strconvert() / my_mb_wc_filename() can do out-of-bound reads on short inputs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MySQL Server | Unknown | Unknown | | |
| Percona Server moved to https://jira.percona.com/projects/PS | Fix Released | High | Unassigned | |
| 5.1 | Won't Fix | High | Unassigned | |
| 5.5 | Fix Released | High | Unassigned | |
| 5.6 | Fix Released | High | Unassigned | |
Bug Description
Found using AddressSanitizer testing.
strconvert() makes the following assumption about the character set's 'mb_wc' method:

```c
/*
  Using 'from + 10' is safe:
  - it is enough to scan a single character in any character set.
  - if remaining string is shorter than 10, then mb_wc will return
    with error because of unexpected '\0' character.
*/
```
However, my_mb_wc_filename() (perhaps other implementations as well, I didn't check other handlers) does not stop immediately when encountering the '\0' character. If the first character of the input string is not '\0', it assumes that the input contains at least 2 more characters:

```c
if (s + 3 > e)
  return MY_CS_TOOSMALL3;
byte1= s[1];
byte2= s[2];
```

This may result in an out-of-bound read of at most 2 bytes and thus undefined program behavior.
In particular, an out-of-bound read of 1 byte occurs during InnoDB initialization. innodb_init() calls filename_
How to repeat:
Analyze the code path in innodb_init() -> filename_
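As an added illustration of the bug class described above (not MySQL's or Percona's code): a simplified decoder in the style the report describes, beside a variant that checks each byte for '\0' before reading the next, with byte reads instrumented so the effect of a caller's `from + 10` end pointer on a one-byte input becomes visible. The '@' escape, the two-byte code form and the CS_* return codes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Added illustration, not MySQL's code. >0 = bytes consumed, <=0 = error/too short. */
enum { CS_ILSEQ = 0, CS_TOOSMALL = -101, CS_TOOSMALL3 = -103 };
#define ESCAPE '@'  /* hypothetical 3-byte form: '@' plus two bytes in 0x30..0x7f */

/* rd() records the largest offset touched, so a test can see reads past the end. */
static size_t g_max_off;
static unsigned char rd(const unsigned char *s, size_t i)
{ if (i > g_max_off) g_max_off = i; return s[i]; }
static int code_byte(unsigned char c) { return c >= 0x30 && c <= 0x7f; }

/* Decoder in the style the report describes: it checks only against e and never
 * tests for '\0', so an over-estimated e (from + 10) lets it read s[1] and s[2]. */
int mb_wc_trusting(uint32_t *pwc, const unsigned char *s, const unsigned char *e)
{
    unsigned char b1, b2;
    if (s >= e) return CS_TOOSMALL;
    if (rd(s, 0) != ESCAPE) { *pwc = rd(s, 0); return 1; }
    if (s + 3 > e) return CS_TOOSMALL3;
    b1 = rd(s, 1); b2 = rd(s, 2);
    if (!code_byte(b1) || !code_byte(b2)) return CS_ILSEQ;
    *pwc = (uint32_t)(b1 - 0x30) * 80 + (b2 - 0x30);  /* hypothetical code space */
    return 3;
}

/* Hardened variant: each byte is checked for '\0' before the next one is read,
 * so the decoder stops at the terminator however the caller computed e. */
int mb_wc_nul_aware(uint32_t *pwc, const unsigned char *s, const unsigned char *e)
{
    unsigned char b1, b2;
    if (s >= e || rd(s, 0) == '\0') return CS_TOOSMALL;
    if (rd(s, 0) != ESCAPE) { *pwc = rd(s, 0); return 1; }
    if (s + 1 >= e || (b1 = rd(s, 1)) == '\0') return CS_TOOSMALL3;
    if (s + 2 >= e || (b2 = rd(s, 2)) == '\0') return CS_TOOSMALL3;
    if (!code_byte(b1) || !code_byte(b2)) return CS_ILSEQ;
    *pwc = (uint32_t)(b1 - 0x30) * 80 + (b2 - 0x30);
    return 3;
}

/* Constructed input: a lone escape byte, NUL-terminated at offset 1, padded to
 * 16 bytes so the demonstration itself never leaves allocated memory. */
static const unsigned char g_short_input[16] = "@";
/* Decodes g_short_input with a "from + 10" end pointer and returns the largest
 * offset read; any value >= 1 means the decoder read past the terminator. */
size_t max_offset_read(int use_nul_aware)
{
    uint32_t wc; const unsigned char *s = g_short_input;
    g_max_off = 0;
    (use_nul_aware ? mb_wc_nul_aware : mb_wc_trusting)(&wc, s, s + 10);
    return g_max_off;
}
```

Run under AddressSanitizer with the padding removed, the trusting decoder's read of offset 2 is exactly the kind of report the description refers to.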
tags: added: asan
Likely fixed under internal bug id 14834378 in 5.5.33 / 5.6.9.