Diffstat (limited to 'meta-oe/recipes-dbs/mysql')
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb-native_10.7.8.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb-native_10.7.7.bb) | 0 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb.inc | 4 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch | 320 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch | 91 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/mysql/mariadb_10.7.8.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb_10.7.7.bb) | 0 |
5 files changed, 414 insertions, 1 deletions
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.7.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.8.bb
index 17a06349b0..17a06349b0 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.7.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.8.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 097766e792..7c4b0a467f 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -21,10 +21,12 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
 file://sys_futex.patch \
 file://cross-compiling.patch \
 file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
+ file://0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch \
+ file://CVE-2023-22084.patch \
 "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
-SRC_URI[sha256sum] = "fd2f9fa3f135823c1626c9700e3bd736b829bfc09f61f5557d7313a7c9e02c29"
+SRC_URI[sha256sum] = "f8c69d9080d85eafb3e3a84837bfa566a7f5527a8af6f9a081429d4de0de4778"
 UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch
new file mode 100644
index 0000000000..2fe768d754
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch
@@ -0,0 +1,320 @@
+From b98375f9df0b024857c03c03bc3e73e8ced8d772 Mon Sep 17 00:00:00 2001
+From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com>
+Date: Tue, 27 Sep 2022 15:22:57 +0900
+Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in
+ spider_db_mbase::print_warnings()
+
+The function spider_db_mbase::print_warnings() can potentially result
+in a null pointer dereference.
+
+Remove the null pointer dereference by cleaning up the function.
+
+Some small changes to the original commit
+422fb63a9bbee35c50b6c7be19d199afe0bc98fa.
+
+CVE: CVE-2022-47015
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/b98375f9df0]
+
+Co-Authored-By: Yuchen Pei <yuchen.pei@mariadb.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ .../spider/bugfix/r/mdev_29644.result | 41 ++++++
+ .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 +
+ .../spider/bugfix/t/mdev_29644.test | 56 ++++++++
+ storage/spider/spd_db_mysql.cc | 124 ++++++++----------
+ storage/spider/spd_db_mysql.h | 2 +-
+ 5 files changed, 154 insertions(+), 72 deletions(-)
+ create mode 100644 storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+ create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+ create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+
+diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+new file mode 100644
+index 00000000000..b52cecc5bb7
+--- /dev/null
++++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+@@ -0,0 +1,41 @@
++#
++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++#
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
++connection child2_1;
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++CREATE TABLE tbl_a (
++a CHAR(5)
++) ENGINE=InnoDB DEFAULT CHARSET=utf8;
++SET GLOBAL sql_mode='';
++connection master_1;
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++CREATE TABLE tbl_a (
++a CHAR(255)
++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
++SET sql_mode='';
++INSERT INTO tbl_a VALUES ("this will be truncated");
++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++SET GLOBAL spider_log_result_errors=4;
++INSERT INTO tbl_a VALUES ("this will be truncated");
++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++connection master_1;
++SET GLOBAL spider_log_result_errors=DEFAULT;
++SET sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_local;
++connection child2_1;
++SET GLOBAL sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_remote;
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
+diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+new file mode 100644
+index 00000000000..05dfd8a0bce
+--- /dev/null
++++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+@@ -0,0 +1,3 @@
++!include include/default_mysqld.cnf
++!include ../my_1_1.cnf
++!include ../my_2_1.cnf
+diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+new file mode 100644
+index 00000000000..3a8fbb251e1
+--- /dev/null
++++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+@@ -0,0 +1,56 @@
++--echo #
++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++--echo #
++
++# The test case below does not cause the potential null pointer dereference.
++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works.
++
++--disable_query_log
++--disable_result_log
++--source ../../t/test_init.inc
++--enable_result_log
++--enable_query_log
++
++--connection child2_1
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++eval CREATE TABLE tbl_a (
++ a CHAR(5)
++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
++
++SET GLOBAL sql_mode='';
++
++--connection master_1
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++eval CREATE TABLE tbl_a (
++ a CHAR(255)
++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
++
++SET sql_mode='';
++
++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err;
++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should not find
++
++SET GLOBAL spider_log_result_errors=4;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should find
++
++--connection master_1
++SET GLOBAL spider_log_result_errors=DEFAULT;
++SET sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_local;
++
++--connection child2_1
++SET GLOBAL sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_remote;
++
++--disable_query_log
++--disable_result_log
++--source ../t/test_deinit.inc
++--enable_query_log
++--enable_result_log
+diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc
+index d377d2bd807..bc8383017f7 100644
+--- a/storage/spider/spd_db_mysql.cc
++++ b/storage/spider/spd_db_mysql.cc
+@@ -2207,7 +2207,7 @@ int spider_db_mbase::exec_query(
+ db_conn->affected_rows, db_conn->insert_id,
+ db_conn->server_status, db_conn->warning_count);
+ if (spider_param_log_result_errors() >= 3)
+- print_warnings(l_time);
++ fetch_and_print_warnings(l_time);
+ } else if (log_result_errors >= 4)
+ {
+ time_t cur_time = (time_t) time((time_t*) 0);
+@@ -2289,81 +2289,63 @@ bool spider_db_mbase::is_xa_nota_error(
+ DBUG_RETURN(xa_nota);
+ }
+
+-int spider_db_mbase::print_warnings(
+- struct tm *l_time
+-) {
++int spider_db_mbase::fetch_and_print_warnings(struct tm *l_time)
++{
+ int error_num = 0;
+- DBUG_ENTER("spider_db_mbase::print_warnings");
++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings");
+ DBUG_PRINT("info",("spider this=%p", this));
+- if (db_conn->status == MYSQL_STATUS_READY)
++
++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY ||
++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS ||
++ !db_conn->warning_count)
++ DBUG_RETURN(0);
++
++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
++ SPIDER_SQL_SHOW_WARNINGS_LEN))
++ DBUG_RETURN(0);
++
++ MYSQL_RES *res= mysql_store_result(db_conn);
++ if (!res)
++ DBUG_RETURN(0);
++
++ uint num_fields= mysql_num_fields(res);
++ if (num_fields != 3)
+ {
+- if (
+-#if MYSQL_VERSION_ID < 50500
+- !(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS) &&
+- db_conn->last_used_con->warning_count
+-#else
+- !(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS) &&
+- db_conn->warning_count
+-#endif
+- ) {
+- if (
+- spider_param_dry_access() ||
+- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
+- SPIDER_SQL_SHOW_WARNINGS_LEN)
+- ) {
+- MYSQL_RES *res = NULL;
+- MYSQL_ROW row = NULL;
+- uint num_fields;
+- if (
+- spider_param_dry_access() ||
+- !(res = mysql_store_result(db_conn)) ||
+- !(row = mysql_fetch_row(res))
+- ) {
+- if (mysql_errno(db_conn))
+- {
+- if (res)
+- mysql_free_result(res);
+- DBUG_RETURN(0);
+- }
+- /* no record is ok */
+- }
+- num_fields = mysql_num_fields(res);
+- if (num_fields != 3)
+- {
+- mysql_free_result(res);
+- DBUG_RETURN(0);
+- }
+- if (l_time)
+- {
+- while (row)
+- {
+- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] "
+- "from [%s] %ld to %ld: %s %s %s\n",
++ mysql_free_result(res);
++ DBUG_RETURN(0);
++ }
++
++ MYSQL_ROW row= mysql_fetch_row(res);
++ if (l_time)
++ {
++ while (row)
++ {
++ fprintf(stderr,
++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld "
++ "to %ld: %s %s %s\n",
+ l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday,
+- l_time->tm_hour, l_time->tm_min, l_time->tm_sec,
+- conn->tgt_host, (ulong) db_conn->thread_id,
+- (ulong) current_thd->thread_id, row[0], row[1], row[2]);
+- row = mysql_fetch_row(res);
+- }
+- } else {
+- while (row)
+- {
+- DBUG_PRINT("info",("spider row[0]=%s", row[0]));
+- DBUG_PRINT("info",("spider row[1]=%s", row[1]));
+- DBUG_PRINT("info",("spider row[2]=%s", row[2]));
+- longlong res_num =
+- (longlong) my_strtoll10(row[1], (char**) NULL, &error_num);
+- DBUG_PRINT("info",("spider res_num=%lld", res_num));
+- my_printf_error((int) res_num, row[2], MYF(0));
+- error_num = (int) res_num;
+- row = mysql_fetch_row(res);
+- }
+- }
+- if (res)
+- mysql_free_result(res);
+- }
++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host,
++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0],
++ row[1], row[2]);
++ row= mysql_fetch_row(res);
++ }
++ } else {
++ while (row)
++ {
++ DBUG_PRINT("info",("spider row[0]=%s", row[0]));
++ DBUG_PRINT("info",("spider row[1]=%s", row[1]));
++ DBUG_PRINT("info",("spider row[2]=%s", row[2]));
++ longlong res_num =
++ (longlong) my_strtoll10(row[1], (char**) NULL, &error_num);
++ DBUG_PRINT("info",("spider res_num=%lld", res_num));
++ my_printf_error((int) res_num, row[2], MYF(0));
++ error_num = (int) res_num;
++ row = mysql_fetch_row(res);
+ }
+ }
++
++ mysql_free_result(res);
++
+ DBUG_RETURN(error_num);
+ }
+
+@@ -14668,7 +14650,7 @@ int spider_mbase_handler::show_table_status(
+ DBUG_RETURN(error_num);
+ }
+ }
+- if ((error_num = ((spider_db_mbase *) conn->db_conn)->print_warnings(NULL)))
++ if ((error_num = ((spider_db_mbase *) conn->db_conn)->fetch_and_print_warnings(NULL)))
+ {
+ DBUG_RETURN(error_num);
+ }
+diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h
+index e90461ea278..a2012352f21 100644
+--- a/storage/spider/spd_db_mysql.h
++++ b/storage/spider/spd_db_mysql.h
+@@ -442,7 +442,7 @@ class spider_db_mbase: public spider_db_conn
+ bool is_xa_nota_error(
+ int error_num
+ );
+- int print_warnings(
++ int fetch_and_print_warnings(
+ struct tm *l_time
+ );
+ spider_db_result *store_result(
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch
new file mode 100644
index 0000000000..3053614854
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch
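Review bot: The rewritten `fetch_and_print_warnings()` in the spd_db_mysql.cc part of this backport still passes `row[2]`, the message column returned by `SHOW WARNINGS` on the remote data node, as the format argument in `my_printf_error((int) res_num, row[2], MYF(0));`. Any `%` conversion in that text would be interpreted against arguments that were never supplied, so the message should travel as data instead: `my_printf_error((int) res_num, "%s", MYF(0), row[2]);`. The `l_time` branch prints `row[0]`..`row[2]` through `%s` in `fprintf(stderr, ...)` without checking them for NULL, and a guard before printing would be cheap. The `my_printf_error` line is carried over unchanged from the old `print_warnings()`, so the fix presumably belongs upstream as well as in this backport.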
@@ -0,0 +1,91 @@
+From 15ae97b1c2c14f1263cdc853673c4129625323de Mon Sep 17 00:00:00 2001
+From: Marko Mäkelä <marko.makela@mariadb.com>
+Date: Thu, 8 Feb 2024 08:09:20 +0000
+Subject: [PATCH] MDEV-32578 row_merge_fts_doc_tokenize() handles parser plugin
+ inconsistently
+
+When mysql/mysql-server@0c954c2
+added a plugin interface for FULLTEXT INDEX tokenization to MySQL 5.7,
+fts_tokenize_ctx::processed_len got a second meaning, which is only
+partly implemented in row_merge_fts_doc_tokenize().
+
+This inconsistency could cause a crash when using FULLTEXT...WITH PARSER.
+A test case that would crash MySQL 8.0 when using an n-gram parser and
+single-character words would fail to crash in MySQL 5.7, because the
+buf_full condition in row_merge_fts_doc_tokenize() was not met.
+
+This change is inspired by
+mysql/mysql-server@38e9a07
+that appeared in MySQL 5.7.44.
+
+CVE: CVE-2023-22084
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/15ae97b1c2c1]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ storage/innobase/include/row0ftsort.h | 6 +++++-
+ storage/innobase/row/row0ftsort.cc | 11 ++++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/storage/innobase/include/row0ftsort.h b/storage/innobase/include/row0ftsort.h
+index 65508caf..3ffa8243 100644
+--- a/storage/innobase/include/row0ftsort.h
++++ b/storage/innobase/include/row0ftsort.h
+@@ -104,7 +104,10 @@ typedef UT_LIST_BASE_NODE_T(row_fts_token_t) fts_token_list_t;
+
+ /** Structure stores information from string tokenization operation */
+ struct fts_tokenize_ctx {
+- ulint processed_len; /*!< processed string length */
++ /** the processed string length in bytes
++ (when using the built-in tokenizer),
++ or the number of row_merge_fts_doc_tokenize_by_parser() calls */
++ ulint processed_len;
+ ulint init_pos; /*!< doc start position */
+ ulint buf_used; /*!< the sort buffer (ID) when
+ tokenization stops, which
+@@ -115,6 +118,7 @@ struct fts_tokenize_ctx {
+ ib_rbt_t* cached_stopword;/*!< in: stopword list */
+ dfield_t sort_field[FTS_NUM_FIELDS_SORT];
+ /*!< in: sort field */
++ /** parsed tokens (when using an external parser) */
+ fts_token_list_t fts_token_list;
+
+ fts_tokenize_ctx() :
+diff --git a/storage/innobase/row/row0ftsort.cc b/storage/innobase/row/row0ftsort.cc
+index 86e96624..406ff60f 100644
+--- a/storage/innobase/row/row0ftsort.cc
++++ b/storage/innobase/row/row0ftsort.cc
+@@ -491,7 +491,10 @@ row_merge_fts_doc_tokenize(
+
+ /* Tokenize the data and add each word string, its corresponding
+ doc id and position to sort buffer */
+- while (t_ctx->processed_len < doc->text.f_len) {
++ while (parser
++ ? (!t_ctx->processed_len
++ || UT_LIST_GET_LEN(t_ctx->fts_token_list))
++ : t_ctx->processed_len < doc->text.f_len) {
+ ulint idx = 0;
+ ulint cur_len;
+ doc_id_t write_doc_id;
+@@ -831,7 +834,8 @@ void fts_parallel_tokenization(
+ /* Not yet finish processing the "doc" on hand,
+ continue processing it */
+ ut_ad(doc.text.f_str);
+- ut_ad(t_ctx.processed_len < doc.text.f_len);
++ ut_ad(buf[0]->index->parser
++ || t_ctx.processed_len < doc.text.f_len);
+ }
+
+ processed = row_merge_fts_doc_tokenize(
+@@ -841,7 +845,8 @@ void fts_parallel_tokenization(
+
+ /* Current sort buffer full, need to recycle */
+ if (!processed) {
+- ut_ad(t_ctx.processed_len < doc.text.f_len);
++ ut_ad(buf[0]->index->parser
++ || t_ctx.processed_len < doc.text.f_len);
+ ut_ad(t_ctx.rows_added[t_ctx.buf_used]);
+ break;
+ }
+--
+2.40.0
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.7.7.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.7.8.bb
index 87faabfa27..87faabfa27 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_10.7.7.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_10.7.8.bb |
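Review bot: The new `while (parser ? ... : ...)` condition in `row_merge_fts_doc_tokenize()` depends on `processed_len` being a call count when a parser plugin is in use, but that second meaning is documented only at the struct field in row0ftsort.h, not at the loop that relies on it. A comment above the loop would help the next reader, e.g. `/* With a parser plugin, processed_len counts row_merge_fts_doc_tokenize_by_parser() calls: enter once, then continue while fts_token_list is non-empty. */`. The two `ut_ad()` changes in `fts_parallel_tokenization()` are debug assertions, so release builds presumably depend on the loop condition alone. The patch's own diffstat lists only the two source files, so this backport carries no regression test for the `FULLTEXT ... WITH PARSER` path; both function bodies continue outside the hunks shown.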