BUG#36263410 ndb_mgmd double free of --bind-address

Problem: Starting ´ndb_mgmd --bind-address´ may potentially cause abnormal program termination in MgmtSrvr destructor when ndb_mgmd restart itself. Core was generated by `ndb_mgmd --defa'. Program terminated with signal SIGABRT, Aborted. #0 0x00007f8ce4066b8f in raise () from /lib64/libc.so.6 #1 0x00007f8ce4039ea5 in abort () from /lib64/libc.so.6 #2 0x00007f8ce40a7d97 in __libc_message () from /lib64/libc.so.6 #3 0x00007f8ce40af08c in malloc_printerr () from /lib64/libc.so.6 #4 0x00007f8ce40b132d in _int_free () from /lib64/libc.so.6 #5 0x00000000006e9ffe in MgmtSrvr::~MgmtSrvr (this=0x28de4b0) at mysql/8.0/storage/ndb/src/mgmsrv/MgmtSrvr.cpp: 890 #6 0x00000000006ea09e in MgmtSrvr::~MgmtSrvr (this=0x2) at mysql/8.0/ storage/ndb/src/mgmsrv/MgmtSrvr.cpp:849 #7 0x0000000000700d94 in mgmd_run () at mysql/8.0/storage/ndb/src/mgmsrv/main.cpp:260 percona#8 0x0000000000700775 in mgmd_main (argc=<optimized out>, argv=0x28041d0) at mysql/8.0/storage/ndb/src/ mgmsrv/main.cpp:479 Analysis: While starting up, the ndb_mgmd will allocate memory for bind_address in order to potentially rewrite the parameter. When ndb_mgmd restart itself the memory will be released and dangling pointer causing double free. Fix: Drop support for bind_address=[::], it is not documented anywhere, is not useful and doesn't work. This means the need to rewrite bind_address is gone and bind_address argument need neither alloc or free. Change-Id: I7797109b9d8391394587188d64d4b1f398887e94
percona-ysorokin · Feb 6, 2024 · 0855cd6 · 0855cd6
1 parent 4c5a7f5
commit 0855cd6
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 12 deletions.
diff --git a/storage/ndb/src/mgmsrv/MgmtSrvr.cpp b/storage/ndb/src/mgmsrv/MgmtSrvr.cpp
@@ -886,8 +886,6 @@ MgmtSrvr::~MgmtSrvr() {
 
   delete m_local_config;
 
-  if (m_opts.bind_address != nullptr)
-    free(const_cast<char *>(m_opts.bind_address));
   NdbMutex_Destroy(m_local_config_mutex);
   NdbMutex_Destroy(m_reserved_nodes_mutex);
 }

diff --git a/storage/ndb/src/mgmsrv/main.cpp b/storage/ndb/src/mgmsrv/main.cpp
@@ -169,7 +169,7 @@ static void short_usage_sub(void) {
   ndb_service_print_options("ndb_mgmd");
 }
 
-static void mgmd_exit(int result) {
+[[noreturn]] static void mgmd_exit(int result) {
   g_eventLogger->close();
 
   ndb_end(opt_ndb_endinfo ? MY_CHECK_ERROR | MY_GIVE_INFO : 0);
@@ -398,15 +398,6 @@ static int mgmd_main(int argc, char **argv) {
     }
   }
 
-  if (opts.bind_address) {
-    int len = strlen(opts.bind_address);
-    if ((opts.bind_address[0] == '[') && (opts.bind_address[len - 1] == ']')) {
-      opts.bind_address = strdup(opts.bind_address + 1);
-    } else {
-      opts.bind_address = strdup(opts.bind_address);
-    }
-  }
-
   /* Setup use of event logger */
   g_eventLogger->setCategory(opt_logname);