Don't like ads? PRO users don't see any ads ;-)
Public Pastes
Guest

Is Oracle MySQL Server bug #13898343 CVE-2012-1689 ?

By: eromang on Jul 19th, 2012  |  syntax: Diff  |  size: 5.01 KB  |  hits: 93  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Is Oracle MySQL Server bug #13898343 CVE-2012-1689 ?
  2.  
  3. ------------------------------------------------------------
  4. revno: 3773
  5. committer: Marc Alff <marc.alff@oracle.com>
  6. branch nick: mysql-5.5-bug13898343
  7. timestamp: Wed 2012-03-28 17:54:30 +0200
  8. message:
  9.   Bug#13898343 THREAD LOOPS ENDLESSLY IN LF_PINBOX_PUT_PINS WHILE HOLDING
  10.   LOCK_THREAD_COUNT
  11.  
  12.   When using the performance schema file io instrumentation in MySQL 5.5,
  13.   a thread would loop forever inside lf_pinbox_put_pins, when disconnecting.
  14.   It would also hold LOCK_thread_count while doing so, effectively killing the
  15.   server.
  16.  
  17.   The root cause of the loop in lf_pinbox_put_pins() is a leak of LF_PINS,
  18.   when used with the filename_hash LF_HASH table in the performance schema.
  19.  
  20.   This fix contains the following changes:
  21.  
  22.   1)
  23.   Added the missing call to lf_hash_search_unpin(), to prevent the leak.
  24.  
  25.   2)
  26.   In mysys/lf_alloc-pin.c, there was some extra debugging code
  27.   (MY_LF_EXTRA_DEBUG) written to detect precisely this kind of issues,
  28.   but it was never used.
  29.   Replaced MY_LF_EXTRA_DEBUG with DBUG_OFF, so that leaks similar to this one
  30.   can be always detected in regular debug builds.
  31.  
  32.   3)
  33.   Backported the fix for the following bug, from 5.6 to 5.5:
  34.   Bug#13417446 - 63339: INCORRECT FILE PATH IN PEFORMANCE_SCHEMA ON WINDOWS
  35.  
  36. ------------------------------------------------------------
  37.  
  38. diff -Naur mysql-5.5.22/storage/perfschema/pfs_instr.cc mysql-5.5.23/storage/perfschema/pfs_instr.cc
  39. --- mysql-5.5.22/storage/perfschema/pfs_instr.cc        2012-03-02 20:44:47.000000000 +0100
  40. +++ mysql-5.5.23/storage/perfschema/pfs_instr.cc        2012-03-29 21:07:11.000000000 +0200
  41. @@ -1,4 +1,4 @@
  42. -/* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
  43. +/* Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
  44.  
  45.    This program is free software; you can redistribute it and/or modify
  46.    it under the terms of the GNU General Public License as published by
  47. @@ -802,6 +802,22 @@
  48.  }
  49.  
  50.  /**
  51. +  Get the hash pins for @filename_hash.
  52. +  @param thread The running thread.
  53. +  @returns The LF_HASH pins for the thread.
  54. +*/
  55. +LF_PINS* get_filename_hash_pins(PFS_thread *thread)
  56. +{
  57. +  if (unlikely(thread->m_filename_hash_pins == NULL))
  58. +  {
  59. +    if (! filename_hash_inited)
  60. +      return NULL;
  61. +    thread->m_filename_hash_pins= lf_hash_get_pins(&filename_hash);
  62. +  }
  63. +  return thread->m_filename_hash_pins;
  64. +}
  65. +
  66. +/**
  67.    Find or create instrumentation for a file instance by file name.
  68.    @param thread                       the executing instrumented thread
  69.    @param klass                        the file class
  70. @@ -816,23 +832,13 @@
  71.    PFS_file *pfs;
  72.    PFS_scan scan;
  73.  
  74. -  if (! filename_hash_inited)
  75. +  LF_PINS *pins= get_filename_hash_pins(thread);
  76. +  if (unlikely(pins == NULL))
  77.    {
  78. -    /* File instrumentation can be turned off. */
  79.      file_lost++;
  80.      return NULL;
  81.    }
  82.  
  83. -  if (unlikely(thread->m_filename_hash_pins == NULL))
  84. -  {
  85. -    thread->m_filename_hash_pins= lf_hash_get_pins(&filename_hash);
  86. -    if (unlikely(thread->m_filename_hash_pins == NULL))
  87. -    {
  88. -      file_lost++;
  89. -      return NULL;
  90. -    }
  91. -  }
  92. -
  93.    char safe_buffer[FN_REFLEN];
  94.    const char *safe_filename;
  95.  
  96. @@ -904,7 +910,7 @@
  97.    /* Append the unresolved file name to the resolved path */
  98.    char *ptr= buffer + strlen(buffer);
  99.    char *buf_end= &buffer[sizeof(buffer)-1];
  100. -  if (buf_end > ptr)
  101. +  if ((buf_end > ptr) && (*(ptr-1) != FN_LIBCHAR))
  102.      *ptr++= FN_LIBCHAR;
  103.    if (buf_end > ptr)
  104.      strncpy(ptr, safe_filename + dirlen, buf_end - ptr);
  105. @@ -918,16 +924,18 @@
  106.    const uint retry_max= 3;
  107.  search:
  108.    entry= reinterpret_cast<PFS_file**>
  109. -    (lf_hash_search(&filename_hash, thread->m_filename_hash_pins,
  110. +    (lf_hash_search(&filename_hash, pins,
  111.                      normalized_filename, normalized_length));
  112.    if (entry && (entry != MY_ERRPTR))
  113.    {
  114.      pfs= *entry;
  115.      pfs->m_file_stat.m_open_count++;
  116. -    lf_hash_search_unpin(thread->m_filename_hash_pins);
  117. +    lf_hash_search_unpin(pins);
  118.      return pfs;
  119.    }
  120.  
  121. +  lf_hash_search_unpin(pins);
  122. +
  123.    /* filename is not constant, just using it for noise on create */
  124.    uint random= randomized_index(filename, file_max);
  125.  
  126. @@ -954,7 +962,7 @@
  127.            reset_single_stat_link(&pfs->m_wait_stat);
  128.  
  129.            int res;
  130. -          res= lf_hash_insert(&filename_hash, thread->m_filename_hash_pins,
  131. +          res= lf_hash_insert(&filename_hash, pins,
  132.                                &pfs);
  133.            if (likely(res == 0))
  134.            {
  135. @@ -1006,9 +1014,12 @@
  136.  void destroy_file(PFS_thread *thread, PFS_file *pfs)
  137.  {
  138.    DBUG_ASSERT(thread != NULL);
  139. -  DBUG_ASSERT(thread->m_filename_hash_pins != NULL);
  140.    DBUG_ASSERT(pfs != NULL);
  141. -  lf_hash_delete(&filename_hash, thread->m_filename_hash_pins,
  142. +
  143. +  LF_PINS *pins= get_filename_hash_pins(thread);
  144. +  DBUG_ASSERT(pins != NULL);
  145. +
  146. +  lf_hash_delete(&filename_hash, pins,
  147.                   pfs->m_filename, pfs->m_filename_length);
  148.    pfs->m_lock.allocated_to_free();
  149.  }
create a new version of this paste RAW Paste Data