MDEV-29555 ASAN heap-buffer-overflow in mariabackup.huge_lsn,strict_full_crc32

recv_scan_log(): Do not dereference the first byte of the log record before recv_sys.parse_pmem() (or recv_sys_t::parse_mtr()) returns OK. In the case of the failure that was analyzed, we had recv_sys.offset == recv_sys.len and recv_sys_t::parse_mtr() would return PREMATURE_EOF. This would lead us to reading more data and parsing again. When a memory-mapped interface to the log is being used, that is, log_sys.is_pmem() holds, recv_sys.offset cannot point past the end of the memory-mapped log_sys.buf[]. This is guaranteed by log_sys.calc_lsn_offset(). Thanks to Nayuta Yanagisawa for providing a core dump for analysis.

MDEV-29555 ASAN heap-buffer-overflow in mariabackup.huge_lsn,strict_full_crc32
recv_scan_log(): Do not dereference the first byte of the log record before recv_sys.parse_pmem() (or recv_sys_t::parse_mtr()) returns OK. In the case of the failure that was analyzed, we had recv_sys.offset == recv_sys.len and recv_sys_t::parse_mtr() would return PREMATURE_EOF. This would lead us to reading more data and parsing again. When a memory-mapped interface to the log is being used, that is, log_sys.is_pmem() holds, recv_sys.offset cannot point past the end of the memory-mapped log_sys.buf[]. This is guaranteed by log_sys.calc_lsn_offset(). Thanks to Nayuta Yanagisawa for providing a core dump for analysis.
593fdee3 · Marko Mäkelä · d2cae171 · 593fdee3
Commit 593fdee3 authored Sep 16, 2022 by Marko Mäkelä
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

storage/innobase/log/log0recv.cc storage/innobase/log/log0recv.cc +1 -1

No files found.
--- a/storage/innobase/log/log0recv.cc
+++ b/storage/innobase/log/log0recv.cc
@@ -3713,7 +3713,7 @@ static bool recv_scan_log(bool last_phase)

      for (;;)
      {
-        const byte b{log_sys.buf[recv_sys.offset]};
+        const byte& b{log_sys.buf[recv_sys.offset]};
        r= recv_sys.parse_pmem(store);
        if (r == recv_sys_t::OK)
        {