eromang

Is Oracle MySQL Server bug #13898343 CVE-2012-1689 ?

Jul 19th, 2012
  1. Is Oracle MySQL Server bug #13898343 CVE-2012-1689 ?
  2.  
  3. ------------------------------------------------------------
  4. revno: 3773
  5. committer: Marc Alff <marc.alff@oracle.com>
  6. branch nick: mysql-5.5-bug13898343
  7. timestamp: Wed 2012-03-28 17:54:30 +0200
  8. message:
  9.   Bug#13898343 THREAD LOOPS ENDLESSLY IN LF_PINBOX_PUT_PINS WHILE HOLDING
  10.   LOCK_THREAD_COUNT
  11.  
  12.   When using the performance schema file io instrumentation in MySQL 5.5,
  13.   a thread would loop forever inside lf_pinbox_put_pins, when disconnecting.
  14.   It would also hold LOCK_thread_count while doing so, effectively killing the
  15.   server.
  16.  
  17.   The root cause of the loop in lf_pinbox_put_pins() is a leak of LF_PINS,
  18.   when used with the filename_hash LF_HASH table in the performance schema.
  19.  
  20.   This fix contains the following changes:
  21.  
  22.   1)
  23.   Added the missing call to lf_hash_search_unpin(), to prevent the leak.
  24.  
  25.   2)
  26.   In mysys/lf_alloc-pin.c, there was some extra debugging code
  27.   (MY_LF_EXTRA_DEBUG) written to detect precisely this kind of issue,
  28.   but it was never used.
  29.   Replaced MY_LF_EXTRA_DEBUG with DBUG_OFF, so that leaks similar to this one
  30.   can be always detected in regular debug builds.
  31.  
  32.   3)
  33.   Backported the fix for the following bug, from 5.6 to 5.5:
  34.   Bug#13417446 - 63339: INCORRECT FILE PATH IN PEFORMANCE_SCHEMA ON WINDOWS
  35.  
  36. ------------------------------------------------------------
  37.  
  38. diff -Naur mysql-5.5.22/storage/perfschema/pfs_instr.cc mysql-5.5.23/storage/perfschema/pfs_instr.cc
  39. --- mysql-5.5.22/storage/perfschema/pfs_instr.cc    2012-03-02 20:44:47.000000000 +0100
  40. +++ mysql-5.5.23/storage/perfschema/pfs_instr.cc    2012-03-29 21:07:11.000000000 +0200
  41. @@ -1,4 +1,4 @@
  42. -/* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
  43. +/* Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
  44.  
  45.    This program is free software; you can redistribute it and/or modify
  46.    it under the terms of the GNU General Public License as published by
  47. @@ -802,6 +802,22 @@
  48.  }
  49.  
  50.  /**
  51. +  Get the hash pins for @filename_hash.
  52. +  @param thread The running thread.
  53. +  @returns The LF_HASH pins for the thread.
  54. +*/
  55. +LF_PINS* get_filename_hash_pins(PFS_thread *thread)
  56. +{
  57. +  if (unlikely(thread->m_filename_hash_pins == NULL))
  58. +  {
  59. +    if (! filename_hash_inited)
  60. +      return NULL;
  61. +    thread->m_filename_hash_pins= lf_hash_get_pins(&filename_hash);
  62. +  }
  63. +  return thread->m_filename_hash_pins;
  64. +}
  65. +
  66. +/**
  67.    Find or create instrumentation for a file instance by file name.
  68.    @param thread                       the executing instrumented thread
  69.    @param klass                        the file class
  70. @@ -816,23 +832,13 @@
  71.    PFS_file *pfs;
  72.    PFS_scan scan;
  73.  
  74. -  if (! filename_hash_inited)
  75. +  LF_PINS *pins= get_filename_hash_pins(thread);
  76. +  if (unlikely(pins == NULL))
  77.    {
  78. -    /* File instrumentation can be turned off. */
  79.      file_lost++;
  80.      return NULL;
  81.    }
  82.  
  83. -  if (unlikely(thread->m_filename_hash_pins == NULL))
  84. -  {
  85. -    thread->m_filename_hash_pins= lf_hash_get_pins(&filename_hash);
  86. -    if (unlikely(thread->m_filename_hash_pins == NULL))
  87. -    {
  88. -      file_lost++;
  89. -      return NULL;
  90. -    }
  91. -  }
  92. -
  93.    char safe_buffer[FN_REFLEN];
  94.    const char *safe_filename;
  95.  
  96. @@ -904,7 +910,7 @@
  97.    /* Append the unresolved file name to the resolved path */
  98.    char *ptr= buffer + strlen(buffer);
  99.    char *buf_end= &buffer[sizeof(buffer)-1];
  100. -  if (buf_end > ptr)
  101. +  if ((buf_end > ptr) && (*(ptr-1) != FN_LIBCHAR))
  102.      *ptr++= FN_LIBCHAR;
  103.    if (buf_end > ptr)
  104.      strncpy(ptr, safe_filename + dirlen, buf_end - ptr);
  105. @@ -918,16 +924,18 @@
  106.    const uint retry_max= 3;
  107.  search:
  108.    entry= reinterpret_cast<PFS_file**>
  109. -    (lf_hash_search(&filename_hash, thread->m_filename_hash_pins,
  110. +    (lf_hash_search(&filename_hash, pins,
  111.                      normalized_filename, normalized_length));
  112.    if (entry && (entry != MY_ERRPTR))
  113.    {
  114.      pfs= *entry;
  115.      pfs->m_file_stat.m_open_count++;
  116. -    lf_hash_search_unpin(thread->m_filename_hash_pins);
  117. +    lf_hash_search_unpin(pins);
  118.      return pfs;
  119.    }
  120.  
  121. +  lf_hash_search_unpin(pins);
  122. +
  123.    /* filename is not constant, just using it for noise on create */
  124.    uint random= randomized_index(filename, file_max);
  125.  
  126. @@ -954,7 +962,7 @@
  127.            reset_single_stat_link(&pfs->m_wait_stat);
  128.  
  129.            int res;
  130. -          res= lf_hash_insert(&filename_hash, thread->m_filename_hash_pins,
  131. +          res= lf_hash_insert(&filename_hash, pins,
  132.                                &pfs);
  133.            if (likely(res == 0))
  134.            {
  135. @@ -1006,9 +1014,12 @@
  136.  void destroy_file(PFS_thread *thread, PFS_file *pfs)
  137.  {
  138.    DBUG_ASSERT(thread != NULL);
  139. -  DBUG_ASSERT(thread->m_filename_hash_pins != NULL);
  140.    DBUG_ASSERT(pfs != NULL);
  141. -  lf_hash_delete(&filename_hash, thread->m_filename_hash_pins,
  142. +
  143. +  LF_PINS *pins= get_filename_hash_pins(thread);
  144. +  DBUG_ASSERT(pins != NULL);
  145. +
  146. +  lf_hash_delete(&filename_hash, pins,
  147.                   pfs->m_filename, pfs->m_filename_length);
  148.    pfs->m_lock.allocated_to_free();
  149.  }