MDEV-19582 Out-of-bounds memory accesses by WolfSSL

Fix errors caught by clang-7 in the encrypted variants of the tests innodb.innodb-table-online innodb.innodb-index-online

MDEV-19582 Out-of-bounds memory accesses by WolfSSL
Fix errors caught by clang-7 in the encrypted variants of the tests innodb.innodb-table-online innodb.innodb-index-online
e32212c6 · Marko Mäkelä · f465ec8c · e32212c6 · e32212c6 · e32212c6
Commit e32212c6 authored May 27, 2019 by Marko Mäkelä
Showing with 21 additions and 6 deletions

storage/innobase/CMakeLists.txt storage/innobase/CMakeLists.txt +2 -0

storage/innobase/row/row0log.cc storage/innobase/row/row0log.cc +8 -4

storage/innobase/row/row0merge.cc storage/innobase/row/row0merge.cc +11 -2

No files found.
--- a/storage/innobase/CMakeLists.txt
+++ b/storage/innobase/CMakeLists.txt
@@ -161,6 +161,8 @@ IF(NOT TARGET innobase)
  RETURN()
 ENDIF()

+ADD_DEFINITIONS(${SSL_DEFINES})
+
 # A GCC bug causes crash when compiling these files on ARM64 with -O1+
 # Compile them with -O0 as a workaround.
 IF(CMAKE_COMPILER_IS_GNUCXX AND CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64"

--- a/storage/innobase/row/row0log.cc
+++ b/storage/innobase/row/row0log.cc
@@ -301,7 +301,8 @@ row_log_block_allocate(
 		);

 		log_buf.block = ut_allocator<byte>(mem_key_row_log_buf)
-			.allocate_large(srv_sort_buf_size, &log_buf.block_pfx);
+			.allocate_large(srv_sort_buf_size + WOLFSSL_PAD_SIZE,
+					&log_buf.block_pfx);

 		if (log_buf.block == NULL) {
 			DBUG_RETURN(false);
@@ -321,7 +322,8 @@ row_log_block_free(
 	DBUG_ENTER("row_log_block_free");
 	if (log_buf.block != NULL) {
 		ut_allocator<byte>(mem_key_row_log_buf).deallocate_large(
-			log_buf.block, &log_buf.block_pfx, log_buf.size);
+			log_buf.block, &log_buf.block_pfx,
+			log_buf.size + WOLFSSL_PAD_SIZE);
 		log_buf.block = NULL;
 	}
 	DBUG_VOID_RETURN;
@@ -3273,11 +3275,13 @@ row_log_free(
 	row_merge_file_destroy_low(log->fd);

 	if (log->crypt_head) {
-		os_mem_free_large(log->crypt_head, srv_sort_buf_size + WOLFSSL_PAD_SIZE);
+		os_mem_free_large(log->crypt_head, srv_sort_buf_size
+				  + WOLFSSL_PAD_SIZE);
 	}

 	if (log->crypt_tail) {
-		os_mem_free_large(log->crypt_tail, srv_sort_buf_size + WOLFSSL_PAD_SIZE);
+		os_mem_free_large(log->crypt_tail, srv_sort_buf_size
+				  + WOLFSSL_PAD_SIZE);
 	}

 	mutex_free(&log->mutex);

--- a/storage/innobase/row/row0merge.cc
+++ b/storage/innobase/row/row0merge.cc
@@ -61,6 +61,14 @@ float my_log2f(float n)
 # define posix_fadvise(fd, offset, len, advice) /* nothing */
 #endif /* _WIN32 */

+#ifdef HAVE_WOLFSSL
+// Workaround for MDEV-19582
+// (WolfSSL accesses memory out of bounds)
+# define WOLFSSL_PAD_SIZE MY_AES_BLOCK_SIZE
+#else
+# define WOLFSSL_PAD_SIZE 0
+#endif
+
 /* Whether to disable file system cache */
 char	srv_disable_sort_file_cache;

@@ -4628,7 +4636,7 @@ row_merge_build_indexes(

 	if (log_tmp_is_encrypted()) {
 		crypt_block = static_cast<row_merge_block_t*>(
-			alloc.allocate_large(block_size,
+			alloc.allocate_large(block_size + WOLFSSL_PAD_SIZE,
 					     &crypt_pfx));

 		if (crypt_block == NULL) {
@@ -4998,7 +5006,8 @@ row_merge_build_indexes(
 	alloc.deallocate_large(block, &block_pfx, block_size);

 	if (crypt_block) {
-		alloc.deallocate_large(crypt_block, &crypt_pfx, block_size);
+		alloc.deallocate_large(crypt_block, &crypt_pfx,
+				       block_size + WOLFSSL_PAD_SIZE);
 	}

 	DICT_TF2_FLAG_UNSET(new_table, DICT_TF2_FTS_ADD_DOC_ID);