aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-dbs/mysql
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-dbs/mysql')
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb-native_10.7.8.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb-native_10.7.7.bb)0
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb.inc4
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch320
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch91
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb_10.7.8.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb_10.7.7.bb)0
5 files changed, 414 insertions, 1 deletions
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.7.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.8.bb
index 17a06349b0..17a06349b0 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.7.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.8.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 097766e792..7c4b0a467f 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -21,10 +21,12 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
file://sys_futex.patch \
file://cross-compiling.patch \
file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
+ file://0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch \
+ file://CVE-2023-22084.patch \
"
SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
-SRC_URI[sha256sum] = "fd2f9fa3f135823c1626c9700e3bd736b829bfc09f61f5557d7313a7c9e02c29"
+SRC_URI[sha256sum] = "f8c69d9080d85eafb3e3a84837bfa566a7f5527a8af6f9a081429d4de0de4778"
UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch
new file mode 100644
index 0000000000..2fe768d754
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-29644-a-potential-bug-of-null-pointer-dereferen.patch
@@ -0,0 +1,320 @@
+From b98375f9df0b024857c03c03bc3e73e8ced8d772 Mon Sep 17 00:00:00 2001
+From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com>
+Date: Tue, 27 Sep 2022 15:22:57 +0900
+Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in
+ spider_db_mbase::print_warnings()
+
+The function spider_db_mbase::print_warnings() can potentially result
+in a null pointer dereference.
+
+Remove the null pointer dereference by cleaning up the function.
+
+Some small changes to the original commit
+422fb63a9bbee35c50b6c7be19d199afe0bc98fa.
+
+CVE: CVE-2022-47015
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/b98375f9df0]
+
+Co-Authored-By: Yuchen Pei <yuchen.pei@mariadb.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ .../spider/bugfix/r/mdev_29644.result | 41 ++++++
+ .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 +
+ .../spider/bugfix/t/mdev_29644.test | 56 ++++++++
+ storage/spider/spd_db_mysql.cc | 124 ++++++++----------
+ storage/spider/spd_db_mysql.h | 2 +-
+ 5 files changed, 154 insertions(+), 72 deletions(-)
+ create mode 100644 storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+ create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+ create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+
+diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+new file mode 100644
+index 00000000000..b52cecc5bb7
+--- /dev/null
++++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result
+@@ -0,0 +1,41 @@
++#
++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++#
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
++connection child2_1;
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++CREATE TABLE tbl_a (
++a CHAR(5)
++) ENGINE=InnoDB DEFAULT CHARSET=utf8;
++SET GLOBAL sql_mode='';
++connection master_1;
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++CREATE TABLE tbl_a (
++a CHAR(255)
++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
++SET sql_mode='';
++INSERT INTO tbl_a VALUES ("this will be truncated");
++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++SET GLOBAL spider_log_result_errors=4;
++INSERT INTO tbl_a VALUES ("this will be truncated");
++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err
++connection master_1;
++SET GLOBAL spider_log_result_errors=DEFAULT;
++SET sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_local;
++connection child2_1;
++SET GLOBAL sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_remote;
++for master_1
++for child2
++child2_1
++child2_2
++child2_3
++for child3
+diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+new file mode 100644
+index 00000000000..05dfd8a0bce
+--- /dev/null
++++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf
+@@ -0,0 +1,3 @@
++!include include/default_mysqld.cnf
++!include ../my_1_1.cnf
++!include ../my_2_1.cnf
+diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+new file mode 100644
+index 00000000000..3a8fbb251e1
+--- /dev/null
++++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test
+@@ -0,0 +1,56 @@
++--echo #
++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings()
++--echo #
++
++# The test case below does not cause the potential null pointer dereference.
++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works.
++
++--disable_query_log
++--disable_result_log
++--source ../../t/test_init.inc
++--enable_result_log
++--enable_query_log
++
++--connection child2_1
++CREATE DATABASE auto_test_remote;
++USE auto_test_remote;
++eval CREATE TABLE tbl_a (
++ a CHAR(5)
++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
++
++SET GLOBAL sql_mode='';
++
++--connection master_1
++CREATE DATABASE auto_test_local;
++USE auto_test_local;
++eval CREATE TABLE tbl_a (
++ a CHAR(255)
++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
++
++SET sql_mode='';
++
++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err;
++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should not find
++
++SET GLOBAL spider_log_result_errors=4;
++
++INSERT INTO tbl_a VALUES ("this will be truncated");
++--source include/search_pattern_in_file.inc # should find
++
++--connection master_1
++SET GLOBAL spider_log_result_errors=DEFAULT;
++SET sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_local;
++
++--connection child2_1
++SET GLOBAL sql_mode=DEFAULT;
++DROP DATABASE IF EXISTS auto_test_remote;
++
++--disable_query_log
++--disable_result_log
++--source ../t/test_deinit.inc
++--enable_query_log
++--enable_result_log
+diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc
+index d377d2bd807..bc8383017f7 100644
+--- a/storage/spider/spd_db_mysql.cc
++++ b/storage/spider/spd_db_mysql.cc
+@@ -2207,7 +2207,7 @@ int spider_db_mbase::exec_query(
+ db_conn->affected_rows, db_conn->insert_id,
+ db_conn->server_status, db_conn->warning_count);
+ if (spider_param_log_result_errors() >= 3)
+- print_warnings(l_time);
++ fetch_and_print_warnings(l_time);
+ } else if (log_result_errors >= 4)
+ {
+ time_t cur_time = (time_t) time((time_t*) 0);
+@@ -2289,81 +2289,63 @@ bool spider_db_mbase::is_xa_nota_error(
+ DBUG_RETURN(xa_nota);
+ }
+
+-int spider_db_mbase::print_warnings(
+- struct tm *l_time
+-) {
++int spider_db_mbase::fetch_and_print_warnings(struct tm *l_time)
++{
+ int error_num = 0;
+- DBUG_ENTER("spider_db_mbase::print_warnings");
++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings");
+ DBUG_PRINT("info",("spider this=%p", this));
+- if (db_conn->status == MYSQL_STATUS_READY)
++
++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY ||
++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS ||
++ !db_conn->warning_count)
++ DBUG_RETURN(0);
++
++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
++ SPIDER_SQL_SHOW_WARNINGS_LEN))
++ DBUG_RETURN(0);
++
++ MYSQL_RES *res= mysql_store_result(db_conn);
++ if (!res)
++ DBUG_RETURN(0);
++
++ uint num_fields= mysql_num_fields(res);
++ if (num_fields != 3)
+ {
+- if (
+-#if MYSQL_VERSION_ID < 50500
+- !(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS) &&
+- db_conn->last_used_con->warning_count
+-#else
+- !(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS) &&
+- db_conn->warning_count
+-#endif
+- ) {
+- if (
+- spider_param_dry_access() ||
+- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR,
+- SPIDER_SQL_SHOW_WARNINGS_LEN)
+- ) {
+- MYSQL_RES *res = NULL;
+- MYSQL_ROW row = NULL;
+- uint num_fields;
+- if (
+- spider_param_dry_access() ||
+- !(res = mysql_store_result(db_conn)) ||
+- !(row = mysql_fetch_row(res))
+- ) {
+- if (mysql_errno(db_conn))
+- {
+- if (res)
+- mysql_free_result(res);
+- DBUG_RETURN(0);
+- }
+- /* no record is ok */
+- }
+- num_fields = mysql_num_fields(res);
+- if (num_fields != 3)
+- {
+- mysql_free_result(res);
+- DBUG_RETURN(0);
+- }
+- if (l_time)
+- {
+- while (row)
+- {
+- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] "
+- "from [%s] %ld to %ld: %s %s %s\n",
++ mysql_free_result(res);
++ DBUG_RETURN(0);
++ }
++
++ MYSQL_ROW row= mysql_fetch_row(res);
++ if (l_time)
++ {
++ while (row)
++ {
++ fprintf(stderr,
++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld "
++ "to %ld: %s %s %s\n",
+ l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday,
+- l_time->tm_hour, l_time->tm_min, l_time->tm_sec,
+- conn->tgt_host, (ulong) db_conn->thread_id,
+- (ulong) current_thd->thread_id, row[0], row[1], row[2]);
+- row = mysql_fetch_row(res);
+- }
+- } else {
+- while (row)
+- {
+- DBUG_PRINT("info",("spider row[0]=%s", row[0]));
+- DBUG_PRINT("info",("spider row[1]=%s", row[1]));
+- DBUG_PRINT("info",("spider row[2]=%s", row[2]));
+- longlong res_num =
+- (longlong) my_strtoll10(row[1], (char**) NULL, &error_num);
+- DBUG_PRINT("info",("spider res_num=%lld", res_num));
+- my_printf_error((int) res_num, row[2], MYF(0));
+- error_num = (int) res_num;
+- row = mysql_fetch_row(res);
+- }
+- }
+- if (res)
+- mysql_free_result(res);
+- }
++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host,
++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0],
++ row[1], row[2]);
++ row= mysql_fetch_row(res);
++ }
++ } else {
++ while (row)
++ {
++ DBUG_PRINT("info",("spider row[0]=%s", row[0]));
++ DBUG_PRINT("info",("spider row[1]=%s", row[1]));
++ DBUG_PRINT("info",("spider row[2]=%s", row[2]));
++ longlong res_num =
++ (longlong) my_strtoll10(row[1], (char**) NULL, &error_num);
++ DBUG_PRINT("info",("spider res_num=%lld", res_num));
++ my_printf_error((int) res_num, row[2], MYF(0));
++ error_num = (int) res_num;
++ row = mysql_fetch_row(res);
+ }
+ }
++
++ mysql_free_result(res);
++
+ DBUG_RETURN(error_num);
+ }
+
+@@ -14668,7 +14650,7 @@ int spider_mbase_handler::show_table_status(
+ DBUG_RETURN(error_num);
+ }
+ }
+- if ((error_num = ((spider_db_mbase *) conn->db_conn)->print_warnings(NULL)))
++ if ((error_num = ((spider_db_mbase *) conn->db_conn)->fetch_and_print_warnings(NULL)))
+ {
+ DBUG_RETURN(error_num);
+ }
+diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h
+index e90461ea278..a2012352f21 100644
+--- a/storage/spider/spd_db_mysql.h
++++ b/storage/spider/spd_db_mysql.h
+@@ -442,7 +442,7 @@ class spider_db_mbase: public spider_db_conn
+ bool is_xa_nota_error(
+ int error_num
+ );
+- int print_warnings(
++ int fetch_and_print_warnings(
+ struct tm *l_time
+ );
+ spider_db_result *store_result(
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch
new file mode 100644
index 0000000000..3053614854
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch
@@ -0,0 +1,91 @@
+From 15ae97b1c2c14f1263cdc853673c4129625323de Mon Sep 17 00:00:00 2001
+From: Marko Mäkelä <marko.makela@mariadb.com>
+Date: Thu, 8 Feb 2024 08:09:20 +0000
+Subject: [PATCH] MDEV-32578 row_merge_fts_doc_tokenize() handles parser plugin
+ inconsistently
+
+When mysql/mysql-server@0c954c2
+added a plugin interface for FULLTEXT INDEX tokenization to MySQL 5.7,
+fts_tokenize_ctx::processed_len got a second meaning, which is only
+partly implemented in row_merge_fts_doc_tokenize().
+
+This inconsistency could cause a crash when using FULLTEXT...WITH PARSER.
+A test case that would crash MySQL 8.0 when using an n-gram parser and
+single-character words would fail to crash in MySQL 5.7, because the
+buf_full condition in row_merge_fts_doc_tokenize() was not met.
+
+This change is inspired by
+mysql/mysql-server@38e9a07
+that appeared in MySQL 5.7.44.
+
+CVE: CVE-2023-22084
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/15ae97b1c2c1]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ storage/innobase/include/row0ftsort.h | 6 +++++-
+ storage/innobase/row/row0ftsort.cc | 11 ++++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/storage/innobase/include/row0ftsort.h b/storage/innobase/include/row0ftsort.h
+index 65508caf..3ffa8243 100644
+--- a/storage/innobase/include/row0ftsort.h
++++ b/storage/innobase/include/row0ftsort.h
+@@ -104,7 +104,10 @@ typedef UT_LIST_BASE_NODE_T(row_fts_token_t) fts_token_list_t;
+
+ /** Structure stores information from string tokenization operation */
+ struct fts_tokenize_ctx {
+- ulint processed_len; /*!< processed string length */
++ /** the processed string length in bytes
++ (when using the built-in tokenizer),
++ or the number of row_merge_fts_doc_tokenize_by_parser() calls */
++ ulint processed_len;
+ ulint init_pos; /*!< doc start position */
+ ulint buf_used; /*!< the sort buffer (ID) when
+ tokenization stops, which
+@@ -115,6 +118,7 @@ struct fts_tokenize_ctx {
+ ib_rbt_t* cached_stopword;/*!< in: stopword list */
+ dfield_t sort_field[FTS_NUM_FIELDS_SORT];
+ /*!< in: sort field */
++ /** parsed tokens (when using an external parser) */
+ fts_token_list_t fts_token_list;
+
+ fts_tokenize_ctx() :
+diff --git a/storage/innobase/row/row0ftsort.cc b/storage/innobase/row/row0ftsort.cc
+index 86e96624..406ff60f 100644
+--- a/storage/innobase/row/row0ftsort.cc
++++ b/storage/innobase/row/row0ftsort.cc
+@@ -491,7 +491,10 @@ row_merge_fts_doc_tokenize(
+
+ /* Tokenize the data and add each word string, its corresponding
+ doc id and position to sort buffer */
+- while (t_ctx->processed_len < doc->text.f_len) {
++ while (parser
++ ? (!t_ctx->processed_len
++ || UT_LIST_GET_LEN(t_ctx->fts_token_list))
++ : t_ctx->processed_len < doc->text.f_len) {
+ ulint idx = 0;
+ ulint cur_len;
+ doc_id_t write_doc_id;
+@@ -831,7 +834,8 @@ void fts_parallel_tokenization(
+ /* Not yet finish processing the "doc" on hand,
+ continue processing it */
+ ut_ad(doc.text.f_str);
+- ut_ad(t_ctx.processed_len < doc.text.f_len);
++ ut_ad(buf[0]->index->parser
++ || t_ctx.processed_len < doc.text.f_len);
+ }
+
+ processed = row_merge_fts_doc_tokenize(
+@@ -841,7 +845,8 @@ void fts_parallel_tokenization(
+
+ /* Current sort buffer full, need to recycle */
+ if (!processed) {
+- ut_ad(t_ctx.processed_len < doc.text.f_len);
++ ut_ad(buf[0]->index->parser
++ || t_ctx.processed_len < doc.text.f_len);
+ ut_ad(t_ctx.rows_added[t_ctx.buf_used]);
+ break;
+ }
+--
+2.40.0
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.7.7.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.7.8.bb
index 87faabfa27..87faabfa27 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_10.7.7.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_10.7.8.bb
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-09-23 01:18:58 +0000