Audit log worker thread may crash on write call writing fewer bytes than requested

Bug #1552682 reported by Laurynas Biveinis on 2016-03-03
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
MySQL Server | Unknown | Unknown | |
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | Invalid | Undecided | Unassigned |
5.6 | Invalid | Undecided | Unassigned |
5.7 | Fix Released | High | Laurynas Biveinis |

Bug Description

audit_log.audit_log_old w4 [ fail ]
...
15:31:42 UTC - mysqld got signal 11 ;
...
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f1960740101 in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
61 ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
#0 0x00007f1960740101 in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x000000000079549d in handle_fatal_signal (sig=11) at /mnt/workspace/mysql-5.7-param/BUILD_TYPE/release/Host/debian-jessie-64bit/sql/signal_handler.cc:223
#2 <signal handler called>
#3 thd_killed (thd=<optimized out>) at /mnt/workspace/mysql-5.7-param/BUILD_TYPE/release/Host/debian-jessie-64bit/sql/sql_class.cc:4043
#4 0x0000000000e7960a in my_write (Filedes=20, Buffer=Buffer@entry=0x2e68557 "<AUDIT_RECORD\n NAME=\"Query\"\n RECORD=\"35_2016-03-02T15:31:42\"\n TIMESTAMP=\"2016-03-02T15:31:42 UTC\"\n COMMAND_CLASS=\"insert\"\n CONNECTION_ID=\"6\"\n STATUS=\"0\"\n SQLTEXT=\"insert into sa_t1 values (1), "..., Count=Count@entry=2052, MyFlags=MyFlags@entry=0) at /mnt/workspace/mysql-5.7-param/BUILD_TYPE/release/Host/debian-jessie-64bit/mysys/my_write.c:84
#5 0x00007f19300eb196 in logger_write (log=0x2e69560, buffer=0x2e68557 "<AUDIT_RECORD\n NAME=\"Query\"\n RECORD=\"35_2016-03-02T15:31:42\"\n TIMESTAMP=\"2016-03-02T15:31:42 UTC\"\n COMMAND_CLASS=\"insert\"\n CONNECTION_ID=\"6\"\n STATUS=\"0\"\n SQLTEXT=\"insert into sa_t1 values (1), "..., size=2052, state=LOG_RECORD_COMPLETE) at /mnt/workspace/mysql-5.7-param/BUILD_TYPE/release/Host/debian-jessie-64bit/plugin/audit_log/file_logger.c:294
#6 0x00007f19300eb7c8 in audit_log_flush (log=0x2e68450) at /mnt/workspace/mysql-5.7-param/BUILD_TYPE/release/Host/debian-jessie-64bit/plugin/audit_log/buffer.c:86
#7 audit_log_flush_worker (arg=0x2e68450) at /mnt/workspace/mysql-5.7-param/BUILD_TYPE/release/Host/debian-jessie-64bit/plugin/audit_log/buffer.c:106
#8 0x00007f196073b0a4 in start_thread (arg=0x7f1907fff700) at pthread_create.c:309
#9 0x00007f195e98787d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

The issue here is that my_b_write, if ::write returned fewer bytes than requested, will check thread kill status through a thd_killed call with a NULL arg. It will attempt to read a THD pointer from TLS, will receive NULL for this utility thread, and will dereference it.

tags: added: audit
tags: added: upstream
summary: - Audit log worker thread may crash on I/O returning an error
+ Audit log worker thread may crash on write call writing fewer bytes than
+ requested

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-970
