MDEV-26228 ASAN heap-use-after-free with ON UPDATE CASCADE

In commit 83d2e084 (MDEV-24041) we failed to notice that in addition to the bug with DELETE and ON DELETE CASCADE, there is another bug with UPDATE and ON UPDATE CASCADE. row_ins_foreign_fill_virtual(): Use the correct memory heap for everything that will be reachable from the cascade->update that we return to the caller. Note: It is correct to use the shorter-lived cascade->heap for rec_get_offsets(), because that memory will be abandoned when row_ins_foreign_fill_virtual() returns.

MDEV-26228 ASAN heap-use-after-free with ON UPDATE CASCADE
In commit 83d2e084 (MDEV-24041) we failed to notice that in addition to the bug with DELETE and ON DELETE CASCADE, there is another bug with UPDATE and ON UPDATE CASCADE. row_ins_foreign_fill_virtual(): Use the correct memory heap for everything that will be reachable from the cascade->update that we return to the caller. Note: It is correct to use the shorter-lived cascade->heap for rec_get_offsets(), because that memory will be abandoned when row_ins_foreign_fill_virtual() returns.
173e562d · Marko Mäkelä · 4c4237e6 · 173e562d · 173e562d · 173e562d
Commit 173e562d authored Jul 23, 2021 by Marko Mäkelä
3 changed files
--- a/mysql-test/suite/gcol/r/innodb_virtual_fk.result
+++ b/mysql-test/suite/gcol/r/innodb_virtual_fk.result
@@ -809,15 +809,18 @@ generated_email_id int as (email_id),
 PRIMARY KEY (id),
 KEY mautic_generated_sent_date_email_id (generated_email_id),
 FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE SET NULL
+ON UPDATE CASCADE
 ) ENGINE=InnoDB;
 CREATE TABLE emails_metadata (
 email_id int,
 PRIMARY KEY (email_id),
 CONSTRAINT FK FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE CASCADE
+ON UPDATE CASCADE
 ) ENGINE=InnoDB;
 INSERT INTO emails VALUES (1);
 INSERT INTO email_stats (id, email_id,  date_sent) VALUES (1,1,'Jan');
 INSERT INTO emails_metadata VALUES (1);
+UPDATE emails SET id=2;
 DELETE FROM emails;
 DROP TABLE email_stats;
 DROP TABLE emails_metadata;

--- a/mysql-test/suite/gcol/t/innodb_virtual_fk.test
+++ b/mysql-test/suite/gcol/t/innodb_virtual_fk.test
@@ -670,6 +670,7 @@ CREATE TABLE email_stats (
  PRIMARY KEY (id),
  KEY mautic_generated_sent_date_email_id (generated_email_id),
  FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE SET NULL
+  ON UPDATE CASCADE
 ) ENGINE=InnoDB;
@@ -677,6 +678,7 @@ CREATE TABLE emails_metadata (
  email_id int,
  PRIMARY KEY (email_id),
  CONSTRAINT FK FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE CASCADE
+  ON UPDATE CASCADE
 ) ENGINE=InnoDB;
@@ -684,6 +686,7 @@ INSERT INTO emails VALUES (1);
 INSERT INTO email_stats (id, email_id,  date_sent) VALUES (1,1,'Jan');
 INSERT INTO emails_metadata VALUES (1);
+UPDATE emails SET id=2;
 DELETE FROM emails;
 DROP TABLE email_stats;

--- a/storage/innobase/row/row0ins.cc
+++ b/storage/innobase/row/row0ins.cc
 /*****************************************************************************
 Copyright (c) 1996, 2016, Oracle and/or its affiliates. All Rights Reserved.
-Copyright (c) 2016, 2020, MariaDB Corporation.
+Copyright (c) 2016, 2021, MariaDB Corporation.
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
@@ -969,8 +969,8 @@ row_ins_foreign_fill_virtual(
 		upd_field = update->fields + n_diff;
 		upd_field->old_v_val = static_cast<dfield_t*>(
-				mem_heap_alloc(cascade->heap,
+			mem_heap_alloc(update->heap,
-					sizeof *upd_field->old_v_val));
+				       sizeof *upd_field->old_v_val));
 		dfield_copy(upd_field->old_v_val, vfield);