BUG#21206: memory corruption when too many cursors are opened at once

Too many cursors (more than 1024) could lead to memory corruption.
This affects both, stored routines and C API cursors, and the
threshold is per-server, not per-connection.  Similarly, the
corruption could happen when the server was under heavy load
(executing more than 1024 simultaneous complex queries), and this is
the reason why this bug is fixed in 4.1, which doesn't support
cursors.

The corruption was caused by a bug in the temporary tables code, when
an attempt to create a table could lead to a write beyond allocated
space.  Note, that only internal tables were affected (the tables
created internally by the server to resolve the query), not tables
created with CREATE TEMPORARY TABLE.  Another pre-condition for the
bug is TRUE value of --temp-pool startup option, which, however, is a
default.

The cause of a bug was that random memory was overwritten in
bitmap_set_next() due to out-of-bound memory access.
parent 367dcdf8
......@@ -159,7 +159,7 @@ uint bitmap_set_next(MY_BITMAP *map)
{
uchar *bitmap=map->bitmap;
uint bit_found = MY_BIT_NONE;
uint bitmap_size=map->bitmap_size*8;
uint bitmap_size=map->bitmap_size;
uint i;
DBUG_ASSERT(map->bitmap);
......@@ -445,7 +445,7 @@ uint bitmap_get_first(const MY_BITMAP *map)
{
uchar *bitmap=map->bitmap;
uint bit_found = MY_BIT_NONE;
uint bitmap_size=map->bitmap_size*8;
uint bitmap_size=map->bitmap_size;
uint i;
DBUG_ASSERT(map->bitmap);
......
......@@ -8375,13 +8375,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List<Item> &fields,
param->group_length : 0,
NullS))
{
bitmap_clear_bit(&temp_pool, temp_pool_slot);
if (temp_pool_slot != MY_BIT_NONE)
bitmap_clear_bit(&temp_pool, temp_pool_slot);
DBUG_RETURN(NULL); /* purecov: inspected */
}
/* Copy_field belongs to TMP_TABLE_PARAM, allocate it in THD mem_root */
if (!(param->copy_field= copy= new (thd->mem_root) Copy_field[field_count]))
{
bitmap_clear_bit(&temp_pool, temp_pool_slot);
if (temp_pool_slot != MY_BIT_NONE)
bitmap_clear_bit(&temp_pool, temp_pool_slot);
free_root(&own_root, MYF(0)); /* purecov: inspected */
DBUG_RETURN(NULL); /* purecov: inspected */
}
......@@ -8905,7 +8907,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List<Item> &fields,
err:
thd->mem_root= mem_root_save;
free_tmp_table(thd,table); /* purecov: inspected */
bitmap_clear_bit(&temp_pool, temp_pool_slot);
if (temp_pool_slot != MY_BIT_NONE)
bitmap_clear_bit(&temp_pool, temp_pool_slot);
DBUG_RETURN(NULL); /* purecov: inspected */
}
......@@ -9193,7 +9196,8 @@ free_tmp_table(THD *thd, TABLE *entry)
(*ptr)->free();
free_io_cache(entry);
bitmap_clear_bit(&temp_pool, entry->temp_pool_slot);
if (entry->temp_pool_slot != MY_BIT_NONE)
bitmap_clear_bit(&temp_pool, entry->temp_pool_slot);
free_root(&own_root, MYF(0)); /* the table is allocated in its own root */
thd->proc_info=save_proc_info;
......
......@@ -14929,7 +14929,53 @@ static void test_bug14169()
rc= mysql_query(mysql, "drop table t1");
myquery(rc);
}/*
}
/*
Bug#21206: memory corruption when too many cursors are opened at once
Memory corruption happens when more than 1024 cursors are open
simultaneously.
*/
static void test_bug21206()
{
const size_t cursor_count= 1025;
const char *create_table[]=
{
"DROP TABLE IF EXISTS t1",
"CREATE TABLE t1 (i INT)",
"INSERT INTO t1 VALUES (1), (2), (3)"
};
const char *query= "SELECT * FROM t1";
Stmt_fetch *fetch_array=
(Stmt_fetch*) calloc(cursor_count, sizeof(Stmt_fetch));
Stmt_fetch *fetch;
DBUG_ENTER("test_bug21206");
myheader("test_bug21206");
fill_tables(create_table, sizeof(create_table) / sizeof(*create_table));
for (fetch= fetch_array; fetch < fetch_array + cursor_count; ++fetch)
{
/* Init will exit(1) in case of error */
stmt_fetch_init(fetch, fetch - fetch_array, query);
}
for (fetch= fetch_array; fetch < fetch_array + cursor_count; ++fetch)
stmt_fetch_close(fetch);
free(fetch_array);
DBUG_VOID_RETURN;
}
/*
Read and parse arguments and MySQL options from my.cnf
*/
......@@ -15195,6 +15241,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug15613", test_bug15613 },
{ "test_bug14169", test_bug14169 },
{ "test_bug17667", test_bug17667 },
{ "test_bug21206", test_bug21206 },
{ 0, 0 }
};
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment