32 + 1), that caused an integer overflow: > actually, an empty buffer of size 0 was allocated. > > An initialization of the "first" byte of that zero-size > buffer with '\0' caused a crash. > > The Item_func_min_max::fix_length_and_dec() has been > modified to calculate max_length for the REAL result like > we do it for arithmetical operators. mysql-test/r/func_misc.result: Test case for bug #54461. mysql-test/t/func_misc.test: Test case for bug #54461. sql/item_func.cc: Bug #54461: crash with longblob and union or update with subquery The Item_func_min_max::fix_length_and_dec() has been modified to calculate max_length for the REAL result like we do it for arithmetical operators. --- mysql-test/r/func_misc.result | 15 +++++++++++++++ mysql-test/t/func_misc.test | 13 ++++++++++++- sql/item_func.cc | 2 ++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/func_misc.result b/mysql-test/r/func_misc.result index 9f2fcb06638..f23718466d3 100644 --- a/mysql-test/r/func_misc.result +++ b/mysql-test/r/func_misc.result @@ -327,4 +327,19 @@ DROP TABLE t1; select NAME_CONST('_id',1234) as id; id 1234 +# +# Bug #54461: crash with longblob and union or update with subquery +# +CREATE TABLE t1 (a INT, b LONGBLOB); +INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2'); +SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +LEAST(a, (SELECT b FROM t1 LIMIT 1)) +1 +2 +SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +GREATEST(a, (SELECT b FROM t1 LIMIT 1)) +2 +3 +1 +DROP TABLE t1; End of 5.0 tests diff --git a/mysql-test/t/func_misc.test b/mysql-test/t/func_misc.test index 01c508c9b58..89359fab0ca 100644 --- a/mysql-test/t/func_misc.test +++ b/mysql-test/t/func_misc.test @@ -450,5 +450,16 @@ DROP TABLE t1; # select NAME_CONST('_id',1234) as id; ---echo End of 5.0 tests +--echo # +--echo # Bug #54461: crash with longblob and union or update with subquery +--echo # +CREATE TABLE t1 (a INT, b LONGBLOB); +INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2'); + +SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; + +DROP TABLE t1; + +--echo End of 5.0 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index cb0d6bdbe5f..8af7db7fa1a 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2250,6 +2250,8 @@ void Item_func_min_max::fix_length_and_dec() else if ((cmp_type == DECIMAL_RESULT) || (cmp_type == INT_RESULT)) max_length= my_decimal_precision_to_length(max_int_part+decimals, decimals, unsigned_flag); + else if (cmp_type == REAL_RESULT) + max_length= float_length(decimals); cached_field_type= agg_field_type(args, arg_count); } From 721983c393c07618541b5ebfb9c780ed3cf7a687 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 26 Nov 2010 07:28:22 +0100 Subject: [PATCH 2/3] Raise version number after cloning 5.1.54 --- configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.in b/configure.in index 6c9c64d9c86..7a35e8587d4 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ dnl dnl When changing the major version number please also check the switch dnl statement in mysqlbinlog::check_master_version(). You may also need dnl to update version.c in ndb. -AC_INIT([MySQL Server], [5.1.54], [], [mysql]) +AC_INIT([MySQL Server], [5.1.55], [], [mysql]) AC_CONFIG_SRCDIR([sql/mysqld.cc]) AC_CANONICAL_SYSTEM From a699e4fce85a055e3ee55db12e9891e3b26ef720 Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Tue, 30 Nov 2010 20:11:26 +1100 Subject: [PATCH 3/3] Fix Bug# 56228 - Dropping tables from within an active statement crashes server InnoDB AUTOINC code expects the locks to be released in strict reverse order at the end of the statement. However, nested stored proedures and partition tables break this rule. We now allow the locks to be deleted from the trx->autoinc_locks vector in any order but optimise for the common (old) case. rb://441 Approved by Marko Makela --- .../r/innodb-autoinc-56228.result | 30 +++++++ .../t/innodb-autoinc-56228-master.opt | 1 + .../innodb_plugin/t/innodb-autoinc-56228.test | 42 ++++++++++ storage/innodb_plugin/include/ut0vec.h | 19 +++++ storage/innodb_plugin/include/ut0vec.ic | 29 +++++++ storage/innodb_plugin/lock/lock0lock.c | 78 ++++++++++++++++++- 6 files changed, 196 insertions(+), 3 deletions(-) create mode 100644 mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result create mode 100644 mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt create mode 100644 mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test diff --git a/mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result b/mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result new file mode 100644 index 00000000000..2ff2bd2800a --- /dev/null +++ b/mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result @@ -0,0 +1,30 @@ +DROP TABLE IF EXISTS t1_56228; +Warnings: +Note 1051 Unknown table 't1_56228' +DROP TABLE IF EXISTS t2_56228; +Warnings: +Note 1051 Unknown table 't2_56228' +DROP FUNCTION IF EXISTS bug56228; +Warnings: +Note 1305 FUNCTION bug56228 does not exist +CREATE TEMPORARY TABLE t1_56228( +c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +CREATE TEMPORARY TABLE t2_56228( +c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +CREATE FUNCTION bug56228() RETURNS INT DETERMINISTIC +BEGIN +INSERT INTO t1_56228 VALUES(NULL); +INSERT INTO t2_56228 VALUES(NULL); +INSERT INTO t1_56228 VALUES(NULL); +INSERT INTO t2_56228 VALUES(NULL); +DROP TEMPORARY TABLE t1_56228; +RETURN 42; +END // +SELECT bug56228(); +bug56228() +42 +DROP FUNCTION bug56228; +DROP TEMPORARY TABLE t2_56228; +DROP TEMPORARY TABLE IF EXISTS t1_56228; +Warnings: +Note 1051 Unknown table 't1_56228' diff --git a/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt new file mode 100644 index 00000000000..0eed7aaadad --- /dev/null +++ b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt @@ -0,0 +1 @@ +--innodb_autoinc_lock_mode=0 diff --git a/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test new file mode 100644 index 00000000000..eb38b21861d --- /dev/null +++ b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test @@ -0,0 +1,42 @@ +-- source include/have_innodb_plugin.inc + +let $innodb_file_format_check_orig=`select @@innodb_file_format_check`; + +## +# Bug #56228: dropping tables from within an active statement crashes server +# +DROP TABLE IF EXISTS t1_56228; +DROP TABLE IF EXISTS t2_56228; +DROP FUNCTION IF EXISTS bug56228; + +CREATE TEMPORARY TABLE t1_56228( + c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +CREATE TEMPORARY TABLE t2_56228( + c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; + +DELIMITER //; + +CREATE FUNCTION bug56228() RETURNS INT DETERMINISTIC +BEGIN + INSERT INTO t1_56228 VALUES(NULL); + INSERT INTO t2_56228 VALUES(NULL); + INSERT INTO t1_56228 VALUES(NULL); + INSERT INTO t2_56228 VALUES(NULL); + DROP TEMPORARY TABLE t1_56228; + RETURN 42; +END // + +DELIMITER ;// + +SELECT bug56228(); + +DROP FUNCTION bug56228; +DROP TEMPORARY TABLE t2_56228; +DROP TEMPORARY TABLE IF EXISTS t1_56228; + +# +# restore environment to the state it was before this test execution +# + +-- disable_query_log +eval set global innodb_file_format_check=$innodb_file_format_check_orig; diff --git a/storage/innodb_plugin/include/ut0vec.h b/storage/innodb_plugin/include/ut0vec.h index a770f671cfc..0f8b955b098 100644 --- a/storage/innodb_plugin/include/ut0vec.h +++ b/storage/innodb_plugin/include/ut0vec.h @@ -93,6 +93,25 @@ ib_vector_get( ib_vector_t* vec, /*!< in: vector */ ulint n); /*!< in: element index to get */ +/****************************************************************//** +Get last element. The vector must not be empty. +@return last element */ +UNIV_INLINE +void* +ib_vector_get_last( +/*===============*/ + ib_vector_t* vec); /*!< in: vector */ + +/****************************************************************//** +Set the n'th element. */ +UNIV_INLINE +void +ib_vector_set( +/*==========*/ + ib_vector_t* vec, /*!< in/out: vector */ + ulint n, /*!< in: element index to set */ + void* elem); /*!< in: data element */ + /****************************************************************//** Remove the last element from the vector. */ UNIV_INLINE diff --git a/storage/innodb_plugin/include/ut0vec.ic b/storage/innodb_plugin/include/ut0vec.ic index 02e881f9bca..34c858868ce 100644 --- a/storage/innodb_plugin/include/ut0vec.ic +++ b/storage/innodb_plugin/include/ut0vec.ic @@ -50,6 +50,35 @@ ib_vector_get( return(vec->data[n]); } +/****************************************************************//** +Get last element. The vector must not be empty. +@return last element */ +UNIV_INLINE +void* +ib_vector_get_last( +/*===============*/ + ib_vector_t* vec) /*!< in: vector */ +{ + ut_a(vec->used > 0); + + return(vec->data[vec->used - 1]); +} + +/****************************************************************//** +Set the n'th element. */ +UNIV_INLINE +void +ib_vector_set( +/*==========*/ + ib_vector_t* vec, /*!< in/out: vector */ + ulint n, /*!< in: element index to set */ + void* elem) /*!< in: data element */ +{ + ut_a(n < vec->used); + + vec->data[n] = elem; +} + /****************************************************************//** Remove the last element from the vector. @return last vector element */ diff --git a/storage/innodb_plugin/lock/lock0lock.c b/storage/innodb_plugin/lock/lock0lock.c index 77d69d11a2d..c8bbc5c02bd 100644 --- a/storage/innodb_plugin/lock/lock0lock.c +++ b/storage/innodb_plugin/lock/lock0lock.c @@ -3624,6 +3624,80 @@ lock_table_create( return(lock); } +/*************************************************************//** +Pops autoinc lock requests from the transaction's autoinc_locks. We +handle the case where there are gaps in the array and they need to +be popped off the stack. */ +UNIV_INLINE +void +lock_table_pop_autoinc_locks( +/*=========================*/ + trx_t* trx) /*!< in/out: transaction that owns the AUTOINC locks */ +{ + ut_ad(mutex_own(&kernel_mutex)); + ut_ad(!ib_vector_is_empty(trx->autoinc_locks)); + + /* Skip any gaps, gaps are NULL lock entries in the + trx->autoinc_locks vector. */ + + do { + ib_vector_pop(trx->autoinc_locks); + + if (ib_vector_is_empty(trx->autoinc_locks)) { + return; + } + + } while (ib_vector_get_last(trx->autoinc_locks) == NULL); +} + +/*************************************************************//** +Removes an autoinc lock request from the transaction's autoinc_locks. */ +UNIV_INLINE +void +lock_table_remove_autoinc_lock( +/*===========================*/ + lock_t* lock, /*!< in: table lock */ + trx_t* trx) /*!< in/out: transaction that owns the lock */ +{ + lock_t* autoinc_lock; + lint i = ib_vector_size(trx->autoinc_locks) - 1; + + ut_ad(mutex_own(&kernel_mutex)); + ut_ad(lock_get_mode(lock) == LOCK_AUTO_INC); + ut_ad(lock_get_type_low(lock) & LOCK_TABLE); + ut_ad(!ib_vector_is_empty(trx->autoinc_locks)); + + /* With stored functions and procedures the user may drop + a table within the same "statement". This special case has + to be handled by deleting only those AUTOINC locks that were + held by the table being dropped. */ + + autoinc_lock = ib_vector_get(trx->autoinc_locks, i); + + /* This is the default fast case. */ + + if (autoinc_lock == lock) { + lock_table_pop_autoinc_locks(trx); + } else { + /* The last element should never be NULL */ + ut_a(autoinc_lock != NULL); + + /* Handle freeing the locks from within the stack. */ + + while (--i >= 0) { + autoinc_lock = ib_vector_get(trx->autoinc_locks, i); + + if (UNIV_LIKELY(autoinc_lock == lock)) { + ib_vector_set(trx->autoinc_locks, i, NULL); + return; + } + } + + /* Must find the autoinc lock. */ + ut_error; + } +} + /*************************************************************//** Removes a table lock request from the queue and the trx list of locks; this is a low-level function which does NOT check if waiting requests @@ -3663,10 +3737,8 @@ lock_table_remove_low( if (!lock_get_wait(lock) && !ib_vector_is_empty(trx->autoinc_locks)) { - lock_t* autoinc_lock; - autoinc_lock = ib_vector_pop(trx->autoinc_locks); - ut_a(autoinc_lock == lock); + lock_table_remove_autoinc_lock(lock, trx); } ut_a(table->n_waiting_or_granted_auto_inc_locks > 0);